TryHackMe Nax - Step-Wise Writeup for Beginners

noobsixt9
4 min read · Apr 24, 2022

Hello everyone, this is my first writeup. I don’t really have that much experience writing, so there will be mistakes; please tell me where I went wrong and I promise I will not repeat those mistakes. All kinds of suggestions are appreciated. Thank you.

As we all know, the first rule of pentesting is enumeration, so I did a quick nmap TCP scan.

Here we can see a lot of open ports. Let’s check port 80 first; we could enumerate SMTP too, but HTTP first.

Here we see a not-so-attractive homepage, but the chemical elements on it are interesting. First I thought we would get something from their names, but sadly that led nowhere. Then I looked up each element’s atomic number and got the following decimal values:

47 80 73 51 84 46 80 78 103

When I put them into CyberChef (the From Decimal operation treats each number as an ASCII code) I got the following output:

And ladies and gentlemen, that’s our first answer, the hidden file: PI3T.Png

Now time to see that image.

[screenshot: pi3t.png]

Honestly I have no idea what this is, maybe some kind of modern art.

I downloaded it and checked its metadata with exiftool, which showed an Artist tag.

[screenshot: exiftool result]

And that’s right, there is our second answer, the file creator’s name: Piet Mondrian

We have a .png file now and nothing else, so anyone would think about steganography. I tried binwalk, nothing, and of course we can’t use .png files with steghide (it only handles JPEG, BMP, WAV and AU). So what did I do? I searched. Searched for other people’s writeups. Hey! I am a noob, OK, I am learning and it’s totally fine to read writeups. That is how I found an online tool for this, via an awesome list of resources for all kinds of steganography: https://0xrick.github.io/lists/stego/ .

From there I found https://www.bertnase.de/npiet/npiet-execute.php, where you can upload an image and it runs it. The artist name and the blocky image are the hint: Piet is an esoteric programming language whose programs are images made of coloured blocks, so the PNG is not encrypted data but a program, and npiet interprets it and shows what it prints.

[screenshot: npiet online]

Ladies and gentlemen, we got our username and password from its output: nagiosadmin:n3p3UQ&9BjLp4$7uhWdY

Now what? We can try SSH with this username and password, but it fails. So I ran gobuster. If you don’t know what gobuster is, in simple words it brute-forces directory and file names on a website from a wordlist and reports the ones that do not come back as 404.

[screenshot: gobuster]

Here we can see /nagios. When we try to visit that page, a dialogue box appears asking for a username and password: this is HTTP Basic authentication, and the realm shown in the box is Nagios. The username we recovered is nagiosadmin, so I entered the same username and password we got from the image.

[screenshot: /nagios]
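What gobuster is doing, and what the dialogue box on /nagios is at the HTTP level, as an added Python example that is not code from the original writeup. It starts a local stand-in for the target (the realm string, the wordlist and the set of paths served are constructed for the demo; the credentials are the ones recovered from the Piet image) and then does both steps with urllib: brute-force the wordlist, keeping anything that is not a 404, then send the nagiosadmin credentials in a Basic Authorization header:

```python
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Credentials recovered from the Piet image (from the writeup). The realm string,
# the wordlist and the paths served are constructed for this local stand-in.
CREDS = ("nagiosadmin", "n3p3UQ&9BjLp4$7uhWdY")
REALM = "Nagios Access"
WORDLIST = ["admin", "images", "login", "nagios", "nagiosxi"]


def basic_token(user, password):
    """Value of the Authorization header for HTTP Basic auth: base64("user:password")."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class FakeNagiosHost(BaseHTTPRequestHandler):
    """Only /nagios exists, and it sits behind Basic auth, like the real target."""

    def do_GET(self):
        if self.path.rstrip("/") != "/nagios":
            self.send_response(404)
            self.end_headers()
            return
        if self.headers.get("Authorization") != basic_token(*CREDS):
            # A 401 with a WWW-Authenticate header is what makes the browser
            # pop up the username/password box, with REALM as its title.
            self.send_response(401)
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
            self.end_headers()
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"Nagios XI")

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind to a free localhost port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), FakeNagiosHost)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(url, auth=None):
    """GET url, optionally with Basic auth; return (status, WWW-Authenticate header or None)."""
    req = Request(url)
    if auth is not None:
        req.add_header("Authorization", basic_token(*auth))
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.getcode(), resp.headers.get("WWW-Authenticate")
    except HTTPError as err:
        return err.code, err.headers.get("WWW-Authenticate")


def dirbust(base_url, words):
    """What gobuster does: request each word and keep everything that is not a 404."""
    found = {}
    for word in words:
        status, _ = probe(f"{base_url}/{word}")
        if status != 404:
            found[f"/{word}"] = status
    return found


def try_login(base_url, path, creds):
    """True when the supplied credentials unlock the protected directory."""
    return probe(f"{base_url}{path}", creds)[0] == 200


if __name__ == "__main__":
    srv = start_server()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    print(dirbust(base, WORDLIST))            # {'/nagios': 401}
    print(probe(base + "/nagios"))            # (401, 'Basic realm="Nagios Access"')
    print(try_login(base, "/nagios", CREDS))  # True
    srv.shutdown()
```

A 401 in the gobuster output is a hit, not a miss: it tells you the directory exists and that a credential you already hold may fit, which is exactly what happened with nagiosadmin here.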

We can see the application name and its version here, so we can search for exploits now.

[screenshot: searchsploit]

When we open that exploit file we see this:

[screenshot: CVE-2019-15949]

Answer to the CVE number: CVE-2019-15949

Now, as instructed, open Metasploit and search cve-2019-15949.

You will see the result, which is also the answer to the next question: exploit/linux/http/nagios_xi_plugins_check_authenticated_rce

Use that exploit, set its options (the target host, the listener address, and the nagiosadmin credentials you recovered; the module is authenticated, so it needs them) and run it. Congratulations, you have a Meterpreter reverse shell with root privileges.

Play around and you will find user.txt in /home/galand and root.txt in /root.

Answer to user.txt: THM{84b17add1d72a9f2e99c33bc568ae0f1}

Answer to root.txt: THM{c89b2e39c83067503a6508b21ed6e962}

[screenshot: successful exploit connection]

Easy, right? Haha, not really. With that said, we have successfully completed TryHackMe’s Nax CTF step by step. This was really fun, and thank you TryHackMe and the creator of this room for this awesome and knowledgeable CTF. And thank you all for reading this writeup. I will keep posting more writeups, so make sure you follow me, alright? Haha, goodbye! Hackers, keep hacking.

noobsixt9

Cybersecurity enthusiast, noob programmer and after joining medium probably a writer too HAHAHA