HTB Monitored: gaining access to the system via Nagios XI

In this writeup we will work with the API of the Nagios XI monitoring system, exploit an SQL injection, create our own user and abuse the admin's capabilities to gain access to the operating system. Then we will escalate privileges in Linux in a straightforward way.

Our goal is to obtain superuser rights on the Monitored machine from the Hack The Box training platform. The difficulty level of the task is medium.


Warning

It is recommended to connect to HTB machines only via VPN. Do not do this from computers that contain data that is important to you, as you will end up on a shared network with other participants.

Reconnaissance

Port scanning

Add the machine's IP address to /etc/hosts:

10.10.11.248 monitored.htb


Then start scanning the ports.

Help: Port Scanning

Port scanning is the standard first step in any attack. It lets the attacker learn which services on the host accept connections. Based on this information, the next step towards an entry point is chosen.

The best-known scanning tool is Nmap. You can improve its results with the following script:

#!/bin/bash
# Stage 1: quick scan of all TCP ports; collect the open port numbers into a comma-separated list
ports=$(nmap -p- --min-rate=500 "$1" | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
# Stage 2: thorough scan (version detection, default scripts) of only the ports found
nmap -p"$ports" -A "$1"

It works in two stages: the first performs a regular quick scan, the second a more thorough scan using the available scripts (the -A option).

The result of the script

I also usually check UDP port 161.

sudo nmap -p161 -sU 10.10.11.248

This time it was open.

Result of UDP port scan

In total, the scanner found six open ports:

  • 22 – OpenSSH 8.4p1 service;
  • 80 and 443 – Apache web server 2.4.56;
  • 389 – LDAP service;
  • 5667 – unknown service;
  • 161 (UDP) – SNMP service.

The Nmap output also shows a redirect from port 80 to the address nagios.monitored.htb, so we add that to /etc/hosts as well:

10.10.11.248 monitored.htb nagios.monitored.htb

Since the SNMP service is available, let's start with that.

Entry point

SNMP (Simple Network Management Protocol) is used to monitor devices on a network (e.g. routers, switches, printers).

Two concepts should be immediately mentioned here:

  • MIB (Management Information Base) – a database that stores information about all objects (parameters and settings) of the device;
  • OID (Object Identifier) – the numeric identifier of an object in the MIB tree.

When working with a remote system via SNMP, every request is addressed by OID, which reflects the object's position in the MIB tree. But to read the data we first need to pass a rudimentary form of authentication by supplying the community string. Since we don't know it, we have to enumerate candidates, for example with the onesixtyone utility and a wordlist from the SecLists collection.

onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt 10.10.11.248

Iterating over community strings

As a result, we found only one community string – public. All the system's OIDs can then be retrieved by walking the MIB tree, for example with the following command:

snmpwalk -v 2c -c public 10.10.11.248

Data received from the system
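snmpwalk prints one line per object in the form OID = TYPE: value, and the OID prefix tells you which part of the MIB tree the object sits in. The parser below is added as an illustration and is not part of the original writeup: it inventories a walk dump by well-known subtree and pulls out the process command lines (hrSWRunParameters) that a readable community string exposes; the sample dump is constructed, not captured from the machine.

```python
import re
from collections import Counter

# Constructed sample of snmpwalk -v 2c output (not captured from the machine).
SAMPLE_WALK = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Linux monitored 5.10.0-amd64 #1 SMP x86_64"
iso.3.6.1.2.1.1.5.0 = STRING: "monitored"
iso.3.6.1.2.1.2.2.1.2.1 = STRING: "lo"
iso.3.6.1.2.1.2.2.1.2.2 = STRING: "eth0"
iso.3.6.1.2.1.25.4.2.1.2.412 = STRING: "sshd"
iso.3.6.1.2.1.25.4.2.1.5.412 = STRING: "-D"
iso.3.6.1.2.1.25.4.2.1.5.520 = ""
iso.3.6.1.2.1.25.4.2.1.5.899 = STRING: "/opt/app/worker.py --config /etc/app/worker.conf"
"""
# Well-known subtrees (MIB-II, HOST-RESOURCES-MIB); the longest matching prefix wins.
SUBTREES = {
    "1.3.6.1.2.1.1": "system",
    "1.3.6.1.2.1.2": "interfaces",
    "1.3.6.1.2.1.25.4.2.1.2": "hrSWRunName",
    "1.3.6.1.2.1.25.4.2.1.5": "hrSWRunParameters",  # process arguments; secrets often end up here
}

LINE_RE = re.compile(r"^(?P<oid>\S+)\s+=\s+(?:(?P<type>[\w-]+):\s*)?(?P<value>.*)$")

def parse_walk(text):
    """Parse snmpwalk output into (oid, type, value) tuples with numeric OIDs and unquoted strings."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines of multi-line values are skipped
        oid = m.group("oid")
        oid = "1." + oid[4:] if oid.startswith("iso.") else oid.lstrip(".")  # iso.3.6... / .1.3.6...
        value = m.group("value").strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        rows.append((oid, m.group("type") or "", value))
    return rows

def classify(oid):
    """Name the longest well-known subtree an OID falls under, or 'other'."""
    matches = [p for p in SUBTREES if oid == p or oid.startswith(p + ".")]
    return SUBTREES[max(matches, key=len)] if matches else "other"

def summarize(text):
    """Return per-subtree entry counts and the non-empty process command lines exposed."""
    rows = parse_walk(text)
    counts = Counter(classify(oid) for oid, _, _ in rows)
    cmdlines = [v for oid, _, v in rows if classify(oid) == "hrSWRunParameters" and v]
    return counts, cmdlines
```

Symbolic OIDs (SNMPv2-MIB::sysName.0, printed when MIB files are installed) are kept as-is and land in "other"; run snmpwalk with -On to get numeric output for the subtree counts.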
