How To Crack Nagios Xi
This page contains detailed information about how to use the exploit/linux/http/nagios_xi_chained_rce_2_electric_boogaloo metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
How To Crack Nagios Xi
Name: Nagios XI Chained Remote Code ExecutionModule: exploit/linux/http/nagios_xi_chained_rce_2_electric_boogalooSource code: modules/exploits/linux/http/nagios_xi_chained_rce_2_electric_boogaloo.rbDisclosure date: 2018-04-17Last modification time: 2021-02-17 12:33:59 +0000Supported architecture(s): x86Supported platform(s): LinuxTarget service / protocol: http, httpsTarget network port(s): 80, 443, 3000, 8000, 8008, 8080, 8443, 8880, 8888List of CVEs: CVE-2018-8733, CVE-2018-8734, CVE-2018-8735, CVE-2018-8736
This module exploits a few different vulnerabilities inNagios XI 5.2.6-5.4.12 to gain remote root access. The stepsare: 1. Issue a POST request to /nagiosql/admin/settings.phpwhich sets the database user to root. 2. SQLi on/nagiosql/admin/helpedit.php allows us to enumerate APIkeys. 3. The API keys are then used to add an administrativeuser. 4. An authenticated session is established with thenewly added user 5. Command Injection on/nagiosxi/backend/index.php allows us to execute the payloadwith nopasswd sudo, giving us a root shell. 6. Remove theadded admin user and reset the database user.
After running make, we list the contents of the directory to see that we have the npiet executable ready to use. We run it bypassing the PI3T.ppm image that we exported earlier. This gave us a big output but if we look closer it repeats after printing a set of characters. This is because the color blocks around the image area in a loop that prints the same string again and again. Upon closer inspection, we found that it was a set of credentials with the username nagiosadmin.
This is where we ran the Metasploit Console on our Kali Linux, we searched for Nagios and found that it is vulnerable to a Remote Code Execution. The hint at the start of the machine also tells us that we will have to use an RCE to crack the machine. This means that we are on the right path. 350c69d7ab