THM: Nax
Identify the critical security flaw in the most powerful and trusted network monitoring software on the market, that allows an authenticated user to achieve remote code execution.
This is Nax from THM. It’s medium rated and somewhat guided.
Ports
PORT STATE SERVICE
- 22/tcp open ssh
- 25/tcp open smtp
- 80/tcp open http
- 389/tcp open ldap
- 443/tcp open https
- 5667/tcp open unknown
389 is LDAP, 25 is Postfix SMTP and 5667 is unknown, but it doesn’t matter anyway.
HTTP
On the front page there is some ASCII art and this message:
Welcome to elements.
Ag - Hg - Ta - Sb - Po - Pd - Hg - Pt - Lr
Being a past chemistry nerd, I recognised that I could get the atomic numbers for these elements from a periodic table:
47 80 73 51 84 46 80 78 103
Sending those numbers to CyberChef (decimal to ASCII) decodes them to:
/PI3T.PNg
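The element-to-path decode above, as an added Python example that is not part of the original writeup: it parses the front-page message, maps each symbol to its atomic number and decodes those numbers as ASCII, which is what the CyberChef step did. The symbol table is the standard periodic table for elements 1 to 103.

```python
# Added example (not from the original post): reproduce the CyberChef decode
# of the element-symbol message on the Nax front page.

# Element symbols for atomic numbers 1..103, in periodic-table order.
_SYMBOLS = (
    "H He Li Be B C N O F Ne Na Mg Al Si P S Cl Ar K Ca Sc Ti V Cr Mn Fe Co Ni "
    "Cu Zn Ga Ge As Se Br Kr Rb Sr Y Zr Nb Mo Tc Ru Rh Pd Ag Cd In Sn Sb Te I "
    "Xe Cs Ba La Ce Pr Nd Pm Sm Eu Gd Tb Dy Ho Er Tm Yb Lu Hf Ta W Re Os Ir Pt "
    "Au Hg Tl Pb Bi Po At Rn Fr Ra Ac Th Pa U Np Pu Am Cm Bk Cf Es Fm Md No Lr"
).split()
ATOMIC_NUMBER = {sym: n for n, sym in enumerate(_SYMBOLS, start=1)}

# The message as shown on the front page of the box.
FRONTPAGE_MESSAGE = "Ag - Hg - Ta - Sb - Po - Pd - Hg - Pt - Lr"


def element_numbers(message: str) -> list[int]:
    """Turn 'Ag - Hg - Ta' style text into atomic numbers (symbols are case-sensitive)."""
    symbols = message.replace("-", " ").split()
    unknown = [s for s in symbols if s not in ATOMIC_NUMBER]
    if unknown:
        raise ValueError(f"not element symbols: {unknown}")
    return [ATOMIC_NUMBER[s] for s in symbols]


def decode_elements(message: str) -> str:
    """Atomic numbers -> ASCII text, i.e. CyberChef's 'From Decimal' on the numbers."""
    numbers = element_numbers(message)
    # Anything outside printable ASCII means the message is not this kind of puzzle.
    unprintable = [n for n in numbers if not 32 <= n <= 126]
    if unprintable:
        raise ValueError(f"non-printable code points: {unprintable}")
    return "".join(chr(n) for n in numbers)


if __name__ == "__main__":
    print(element_numbers(FRONTPAGE_MESSAGE))  # [47, 80, 73, 51, 84, 46, 80, 78, 103]
    print(decode_elements(FRONTPAGE_MESSAGE))  # /PI3T.PNg
```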
Sure enough, there is a PNG file at /PI3T.PNg, and according to exiftool the artist is Piet Mondrian. Since Piet Mondrian died in 1944, we can be pretty bloody sure he didn’t create this PNG; the image is vaguely reminiscent of his work, but it isn’t one of his. Where does that leave us?
Well, we are after an authenticated RCE method so we need to be ‘given’ some credentials. I guessed (rightly) that this was some sort of Stego challenge, which I hate. After trying a few basic methods suitable for a PNG (strings, exiftool, foremost, binwalk) I searched for a writeup to find out what precise flavour of bs this was.
Piet
It turns out that it is Piet, which is actually an esoteric programming language (programs are images) rather than a steganography technique per se. Anyway, people were solving it at this website, but I tried it and it didn’t work. So rather than mess about with stego nonsense, I just grabbed the creds and moved on.
Later, I researched Piet a little more and downloaded a Python script that is supposed to be able to interpret the images. I had to install pygubu and then ran it; it threw a TypeError:
TypeError: ‘numpy.uint8’ object is not iterable
Yeah, screw Piet.
Exploit
Metasploit baby! Haven’t had one of those for a while:
Okey dokey.