Nax — TryHackMe — Writeup
Hello. I’m Rahmos. Here is my Nax — TryHackMe — Writeup. Check it out!
First, deploy the machine and nmap for opened ports:
nmap -A -T4 -p- -v <ip>
There are 5 ports opened: 22(SSH), 25 (SMTP), 80 (HTTP), 389 (LDAP), 443 (HTTPS).
First, let’s access the website at port 80:
Find hidden dirs using gobuster:
gobuster dir -u http://<ip>:80/ -w /path-to-wordlist -x txt,php,html
There is a “/nagios” but I need credential to access this webpage:
I haven’t known the credential yet, so just skip it for now. Looks like there’s nothing more I can find at port 80. So let’s move to port 443.
Again use gobuster:
gobuster dir -u https://<ip> -w /path-to-wordlist -k -x php,html,txt
But I still cannot find anything! Is there a trick? 😐
Take a look again at the elements.. I tried to lookup them in the periodic table, and I found something interesting:
Ag : 47
Put all the number to http://icyberchef.com/ and decode from Decimal, I found an image: PI3T.PNg
Let’s access this image:
It’s time for steganography. Download the image and use exiftool to see metadata:
So the creator of this image is Piet Mondrian.
Now I’ll find the username and password to login to /nagios. I google “default credential nagios” and found this:
So let’s try “nagiosadmin” as the username and it’s the correct answer. However, password is not the default one. So again, I focus on steganography and found this github repo. Scroll down and I find a clue:
The name of this tool is very similar to the image name. So let’s access it and upload our piet image.
And yes, I’ve found the password.
Note that the “%” symbol is separator between username and password.
So let’s login to /nagios with the credential I’ve found:
It’s only the default page of nagios, not where I can login to the admin panel. So I tried Google more about nagios and found the right page to admin login: /nagiosxi:
Login and I’ll be in the admin panel:
Now look at the description and you’ll find the CVE number:
Search for exploit using metasploit:
And I’ve found the RCE module. Go ahead and use it. Also copy the path, it’ll be the next answer.
Type “options” to see which field I need to set, and there are 3 fields required:
RHOSTS: the target ip
PASSWORD: the password I’ve found above
LHOST: your VPN ip
After everything is set, “run”!
And yes, I’ve got the reverse shell into the machine! Move around and get the user.txt flag:
Now type “shell” to spawn a shell into the machine. After that, spawn a tty shell using python:
python3 -c ‘import pty;pty.spawn(“/bin/bash”)’
I’m root already! Get the final flag: