Cheat sheet for pentesters and researchers about monitoring systems exploitation.
Check the version of the system. Try to log in with default credentials.
| SSH Credentials | Database Credentials | Web Credentials | Port | |
|---|---|---|---|---|
| Zabbix <= 2.4 | root/zabbix zabbix/zabbix | root/zabbix zabbix/zabbix | Admin/zabbix admin/admin | 10050 10051 |
| Zabbix >= 3.0 | appliance/zabbix | zabbix/zabbix | Admin/zabbix Admin/Admin | 10050 10051 |
| Nagios | root/nagiosxi | -- | nagiosadmin/nagios nagiosadmin/nagiosadmin | 5666 |
| Cacti | -- | cactiuser/cactiuser | admin/admin | 80 443 8080 |
Known vulnerabilities.
| NagiosXI | Version |
|---|---|
| NRPE RCE | 5.2.8<= |
| Chained RCE | 5.2.7<= |
| Chained Remote Root | 5.4.12<= |
| Zabbix | Version |
|---|---|
| Command Execution | 1.7.4<= |
| Cacti | Version |
|---|---|
| SQL Injection | 0.8.8g<= |
| SQL Injection | 0.8.8f |
| SQL Injection | 0.8.8f |
| SQL Injection | 0.8.8d |
| SQL Injection | 0.8.8c |
| Reflected XSS | 0.8.8b |
| SQL Injection | 0.8.8b |
| Reflected XSS | 1.1.12 |
| Reflected XSS | 1.1.13 |
| Path Traversal | 1.1.15 |
| RCE | 1.1.15 |
| Reflected XSS | 1.1.15 |
| Reflected XSS | 1.1.17 |
| Stored XSS | 1.1.17 |
| Reflected XSS | 1.1.23 |
| RCE | 1.1.27 |
| AFR+RCE | 1.1.27 |
You are successfully logged in, what's next?
Spawning PHP Shell via component uploading
XSS -> RCE vector. Spawning shell via JS execution (worked on NagiosXI <= 5.4.12)
XSS -> RCE by polict (NagiosXI 5.5.10)
RCE on Monitored Hosts through the NRPE(<= 2.14) plugin
NagiosXI Vulnerability Chaining. Death By a Thousand Cuts (<= 5.4.12)
Stealing administrator's session and creating our own privileged account (ARP-spoofing)
Spawn shell on monitored agents (Unix/Windows)
PRTG NETWORK MONITOR PRIVILEGE ESCALATION (version 18.2.41.1652) || Exploit