SNMP
The Nmap UDP scan result revealed that an SNMP service is running on the target's UDP port 161
┌──(kali㉿kali)-[~/archive/htb/labs/pit]
└─$ sudo nmap -sU -sC -sV -p161 $IP
starting nmap 7.93 ( https://nmap.org ) at 2023-04-07 10:46 CEST
Nmap scan report for dms-pit.htb (10.10.10.241)
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-processes:
| 1:
| name: systemd
| path: /usr/lib/systemd/systemd
| params: --switched-root --system --deserialize 17
| 2:
| name: kthreadd
| 3:
| name: rcu_gp
| 4:
| name: rcu_par_gp
| 6:
| name: kworker/0:0H-events_highpri
| 9:
| name: mm_percpu_wq
| 10:
| name: ksoftirqd/0
| 11:
| name: rcu_sched
| 12:
| name: migration/0
| 13:
| name: watchdog/0
| 14:
| name: cpuhp/0
| 15:
| name: cpuhp/1
| 16:
| name: watchdog/1
| 17:
| name: migration/1
| 18:
| name: ksoftirqd/1
| 20:
| name: kworker/1:0H-events_highpri
| 23:
| name: kdevtmpfs
| 24:
| name: netns
| 25:
| name: kauditd
| 26:
| name: khungtaskd
| 27:
| name: oom_reaper
| 28:
| name: writeback
| 29:
| name: kcompactd0
| 30:
| name: ksmd
| 31:
| name: khugepaged
| 32:
| name: crypto
| 33:
| name: kintegrityd
| 34:
| name: kblockd
| 35:
| name: blkcg_punt_bio
| 36:
| name: tpm_dev_wq
| 37:
| name: md
| 38:
| name: edac-poller
| 39:
| name: watchdogd
| 40:
| name: kworker/0:1H-kblockd
| 61:
| name: kswapd0
| 155:
| name: kthrotld
| 156:
| name: irq/24-pciehp
| 157:
| name: irq/25-pciehp
| 158:
| name: irq/26-pciehp
| 159:
| name: irq/27-pciehp
| 160:
| name: irq/28-pciehp
| 161:
| name: irq/29-pciehp
| 162:
| name: irq/30-pciehp
| 163:
| name: irq/31-pciehp
| 164:
| name: irq/32-pciehp
| 165:
| name: irq/33-pciehp
| 166:
| name: irq/34-pciehp
| 167:
| name: irq/35-pciehp
| 168:
| name: irq/36-pciehp
| 169:
| name: irq/37-pciehp
| 170:
| name: irq/38-pciehp
| 171:
| name: irq/39-pciehp
| 172:
| name: irq/40-pciehp
| 173:
| name: irq/41-pciehp
| 174:
| name: irq/42-pciehp
| 175:
| name: irq/43-pciehp
| 176:
| name: irq/44-pciehp
| 177:
| name: irq/45-pciehp
| 178:
| name: irq/46-pciehp
| 179:
| name: irq/47-pciehp
| 180:
| name: irq/48-pciehp
| 181:
| name: irq/49-pciehp
| 182:
| name: irq/50-pciehp
| 183:
| name: irq/51-pciehp
| 184:
| name: irq/52-pciehp
| 185:
| name: irq/53-pciehp
| 186:
| name: irq/54-pciehp
| 187:
| name: irq/55-pciehp
| 188:
| name: acpi_thermal_pm
| 189:
| name: kmpath_rdacd
| 190:
| name: kaluad
| 192:
| name: ipv6_addrconf
| 193:
| name: kstrp
| 306:
| name: kworker/1:1H-xfs-log/dm-0
| 510:
| name: ata_sff
| 512:
| name: scsi_eh_0
| 513:
| name: scsi_eh_1
| 515:
| name: scsi_tmf_0
| 516:
| name: mpt_poll_0
| 517:
| name: scsi_tmf_1
| 518:
| name: scsi_eh_2
| 519:
| name: mpt/0
| 520:
| name: scsi_tmf_2
| 521:
| name: scsi_eh_3
| 523:
| name: scsi_tmf_3
| 524:
| name: scsi_eh_4
| 525:
| name: scsi_tmf_4
| 526:
| name: scsi_eh_5
| 529:
| name: scsi_tmf_5
| 531:
| name: scsi_eh_6
| 532:
| name: scsi_tmf_6
| 533:
| name: scsi_eh_7
| 535:
| name: scsi_tmf_7
| 536:
| name: scsi_eh_8
| 537:
| name: scsi_tmf_8
| 538:
| name: scsi_eh_9
| 539:
| name: scsi_tmf_9
| 540:
| name: scsi_eh_10
| 541:
| name: scsi_tmf_10
| 542:
| name: scsi_eh_11
| 544:
| name: scsi_tmf_11
| 545:
| name: scsi_eh_12
| 547:
| name: scsi_tmf_12
| 548:
| name: scsi_eh_13
| 549:
| name: scsi_tmf_13
| 550:
| name: scsi_eh_14
| 551:
| name: scsi_tmf_14
| 552:
| name: scsi_eh_15
| 553:
| name: scsi_tmf_15
| 554:
