Hello, everyone. My name is John Hammond. Welcome back to the YouTube video. And we're finally back to TryHackMe, to take another look at some other rooms over here. So let's go ahead and hop over to my screen. I want to showcase the Nax room. So I'm going to clone a copy of the room so I can put in some answers. But the description here is: identify the critical security flaw in the most powerful and trusted network monitoring software on the market that allows a user authenticated execution of remote code, or remote code execution. Cool. Okay, I've spun this machine up. It does say, hey, take note, this machine may take a couple of minutes to boot and configure. So I've already gone ahead and... I am connected to their VPN. You can download that file in the access tab if you need to. But let's take a look here. It says the first task is: what hidden file did you find? So I'll move over to my terminal. I will make a directory for youtube/nax, and we'll head over there. I will get started with a README because I think that is a good thing to do. I'll drag that screen down, and I will take note of what I'm working on here. August; today is the 17th. I don't know if that is when this video will air, but I'm trying to get back into the backlog. So I'm just going to copy some of these. Okay, what hidden file did we find? Let's get started with our regular enumeration. I will go ahead and nmap that box. I'll use -sC for default scripts, -sV to scan for versions, and I will output that with the regular nmap formatting to a file called initial in the nmap directory that I just created. And we'll give it the IP address of the box. So that will go ahead and scan. While we're doing that, it's safe enough to make a guess that, okay, this will probably have a web server running. So let's just open that up in our web browser. I found this page the very first time I went through this and didn't exactly know what I was looking at.
It looks like kind of an ASCII art of a cicada. It says welcome to elements, and there's nonsense down below. And I was like, okay, whatever, that's got to be a troll. I went on about my work. Let's check the stupid robots.txt. That didn't seem to get me anything. So I just fired off Nikto; go ahead and output that to a simple nikto.log in that directory. And then I'd start to run my other scans. I would then run gobuster. I am finally on the updated version of gobuster. I know, the internet can stop yelling at me for that now. Thank you. So now you'll specify gobuster with dir for directory mode, -u to specify the URL to attack, and the wordlist. I am still working with my directory-list from regular dirbuster in my /opt directory. You can throw that in and it could look for some things. Again, you could pass in -x to use some extensions, like -x php or sh or txt or css or html or whatever you really wanted. But now our nmap scan should be done. So let's take a look at that and see what we have here. We have port 22 open, so SSH; port 25 open, so SMTP, a little bit of email, maybe we could do some enumeration out of that; port 80 open for HTTP. It's a good thing we kind of took a look at that already. Also HTTPS, so we could access that over kind of a secure connection there. We also have LDAP, which is kind of funky; we could do some enumeration there. And that's about all that we're looking at. So if we wanted to, we could kick off another nmap scan, this time with all ports. That will take a while, so I will remove those -sC and -sV flags and I'll use all ports over there. Looks like our gobuster did find a /javascript page, which is peculiar; we could hop on over to that. But we aren't able to get in there; that gave us a 301 and a forbidden. Great. Nikto didn't seem to have anything other than index.html and index.php. Interesting that it found both of those; we can take a look and see if they are any different.
So if I go to index.html, that's our current page. If I go to index.php, whoa, it redirects me to Nagios XI (that's 11 in Roman numerals). Click the link below to get started using Nagios XI, check for tutorials and updates. Okay, and that brings me to an actual legitimate website outside of the TryHackMe network. I kind of want to know if this is a real... obviously it's kind of a real service; this is a real technology, a real thing, software that could be used in the world. I want to see if there's a version. Okay, yeah, there is a Nagios XI about, and that's a local link. Let's hop over to that, access it, and see if it'll give me any other information. Brings me to a Nagios login. Nice. Viewing the source again, I'm just hitting Ctrl+U on my keyboard so I can kind of view the source real quick. Funky JavaScript, a lot of stuff in there. Oh, okay, there's a ton of stuff now, a ton of Nagios links. That's probably a very big thing. I don't know any credentials, or I could log in with that username and password, username admin, admin. Kind of boring, kind of lame. We could start gobuster in this directory now that we see this link; we are in nagiosxi. Let's see if there is that about page. Nagios XI, is that the version number itself? Like Nagios XI, if I just simply Google that: Nagios XI, is there like a known exploit or vulnerability? Yeah, Nagios XI 5.5.6 Linux web app exploit. It's going to take a little bit of time to load, apparently. Oh, and there's a GitHub page that will allow an attacker to leverage an RCE to escalate privileges to root; privilege requires access to the server as a nagios user. Is there a nagios user? It does this all with a little exploit.sh script. Is that right? Now exploit.php, running some curl commands, executing things, authenticating. Okay, so it does need to have, like, our username and password. And that's kind of what the description explained to us already: you'd need to be authenticated. Oh, and this is a Metasploit module. Okay.
Before 5.6.6. The module uploads a malicious plugin to the server and then executes this plugin by just issuing a regular HTTP GET request to download a profile. For all supported targets except Linux (cmd), interesting, this module uses a command stager to write the exploit to the target. This may not work if Nagios is running in a restricted Unix environment, so in that case the target must be set to Linux (cmd). Well, we know we're running Linux because we could see that with our nmap scan; we know we are kind of in Ubuntu, Ubuntu Linux. But because we already have a Metasploit module, we know we probably will get this to work, because Metasploit is pretty trustworthy and stable with the exploits and things that it throws. So it's going to, at least by default, we have to pass in a username argument, but by default it will use nagiosadmin. Is that a thing that we can just use? Does that have like a... let me get back to the login, please. /login.php, that's where it was. nagiosadmin; let's try the exact same username as a password. That's a fail. Okay. Whatever. How's our enumeration going? We could fire this up and move our gobuster link, have that actually move towards that nagiosxi directory, nagiosxi, and then look for more things inside of that. Then we see images, about, help, and that starts to funnel through. Okay. Nikto didn't really get anything else, and nmap was still doing its thing. So when I was originally going through this, and obviously, disclaimer, I have done this before; this is all facade, this is all act, entertainment, artifice. I was struggling, like, what the heck do I do? I have no idea what to look for. How do I find an initial foothold? Then I kind of went back to the very, very beginning, the basics of the box, and when we went to this page, that index.html, I'm looking at this thing, I'm like, what the heck is this, why is this here? And I was remembering.
Okay, if we were like a practice war game, or we're doing an exercise, we're doing this to learn, and there's something in this curated, created exercise, it's probably there for a reason, right? So this welcome to elements thing I thought was kind of funky and odd, and I was like, these are elements, these are legitimate things in the periodic table of elements. And I remembered, and I thought, like, oh, oh, the periodic table of elements has like numbers attached to every element. I wonder if that's a funky thing trying to encode some silly secret message. I have no idea. Okay, that is not... I wanted to pull up the actual image, not go to the web page. Yeah. These numbers, the element number in the periodic table, maybe that is some reference or something that we could end up using for some reason, if that's just here on the page; we don't know why. So we could convert all those to their numbers, and I don't like to do that in a manual way because I think that's stupid and clunky. I wanted to automate it, right? So let me show you this kind of interesting trick. Python's my weapon of choice, right? So that's just the first language I'll reach for when I'm trying to automate or script something. There is a periodictable library or module that you can just simply use in Python. So... well, gobuster has found all this stuff; still none of it was particularly useful to me. It's all 301 redirects because you have to have some credentials to log in with. Let's just turn off gobuster now. Let's try to work with this periodictable. I'm gonna have to use pip3 because I'm using Python 3, because you should be using Python 3, because Python 2 is dead and off the table. So let's try to create an element_parser.py or something. I had gone ahead and just installed, or had previously already installed, that periodictable, so I could simply import periodictable and that will load just fine. I can run that script and there are no errors.
If I wanted to, I could check out the variables inside the periodictable, and let's print them out and display them on the screen. There's a lot of stuff here. The way that that works, if I take a look at this page, which will provide no documentation for me, cool. Do you have a home page? It's... GitHub, anything, something. GitHub, GitHub, GitHub. Excellent, source code. Does it use any documentation? Yes, okay, docs. Are passing on this extensible periodic table... periodic table of elements user's guide, basic usage. Okay, so there are specific objects or variables inside of this module that will represent that element in the periodic table, and you could get more in depth with this; obviously this is a tool for kind of more advanced usage, to do things with actual science and important things, do stuff like mass or isotopes or other interesting smart-people stuff. All we care about is the element number, right? So is there a number thing that we could access? Yeah, okay, there is an element.number. So let's grab all of these elements. There's from periodictable import elements, and that will return kind of an iterable we could loop through, or we could do kind of an interesting introspective thing, because when we're using these vars to get out the variables, that's going to return a dictionary with, like, string values for these elements, which is kind of interesting, right? So if I were to do, like, import periodictable, print vars of periodictable, and now we get a string of H for hydrogen. I simply have that vars of H, but I could just as easily grab that object, vars(periodictable)['H'], and then grab the vars of it and see what properties that object has: it has symbol, name, number, etc., etc. So I could just do a .number on that object rather than using vars, and I will reach that via a string, .number, and I could do that with what this web page offers us, like Ag. Pass in Ag here.
And now I have 47, which might be the number that actually corresponds to that. Do I still have the periodic table of elements open? Image, a new tab, where is Ag? 43, 43, 47, 47, that's what it was. Great. So, okay, simple proof of concept. We've got some Python code that could do this sort of thing. Now let's just scrape out, carve out, grab all of these numbers without having to do it the stupid manual way. Yeah, obviously it would only take, like, whatever, 30 seconds, but we're smarter than that, we're better than that. I'll just slap this into a new page in Sublime Text and I will replace every space-hyphen with a newline, I guess. And so I do that with Ctrl+H to open find/replace and then Ctrl+Enter to replace all. Then I will select all of this with Ctrl+A and then I will hit Ctrl+Shift+L to give myself multiple cursors in Sublime Text, and this is kind of handy. I'll use the Home key and the End key to kind of keep all of these cursors in a line, and then I'll just put in the quotation marks and commas as needed. So I could just say elements now, back in our Python code, and I could slap in all of these as a list of strings. So what I could now do is do for elements, or I guess for e in elements, let's print out the vars of e and get that number. Now I have all of this information. Super cool. We could do that in a stupid way with some nice little list comprehension. I'll do that entry for e in elements, and let's just make that data; we'll call that variable data. And if I were to print that out, now I have a list of these numbers, but all of these could be something more interesting. They could potentially be ASCII characters, right? So if I were to take that decimal number and take the chr() of it, or get that ASCII representation... What is that issue? Oh, I need that wrapped around the end of that variable that I'm using, not the end of the list. Now I have something that looks kind of interesting: /pi3t.png.
Let me join all that together, and there is a /pi3t.png. That might be a file or a link or reference. That's something that we could totally see actually exists or not on the web page. And in fact it does, this little pi3t.png file. And looking at this, I recognize this because I played too many capture the flags, but this is Piet, or "pie it". I always say "pie it", but the internet told me it was called "Pete". So whatever you want to call it; the world is subjective. It's an esoteric language, right? If I were to look for Piet esolang, or esoteric language: it is a computer program where all the stuff is made out of simple pictures and colors. There have to be some resources for it. Yeah, yeah, this program prints out "Hi", or this program prints out something silly and it's a smiley face. You could do a lot of cheesy things with it, but that is Piet. So we have potentially a Piet program just in this image. Let's go back to our TryHackMe room, though, because it says, hey, what file did you find? We found this pi3t.png. That's what we're looking for. Who is the creator of this file? Let's download this. Make a simple directory like www or whatever, and let's wget that file. It's pretty hefty, taking a little bit to download. All right, now we can run file on that PNG. Let's do some other file reconnaissance. Let's check out exiftool to view that metadata. And the artist is Piet Mondrian. Okay, so cool. This is all trying to point us towards the conclusion that we already came to, that this is the Piet programming language. So we could submit that. There we go. And now that we have this, we would want to run this program, because this is in fact a program, even though it looks like an image. When I had done this, I had a little bit of an issue, right? So again, because I like to do this myself, I like to automate, I like to do whatever I can to use my own local tools, I ended up using npiet, the interpreter, like the program.
You can see this original web page, this homepage for the tool, has npiet source code, or you could download it and you could work with it. You could simply download this tar file. I'll download that. Let's wget this guy; tar xzvf to extract it all. Now I have an npiet thing here, and this is the source code. So I would need to go ahead and configure, ./configure, and then run it. Wow, I mistyped all of that word. Okay, now I could make it with make. If you try to do this and you get an error, I think I needed to end up using, like, libgd, libgd-dev. I had to install that: sudo apt install. I don't know if you're running that, but eventually you will see this npiet program here in your directory and then you can simply run it. So ./npiet, it'll run the program, whatever you supply. So I would ./npiet, and then I would try and run it on this file that we downloaded. And it would never work for me. I would get some error that, hey, trying to specify however many steps, if I use that -e argument, that would still fail. I would get this error like, okay, it's not in a proper PPM format, or it's not running with another image data, whatever the case may be. So I was weirded out by this. I would check it out and hexedit it. I would do as much as I could with it. It's in the other directory; that's why I can't tab complete it. I'm trying to use it on, like, their online interpreter, because this guy, this person on the internet with the homepage, the guy who created Piet, has an online interpreter that you could use. And can I get to that, please? It's part of his page and I don't know where that link is. There's a "try it online". That's it. There we go. And it's in youtube/nax/www/pi3t. I am not a robot, at least according to the internet. And I can upload it next here, and I still get this error. What the heck. So I ended up having conversations with, like, the author, like with the person who made this room.
And I messaged him and we were chatting about it in the TryHackMe room-help channel in their Discord. And he added this message: if you get an error running the tool on your downloaded image, about, like, an unknown PPM or format, just open it up with GIMP or another paint program and export it in the PPM format and try again. I did weird things like using an older version of npiet to see if that would work. I think I got it at one point to work, but I had, like, a weird carved-out file. I don't even know or remember what I'd been using, but let's use that GIMP utility, obviously, that he kind of recommended. And can I open this and just drag it in? Fire up GIMP. Pull in pi3t. There we go. Okay. Now let's see if I can just File > Export As, like, a PPM. piet.ppm, will that work? Export it as raw. Let's see if that will do it. Is there an export as... working, just like, show all files. Oh, okay. There are some options here: PGM, PNM, PPM. Okay. I need to specify another format. So I'll just make a duplicate export and make it... I'll use the ASCII one just as well and see what happens. So now I have piet.ppm too; one is ASCII text. That's funky. Is it, like, literally ASCII text? How does that work? I don't know about that. Whatever. Let's try npiet. One three F, run it with our piet.ppm. Okay, now there's a ton of stuff on our screen. Does it do the same thing with piet2? Yes, it will. Okay. So either of those in their PPM format will work just fine for us. A lot of nonsense in here, right? So you could specify limiting the steps. This circular look to this, this is kind of a loop in "Pete" or Piet, again, however you want to pronounce it. That loop is just going to be printing out this message over and over and over again. So let me limit that a little bit. There we go. Now we have nagiosadmin. Okay. Seemingly as that username that we saw; percent and three P, blah, blah, blah, blah, blah. And then we go back to nagiosadmin. Okay.
This is kind of confusing, but maybe this starts and ends because of the nagiosadmin. I'll take that. If you need a little bit of clarification on this, there is a hint here. Obviously we found this username nagiosadmin, and we also saw traces of that in the Metasploit module that we were looking through, right? What is the password that you found? The hint explains that the percent sign is a separator. So let me grab up to... back to where we see nagiosadmin again. Slap that in. And it said, what is the CVE number for this vulnerability? This will be in the format CVE- and then its numbers. We had that open in Exploit Database: privilege escalation, and this is the script for it. This is the other tab that has the Metasploit module. So that CVE number that Exploit Database will give us is CVE-2019-15949. Let's paste that in and try that out. Yep. And what I should have been doing while I've been going through all that is putting all this information into our script page. But I failed to do that. I like to do that; just to remind you, hey, that's good practice. Now that we found our vulnerability, let's go ahead and exploit it. We use our Metasploit module associated with this exploit. Cool. Okay. So that's the one that we saw with Exploit-DB already. If you wanted to, if there wasn't a Metasploit module, you could do simply searchsploit nagios xi, and that will return whatever, as many possible, potential, maybe-this-will-work exploits or kind of abuse and techniques you could use. Let's use the one that is noted, though, with that Metasploit, and I'll zoom out here so searchsploit can actually finish its sentence: chained remote code execution, Metasploit, remote code execution, remote code execution, authenticated remote code execution. And maybe that's the Ruby script that we're using. Anyway, let's fire up msfconsole. See how it looks here. Gonna take a second to start up. But we could just as easily, now that we have these credentials, log in. Let me go grab that password again.
If you wanted to, we go to our Nagios XI, go to login, and kind of poke around. nagiosadmin, paste that in. Nope. I don't need that, LastPass, thank you. And there's like, hey, there's a new version, please update. Don't have all of these actual remote code execution errors. That's funny. But there's a lot you could do in here. Obviously, this will actually give you, okay, their back-end admin panel for the service and the software. But Metasploit's ready for us. So let's go ahead and search for nagios. And there's a lot in here. We'll specify stuff that's nagios, like XI. There we go. Now I can see one exploit that uses authenticated remote code execution that is relatively recent, with the same CVE year as we expected. It has an excellent rank. So that's probably what we're looking for. We could use that exploit. And let's go ahead and submit that into TryHackMe, because that is what it's asking for: what's that full path starting with exploit for this exploitation module? Let's use that. Let's mark the other one as completed because we've started up msfconsole. Let's check out our options here. What do we need to actually provide? We will need our LHOST, so it needs to know how to get back to us. We could simply use, or sorry, set LHOST to our interface, tun0. Show options one more time. URIPATH shouldn't be necessary. Thankfully, you can see whether or not some field is required within msfconsole. And obviously we need a password. We're having that nagiosadmin by default, but we do need to specify a password. So we just figured that out. Let's copy that guy in. And once again, we will set PASSWORD. Nice, John. Slap that in and run, or exploit. Oh, and we actually need the target itself. Okay. That will just be our simple IP address for what we're looking for. Set RHOSTS to that target. And there we go. run, or exploit. And it'll fire it off. Starting up a handler on our IP address. It found the version. Looks like it is vulnerable.
So it can upload this plugin, which successfully uploaded. And then we will wait for the plugin to request the final payload. It'll send the stage. And I remember hanging here, like, just for a while. It says, okay, cool, we got a Meterpreter session opened. And there we go. Now we are finally all done. Now that we're in Meterpreter, the first thing I like to do is, like, figure out where I landed, or who am I acting as? Who did I land as? So I would simply getuid, and I'm root. Okay. So we won. Like, that's it. That's the end of the game. We own the box now because we're root. So let's hop over to the root directory, knowing that we have actual permissions and privileges to do that, and let's check out that root.txt file. Nice. Done and done. Since we are root, we have owned the box, so we can very easily go get that user.txt. I was reading locate user.txt. I almost called it loser.txt, which, you know what, if we're root, we already are... they all are losers. galand is the name of our user. So let's hop into his home directory. What do we got here? We have a user.txt, so we can simply cat that out. And that is victory. That is the end of the game. Okay. So we showcased a couple interesting things here. I know we didn't spend all that much time diving into the internals of Nagios. In this case, we just didn't have to because, okay, there's already a known, public, openly-out-there-in-the-world vulnerability that will just offer you remote code execution, seemingly as root, and privesc to that. So that's kind of crazy. That's kind of cool. We did a few interesting things with the periodic table of elements. We could actually retrieve that script, or this, for some reason, this module could be handy for you in the future, in being able to carve out some elements, or however many elements, or whatever you want. We did an interesting thing using vars of the object.
So we could actually retrieve variables and attributes and properties inside that module, treating them as strings, because that's obviously how we're going to get this data in. We wouldn't be able to just, like, .Ag without knowing this, without a context. So that's kind of handy. That's pretty nice. And obviously a little bit of npiet. Obviously it'll be... Piet itself, showcasing those issues and those interesting things in that -e argument and how you can convert it to a PPM format to actually work with it within the program. Okay. That's a lot of talking. This has been a long video. We're already at 30 minutes. So thank you, thank you, thank you so much for watching. I hope you enjoyed this video. If you did, please do press that like button, maybe leave me a comment, maybe subscribe. You know, I'm super duper grateful. It feels good to be back in the zone, hopefully to get a little bit more TryHackMe content. Hopefully we'll be doing some other cool, interesting stuff. But I did want to showcase this room because it had a couple of those gems with Piet and that periodictable library and Python and just some neat tricks. Alrighty. Thanks for watching, everybody. Take care. I'll see you in the next video. Love you.
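The element-symbol-to-ASCII decoding from the walkthrough, written up as an added example (this is not the video's own element_parser script). The page text is a constructed stand-in for the room's index.html, and the built-in symbol table takes over when the periodictable module is not installed; everything else, including the vars(periodictable)[symbol].number trick and the /pi3t.png result, follows the video.

```python
import re

# Element symbols in atomic-number order, so index + 1 is the atomic number.
SYMBOLS = (
    "H He Li Be B C N O F Ne Na Mg Al Si P S Cl Ar K Ca Sc Ti V Cr Mn Fe Co Ni "
    "Cu Zn Ga Ge As Se Br Kr Rb Sr Y Zr Nb Mo Tc Ru Rh Pd Ag Cd In Sn Sb Te I "
    "Xe Cs Ba La Ce Pr Nd Pm Sm Eu Gd Tb Dy Ho Er Tm Yb Lu Hf Ta W Re Os Ir Pt "
    "Au Hg Tl Pb Bi Po At Rn Fr Ra Ac Th Pa U Np Pu Am Cm Bk Cf Es Fm Md No Lr "
    "Rf Db Sg Bh Hs Mt Ds Rg Cn Nh Fl Mc Lv Ts Og"
).split()
NUMBER_BY_SYMBOL = {sym: i + 1 for i, sym in enumerate(SYMBOLS)}

# Constructed stand-in for the room's index.html (not the real page): the
# banner line, then the symbol list separated with " - " the way the video
# describes. It encodes the same path the video recovered.
SAMPLE_PAGE = """\
Welcome to Elements
Ag - Cn - Db - Sb - Lv - Pd - Cn - Ds - Lr
"""


def atomic_number(token):
    """Atomic number for a symbol in any capitalisation ('AG', 'ag', 'Ag').

    Tries the vars(periodictable)[symbol].number trick from the video first;
    if the periodictable module is missing, falls back to the table above.
    """
    sym = token.strip().capitalize()
    try:
        import periodictable
        return vars(periodictable)[sym].number
    except (ImportError, KeyError, AttributeError):
        pass
    if sym not in NUMBER_BY_SYMBOL:
        raise ValueError(f"not an element symbol: {token!r}")
    return NUMBER_BY_SYMBOL[sym]


def extract_symbol_lines(page_text):
    """Return the tokens of every line made purely of element symbols.

    Banner text such as 'Welcome to Elements' contains words that are not
    symbols, so those lines are dropped instead of being decoded into junk.
    """
    lines = []
    for line in page_text.splitlines():
        tokens = re.findall(r"[A-Za-z]+", line)
        if tokens and all(t.capitalize() in NUMBER_BY_SYMBOL for t in tokens):
            lines.append(tokens)
    return lines


def decode_elements(page_text):
    """Symbol -> atomic number -> chr(), joined into one string.

    Only 32..126 are printable ASCII; any other number is emitted as a \\xNN
    escape so a wrong guess about the encoding shows up instead of vanishing.
    """
    chars = []
    for tokens in extract_symbol_lines(page_text):
        for tok in tokens:
            n = atomic_number(tok)
            chars.append(chr(n) if 32 <= n <= 126 else f"\\x{n:02x}")
    return "".join(chars)


if __name__ == "__main__":
    print(decode_elements(SAMPLE_PAGE))
```

Feed it the real page text instead of SAMPLE_PAGE and the output is the hidden path to try against the web server.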