Nax — TryHackMe — Writeup

Hello. I’m Rahmos. Here is my Nax — TryHackMe — Writeup. Check it out!

First, deploy the machine and nmap for opened ports:

nmap -A -T4 -p- -v <ip>

nmap

There are 5 ports opened: 22(SSH), 25 (SMTP), 80 (HTTP), 389 (LDAP), 443 (HTTPS).

First, let’s access the website at port 80:

port 80

Find hidden dirs using gobuster:

gobuster dir -u http://<ip>:80/ -w /path-to-wordlist -x txt,php,html

gobuster

There is a “/nagios” but I need credential to access this webpage:

/nagios

I haven’t known the credential yet, so just skip it for now. Looks like there’s nothing more I can find at port 80. So let’s move to port 443.

port 443

Again use gobuster:

gobuster dir -u https://<ip> -w /path-to-wordlist -k -x php,html,txt

But I still cannot find anything! Is there a trick? 😐

Take a look again at the elements.. I tried to lookup them in the periodic table, and I found something interesting:

Ag : 47
Hg: 80
Ta: 73
Sb: 51
Po: 84
Pd: 46
Hg: 80
Pt: 78
Lr: 103

Put all the number to http://icyberchef.com/ and decode from Decimal, I found an image: PI3T.PNg

icyberchef

Let’s access this image:

/PI3T.PNg

It’s time for steganography. Download the image and use exiftool to see metadata:

exiftool PI3T.PNg

exiftool

So the creator of this image is Piet Mondrian.

Now I’ll find the username and password to login to /nagios. I google “default credential nagios” and found this:

default credential

So let’s try “nagiosadmin” as the username and it’s the correct answer. However, password is not the default one. So again, I focus on steganography and found this github repo. Scroll down and I find a clue:

The name of this tool is very similar to the image name. So let’s access it and upload our piet image.

npiet online
password

And yes, I’ve found the password.
Note that the “%” symbol is separator between username and password.

So let’s login to /nagios with the credential I’ve found:

/nagios

It’s only the default page of nagios, not where I can login to the admin panel. So I tried Google more about nagios and found the right page to admin login: /nagiosxi:

/nagosxi

Login and I’ll be in the admin panel:

admin panel

Now look at the description and you’ll find the CVE number:

Search for exploit using metasploit:

metasploit

And I’ve found the RCE module. Go ahead and use it. Also copy the path, it’ll be the next answer.

Type “options” to see which field I need to set, and there are 3 fields required:

RHOSTS: the target ip

PASSWORD: the password I’ve found above

LHOST: your VPN ip

After everything is set, “run”!

meterpreter shell

And yes, I’ve got the reverse shell into the machine! Move around and get the user.txt flag:

user.txt

Now type “shell” to spawn a shell into the machine. After that, spawn a tty shell using python:

python3 -c ‘import pty;pty.spawn(“/bin/bash”)’

tty shell

I’m root already! Get the final flag:

root.txt

The end.

HAPPY HACKING

I’m Groot