Skip to content

Nax

What hidden file did you find?

Starting enumeration with a quick scan, nmap -T4 $ip, I found that this machine has the following ports open: - 22 - ssh - 25 - smtp - 80 - http - 389 - ldap - 443 - https

I'll start a more in-depth scan of these ports and also a directory enumeration using gobuster, and while waiting for them to finish start manual exploration of the website: - nmap $ip -T4 -sVC -p22,25,80,389,443 -oN versions.nmap - gobuster dir -u "http://$ip" -w /usr/share/wordlists/dirbuster

Navigating to the server's IP in my browser, I arrive at an unusual page. Pressing CTRL+u to view the page's source, there's a comment in the HTML which reads "/nagiosxi/", which has some resemblance in spelling to the name of this challenge, Nax. image

As eluded to in the challenge's description, Nagios XI is an enterprise tool for monitoring infrastructure.

At this point I spent significant time trying to enumerate the Nagios instance for vulnerabilities and returned to this page empty handed. However, taking the text about "elements" itself as a hint, I realized that each of the two-character strings are the symbol of an element on the periodic table. Each element is associated with a number, and writing them out in order, I have the following: Ag - Hg - Ta - Sb - Po - Pd - Hg - Pt - Lr 47 - 80 - 73 - 51 - 84 - 46 - 80 - 78 - 103 If we interpret number as an ASCII character, we get: / - P - I - 3 - T - . - P - N - g Navigating to /PI3T.PNg (case-sensitive, with lowercase 'g'), we get an interesting file. This filename is the answer to the first guiding question.

image

Who is the creator of the file?

To display this file's metadata, which could include the creator, we can use exiftool.

image

Under "Artist" we find the creator's name.

What is the username you found?

With the artist/creator matching the filename, it seem that the challenge is telling us to pay attention to the name "Piet". With some research, it turns out that Piet is an esoteric programming language which uses images like this as its code. https://esolangs.org/wiki/Piet

I found an online Piet interpreter, npiet online, and although I had some issues at first ("libpng error: Not enough image data"), I exported the image as a .ppm file using GIMP to retry. This time it failed due to the upload's size being too large... this meant my next task was to try using the interpreter locally. I downloaded the source code from https://www.bertnase.de/npiet/npiet-1.3f.tar.gz, extracted it, and then followed these steps described in README.piet to get started: - ./configure - make Now I had an npiet executable, and ran it (after moving my ppm file the the same directory) with ./npiet PI3T.ppm. The program printed a wall of text to the terminal that didn't seem to end, so I stopped its execution. In the text, I noticed nagiosadmin which turns out to be the username that we're looking for.

What is the password you found?

The password is all of the text following '%', but before the next "nagiosadmin".

What is the CVE number for this vulnerability? / Full path of exploitation module?

Now that we seem to have credentials, I'll try the login page on /nagiosxi once again. The credentials work, and in the bottom left corner of the portal, it lists the version as "Nagios XI 5.5.6". Since the challenge description stressed the need for Metasploit, I immediately open msfconsole and run search nagiosxi 5.5.6. It returns one result: exploit/linux/http/nagios_xi_configwizards_authenticated_rce. I start setting the required options: set RHOSTS <ip> and then notice that it has TARGET_CVE CVE-2021-25296 set.

Although this may have worked, this wasn't the CVE that the challenge was asking for. With some more research, it turned out to be CVE-2019-15949. Searching Metsaploit again I came to exploit/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce.

I set the RHOSTS, USERNAME, and PASSWORD options and ran the exploit, giving me a shell.

User.txt

cat /home/galand/user.txt

Root.txt

Dropping into a shell by running shell , and then whoami, I found that the exploit has already given us root access so we don't need to perform any privilege escalation. I find /root/root.txt and finish the challenge.

Closing Thoughts

  • I wasted a lot of time during enumeration because I overlooked the glaringly out-of-place hint with the elements at the beginning. Especially in a CTF environment, I need to give these a little more attention before writing them off as a distraction. Fairly straightforward after that.