Proving Grounds — “Monitoring” Writeup

Alexander
3 min read · Feb 19, 2024


Today, I’m trying something different from my normal security work. We’re going to try out being attackers in a practice hacking challenge. It’s a simple one that should make us feel more confident in our skills.

We are first going to start by running a simple network scan. I used the -sC and -sV flags.

-sC: Runs a script scan using the default set of scripts. It's useful for detecting specific vulnerabilities and additional network information without having to specify each script individually.

-sV: Attempts to determine the version of the services running on open ports. This can help identify potential vulnerabilities based on the versions of the services detected.

I noticed several services were active, but the HTTP service particularly drew my attention. Upon visiting it, I encountered a login form for Nagios XI. After a quick search, I discovered that the default credentials for the Nagios XI web interface are nagiosadmin:admin. Using this information, I successfully logged in.

We are greeted with a notice that tells us to update. When we click "See Details", we get more information about the current version of Nagios XI that is running.

Since we now have the version, we simply search for publicly available exploits on GitHub.

We found a PHP exploit. This exploit works if you have access as the ‘nagios’ user or can manage plugins through the web interface, which we can do because we found the login details. There’s a script called getprofile.sh that runs with high privileges (as root) when someone downloads a system profile from a specific URL. This script uses another program, ‘check_plugin’, that the ‘nagios’ user controls. Since we can log into Nagios XI or access the server as the ‘nagios’ user, we can change the ‘check_plugin’ program to run commands with root access and get RCE.
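The chain above (a root-run script that calls a helper program a less privileged account can edit) is something a defender can audit for directly. The following is an added example, not code from the writeup or from Nagios XI: it reads a privileged script, pulls out every absolute path it references, and reports any helper whose file or parent directory is group/world-writable or owned by an unexpected uid. The sample `getprofile.sh`, the two helper files and their locations are constructed in a temporary directory; the function names and the `expected_owner_uids` parameter are assumptions of this example.

```python
"""Audit a privileged script for helper programs a low-privileged user could modify.

Added example, not part of the original writeup or of Nagios XI. It models the
root-run getprofile.sh -> nagios-controlled check_plugin pattern generically:
every absolute path referenced by a root-executed script is checked for
group/world write bits on the file and on its parent directory, and for an
owner outside the trusted set. The sample script and helpers are constructed.
"""
import os
import re
import stat
import tempfile

# An absolute path: a leading slash not preceded by a path/URL character,
# then slash-separated components of word characters, dots and dashes.
ABS_PATH = re.compile(r"(?<![\w.:/-])/(?:[\w.-]+/)*[\w.-]+")

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def referenced_paths(script_text):
    """Return the absolute paths mentioned in a script, in order, without duplicates."""
    seen = []
    for match in ABS_PATH.finditer(script_text):
        path = match.group(0)
        if path not in seen:
            seen.append(path)
    return seen


def permission_findings(path, expected_owner_uids=frozenset({0})):
    """Describe why PATH could be replaced or edited by someone other than its trusted owner."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        st = None  # a missing helper is still a hijack point if its directory is open
    if st is not None:
        if st.st_mode & WRITABLE_BY_OTHERS:
            findings.append("file is group/world-writable")
        if st.st_uid not in expected_owner_uids:
            findings.append("file owned by uid %d, not in %s" % (st.st_uid, sorted(expected_owner_uids)))
    parent = os.path.dirname(path) or "/"
    try:
        pst = os.stat(parent)
    except FileNotFoundError:
        return findings
    # A writable parent lets anyone rename/replace the helper unless the sticky bit is set.
    if pst.st_mode & WRITABLE_BY_OTHERS and not pst.st_mode & stat.S_ISVTX:
        findings.append("parent directory is group/world-writable without sticky bit")
    return findings


def audit_privileged_script(script_path, expected_owner_uids=frozenset({0})):
    """Map each helper path referenced by the script to its findings (paths with none are omitted)."""
    with open(script_path) as fh:
        text = fh.read()
    report = {}
    for path in referenced_paths(text):
        findings = permission_findings(path, expected_owner_uids)
        if findings:
            report[path] = findings
    return report


def build_demo(tmpdir):
    """Construct a stand-in root-run script plus one safe and one loosely permissioned helper."""
    safe = os.path.join(tmpdir, "safe_helper")
    loose = os.path.join(tmpdir, "check_plugin")  # name mirrors the helper in the writeup; constructed
    for helper in (safe, loose):
        with open(helper, "w") as fh:
            fh.write("#!/bin/sh\necho ok\n")
    os.chmod(safe, 0o755)   # owner-writable only
    os.chmod(loose, 0o777)  # anyone can rewrite it: the misconfiguration we want to catch
    script = os.path.join(tmpdir, "getprofile.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\n# constructed stand-in for a profile collector run as root\n%s\n%s\n" % (safe, loose))
    return script, safe, loose


def run_demo():
    """Build the sample layout, audit it, and return (report, safe_path, loose_path)."""
    tmpdir = tempfile.mkdtemp(prefix="audit_")
    script, safe, loose = build_demo(tmpdir)
    # The demo files are owned by whoever runs it, so trust that uid alongside root.
    report = audit_privileged_script(script, expected_owner_uids=frozenset({0, os.getuid()}))
    return report, safe, loose


if __name__ == "__main__":
    demo_report, _, _ = run_demo()
    for path, reasons in demo_report.items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Against a real system you would call `audit_privileged_script` on the actual root-executed script with the default `expected_owner_uids={0}`, so that any helper owned by a service account (the `nagios` user in the writeup) is reported along with anything group- or world-writable. The parent-directory check matters as much as the file mode: a helper that is itself root-owned and mode 755 can still be swapped out if the directory it lives in is writable.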

This was an extremely easy box but fun nonetheless.
