Monitored - Hack The Box | Exploit & Evolve

Enumeration

Nmap

Initial nmap scan revealed SSH, HTTP, HTTPS, LDAP ports were open. I did some enumeration and could not find any useful information from them at first. So later I did UDP enumeration and found that SNMP was open.

00 - nmaps

WEB Enumeration

Website was nagios xi running on HTTPS port. I brute forced the nagiosadmin account but could not find the password.

01 - nagios xi

SNMP Enumeration Setup

Later I did SNMP Enumeartion with the tool called SNMP Walk. While I was doing this I did not know the tool called snmpbulkwalk and I did not know that we could show the names of the snmp packets. So before moving on I will explain how to set your attacker machine for better SNMP Enumeration.

Uncomment the below line in /etc/snmp/snmp.conf

mibdirs /usr/share/snmp/mibs:/usr/share/snmp/mibs/iana:/usr/share/snmp/mibs/ietf

Download snmp-mibs-downloader (and snmpbulkwalk if not installed)
```
sudo apt install snmp-mibs-downloader
```

Run snmpbulkwalk

snmpbulkwalk -c public -v2c 10.129.230.96 -m all

Below screen shots explain this process:

02 - 0 snmp

02 - 1 snmp

02 - 2 snmp names

SNMP Enumeration

I ran snmpwalk against the target to gather public strings and saved the output to a file. Then grepping the file with “ STRING:” revealed a command that reveales cleartext password of the svc user.

02 - running snmp walk

Later I tried to login to SSH and it did not work. Then tried to login Nagios page, which did not work but gave another error.

03 - snmpwalk

API Enumeration

From there, I did not know what to do so I checked the guideline from the HackTheBox and found out service accounts use APIs to authenticate. So I checked Nagios Xi API login and foun this forum post, which shows the below format:

curl -XPOST -k -L 'http://YOURXISERVER/nagiosxi/api/v1/authenticate?pretty=1' -d 'username=nagiosadmin&password=YOURPASS&valid_min=5'

This will return a token valid for 5 minutes, which can be used to access the dashboard. Below pictures show the process.

04 - token

05 -logged in with the token

Exploitation

CVE-2023-40931

The version of the nagios was vulnerable to authenticated SQL Injection. So I found a PoC script, which automatically dumps the database.

06 - sqli poc run

The output included xi_users table, which included nagiosadmin API-KEY and hashed password. I could not crack the password but checking the internet revealed that I could use API key to create a new admin user.

Create Admin User via API

This forum post, showed that we can create a user using API keys using below comamand:

curl -s -XPOST "https://XXXXXXXXXXXXX/nagiosfusion/api/v1/system/user?apikey=XXXXXXXXXXXXXXXXXXXXXXXX&pretty=1" -d 'username=XXXXX&password=XXXXX&name=XXXXX&email=XXXXX&auth_level=admin'

Executed the command to add new admin user.

07 - use api key to create user

Then logged in as that user.

RCE

As an admin user, I can run commands on remote machines as health check process. So at first I opened the Configure > Core Config Manager > Commands and created a new check command which runs reverse bash shell.

08 - create command

Then from the Configure > Core Config Manager > Hosts page, I selected localhost and then selected the check command that I created and ran it while listening with netcat which led me to user flag.

09 - host management

Privilege Escalation

sudo -l

The sudo -l command revealed that I could run many nagios commands as root.

10 - sudo l

From there I did not know what to do. So I watched ippsec and read the 0xdf blog :D

There are 2 ways to exploit and get the root.

First way - manage_services.sh (Abusing Excessive Permissions over Service Binaries)

The manage_services.sh file runs commands on some of the services. We could see that by checking the file:

11 - services

So I can call these services as root. From there, what I could do is I could check which service binaries I have write access to and update them to add SUID bit to /bin/bash. I used one-liner from 0xdf to check service permissions:

for service in "postgresql" "httpd" "mysqld" "nagios" "ndo2db" "npcd" "snmptt" "ntpd" "crond" "shellinaboxd" "snmptrapd" "php-fpm"; do find /etc/systemd/ -name "$service.service"; done | while read service_file; do ls -l $(cat "$service_file" | grep Exec | cut -d= -f 2 | cut -d' ' -f 1); done | sort -u

This simply loops through all services that was mentioned on manage_services.sh, Finds /etc/systemd/…..service paths which includes service binary locations. And greps the binary locations and run ls -l on them.

Running the command revealed I got write permission over npcd and nagios.

12 - service permissions

So I simply updated npcd binary to add SUID bit to /bin/bash and got the root shell.

13 - root

Second way - getprofile.sh (Abusing Symbolic Links)

At first I analyzed the file to understand what it does. It get and id as input, then reads many files and saves them inside the profile folder, and finally zips them.

Again I did not know what to do at first. After watching ippsec I understood. We can check all files which are read and find a file which we have permissions over. Then create a symbolic link over that file to a file that we do not have access such as /root/root.txt or /root/.sh/id_rsa files.

With this information in mind, I checked all files that are read, all files were in /var/log but one of them was inside nagios folder which our user had access. So simply created a symbolic link from this file to root id_rsa file, then ran the script as root.

14 - 2nd way symlinc

Then unzipped the output and got the id_rsa file.

15 - unzipping

16 - id_rsa

Finally, logged in as root via SSH.

17 - root

Pwned

The machine was fully compromised.

pwned

Build - Hack The Box

Help - Hack The Box