Mapping CTF Techniques to the MITRE ATT&CK Framework: TryHack3M: Bricks Heist

itsShotgun
4 min read · Nov 7, 2024

Hello, World!
This article dives into my fourth entry in the Let’s CTF series, where I explore how Capture the Flag (CTF) tactics align with real-world attacker techniques. By leveraging the MITRE ATT&CK framework, I’ll break down each step of my CTF challenge to show you how common cybersecurity vulnerabilities are exploited and how to analyze attacks with a structured approach.

The target for this exercise was a vulnerable machine themed around “Bricks,” a TryHackMe CTF. Let’s walk through my methods, the MITRE techniques used, and how these relate to actual threat actions in the wild.

Step 1: Preparing for Attack — Reconnaissance and Initial Setup

To start, I needed to reliably resolve the target machine’s hostname to its IP address, so I began with a basic setup task: adding the target domain to my system’s /etc/hosts file. With that entry in place, the domain name resolved locally without any DNS lookup.

MITRE Technique Used:

  • T1071.001 — Application Layer Protocol
    This technique covers communication with the target over standard web protocols such as HTTP or HTTPS.

Step 2: Port Scanning with RustScan

With basic setup complete, I initiated a RustScan port scan to quickly identify open ports on the target. RustScan enabled a fast check, which showed open ports (22, 80, 443, 3306). Identifying these ports early is critical to understanding the machine’s attack surface and prioritizing possible entry points.

MITRE Technique Used:

  • T1046 — Network Service Scanning
    Attackers use this technique to discover accessible network services, a common first step to better understand the system’s exposure.

Step 3: Exploring the Web Application

The port scan revealed a web server running on the target, so I accessed it in a browser. Here, I discovered that the server used WordPress. The robots.txt file and other web directories provided some hints but no sensitive information. From experience, I knew WordPress can often harbor vulnerabilities, especially with outdated themes and plugins, so I focused on this avenue.

MITRE Technique Used:

  • T1190 — Exploit Public-Facing Application
    Attackers often exploit internet-facing applications, such as CMSs, to gain unauthorized access.

Step 4: Exploiting a WordPress Vulnerability

After confirming the target WordPress theme was called “Bricks,” I investigated its version. My research revealed that “Bricks” was susceptible to Remote Code Execution (RCE). I located an exploit online, downloaded it, and successfully ran it against the machine to gain shell access.

MITRE Technique Used:

  • T1190 — Exploit Public-Facing Application
    Successfully exploiting WordPress allowed me entry, a step attackers would take to establish an initial foothold in a compromised environment.

Step 5: Maintaining Access with Reverse Shell Attempt

With a basic shell in place, I sought to establish a reverse shell using Netcat for persistent access. Unfortunately, I ran into several configuration issues, so I couldn’t get a stable reverse shell connection, but I still had functional shell access for further steps.

MITRE Technique Used:

  • T1071.001 — Application Layer Protocol
    Setting up a reverse shell involves protocols that allow for consistent communication, often used by attackers for ongoing control.

Step 6: Searching for Sensitive Data and Flags

Next, I navigated through files on the server and quickly located some initial flags and configuration files, which held useful information about the server’s state and application settings.

MITRE Technique Used:

  • T1005 — Data from Local System
    CTFs and attackers alike commonly search for sensitive information in local files as soon as they gain access to a system.

Step 7: Investigating Running Processes

To probe further, I listed running processes on the server. I found a suspicious service, “nm_dialogue,” that was potentially linked to a cryptocurrency miner. This discovery suggested the system was being used for unauthorized mining activity, making the CTF’s challenge more intriguing.

MITRE Technique Used:

  • T1057 — Process Discovery
    Attackers use this tactic to inspect active processes, identify unusual services, and locate potential malicious software running in a system.

Step 8: Identifying the Miner Configuration

After confirming mining activity, I dug deeper into configuration files and logs for evidence of cryptocurrency wallet addresses or mining pools. These configurations pointed to a wallet address, suggesting an active mining instance on the compromised server.

MITRE Technique Used:

  • T1005 — Data from Local System
    By accessing configuration files, I gathered critical data for understanding the target machine’s vulnerabilities and purpose.
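Steps 7 and 8 together are the standard triage a responder runs on a box suspected of hosting a miner: look at the process list for mining indicators, then pull the pool and wallet out of whatever configuration the process reads. The Python below is an added example, not code from the original post or from the CTF; it works over a constructed `ps aux`-style listing and a constructed JSON config laid out the way common miner configs are (a `pools` list with `url` and `user` entries). The process name `nm_dialogue` is taken from the post, but its path, arguments, the pool host and the wallet placeholder are all made up for the example.

```python
"""Triage a process listing and a config file for crypto-mining indicators
(ATT&CK T1057 Process Discovery and T1005 Data from Local System).

Added example, not part of the original post. Paths, pool host, wallet value
and the process command line below are constructed placeholders.
"""
import json
import re

STRATUM_RE = re.compile(r"stratum\+(tcp|ssl)://\S+", re.I)

# (pattern, reason) pairs applied to each process command line.
MINER_PATTERNS = [
    (STRATUM_RE, "stratum mining-pool URL"),
    (re.compile(r"\b(xmrig|minerd|cpuminer|ethminer)\b", re.I), "known miner binary name"),
    (re.compile(r"--donate-level|--coin=|--algo=", re.I), "miner-style CLI flags"),
    (re.compile(r"/(tmp|dev/shm)/"), "executing from a world-writable temp dir"),
]
CPU_THRESHOLD = 80.0  # %CPU above which a process is worth a second look


def parse_ps_line(line):
    """Parse one `ps aux` row: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND."""
    parts = line.split(None, 10)
    if len(parts) < 11 or not parts[1].isdigit():
        return None  # header row or malformed line
    return {"user": parts[0], "pid": int(parts[1]), "cpu": float(parts[2]), "cmd": parts[10]}


def triage_processes(ps_output):
    """Return a list of findings, one per process that matched any indicator."""
    findings = []
    for line in ps_output.splitlines():
        proc = parse_ps_line(line)
        if not proc:
            continue
        reasons = [why for pat, why in MINER_PATTERNS if pat.search(proc["cmd"])]
        if proc["cpu"] >= CPU_THRESHOLD:
            reasons.append(f"sustained CPU {proc['cpu']}%")
        if reasons:
            findings.append({"pid": proc["pid"], "user": proc["user"],
                             "cmd": proc["cmd"], "reasons": reasons})
    return findings


def extract_miner_config(text):
    """Walk a JSON miner config and collect pool URLs and wallet-like values."""
    pools, wallets = [], []

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if isinstance(value, str) and key.lower() in ("user", "wallet", "address"):
                    wallets.append(value)
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)
        elif isinstance(node, str) and STRATUM_RE.search(node):
            pools.append(node)

    walk(json.loads(text))
    return {"pools": pools, "wallets": wallets}


# Constructed `ps aux` output: three ordinary services and one miner.
SAMPLE_PS = """\
USER       PID %CPU %MEM    VSZ   RSS TTY STAT START   TIME COMMAND
root         1  0.0  0.1 169000 11000 ?   Ss   10:00   0:01 /sbin/init
mysql      812  2.3  8.0 1200000 330000 ? Ssl  10:00   0:42 /usr/sbin/mysqld
www-data  1033  0.5  1.2 210000  48000 ?  S    10:00   0:03 /usr/sbin/apache2 -k start
root      2291 97.8  3.4 540000 140000 ?  Ssl  10:03  45:12 /tmp/.x/nm_dialogue -o stratum+tcp://pool.example.invalid:3333 -u WALLET_ADDRESS_PLACEHOLDER --donate-level=1
"""

# Constructed config in the common miner layout (a "pools" list).
SAMPLE_CONFIG = json.dumps({
    "autosave": True,
    "cpu": {"enabled": True, "max-threads-hint": 100},
    "pools": [{"url": "stratum+tcp://pool.example.invalid:3333",
               "user": "WALLET_ADDRESS_PLACEHOLDER", "pass": "x", "keepalive": True}],
})

if __name__ == "__main__":
    for f in triage_processes(SAMPLE_PS):
        print(f"PID {f['pid']} ({f['user']}): {f['cmd']}\n  -> {', '.join(f['reasons'])}")
    print(extract_miner_config(SAMPLE_CONFIG))
```

The CPU check is deliberately only one reason among several: a busy database will exceed the threshold too, so a finding with the CPU line alone is a prompt to look, while a stratum URL or a binary under /tmp is the evidence that justifies pulling the config and, as in Step 9, pivoting on the wallet.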

Step 9: Analyzing the Wallet for Attribution

To trace the wallet address further, I investigated the wallet’s blockchain transaction history. This transaction analysis pointed back to a specific group known for using similar techniques in cryptocurrency mining campaigns: the LockBit ransomware group. While attribution wasn’t the primary objective of the challenge, this step mimicked real-world threat hunting by connecting the wallet address to known threat actors.

MITRE Technique Used:

  • T1071.004 — Application Layer Protocol (Custom)
    Tracking cryptocurrency wallets and analyzing blockchain transactions is a common practice in threat intelligence for attributing ransomware and other attack campaigns.

Summary: Mapping CTF Techniques to MITRE ATT&CK

This CTF was a well-rounded introduction to how attackers use structured methodologies to target systems. Below is a quick recap of the MITRE ATT&CK techniques we covered:

  • T1071.001 — Application Layer Protocol (Steps 1 and 5)
  • T1046 — Network Service Scanning (Step 2)
  • T1190 — Exploit Public-Facing Application (Steps 3 and 4)
  • T1005 — Data from Local System (Steps 6 and 8)
  • T1057 — Process Discovery (Step 7)
  • T1071.004 — Application Layer Protocol (Custom) (Step 9)

Conclusion

Through this exercise, I explored and mapped each step to the MITRE ATT&CK framework, linking CTF strategies to real-world threats. For security practitioners, this structured approach provides insight into attacker methodologies, bridging the gap between theory and practice.

Stay tuned for more, and happy hunting!