| name: scsi_eh_16
| 555:
| name: scsi_tmf_16
| 556:
| name: scsi_eh_17
| 557:
| name: scsi_tmf_17
| 558:
| name: scsi_eh_18
| 559:
| name: scsi_tmf_18
| 560:
| name: scsi_eh_19
| 561:
| name: scsi_tmf_19
| 562:
| name: scsi_eh_20
| 563:
| name: scsi_tmf_20
| 564:
| name: scsi_eh_21
| 565:
| name: scsi_tmf_21
| 566:
| name: scsi_eh_22
| 567:
| name: scsi_tmf_22
| 568:
| name: scsi_eh_23
| 569:
| name: scsi_tmf_23
| 570:
| name: scsi_eh_24
| 571:
| name: scsi_tmf_24
| 572:
| name: scsi_eh_25
| 573:
| name: scsi_tmf_25
| 574:
| name: scsi_eh_26
| 575:
| name: scsi_tmf_26
| 576:
| name: scsi_eh_27
| 577:
| name: scsi_tmf_27
| 578:
| name: scsi_eh_28
| 579:
| name: scsi_tmf_28
| 580:
| name: scsi_eh_29
| 581:
| name: scsi_tmf_29
| 582:
| name: scsi_eh_30
| 583:
| name: scsi_tmf_30
| 584:
| name: scsi_eh_31
| 585:
| name: scsi_tmf_31
| 586:
| name: scsi_eh_32
| 587:
| name: scsi_tmf_32
| 638:
| name: irq/16-vmwgfx
| 639:
| name: ttm_swap
| 640:
| name: card0-crtc0
| 641:
| name: card0-crtc1
| 642:
| name: card0-crtc2
| 643:
| name: card0-crtc3
| 644:
| name: card0-crtc4
| 645:
| name: card0-crtc5
| 646:
| name: card0-crtc6
| 647:
| name: card0-crtc7
| 684:
| name: kdmflush
| 695:
| name: kdmflush
| 720:
| name: xfsalloc
| 721:
| name: xfs_mru_cache
| 722:
| name: xfs-buf/dm-0
| 723:
| name: xfs-conv/dm-0
| 724:
| name: xfs-cil/dm-0
| 725:
| name: xfs-reclaim/dm-
| 726:
| name: xfs-eofblocks/d
| 727:
| name: xfs-log/dm-0
| 728:
| name: xfsaild/dm-0
| 824:
| name: systemd-journal
| path: /usr/lib/systemd/systemd-journald
| 858:
| name: systemd-udevd
| path: /usr/lib/systemd/systemd-udevd
| 909:
| name: kdmflush
| 922:
| name: xfs-buf/dm-2
| 923:
| name: xfs-conv/dm-2
| 924:
| name: xfs-cil/dm-2
| 925:
| name: xfs-reclaim/dm-
| 926:
| name: xfs-eofblocks/d
| 928:
| name: xfs-log/dm-2
| 935:
| name: xfsaild/dm-2
| 936:
| name: nfit
| 941:
| name: jbd2/sda1-8
| 942:
| name: ext4-rsv-conver
| 966:
| name: auditd
| path: /sbin/auditd
| 968:
| name: sedispatch
| path: /usr/sbin/sedispatch
| 1001:
| name: dbus-daemon
| path: /usr/bin/dbus-daemon
| params: --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
| 1002:
| name: sssd
| path: /usr/sbin/sssd
| params: -i --logger=files
| 1004:
| name: polkitd
| path: /usr/lib/polkit-1/polkitd
| params: --no-debug
| 1006:
| name: irqbalance
| path: /usr/sbin/irqbalance
| params: --foreground
| 1007:
| name: VGAuthService
| path: /usr/bin/VGAuthService
| params: -s
| 1008:
| name: vmtoolsd
| path: /usr/bin/vmtoolsd
| 1014:
| name: rngd
| path: /sbin/rngd
| params: -f --fill-watermark=0
| 1016:
| name: chronyd
| path: /usr/sbin/chronyd
| 1032:
| name: sssd_be
| path: /usr/libexec/sssd/sssd_be
| params: --domain implicit_files --uid 0 --gid 0 --logger=files
| 1043:
| name: sssd_nss
| path: /usr/libexec/sssd/sssd_nss
| params: --uid 0 --gid 0 --logger=files
| 1075:
| name: systemd-logind
| path: /usr/lib/systemd/systemd-logind
| 1078:
| name: firewalld
| path: /usr/libexec/platform-python
| params: -s /usr/sbin/firewalld --nofork --nopid
| 1089:
| name: NetworkManager
| path: /usr/sbin/NetworkManager
| params: --no-daemon
| 1099:
| name: sshd
| path: /usr/sbin/sshd
| params: -D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128
| 1100:
| name: tuned
| path: /usr/libexec/platform-python
| params: -Es /usr/sbin/tuned -l -P
| 1132:
| name: crond
