Mapping CTF Techniques to the MITRE ATT&CK Framework: TryHack3M: Bricks Heist
Hello, World!
This article dives into my fourth entry in the Let’s CTF series, where I explore how Capture the Flag (CTF) tactics align with real-world attacker techniques. By leveraging the MITRE ATT&CK framework, I’ll break down each step of my CTF challenge to show you how common cybersecurity vulnerabilities are exploited and how to analyze attacks with a structured approach.
The target for this exercise was a vulnerable machine themed around “Bricks,” a TryHackMe CTF. Let’s walk through my methods, the MITRE techniques used, and how these relate to actual threat actions in the wild.
Step 1: Preparing for Attack — Reconnaissance and Initial Setup
To start, I needed a reliable way to address the target machine, so I began with a basic setup task: adding the target's hostname and IP address to my system's /etc/hosts file. With that entry in place, the browser and my tooling resolved the lab domain locally, without any DNS lookup.
MITRE Technique Used:
- None. Editing /etc/hosts is lab plumbing, not an adversary technique. T1071.001 (Application Layer Protocol: Web Protocols) is a Command and Control technique that describes tunnelling C2 traffic over HTTP or HTTPS; it says nothing about name resolution. If a tag is wanted for working out how to reach the target by name, the closest Reconnaissance technique is T1590.002 (Gather Victim Network Information: DNS).
Step 2: Port Scanning with RustScan
With basic setup complete, I initiated a RustScan port scan to quickly identify open ports on the target. RustScan enabled a fast check, which showed open ports (22, 80, 443, 3306). Identifying these ports early is critical to understanding the machine’s attack surface and prioritizing possible entry points.
MITRE Technique Used:
- T1595.001 — Active Scanning: Scanning IP Blocks, with T1046 — Network Service Discovery (formerly "Network Service Scanning") as the post-access equivalent
From outside the target, with no foothold yet, a port scan belongs to the Reconnaissance tactic and maps to T1595.001. T1046 sits in the Discovery tactic and is the right tag once you are scanning from a host you already control. Either way the goal is the same: enumerate reachable services to understand the system's exposure and choose entry points.
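As an added example (not RustScan's code and not part of the original write-up), here is a minimal TCP connect scanner in Python that shows what a port scan looks like at the socket level. To run offline it starts its own throw-away listener on 127.0.0.1; that listener and the port window it scans are constructed for the demo, so the only assumption is a host with a working loopback interface.

```python
import socket
from concurrent.futures import ThreadPoolExecutor
import threading


def probe(host, port, timeout=0.5):
    """Return True when a full TCP handshake to host:port succeeds.

    A completed connect() is exactly what a connect scan (nmap -sT, RustScan's
    default) does, which is also why it is noisy: the target sees an accepted
    connection from the scanner on every open port.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return True
        except OSError:  # refused, timed out, unreachable: all reported as not open
            return False


def connect_scan(host, ports, workers=64, timeout=0.5):
    """Probe every port in `ports` concurrently and return the sorted open ports."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe(host, p, timeout)), ports))
    return sorted(port for port, is_open in results if is_open)


def start_local_listener():
    """Constructed target for the demo: a throw-away TCP listener on 127.0.0.1.

    Returns (server_socket, port). Use stop_listener() to shut it down.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener shut down: stop serving
                return

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def stop_listener(srv):
    """shutdown() wakes the blocked accept() so the port really stops answering."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()


def find_closed_port():
    """Reserve an ephemeral port and release it again, yielding a port that refuses connections."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_local_listener()
    window = range(max(1, open_port - 25), open_port + 25)
    print("open ports in window:", connect_scan("127.0.0.1", window))
    stop_listener(srv)
```

The same handshake is what makes this technique easy to detect: a burst of accepted connections from one source across many ports shows up in firewall logs and in any flow collector, which is why real operators throttle scans or hand the list to a slower, more targeted service probe.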
Step 3: Exploring the Web Application
The port scan revealed a web server running on the target, so I accessed it in a browser. Here, I discovered that the server used WordPress. The robots.txt file and other web directories provided some hints but no sensitive information. From experience, I knew WordPress can often harbor vulnerabilities, especially with outdated themes and plugins, so I focused on this avenue.
MITRE Technique Used:
- T1592.002 — Gather Victim Host Information: Software, and T1595.003 — Active Scanning: Wordlist Scanning
Identifying the CMS from page source, response headers and the familiar wp-content paths is Reconnaissance, and so is brute-forcing directories and reading robots.txt. T1190 (Exploit Public-Facing Application) is the right tag only once the application is actually exploited, which happens in the next step.
Step 4: Exploiting a WordPress Vulnerability
After confirming the target WordPress theme was Bricks (the Bricks Builder theme), I investigated its version, which is the detail that decides everything here: the public unauthenticated RCE in Bricks, tracked as CVE-2024-25600, affects versions 1.9.6 and earlier and was fixed in 1.9.6.1. My research revealed that the installed version was susceptible to Remote Code Execution. I located an exploit online, downloaded it, and successfully ran it against the machine to gain shell access. Read any downloaded exploit before you run it; a proof of concept is untrusted code executing on your own attacking host.
MITRE Technique Used:
- T1190 — Exploit Public-Facing Application
Successfully exploiting WordPress allowed me entry, a step attackers would take to establish an initial foothold in a compromised environment.
Step 5: Upgrading to a Reverse Shell
With a basic shell in place, I sought to establish a reverse shell using Netcat for interactive access. Unfortunately, I ran into several configuration issues, so I couldn't get a stable reverse shell connection, but I still had functional shell access for further steps.
MITRE Technique Used:
- T1059.004 — Command and Scripting Interpreter: Unix Shell, and T1095 — Non-Application Layer Protocol
Running commands through the foothold is T1059.004. A plain Netcat reverse shell is a raw TCP session, so its channel maps to T1095 rather than T1071.001, which covers C2 wrapped in HTTP or HTTPS. A reverse shell is also Command and Control, not Persistence: it dies with the process, and surviving a reboot needs a separate technique such as T1053.003 (Scheduled Task/Job: Cron) or T1543.002 (Create or Modify System Process: Systemd Service).
Step 6: Searching for Sensitive Data and Flags
Next, I navigated through files on the server and quickly located some initial flags and configuration files, which held useful information about the server’s state and application settings.
MITRE Technique Used:
- T1005 — Data from Local System
CTFs and attackers alike commonly search for sensitive information in local files as soon as they gain access to a system.
Step 7: Investigating Running Processes
To probe further, I listed running processes on the server. I found a suspicious service, “nm_dialogue,” that was potentially linked to a cryptocurrency miner. This discovery suggested the system was being used for unauthorized mining activity, making the CTF’s challenge more intriguing.
MITRE Technique Used:
- T1057 — Process Discovery, with T1496 — Resource Hijacking for the mining itself
Listing processes is how attackers, and the analysts chasing them, spot unusual services and locate malicious software on a system. A miner burning CPU for someone else's benefit is T1496, and a miner that borrows a name chosen to look like a legitimate system daemon is additionally T1036 (Masquerading).
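The triage logic below is an added example, not part of the original write-up: it scores lines of `ps -eo pid,user,pcpu,args` output against the indicators that usually give a cryptominer away (stratum pool arguments, runaway CPU, a binary launched from a scratch directory, and a userland process wearing a kernel-thread name). The process listing it runs over is constructed for the demo, including the `nm_dialogue` entry, and is not output captured from the room.

```python
import re
from dataclasses import dataclass, field

# Command-line fragments typical of CPU miners (xmrig, cpuminer and their forks).
MINER_ARGS = re.compile(
    r"stratum\+(?:tcp|ssl)://|xmrig|minerd|--donate-level|cryptonight|\brx/0\b", re.I
)
# Executables launched from world-writable scratch directories.
SCRATCH_DIR = re.compile(r"^/(?:tmp|var/tmp|dev/shm)/")
# Real kernel threads show up in ps as "[kswapd0]"; a userland binary wearing that name is a masquerade.
KERNEL_THREAD_NAMES = {"kswapd0", "kthreadd", "ksoftirqd", "migration", "rcu_sched"}


@dataclass
class Finding:
    pid: int
    user: str
    pcpu: float
    args: str
    reasons: list = field(default_factory=list)


def triage(ps_text, cpu_threshold=80.0):
    """Score each line of `ps -eo pid,user,pcpu,args --no-headers` output; return the suspicious ones."""
    findings = []
    for line in ps_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue  # blank line, or a process with an empty args column
        pid, user, pcpu, args = parts
        exe = args.split()[0]
        reasons = []
        if float(pcpu) >= cpu_threshold:
            reasons.append("high_cpu")
        if MINER_ARGS.search(args):
            reasons.append("miner_args")
        if SCRATCH_DIR.match(exe):
            reasons.append("scratch_dir_exe")
        if exe.rsplit("/", 1)[-1] in KERNEL_THREAD_NAMES and not exe.startswith("["):
            reasons.append("kernel_thread_lookalike")
        if reasons:
            findings.append(Finding(int(pid), user, float(pcpu), args, reasons))
    return findings


# Constructed sample in `ps -eo pid,user,pcpu,args` layout; not captured from the room.
SAMPLE_PS = """\
    1 root      0.0 /sbin/init
  541 root      0.1 /usr/sbin/sshd -D
  873 www-data  1.2 /usr/sbin/apache2 -k start
  902 mysql     0.8 /usr/sbin/mysqld
  944 root      0.0 [kswapd0]
 1337 root     97.4 /lib/NetworkManager/nm_dialogue -o stratum+tcp://pool.example.invalid:3333 --donate-level=1
 1402 ubuntu    0.0 /tmp/.x/kswapd0 -c /tmp/.x/cfg.json
"""


if __name__ == "__main__":
    for f in triage(SAMPLE_PS):
        print(f"pid={f.pid} user={f.user} cpu={f.pcpu} reasons={','.join(f.reasons)} :: {f.args}")
```

Two of the checks deserve a note. The genuine kernel thread on pid 944 is not flagged, because ps prints real kernel threads in square brackets with no path; the lookalike on pid 1402 has a path under /tmp and so trips two rules at once. The CPU threshold is deliberately a parameter: a miner that throttles itself to stay under a monitoring threshold is common, so argument and path indicators matter more than load alone.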
Step 8: Identifying the Miner Configuration
After confirming mining activity, I dug deeper into configuration files and logs for evidence of cryptocurrency wallet addresses or mining pools. These configurations pointed to a wallet address, suggesting an active mining instance on the compromised server.
MITRE Technique Used:
- T1005 — Data from Local System
By reading the miner's configuration I recovered the wallet and pool details that define the attacker's infrastructure, the same artefacts a responder would lift as indicators of compromise.
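Wallet addresses pulled from a config or log are only worth pivoting on if they are real addresses, so here is an added example (not the room's files and not the author's method) that extracts stratum pool endpoints and legacy Bitcoin address candidates from text and checks each candidate's Base58Check checksum. The config it parses is constructed in the layout of an xmrig-style JSON file (an assumption about miner format, not something the room states); its first wallet field holds the publicly known Bitcoin genesis-block address purely as a known-valid Base58Check string, and the second holds the same string with its last character changed.

```python
import hashlib
import json
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy (P2PKH / P2SH) Bitcoin address shape: Base58 text, 26 to 35 characters, starting with 1 or 3.
BTC_LEGACY = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
# Stratum pool URLs as used by xmrig-style miners.
POOL_URL = re.compile(r"stratum\+(?:tcp|ssl)://[A-Za-z0-9.\-]+:\d{1,5}")


def b58decode(text):
    """Decode a Base58 string to bytes, preserving leading '1' characters as zero bytes."""
    value = 0
    for ch in text:
        value = value * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-Base58 character
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_valid_base58check(addr):
    """True if addr decodes to 25 bytes whose last 4 equal the double-SHA256 checksum of the first 21."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def analyze_miner_artifacts(text):
    """Pull pool endpoints and wallet candidates out of config or log text.

    Returns {"pools": [...], "wallets": {addr: "valid" | "bad_checksum"}}.
    A checksum-valid string is worth pivoting on in a block explorer; a candidate that
    fails the checksum is most likely a copy error or a deliberately mangled decoy.
    """
    pools = sorted(set(POOL_URL.findall(text)))
    wallets = {
        addr: ("valid" if is_valid_base58check(addr) else "bad_checksum")
        for addr in sorted(set(BTC_LEGACY.findall(text)))
    }
    return {"pools": pools, "wallets": wallets}


# Constructed sample in the layout of an xmrig-style JSON config; not taken from the room.
SAMPLE_CONFIG = json.dumps({
    "autosave": True,
    "cpu": {"enabled": True, "max-threads-hint": 100},
    "donate-level": 1,
    "pools": [
        {"url": "stratum+tcp://pool.example.invalid:3333",
         "user": "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa", "pass": "x"},   # genesis-block address: known valid
        {"url": "stratum+ssl://backup.example.invalid:443",
         "user": "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb", "pass": "x"},   # last character altered: bad checksum
    ],
}, indent=2)


if __name__ == "__main__":
    print(json.dumps(analyze_miner_artifacts(SAMPLE_CONFIG), indent=2))
```

The regex only covers legacy Base58 addresses; bech32 (bc1...) and Monero (95-character, starting with 4) addresses need their own pattern and checksum routine, so treat a miss here as "not a legacy Bitcoin address", not as "no wallet present".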
Step 9: Analyzing the Wallet for Attribution
To trace the wallet address further, I investigated the wallet's blockchain transaction history. This transaction analysis pointed back to a group whose wallets are well documented in public threat intelligence: the LockBit ransomware operation. While attribution wasn't the primary objective of the challenge, this step mimicked real-world threat hunting by connecting the wallet address to a known threat actor.
MITRE Technique Used:
- None (analyst activity). T1071.004 is Application Layer Protocol: DNS, which has nothing to do with blockchain analysis, and ATT&CK catalogues adversary behaviour, not the defender's investigation of it. The adversary-side technique that makes this step possible is T1496 — Resource Hijacking, whose payout address is the artefact being traced.
Tracing wallets through public transaction history is a standard threat-intelligence practice for attributing ransomware and cryptojacking campaigns. Treat a single link as a lead rather than proof: addresses are free to generate, and exchange hot wallets and mixers pull unrelated actors into the same transaction graph.
Summary: Mapping CTF Techniques to MITRE ATT&CK
This CTF was a well-rounded introduction to how attackers use structured methodologies to target systems. Across the nine steps we touched Reconnaissance and Discovery (scanning and fingerprinting the WordPress install, then listing processes), Initial Access (exploiting the Bricks theme), Command and Control (the shell and the reverse-shell attempt), Collection (flags and configuration files) and the Impact of a cryptominer hijacking the host's resources, before finishing with an attribution step that is analyst work rather than an adversary technique.
Conclusion
Through this exercise, I explored and mapped each step to the MITRE ATT&CK framework, linking CTF strategies to real-world threats. For security practitioners, this structured approach provides insight into attacker methodologies, bridging the gap between theory and practice.
Stay tuned for more, and happy hunting!