Nax — TryHackMe — Writeup

TonyRahmos

4 min readNov 26, 2020

Hello. I’m Rahmos. Here is my Nax — TryHackMe — Writeup. Check it out!

First, deploy the machine and nmap for opened ports:

nmap -A -T4 -p- -v <ip>

There are 5 ports opened: 22(SSH), 25 (SMTP), 80 (HTTP), 389 (LDAP), 443 (HTTPS).

First, let’s access the website at port 80:

Find hidden dirs using gobuster:

gobuster dir -u http://<ip>:80/ -w /path-to-wordlist -x txt,php,html

There is a “/nagios” but I need credential to access this webpage:

I haven’t known the credential yet, so just skip it for now. Looks like there’s nothing more I can find at port 80. So let’s move to port 443.

Again use gobuster:

gobuster dir -u https://<ip> -w /path-to-wordlist -k -x php,html,txt

But I still cannot find anything! Is there a trick? 😐

Take a look again at the elements.. I tried to lookup them in the periodic table, and I found something interesting:

Ag : 47
Hg: 80
Ta: 73
Sb: 51
Po: 84
Pd: 46
Hg: 80
Pt: 78
Lr: 103

Put all the number to http://icyberchef.com/ and decode from Decimal, I found an image: PI3T.PNg

Let’s access this image:

It’s time for steganography. Download the image and use exiftool to see metadata:

exiftool PI3T.PNg

exiftool

So the creator of this image is Piet Mondrian.

Now I’ll find the username and password to login to /nagios. I google “default credential nagios” and found this:

So let’s try “nagiosadmin” as the username and it’s the correct answer. However, password is not the default one. So again, I focus on steganography and found this github repo. Scroll down and I find a clue:

The name of this tool is very similar to the image name. So let’s access it and upload our piet image.

And yes, I’ve found the password.
Note that the “%” symbol is separator between username and password.

So let’s login to /nagios with the credential I’ve found:

It’s only the default page of nagios, not where I can login to the admin panel. So I tried Google more about nagios and found the right page to admin login: /nagiosxi: