OffSec PG - Monitoring


Machine IP →

Network Scan

Nmap scan → nmap -sC -sV -Pn -p- -A -o nmap.txt

OS Detection → Host: ubuntu; OS: Linux; CPE: cpe:/o:linux:linux_kernel

PortServiceOther details (if any)
22SSHOpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
25SMTPPostfix smtpd
80HTTPApache httpd 2.4.18 ((Ubuntu))
389LDAPOpenLDAP 2.2.X - 2.3.X
443HTTPSApache httpd 2.4.18 ((Ubuntu))

Web Scan

GoBuster scan → gobuster dir -u -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php

Directories/files listed (for both http and https versions) →

  • index.php
  • javascript/
  • nagios/

Visiting the web page reveals a nagiosxi directory which has a login.


A web search for default admin credentials on nagios xi reveals nagiosadmin:PASSW0RD, however, after trial and error of easy passwords, admin was the correct password.

Searchsploit and web searches return a number of exploits for the nagios version. One of them is an authenticated RCE in the mointoring plugin upload capability.

Command used for searchsploit is as follows → searchsploit nagios, which returned many results. Spiraling down to RCE for version 5.6.5 (just above 5.6.0 and has root exploit), the full path can be received as follows → searchsploit -p php/webapps/47299.php. This gives the path and the exploit can be copied from there.

The exploit is basically a file upload where the name for the upload has an injection of commands such that it is executed in the backend. Therefore, a reverse shell can be executed on the backend, giving root access.

Setting up the exploit and calling it via the cli after setting up an ncat listener, a root shell is received. The flag of the root user can thus be read.

Privilege Escalation

User was already root, therefore, no escalation was necessary.

This post is licensed under CC BY 4.0 by the author.