April 8, 2024 | by Stefano Lanaro |
Introduction
This was an intermediate Linux machine that required identifying a set of credentials hidden within an image file using the Piet programming language, and exploiting a known remote code execution vulnerability in Nagios XI to escalate privileges to root.
Enumeration
The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:
- -sC to run default scripts
- -sV to enumerate application versions
The scan has identified a few open ports: port 22 (SSH), port 25 (SMTP), port 80 (HTTP), port 389 (LDAP) and port 443 (HTTPS). The next step will be to start enumerating the web server present on the machine.
Enumerating HTTP
The web server’s home page mentions elements and shows a series of what may be chemical elements:
When looking at the source code, it mentions a directory, nagiosxi:
There indeed seems to be a Nagios XI portal:
Some research was done on default credentials used by this web application, although unfortunately these did not work.
Since the site mentioned elements, looking up each element from the home page on a periodic table and concatenating their atomic numbers gives: 4780735184468078103
When decoding each number from decimal ASCII to text, the result appears to be PI3T.PNg:
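The decoding step above is easy to get wrong by hand because the digit string has no separators. The following helper is an added example (not code from the original write-up) that splits such a run into printable ASCII codes; ELEMENT_NUMBERS is the string built from the atomic numbers, and the leading 47 decodes to "/", so the full result is the path "/PI3T.PNg".

```python
"""Decode a run of concatenated decimal ASCII codes that has no separators.

Added example, not part of the original write-up. ELEMENT_NUMBERS is the
string the write-up builds from the atomic numbers on the home page.
"""

LOW, HIGH = 32, 126  # printable ASCII: space (32) .. '~' (126)

ELEMENT_NUMBERS = "4780735184468078103"


def decode_ascii_run(digits: str) -> str:
    """Split `digits` into printable ASCII codes and return the text.

    Printable codes are either two digits (32..99, first digit 3..9) or
    three digits (100..126, first digit 1), so the width of each chunk is
    fixed by its first digit and the split is unambiguous: a chunk that
    starts with '1' must be three digits wide, anything else two.
    """
    if not digits or not digits.isdigit():
        raise ValueError("input must be a non-empty string of decimal digits")
    out = []
    pos = 0
    while pos < len(digits):
        width = 3 if digits[pos] == "1" else 2
        chunk = digits[pos:pos + width]
        if len(chunk) < width:
            raise ValueError(f"truncated code at offset {pos}: {chunk!r}")
        code = int(chunk)
        if not LOW <= code <= HIGH:
            raise ValueError(f"non-printable code {code} at offset {pos}")
        out.append(chr(code))
        pos += width
    return "".join(out)


def encode_ascii_run(text: str) -> str:
    """Inverse of decode_ascii_run: concatenate the decimal code of each char."""
    if any(not LOW <= ord(c) <= HIGH for c in text):
        raise ValueError("only printable ASCII can be encoded")
    return "".join(str(ord(c)) for c in text)


if __name__ == "__main__":
    print(decode_ascii_run(ELEMENT_NUMBERS))  # /PI3T.PNg
```

The decoder rejects anything outside the printable range instead of guessing, which is the behaviour you want when checking a hypothesis like this one: a wrong split fails loudly rather than producing plausible-looking garbage.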
When navigating to the file, the following image is displayed:
Finding Hidden Credentials
Downloading the file and inspecting it using strings:
Using ExifTool to view metadata stored in the image:
This initial investigation has not come back with any meaningful results. As mentioned in the TryHackMe room, the file may need to be opened in GIMP and exported to PPM format for the next step to work.
Researching Piet based on the file name: Piet Mondrian was a Dutch artist best known for his abstract paintings, and a programming language was designed around the look of his art. More info can be found here.
NPiet is an interpreter for Piet programs and takes a portable pixmap image (a .ppm file) as input. The following link can be used to upload Piet images and execute the code within them: https://www.bertnase.de/npiet/npiet-execute.php.
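The GIMP export step only converts the image container; nothing about the pixel data changes. As an added example (not code from the original write-up or from npiet), the converter below does the same conversion with the Python standard library alone, decoding an 8-bit non-interlaced PNG by hand and writing the binary PPM (P6) that npiet reads. SAMPLE_ROWS and encode_png are there only to build a constructed 3x2 test image in memory; the real input is the downloaded file.

```python
"""Convert an 8-bit, non-interlaced greyscale/RGB/RGBA PNG to binary PPM (P6).
Added example, not part of the original write-up: a standard-library-only
replacement for the GIMP export step. PPM has no alpha channel, so alpha is
dropped. SAMPLE_ROWS is a constructed 3x2 image used for a self-test."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 6: 4}  # PNG colour type -> bytes per pixel at 8-bit depth
SAMPLE_ROWS = [[(255, 0, 0), (0, 255, 0), (0, 0, 255)],
               [(255, 255, 0), (0, 255, 255), (255, 0, 255)]]

def _paeth(a, b, c):
    p = a + b - c
    pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
    if pa <= pb and pa <= pc:
        return a
    return b if pb <= pc else c

def _predict(ftype, line, prev, i, bpp):
    """PNG filter predictor: a = byte to the left, b = byte above, c = above-left."""
    a = line[i - bpp] if i >= bpp else 0
    b = prev[i]
    c = prev[i - bpp] if i >= bpp else 0
    if ftype == 0:
        return 0
    if ftype == 1:
        return a
    if ftype == 2:
        return b
    if ftype == 3:
        return (a + b) // 2
    if ftype == 4:
        return _paeth(a, b, c)
    raise ValueError(f"bad PNG filter type {ftype}")

def decode_png(data):
    """Return (width, height, rows); rows are lists of (r, g, b) tuples."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos, idat, hdr = 8, [], None
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IHDR":
            hdr = struct.unpack(">IIBBBBB", body)
        elif ctype == b"IDAT":
            idat.append(body)
        elif ctype == b"IEND":
            break
    if hdr is None:
        raise ValueError("missing IHDR chunk")
    width, height, depth, colour, _, _, interlace = hdr
    if depth != 8 or colour not in CHANNELS or interlace:
        raise ValueError("only 8-bit non-interlaced grey/RGB/RGBA PNGs are supported")
    bpp, stride = CHANNELS[colour], width * CHANNELS[colour]
    raw = zlib.decompress(b"".join(idat))
    prev, rows = bytearray(stride), []
    for y in range(height):
        off = y * (stride + 1)  # every scanline is prefixed by one filter-type byte
        ftype, line = raw[off], bytearray(raw[off + 1:off + 1 + stride])
        for i in range(stride):  # unfilter in place; bytes before i are already reconstructed
            line[i] = (line[i] + _predict(ftype, line, prev, i, bpp)) & 0xFF
        pixels = [tuple(line[i:i + bpp]) for i in range(0, stride, bpp)]
        rows.append([(p[0], p[0], p[0]) if bpp == 1 else p[:3] for p in pixels])
        prev = line
    return width, height, rows

def to_ppm(width, height, rows):
    """Serialise RGB rows as binary PPM (P6), the input format npiet reads."""
    header = f"P6\n{width} {height}\n255\n".encode()
    return header + b"".join(bytes(px) for row in rows for px in row)

def png_to_ppm(png_bytes):
    return to_ppm(*decode_png(png_bytes))

def encode_png(width, height, rows, filter_type=4):
    """Write an 8-bit RGB PNG, filtering every row with `filter_type` (0..4).
    Used only to build the constructed test image; real input comes from a file."""
    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    raw, prev = bytearray(), bytearray(width * 3)
    for row in rows:
        line = bytearray(b for px in row for b in px)
        raw.append(filter_type)
        raw.extend((line[i] - _predict(filter_type, line, prev, i, 3)) & 0xFF for i in range(len(line)))
        prev = line
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(bytes(raw))) + chunk(b"IEND", b"")

if __name__ == "__main__":  # usage: python png2ppm.py PI3T.PNg PI3T.ppm
    import sys
    with open(sys.argv[1], "rb") as src, open(sys.argv[2], "wb") as dst:
        dst.write(png_to_ppm(src.read()))
```

The converter refuses palette-indexed, 16-bit and interlaced PNGs rather than silently mis-decoding them, since a Piet program depends on exact pixel colours: an off-by-one in any channel changes the instruction the interpreter executes. If the downloaded image turns out to be palette-indexed, GIMP (or any image library) can still be used to produce the PPM.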
Uploading the image found earlier on the site and executing the code contained within it:
A username and password are revealed upon execution:
Logging into Nagios XI with the credentials found above:
Nagios XI appears to be running version 5.5.6:
This particular version appears to be affected by a remote code execution vulnerability, found by checking the known CVEs for the software and sorting them by CVSS score ascending. CVE-2019-15949 matches the current version, as it affects Nagios XI prior to 5.6.6:
Exploiting NagiosXI Remote Command Execution
There appears to be a Metasploit module that can be used to exploit this vulnerability:
Selecting the exploit:
Setting the following exploit options and running it:
- PASSWORD to specify the Nagios XI password
- RHOST to specify the target host IP address
- LHOST to specify the localhost IP address to connect to
- LPORT to specify the local port to connect to
This has returned a root-level shell on the box.
Conclusion
This definitely wasn’t one of my favourite boxes as it was very CTF-like, however I still learned something new about an esoteric programming language.