| path: /usr/sbin/crond
| params: -n
| 1139:
| name: nginx
| path: nginx: master process /usr/sbin/nginx
| 1140:
| name: nginx
| path: nginx: worker process
| 1141:
| name: nginx
| path: nginx: worker process
| 1152:
| name: agetty
| path: /sbin/agetty
| params: -o -p -- \u --noclear tty1 linux
| 1205:
| name: mysqld
| path: /usr/libexec/mysqld
| params: --basedir=/usr
| 1478:
| name: rsyslogd
| path: /usr/sbin/rsyslogd
| params: -n
| 1479:
| name: snmpd
| path: /usr/sbin/snmpd
| params: -LS0-6d -f
| 2160:
| name: cockpit-tls
| path: /usr/libexec/cockpit-tls
| 2398:
| name: kworker/0:7-events
| 6906:
| name: kworker/0:15-events
| 8280:
| name: kworker/0:17-cgroup_pidlist_destroy
| 12541:
| name: kworker/1:23-events
| 13602:
| name: kworker/1:25-events
| 17536:
| name: kworker/0:25-events
| 18642:
| name: kworker/0:26-events
| 21449:
| name: kworker/u4:1-events_unbound
| 24954:
| name: anacron
| path: /usr/sbin/anacron
| params: -s
| 25712:
| name: kworker/0:2-events
| 28025:
| name: kworker/0:3-cgroup_pidlist_destroy
| 28676:
| name: kworker/1:0-events
| 28680:
| name: kworker/1:1-events
| 28698:
| name: kworker/1:2-events
| 28702:
| name: kworker/1:3-events
| 28723:
| name: kworker/1:4-events
| 30356:
| name: kworker/1:5-events
| 30379:
| name: kworker/1:6-events
| 31352:
| name: kworker/0:0-events
| 32426:
| name: kworker/0:4-events
| 32487:
| name: kworker/1:8-events
| 33484:
| name: kworker/0:5-events
| 33513:
| name: kworker/1:9-events
| 34091:
| name: kworker/1:10-events
| 35103:
| name: kworker/0:8-events
| 35176:
| name: kworker/1:13-events
| 36883:
| name: kworker/0:10-events
| 37679:
| name: kworker/1:15-events
| 37710:
| name: kworker/1:16-events
| 37739:
| name: kworker/1:17-events
| 38786:
| name: kworker/1:18-events
| 38805:
| name: kworker/0:11-events
| 38843:
| name: kworker/1:19-events
| 41934:
| name: kworker/1:20-events
| 41947:
| name: kworker/0:16-cgroup_pidlist_destroy
| 43883:
| name: kworker/1:24-events
| 43935:
| name: kworker/1:26-events
| 43967:
| name: kworker/u4:0-flush-253:0
| 44799:
| name: kworker/0:18-events
| 45871:
| name: kworker/0:19-events
| 47732:
| name: kworker/0:20-events
| 47762:
| name: kworker/1:7-events
| 50547:
| name: kworker/1:11-events
| 51252:
| name: php-fpm
| path: php-fpm: master process (/etc/php-fpm.conf)
| 51253:
| name: php-fpm
| path: php-fpm: pool www
| 51254:
| name: php-fpm
| path: php-fpm: pool www
| 51255:
| name: php-fpm
| path: php-fpm: pool www
| 51256:
| name: php-fpm
| path: php-fpm: pool www
| 51257:
| name: php-fpm
| path: php-fpm: pool www
| 51268:
| name: php-fpm
| path: php-fpm: pool www
| 51528:
| name: php-fpm
| path: php-fpm: pool www
| 51530:
| name: php-fpm
| path: php-fpm: pool www
| 51590:
| name: php-fpm
| path: php-fpm: pool www
| 51592:
| name: php-fpm
| path: php-fpm: pool www
| 52500:
| name: php-fpm
| path: php-fpm: pool www
| 52549:
| name: kworker/1:12-events
| 52586:
|_ name: cockpit-ws
| snmp-info:
| enterprise: net-snmp
| engineidformat: unknown
| engineiddata: 4ca7e41263c5985e00000000
| snmpengineboots: 76
|_ snmpenginetime: 1h45m12s
| snmp-sysdescr: Linux pit.htb 4.18.0-305.10.2.el8_4.x86_64 #1 SMP Tue Jul 20 17:25:16 UTC 2021 x86_64
|_ system uptime: 1h45m12.62s (631262 timeticks)
service info: Host: pit.htb
service detection performed. please report any incorrect results at https://nmap.org/submit/ .
