Nax CTF — TryHackMe

Arrow
6 min read · Sep 19, 2021

Hello, everyone!
Back with another write-up, this time for TryHackMe’s Nax CTF.
Nax is a medium-difficulty machine that focuses on CVE-2019-15949 (Nagios XI Authenticated Remote Command Execution) and on what can go wrong when you are too lazy to upgrade to a newer version, especially with a severity as high as a solid 8.8/10 on the CVSS 3 scale.

Proposed soundtrack: https://www.youtube.com/watch?v=sf6LD2B_kDQ

Nax CTF.

Enumeration

As always, let's fire up Nmap to see what we are dealing with in this challenge.

nmap -sC -sV 10.10.48.194

Starting Nmap 7.60 ( https://nmap.org ) at 2021-09-19 18:31 BST
Nmap scan report for ip-10-10-48-194.eu-west-1.compute.internal (10.10.48.194)
Host is up (0.0011s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 62:1d:d9:88:01:77:0a:52:bb:59:f9:da:c1:a6:e3:cd (RSA)
| 256 af:67:7d:24:e5:95:f4:44:72:d1:0c:39:8d:cc:21:15 (ECDSA)
|_ 256 20:28:15:ef:13:c8:9f:b8:a7:0f:50:e6:2f:3b:1e:57 (EdDSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: ubuntu.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu
| Not valid before: 2020-03-23T23:42:04
|_Not valid after: 2030-03-21T23:42:04
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
389/tcp open ldap OpenLDAP 2.2.X - 2.3.X
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=192.168.85.153/organizationName=Nagios Enterprises/stateOrProvinceName=Minnesota/countryName=US
| Not valid before: 2020-03-24T00:14:58
|_Not valid after: 2030-03-22T00:14:58
|_ssl-date: TLS randomness does not represent time
MAC Address: 02:C8:AF:6B:8D:B3 (Unknown)
Service Info: Host: ubuntu.localdomain; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Ok, a couple of things are going on. First things first, we have an open SSH port on an Ubuntu server (probably Xenial 16.04, judging by the OpenSSH version). A mail server seems to be running on the default SMTP port 25, and OpenLDAP on port 389. I am grouping those two together because, although they were there, no matter how much I enumerated them I did not find anything of interest. However, if you are interested in SMTP/OpenLDAP enumeration, here and here are two very useful guides.
So, let's focus on the site running on ports 80/443. Upon visiting the site, the landing page is this.

Elements.

First honest reaction? Well, what the heck is this! I checked the source code in case there was something of interest there, but no luck. In the meantime, I had already launched gobuster to crawl the site, and while it was doing its thing, I was trying to figure the above out.

gobuster dir -u http://10.10.48.194/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,tar,txt,cgi

After a while, a Fullmetal Alchemist vibe hit me, and I remembered that on the periodic table every element is accompanied by a unique number, its atomic number (apologies if I am mistaken here, it's been quite some time since my last Chemistry lessons back in the high school era).

So, Ag-Hg-Ta-Sb-Po-Pd-Hg-Pt-Lr translates into 47-80-73-51-84-46-80-78-103. But again, that does not seem to be anything meaningful, right? Let's check what those numbers correspond to in ASCII. And BINGO! It seems that we got something there (and at that point I was really hoping it was not a mighty rabbit hole!).

PI3T.PNg
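Scripting the element-to-ASCII decoding above (an added example, not code from the original write-up): the symbols are mapped to atomic numbers and each number is read as an ASCII code. It also goes beyond the page's hyphen-separated hint and segments a run-together string such as "AgHgTa" with backtracking, since a greedy split could misread a two-letter symbol.

```python
from typing import Optional

# Periodic-table symbols in atomic-number order, so index + 1 is the atomic number.
SYMBOLS = (
    "H He Li Be B C N O F Ne Na Mg Al Si P S Cl Ar K Ca Sc Ti V Cr Mn Fe Co Ni "
    "Cu Zn Ga Ge As Se Br Kr Rb Sr Y Zr Nb Mo Tc Ru Rh Pd Ag Cd In Sn Sb Te I "
    "Xe Cs Ba La Ce Pr Nd Pm Sm Eu Gd Tb Dy Ho Er Tm Yb Lu Hf Ta W Re Os Ir Pt "
    "Au Hg Tl Pb Bi Po At Rn Fr Ra Ac Th Pa U Np Pu Am Cm Bk Cf Es Fm Md No Lr "
    "Rf Db Sg Bh Hs Mt Ds Rg Cn Nh Fl Mc Lv Ts Og"
).split()
ATOMIC_NUMBER = {sym: i + 1 for i, sym in enumerate(SYMBOLS)}


def atomic_numbers(hint: str) -> list[int]:
    """Map hyphen-separated element symbols (as on the landing page) to atomic numbers."""
    return [ATOMIC_NUMBER[sym] for sym in hint.split("-")]


def decode_elements(hint: str) -> str:
    """Read each atomic number as an ASCII code, exactly as the write-up does by hand."""
    return "".join(chr(n) for n in atomic_numbers(hint))


def tokenise(text: str) -> Optional[list[str]]:
    """Split a run-together string like 'AgHgTa' into element symbols.

    Tries the two-letter symbol first, then the one-letter one, and backtracks
    when a choice leaves an unparsable remainder. Returns None if no
    segmentation exists (symbols are case-sensitive, so 'HG' is rejected).
    """
    if not text:
        return []
    for width in (2, 1):
        head = text[:width]
        if head in ATOMIC_NUMBER:
            rest = tokenise(text[width:])
            if rest is not None:
                return [head] + rest
    return None


def decode_run_together(text: str) -> Optional[str]:
    """Decode a hint without separators; None when it is not a string of symbols."""
    parts = tokenise(text)
    return None if parts is None else decode_elements("-".join(parts))


if __name__ == "__main__":
    HINT = "Ag-Hg-Ta-Sb-Po-Pd-Hg-Pt-Lr"  # the hint from the Nax landing page
    print(atomic_numbers(HINT))  # [47, 80, 73, 51, 84, 46, 80, 78, 103]
    print(decode_elements(HINT))  # /PI3T.PNg
```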

Ok, we've got a png file, and the first thing that comes to mind when dealing with such things is exiftool. So, I downloaded the file locally to check. Not much, to be honest, apart from the name of the artist. I also ran steghide, but it didn't give anything back.

Exiftool info.

Let's do some OSINT work and search for that Piet Mondrian guy (who is actually a Dutch painter born in 1872, one of the pioneers of 20th-century abstract art). After a lot (and I really mean a lot) of searching, I came across this page with a stego tool whose name recalled our artist.

npiet online.

Clicking on the link, I was redirected to a website where I could upload an image and get back whatever might be hidden in it, I guess. So, I uploaded our png file, and what I got was really satisfying.

Nagios Credentials.

Upon a quick search on Google, we can find that the default credentials for Nagios are nagiosadmin:PASSW0RD, which means that we might have found the username/password hidden within the image. At that moment, I remembered that I had launched gobuster ages ago but never checked its outcome, having been too busy with the image thing. So, here's what its outcome was.

gobuster.

Without any further thought, I jumped straight to the /index.php page and came across the Nagios login page. Breathe deep, the moment of truth: let's check if the credentials we collected are actually any good.

Within Nagios Console.

Sweet! We absolutely nailed it! Time to set up our attack.

CVE-2019-15949

Well, the tag of the challenge already gives it away, so there is not much to search for here. In a little more detail, Nagios XI versions up to and including 5.5.6 are vulnerable to an authenticated remote command execution attack that can give the attacker root rights on the victim machine (the Nagios version is visible after logging in, at the bottom left of the page, so we can double-check that we are working with a vulnerable version). For more details on how the attack actually works, please check Rapid7's report.

Nagios Version

Escalation

Using Searchsploit and searching “nagios xi”, we can see that there is a Metasploit module for this vulnerability.

Searchsploit

So let's fire up Metasploit and do the trivial preparation shown below!

Root.

And voilà!! We are root.

That's all for today, guys!
I hope you enjoyed my write-up, as much as I enjoyed writing it.
See you next time and keep hacking! :)
