Nmap result:

Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http     Python http.server 3.5 - 3.10
443/tcp  open  ssl/http Apache httpd
3306/tcp open  mysql    MySQL (unauthorized)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Opening the web page at https://briks.thm reveals that it is running WordPress. The machine is very slow to respond to HTTPS requests. Since it is running WordPress, we check for vulnerabilities with wpscan, adding --disable-tls-checks and the API token so that the scan over HTTPS completes without errors.

We immediately notice an RCE vulnerability:

 | [!] Title: Bricks < 1.9.6.1 - Unauthenticated Remote Code Execution
 |     Fixed in: 1.9.6.1

Using one of the public exploits for this vulnerability (CVE-2024-25600), run in the environment because of problems installing the modules the exploit needs, we obtain a shell and can read the hidden file:

THM{fl46_650c844110baced87e1606453b93f22a}

The next question asked is “What is the name of the suspicious process?”. Following the hint, we list the running services with the command systemctl | grep running. We indeed find a service with a strange description, TRYHACK3M:

ubuntu.service                  loaded active     running   TRYHACK3M 

Now we want to get more information about this “service”, and we do so with systemctl status ubuntu.service:

apache@tryhackme:/data/www/default$ systemctl status ubuntu.service
systemctl status ubuntu.service
● ubuntu.service - TRYHACK3M
     Loaded: loaded (/etc/systemd/system/ubuntu.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2025-08-29 12:14:10 UTC; 3min 27s ago
   Main PID: 81533 (nm-inet-dialog)
      Tasks: 2 (limit: 4671)
     Memory: 30.6M
     CGroup: /system.slice/ubuntu.service
             ├─81533 /lib/NetworkManager/nm-inet-dialog
             └─81534 /lib/NetworkManager/nm-inet-dialog

So the “suspicious” process we are looking for is nm-inet-dialog, and the service it belongs to is ubuntu.service. Searching online for nm-inet-dialog shows that it is associated with crypto-mining malware, and the published analysis of this sample provides much of the information needed to answer the subsequent questions.

The next question is “What is the log file name of the miner instance?”. According to the online analysis, this malware uses a folder in /tmp. I tried to check the permissions, but I could not enter that folder. Looking further into the analysis, I found the log file /usr/lib/NetworkManager/inet.conf, which is the one we are looking for.

The next question is “What is the wallet address of the miner instance?”. Inside the log file, I found a log line containing a certain ID:

2024-04-08 10:54:25,059 [*] Miner()
ID: 5757314e65474e5962484a4f656d787457544e424e574648555446684d3070735930684b616c70555a7a566b52335276546b686b65575248647a525a57466f77546b64334d6b347a526d685a6255313459316873636b35366247315a4d304531595564476130355864486c6157454a3557544a564e453959556e4a685246497a5932355363303948526a4a6b52464a7a546d706b65466c525054303d

It is surely the wallet address we are looking for. It appears to be hex-encoded, since it contains only hex digits. I decode it with echo <ID> | xxd -r -p (CyberChef can also be used directly, and is arguably better here because it analyses the result immediately) and indeed I get a base64-encoded string:

WW1NeGNYbHJOemxtWTNBNWFHUTFhM0psY0hKalpUZzVkR3RvTkhkeWRHdzRZWFowTkd3Mk4zRmhZbU14Y1hsck56bG1ZM0E1YUdGa05XdHlaWEJ5WTJVNE9YUnJhRFIzY25Sc09HRjJkRFJzTmpkeFlRPT0=

which I base64-decode and get:

YmMxcXlrNzlmY3A5aGQ1a3JlcHJjZTg5dGtoNHdydGw4YXZ0NGw2N3FhYmMxcXlrNzlmY3A5aGFkNWtyZXByY2U4OXRraDR3cnRsOGF2dDRsNjdxYQ==

which I base64-decode once more and get:

bc1qyk79fcp9hd5kreprce89tkh4wrtl8avt4l67qabc1qyk79fcp9had5kreprce89tkh4wrtl8avt4l67qa

This looks like the address we are looking for, repeated twice. The single address is:

bc1qyk79fcp9hd5kreprce89tkh4wrtl8avt4l67qa
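The decoding chain just worked through by hand (hex, then base64 twice, then the duplicated address), as an added Python example that is not part of the original writeup: peel_layers strips one encoding layer per step, extract_addresses pulls bc1q addresses out of every layer with a bech32 regex, and wrap_like_miner is a constructed helper that rebuilds the same nesting so the chain can be checked in reverse. LOG_ID is the ID from the log line above; the function names are my own.

```python
import base64
import binascii
import re
import string

# Bech32 addresses: "bc1q" plus the bech32 charset (which has no '1', 'b', 'i' or 'o').
BECH32_RE = re.compile(r"bc1q[02-9ac-hj-np-z]{38,58}")
# The ID exactly as printed in the miner log line quoted above.
LOG_ID = "5757314e65474e5962484a4f656d787457544e424e574648555446684d3070735930684b616c70555a7a566b52335276546b686b65575248647a525a57466f77546b64334d6b347a526d685a6255313459316873636b35366247315a4d304531595547466130355864486c6157454a3557544a564e453959556e4a685246497a5932355363303947526a4a6b52464a7a546d706b65466c525054303d"

def peel_layers(blob, max_depth=8):
    """Strip hex and base64 layers one at a time; return every intermediate text."""
    current = blob.strip()
    layers = [current]
    for _ in range(max_depth):
        # Hex is tried first; a base64 layer made only of hex digits would be misread here.
        if current and len(current) % 2 == 0 and all(c in string.hexdigits for c in current):
            data = bytes.fromhex(current)
        elif current and len(current) % 4 == 0:
            try:
                data = base64.b64decode(current, validate=True)
            except (binascii.Error, ValueError):
                break
        else:
            break  # neither hex nor well-formed base64: innermost layer reached
        try:
            current = data.decode("ascii")
        except UnicodeDecodeError:
            break  # binary payload, nothing further to peel as text
        layers.append(current)
    return layers

def extract_addresses(blob):
    """Return each distinct bc1q address found in any decoded layer, in order."""
    found = []
    for layer in peel_layers(blob):
        for addr in BECH32_RE.findall(layer):
            if addr not in found:
                found.append(addr)
    return found

def wrap_like_miner(text):
    """Constructed helper: rebuild the observed nesting (base64 twice, then hex)."""
    inner = base64.b64encode(text.encode()).decode()
    outer = base64.b64encode(inner.encode()).decode()
    return outer.encode().hex()

if __name__ == "__main__":
    print(extract_addresses(LOG_ID))  # the bc1q strings the writeup decodes by hand
```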

The next question is: “The wallet address used has been involved in transactions between wallets belonging to which threat group?” After extensive online research with a Bitcoin block explorer, analysing the related transactions, I found that the transaction bc1q5jqgm7nvrhaw2rh2vk0dk8e4gg5g373g0vz07r is linked to an article on the OFAC website, which gives the answer: LockBit.