Vulnhub Monitoring: 1 (with and without Metasploit)

Let’s do Vulnhub.com’s Monitoring:1. This box is rated as Very Easy, and I would agree it is a great beginner’s box. As always, we start with nmap.

nmap scan of all tcp ports
nmap scripts to determine service and version info

When I see port 80 and 443, the first thing I’ll try is to pull them up in Firefox. The homepage shows that this is the Nagios XI application, which is network monitoring software.

I spent some time doing Gobuster scans, but didn’t find anything useful that I could access without authentication. Clicking the “Access Nagios XI” button gives us a login page.

login.php

When I find a login page, the first thing I like to do is look for default credentials. Entering “nagios default login” into Google gives us the link: https://www.2daygeek.com/linux-reset-change-nagiosadmin-password-nagios-core/

We find on this page that “nagiosadmin” is the default admin user. Here is where I got a bit lucky. I went back to the login page and tried username “nagiosadmin” with the password “admin” and immediately authenticated. While it isn’t much of a leap to have this as one of the first passwords to try, those who aren’t quite as lucky guessing could put together a basic password list and use Burp Intruder to get in pretty quickly.

Once I got access to the page, I noted that the version of Nagios XI was 5.6.0. Armed with this information I went to exploit-db.com and searched for nagios. The entry for “Nagios XI — Authenticated Remote Command Execution (Metasploit)” definitely piqued my interest since I already had login creds.

We fire up msfconsole and search for nagios.

metasploit

The first result looks like the one we want. We need to find out what options to set.

Set our options.

Don’t forget to set your local host and target.

Run the exploit, and boom, we get a meterpreter session and a root shell!

That was pretty straightforward, so let’s keep investigating this box. For those of us with an eye on the OSCP, it would be useful to root the box without Metasploit. You may have noted from your Google searches or the exploit-db.com entry that our RCE exploit is CVE-2019-15949, so we enter “cve-2019-15949 github” into Google and find a link: https://github.com/jakgibb/nagiosxi-root-rce-exploit/blob/master/exploit.php

The site has a php exploit that takes advantage of the same RCE vulnerability as our Metasploit module. It even gives us a screenshot of how to run the exploit. We can download the exploit and attempt it on our Kali box. Don’t forget to start your Netcat listener first.

no listener, no shell…

Run the exploit.

doesn’t work the first time

Uh oh, it seems our exploit gave us an error. If we Google “php undefined function curl_init” we get a link to StackOverflow.com: https://stackoverflow.com/questions/6382539/call-to-undefined-function-curl-init

The solution is as simple as installing support for that function, so we do a “sudo apt install php-curl” in Kali. Let’s try running the exploit again.

another error

We get farther, but get another php error. We follow the same process and Google “Class DOMDocument not found” and find another helpful StackOverflow.com article: https://stackoverflow.com/questions/14395239/class-domdocument-not-found

All we have to do is install php-dom with “sudo apt install php-dom”. Let’s run the exploit one more time.

It seems our second try with the exploit went far enough to create a cookie. We have to do a “rm cookie.txt” to get rid of it. One more try:

success!

That looks good! We check our listener:

pwned

And we have our root shell, this time without Metasploit! This is a great example of how just the tiniest bit of troubleshooting can get us a positive result. Thanks for reading!
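To shortcut the dependency troubleshooting above, here is an added preflight script of my own (not code from the walkthrough or from the exploit repository) that reports which of the two PHP capabilities the post had to install are missing, names the Kali package for each, and flags a leftover cookie.txt from an earlier failed run; the file name preflight.php is assumed.

```php
<?php
// preflight.php (assumed name): run this before a PHP tool that needs
// cURL and DOMDocument, so missing extensions surface before the tool runs.
// Each entry maps a capability check to the Kali package the post installs.
$requirements = [
    'curl_init() (php-curl extension)' => [
        'ok'  => function_exists('curl_init'),
        'pkg' => 'php-curl',
    ],
    'DOMDocument (php-dom extension)' => [
        'ok'  => class_exists('DOMDocument'),
        'pkg' => 'php-dom',
    ],
];

$missing = [];
foreach ($requirements as $name => $req) {
    if ($req['ok']) {
        echo "[+] $name available\n";
    } else {
        echo "[-] $name missing -> sudo apt install {$req['pkg']}\n";
        $missing[] = $req['pkg'];
    }
}

// A cookie jar left behind by an earlier run that failed part-way is the
// same leftover the post had to delete (rm cookie.txt) before the final attempt.
$jar = __DIR__ . '/cookie.txt';
$staleJar = is_file($jar);
if ($staleJar) {
    echo "[!] stale $jar from a previous run; remove it before retrying\n";
}

// Non-zero exit when anything still needs attention, so it can gate a shell script.
exit(($missing === [] && !$staleJar) ? 0 : 1);
```

Run it with `php preflight.php` from the directory you will launch the tool in; a zero exit status means both extensions are loaded and no stale cookie jar is present.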
