HackTheBox — Monitored


mxz4rt

Machine Pwned

Hello guys, in this section I will be tackling the Hack The Box machine "Monitored", which is Linux-based.

Enumeration

In the first step, we need to perform information gathering to identify open ports and determine the services running on the server. Here, I am using the Nmap tool for information gathering.

nmap -sCV -oA monitored <IP>

Nmap result:

LDAP enumeration using nmap:

PORT STATE SERVICE VERSION
389/tcp open ldap OpenLDAP 2.2.X - 2.3.X
| ldap-search:
| Context: dc=monitored,dc=htb
| dn: dc=monitored,dc=htb
| objectClass: top
| objectClass: dcObject
| objectClass: organization
| o: monitored.htb
|_ dc: monitored
| ldap-rootdse:
| LDAP Results
| <ROOT>
| namingContexts: dc=monitored,dc=htb
| supportedControl: 2.16.840.1.113730.3.4.18
| supportedControl: 2.16.840.1.113730.3.4.2
| supportedControl: 1.3.6.1.4.1.4203.1.10.1
| supportedControl: 1.3.6.1.1.22
| supportedControl: 1.2.840.113556.1.4.319
| supportedControl: 1.2.826.0.1.3344810.2.3
| supportedControl: 1.3.6.1.1.13.2
| supportedControl: 1.3.6.1.1.13.1
| supportedControl: 1.3.6.1.1.12
| supportedExtension: 1.3.6.1.4.1.4203.1.11.1
| supportedExtension: 1.3.6.1.4.1.4203.1.11.3
| supportedExtension: 1.3.6.1.1.8
| supportedLDAPVersion: 3
| supportedSASLMechanisms: DIGEST-MD5
| supportedSASLMechanisms: NTLM
| supportedSASLMechanisms: CRAM-MD5
|_ subschemaSubentry: cn=Subschema

SNMP walk output; I also obtained user credentials from this result:

iso.3.6.1.2.1.25.4.2.1.5.457 = STRING: "--config /etc/laurel/config.toml"
iso.3.6.1.2.1.25.4.2.1.5.520 = ""
iso.3.6.1.2.1.25.4.2.1.5.529 = ""
iso.3.6.1.2.1.25.4.2.1.5.560 = STRING: "-f"
iso.3.6.1.2.1.25.4.2.1.5.562 = STRING: "--system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only"
iso.3.6.1.2.1.25.4.2.1.5.566 = STRING: "-n -iNONE"
iso.3.6.1.2.1.25.4.2.1.5.569 = ""
iso.3.6.1.2.1.25.4.2.1.5.570 = STRING: "-u -s -O /run/wpa_supplicant"
iso.3.6.1.2.1.25.4.2.1.5.572 = STRING: "-f"
iso.3.6.1.2.1.25.4.2.1.5.585 = STRING: "-c sleep 30; sudo -u svc /bin/bash -c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB "
iso.3.6.1.2.1.25.4.2.1.5.641 = STRING: "-4 -v -i -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0"
iso.3.6.1.2.1.25.4.2.1.5.717 = ""
iso.3.6.1.2.1.25.4.2.1.5.718 = ""
iso.3.6.1.2.1.25.4.2.1.5.762 = STRING: "-f /usr/local/nagios/etc/pnp/npcd.cfg"
iso.3.6.1.2.1.25.4.2.1.5.769 = STRING: "-LOw -f -p /run/snmptrapd.pid"
iso.3.6.1.2.1.25.4.2.1.5.783 = STRING: "-LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid"
iso.3.6.1.2.1.25.4.2.1.5.792 = STRING: "-p /var/run/ntpd.pid -g -u 108:116"
iso.3.6.1.2.1.25.4.2.1.5.799 = STRING: "-o -p -- \\u --noclear tty1 linux"
iso.3.6.1.2.1.25.4.2.1.5.811 = ""
iso.3.6.1.2.1.25.4.2.1.5.843 = STRING: "-h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d"
iso.3.6.1.2.1.25.4.2.1.5.844 = STRING: "-q --background=/var/run/shellinaboxd.pid -c /var/lib/shellinabox -p 7878 -u shellinabox -g shellinabox --user-css Black on Whit"
iso.3.6.1.2.1.25.4.2.1.5.846 = STRING: "-q --background=/var/run/shellinaboxd.pid -c /var/lib/shellinabox -p 7878 -u shellinabox -g shellinabox --user-css Black on Whit"
iso.3.6.1.2.1.25.4.2.1.5.871 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.882 = STRING: "-D /var/lib/postgresql/13/main -c config_file=/etc/postgresql/13/main/postgresql.conf"

User creds:

Username : svc | Password : XjH7VCehowpR1xZB
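The credential above leaked because the check_host.sh command line (hrSWRunParameters, OID 1.3.6.1.2.1.25.4.2.1.5) is readable over SNMP. The following added example, which is my own defensive helper and not part of the original write-up, parses snmpwalk output in that shape and flags argument tokens that look like embedded secrets, so an administrator can audit what a read-only community string exposes. The sample rows are constructed from the output above and the secret heuristic (length, character mix, entropy) is an assumption.

```python
import math
import re
from collections import Counter

# Constructed sample: a few hrSWRunParameters rows as snmpwalk prints them.
SAMPLE_SNMPWALK = """\
iso.3.6.1.2.1.25.4.2.1.5.457 = STRING: "--config /etc/laurel/config.toml"
iso.3.6.1.2.1.25.4.2.1.5.520 = ""
iso.3.6.1.2.1.25.4.2.1.5.585 = STRING: "-c sleep 30; sudo -u svc /bin/bash -c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB "
iso.3.6.1.2.1.25.4.2.1.5.783 = STRING: "-LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid"
"""

# One hrSWRunParameters row: the last OID arc is the PID, the value is the argument string.
LINE_RE = re.compile(r'^iso\.3\.6\.1\.2\.1\.25\.4\.2\.1\.5\.(\d+) = (?:STRING: "(.*)"|"")$')


def parse_hr_sw_run_params(text):
    """Return {pid: argument string} from snmpwalk hrSWRunParameters output."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            procs[int(m.group(1))] = m.group(2) or ""
    return procs


def shannon_entropy(s):
    """Bits of entropy per character; a random 16-char token scores near 4.0."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_like_secret(token):
    """Heuristic (assumed): long mixed-case alphanumeric token that is not a flag or path."""
    if token.startswith(("-", "/")) or len(token) < 12:
        return False
    if not re.fullmatch(r"[A-Za-z0-9]+", token):
        return False
    classes = (any(c.isupper() for c in token), any(c.islower() for c in token),
               any(c.isdigit() for c in token))
    return all(classes) and shannon_entropy(token) > 3.0


def find_exposed_secrets(text):
    """Return [(pid, token)] for argument tokens that look like credentials on a command line."""
    hits = []
    for pid, args in parse_hr_sw_run_params(text).items():
        for tok in args.split():
            if looks_like_secret(tok):
                hits.append((pid, tok))
    return hits
```

Any hit is a process that should read its secret from a file or environment instead of argv, and the SNMP view for the community string should exclude the hrSWRun subtree.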

Vulnerability Analysis

When opening the nagios.monitored.htb page, the display will appear as follows.

Nagios landing page

The following is the default login page of Nagios XI.

Nagios XI default login page

From the enumeration results above I obtained credentials for the user “svc”, but when attempting to log in it appears that the account has been blocked or disabled.

Account has been disabled/blocked

Here I searched the Nagios XI community forum for a solution to the authentication issue.

While searching for public exploits and related CVEs for Nagios XI, I came across CVE-2023-40931, a SQL injection that is triggered by injecting SQL into the ID parameter of a POST request to the endpoint https://nagios.monitored.htb/nagiosxi/api/v1/authenticate.

API Endpoint
Vulnerable endpoint

I am interested in trying the SQL injection vulnerability on that endpoint using sqlmap along with the credentials I obtained earlier. Here is the command:
