“Monitoring:1” Vulnhub Machine Writeup

In this article we are going to solve the VulnHub machine “Monitoring:1”, which can be downloaded from here.

After starting the vulnerable machine, we first need to discover its IP address. For this I will be using the arp-scan tool.

Finding IP Address of the Vulnerable Machine

The highlighted one is the required IP. Now let's scan the services running on this vulnerable machine using nmap.

Nmap Scanning for Services

Using this we can go in depth and probe these services for more details. Let's perform an nmap aggressive scan on these services.

Aggressive Scan Output

As we can see, there is a service running on port 80 with the title Nagios XI. Visiting this web page shows a simple page with a single “Access Nagios XI” button. Checking the source code reveals nothing.

Clicking this blue button takes us to a login page.

Trying some common username and password pairs like admin-admin, admin-password and root-root gives no access. But the default Nagios username (google to find the default username) with the password “admin” gives us access. Now we have a username and password for Nagios XI.

Let's move to the Metasploit Framework for exploitation.

Searching for Nagios RCE

As we can see, the first exploit, with an excellent rank, could give RCE. We need to try this exploit.

Variables to be set for exploitation
Setting up variables and running the exploit

wooohhoooo!!!!!! We can see our awesome word “meterpreter” here, which means we gained access and our exploit worked successfully. Now let's get access to a bash shell by running a simple line of Python on the shell (for other languages check this).

As we can see, we gained access as the root user, which means we can access the /root directory. Maybe we could find our flag in /root; let's move there and check the /root directory.

Final flag

And here we found our flag 😉😉😉😉😉😉

This machine falls in the very easy category, but it is good for beginners like me because it teaches a wonderful lesson: always go for the low-hanging fruit first. In spite of tempting services like ssh and ldap, we were able to find our path through a simple HTTP web page.
