Enumeration

nmap

open ports

First, I’d like to see what ports are open.

nmap -sS -p- --open 10.10.11.248 | tee nmap/nmap_open_ports_TCP

-sS for TCP SYN scan

I’d also want to run a UDP scan separately just in case.

nmap -sU -p- --open --min-rate 10000 10.10.11.248 | tee nmap/nmap_open_ports_UDP

-sU for UDP scan

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-24 11:34 +08
Nmap scan report for 10.10.11.248
Host is up (0.25s latency).
Not shown: 65530 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
389/tcp  open  ldap
443/tcp  open  https
5667/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 71.41 seconds

TCP service scan

While the UDP scan runs, I parse the open TCP ports so that I only get the port numbers separated by commas.

cat nmap/nmap_open_ports_TCP | grep ' open ' | awk -F"/" '{print $1}' | paste -sd, > nmap/open_ports_TCP


And then I supply those ports in an nmap service scan.

nmap -sV -sC -p$(cat nmap/open_ports_TCP) 10.10.11.248 | tee nmap/nmap_service_scan_TCP
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|   3072 61:e2:e7:b4:1b:5d:46:dc:3b:2f:91:38:e6:6d:c5:ff (RSA)
|   256 29:73:c5:a5:8d:aa:3f:60:a9:4a:a3:e5:9f:67:5c:93 (ECDSA)
|_  256 6d:7a:f9:eb:8e:45:c2:02:6a:d5:8d:4d:b3:a3:37:6f (ED25519)
80/tcp   open  http       Apache httpd 2.4.56
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Did not follow redirect to https://nagios.monitored.htb/
389/tcp  open  ldap       OpenLDAP 2.2.X - 2.3.X
443/tcp  open  ssl/http   Apache httpd 2.4.56 ((Debian))
| tls-alpn:
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-title: Nagios XI
|_http-server-header: Apache/2.4.56 (Debian)
| ssl-cert: Subject: commonName=nagios.monitored.htb/organizationName=Monitored/stateOrProvinceName=Dorset/countryName=UK
| Not valid before: 2023-11-11T21:46:55
|_Not valid after:  2297-08-25T21:46:55
5667/tcp open  tcpwrapped
Service Info: Host: nagios.monitored.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.31 seconds

22 - ssh

KIV.

80 / 443

The Nmap scan shows that port 80, i.e. http://10.10.11.248, redirects to https://nagios.monitored.htb, i.e. port 443, and that it is running Nagios XI.

Apache Server version

Here, we also note the Apache HTTP Server version: 2.4.56.

389 - ldap

KIV.

5667

KIV.

UDP service scan

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-01 11:36 +08
Warning: 10.10.11.248 giving up on port because retransmission cap hit (10).
Nmap scan report for nagios.monitored.htb (10.10.11.248)
Host is up (0.39s latency).
Not shown: 65445 open|filtered udp ports (no-response), 88 closed udp ports (port-unreach)
PORT    STATE SERVICE
123/udp open  ntp
161/udp open  snmp

Nmap done: 1 IP address (1 host up) scanned in 85.33 seconds

After the UDP scan is done, I run a service scan with the open UDP ports.

cat nmap/nmap_open_ports_UDP | grep ' open ' | awk -F"/" '{print $1}' | paste -sd, > nmap/open_ports_UDP
nmap -sU -sV -sC -pU:$(cat nmap/open_ports_UDP) --min-rate 10000 10.10.11.248 | tee nmap/nmap_service_scan_UDP
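The grep/awk/paste pipeline above (used for both the TCP and the UDP port lists) only keeps lines containing a literal ' open ', so a UDP port reported as open|filtered is silently dropped. As an added example that is not part of the original write-up, the following Python parser reads Nmap's normal output, keeps protocol and state per port, and produces the same comma-separated string, with the open|filtered handling made explicit. The TCP sample is taken from the scan output above; the UDP sample is constructed for the example and adds an open|filtered line that a scan without --open would show.

```python
"""Parse Nmap normal-output port lines into structured records.

Added example (not from the original write-up): a replacement for the
grep/awk/paste pipeline that keeps protocol and state, so one parser
serves both the TCP and UDP reports and the caller decides whether
'open|filtered' UDP ports are included in the follow-up scan list.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches lines such as "22/tcp   open  ssh" or "161/udp open|filtered snmp".
# Header lines ("PORT STATE SERVICE") and script output ("| ssh-hostkey:") do not match.
PORT_LINE = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open(?:\|filtered)?|closed|filtered)\s+"
    r"(?P<service>\S+)"
)


@dataclass(frozen=True)
class PortRecord:
    port: int
    proto: str
    state: str
    service: str


def parse_nmap_ports(text: str) -> list[PortRecord]:
    """Return one PortRecord per port line found in Nmap normal output."""
    records: list[PortRecord] = []
    for line in text.splitlines():
        match = PORT_LINE.match(line.strip())
        if match:
            records.append(
                PortRecord(int(match["port"]), match["proto"], match["state"], match["service"])
            )
    return records


def open_port_list(records: list[PortRecord], proto: str, include_open_filtered: bool = False) -> str:
    """Comma-joined, sorted, de-duplicated port numbers for one protocol.

    With include_open_filtered=False this reproduces the grep ' open ' behaviour
    of the shell pipeline; with True, open|filtered UDP ports are kept as well.
    """
    wanted = {"open"} | ({"open|filtered"} if include_open_filtered else set())
    ports = sorted({r.port for r in records if r.proto == proto and r.state in wanted})
    return ",".join(str(p) for p in ports)


# TCP sample: the port lines from the scan output in the write-up.
SAMPLE_TCP = """\
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
389/tcp  open  ldap
443/tcp  open  https
5667/tcp open  unknown
"""

# UDP sample: constructed for this example; the 500/udp line is hypothetical
# and shows the open|filtered state that a UDP scan without --open reports.
SAMPLE_UDP = """\
PORT    STATE         SERVICE
123/udp open          ntp
161/udp open          snmp
500/udp open|filtered isakmp
"""

if __name__ == "__main__":
    tcp = parse_nmap_ports(SAMPLE_TCP)
    udp = parse_nmap_ports(SAMPLE_UDP)
    print("TCP:", open_port_list(tcp, "tcp"))
    print("UDP (open only):", open_port_list(udp, "udp"))
    print("UDP (incl. open|filtered):", open_port_list(udp, "udp", include_open_filtered=True))
```

The string returned by open_port_list can be passed straight to -p (or -pU:) exactly as the shell pipeline's file is, and the records keep the service name so the same parse can feed an asset inventory rather than only the next scan.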

UDP scans take a while, but we can see that there are 2 UDP ports open.

123 - ntp

KIV, in case we need to sync clocks.

PORT    STATE SERVICE VERSION
123/udp open  ntp     NTP v4 (unsynchronized)

161 - snmp

KIV.

PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-interfaces:
|   lo
|     IP address: 127.0.0.1  Netmask: 255.0.0.0
|     Type: softwareLoopback  Speed: 10 Mbps
|     Traffic stats: 376.55 Kb sent, 376.55 Kb received
|   VMware VMXNET3 Ethernet Controller
|     IP address: 10.10.11.248  Netmask: 255.255.254.0
|     MAC address: 00:50:56:b0:df:a5 (VMware)
|     Type: ethernetCsmacd  Speed: 4 Gbps
|_    Traffic stats: 30.87 Mb sent, 63.88 Mb received
| snmp-info:
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: 6f3fa7421af94c6500000000
|   snmpEngineBoots: 36
|_  snmpEngineTime: 55m01s
| snmp-sysdescr: Linux monitored 5.10.0-28-amd64 #1 SMP Debian 

...<truncated>...


port 80 / 443

We almost always start looking into web ports when we see them.

Nagios XI

After adding nagios.monitored.htb (and monitored.htb just in case) to the /etc/hosts file, we see the Nagios XI page.

An extensible, enterprise-level infrastructure monitoring solution with time-saving, easy-to-use features.

https://www.nagios.com/products/nagios-xi/

https://monitored.htb also shows the same page.

default credentials

I like to Google the default credentials and try them. Here it says the default SSH creds are root:nagiosxi and the web default username is nagiosadmin, while the password is set upon first access.

trying default creds

No harm trying.

The creds don’t work for the web login either.

directory enumeration

Before I try any exploits, I wanted to continue enumerating.

ffuf

I am using 2 different wordlists just in case.

ffuf -u 'http://monitored.htb/FUZZ' -ac -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt

Nothing, which is kind of expected since it’s not custom software.

port 389 - ldap