
HackTheBox – Monitored

00:00 – Introduction
01:00 – Start of nmap
02:40 – Examining the webpage, not finding much
05:30 – Checking out SNMP, discovering it's open with the default community string. Installing MIBs so we can make sense of the data
08:20 – The process list is in SNMP, explaining how to read this data
12:40 – Grepping for interesting processes, discovering there's a bash script that has user credentials in its arguments! Attempting to log into Nagios with them
14:00 – The SVC account couldn't log in on the GUI, looking for how to log in via an API
15:45 – Logging into Nagios, discovering it is version 5.11.0 which is vulnerable to a SQL Injection
17:40 – Manually exploiting this Error Based SQL Injection with XPATH
26:45 – Using Burp Suite Intruder to dump the TABLES, then editing the columns in Burp Suite to show tables easily
33:40 – The API key is too long to display, using SUBSTRING to grab the API key across multiple requests
35:45 – Finding a way to register a new user with our API KEY and make them an administrator
39:00 – Creating a Nagios Check to send us a shell
41:20 – Showing how to perform the SQL Injection through SQLMap
49:00 – Finding the MySQL Password of Nagios
51:00 – Discovering the Nagios user has a bunch of sudo rules
57:00 – (Root method 1) Exploiting getprofile by creating a symlink
59:00 – (Root method 2) Overwriting the Nagios binary, then using sudo to restart the service to get a root shell


by IppSec


15 thoughts on “HackTheBox – Monitored”

  • As someone preparing for OSCP in less than 2 weeks, my heart was full when you said let's just do it manually. Thank you ❤

  • You can add --top-ports 10; it is much faster than a normal UDP scan

  • 'we are not known for taking notes here' – Ippsec, 2024

  • How are you executing sudo -l without being prompted to put in the password?

    zero and one, like that

  • 45:58 there's a `-hh` for a more verbose help on sqlmap. That likely hides your `--force-ssl` flag.

  • 46:04 you can find the --force-ssl option using sqlmap itself by running: sqlmap -hh

  • What is your device setup like @IppSec? Is it like bare metal ubuntu and all the security stuff you do is on VM's or some other kind of setup? Thank you in advance!

  • I'm not understanding why you've used SNMP but nmap didn't show it 😮

  • Always love your videos, well explained❤️❤, love from Bharat🇮🇳❤❤