nmap done: 1 IP address (1 host up) scanned in 237.91 seconds
Performing an additional Nmap scan for detailed enumeration of the SNMP service.
While the SNMP service appears to support both v1 and v3, I can see all the processes that the target system is running.
It also shows the kernel information as well as the hostname of the target system: pit.htb
It goes into the /etc/hosts file on Kali for local DNS resolution.
Community String
┌──(kali㉿kali)-[~/archive/htb/labs/pit]
└─$ sudo nmap -sU --script snmp-brute -p161 $IP
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-07 11:07 CEST
Nmap scan report for dms-pit.htb (10.10.10.241)
Host is up (0.095s latency).
PORT STATE SERVICE
161/udp open snmp
| snmp-brute:
|_ public - Valid credentials
Nmap done: 1 IP address (1 host up) scanned in 3.01 seconds
The community string is public.
Nmap had already performed this operation earlier as part of the -sC flag, but I can confirm it again using the individual script.
┌──(kali㉿kali)-[~/archive/htb/labs/pit]
└─$ hydra -P /usr/share/wordlists/seclists/Discovery/SNMP/snmp.txt snmp://$IP
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-07 11:08:15
[DATA] max 16 tasks per 1 server, overall 16 tasks, 3217 login tries (l:1/p:3217), ~202 tries per task
[DATA] attacking snmp://10.10.10.241:161/
[161][snmp] host: 10.10.10.241 password: public
[STATUS] attack finished for 10.10.10.241 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-04-07 11:08:15
Hydra can do it as well.
┌──(kali㉿kali)-[~/archive/htb/labs/pit]
└─$ onesixtyone -c /usr/share/wordlists/seclists/Discovery/SNMP/snmp.txt $IP/24
Scanning 256 hosts, 3219 communities
10.10.10.241 [public] Linux pit.htb 4.18.0-305.10.2.el8_4.x86_64 #1 SMP Tue Jul 20 17:25:16 UTC 2021 x86_64
Another tool that I can use is onesixtyone, which is specialized for mass SNMP scanning.
Notice the /24 range suffix that I put after the $IP variable.
Enumeration
There are 2 notable tools when it comes to enumerating SNMP agents.
The first one is snmpwalk, which is part of the net-snmp suite. snmpwalk allows users to finely control the query; users are able to query for a specific OID or MIB.
The second one is snmp-check, which mainly focuses on general enumeration. snmp-check displays output in a much more user-friendly manner compared to the first one.
For this operation, I will go with snmpwalk to check for details.
┌──(kali㉿kali)-[~/archive/htb/labs/pit]
└─$ snmpwalk -v 1 -c public $IP .1
snmpv2-mib::sysDescr.0 = STRING: Linux pit.htb 4.18.0-305.10.2.el8_4.x86_64 #1 SMP Tue Jul 20 17:25:16 UTC 2021 x86_64
snmpv2-mib::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
disman-event-mib::sysUpTimeInstance = Timeticks: (1268207) 3:31:22.07
snmpv2-mib::sysContact.0 = STRING: Root <root@localhost> (configure /etc/snmp/snmp.local.conf)
snmpv2-mib::sysName.0 = STRING: pit.htb
snmpv2-mib::sysLocation.0 = STRING: Unknown (edit /etc/snmp/snmpd.conf)
snmpv2-mib::sysORLastChange.0 = Timeticks: (1) 0:00:00.01
snmpv2-mib::sysORID.1 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
snmpv2-mib::sysORID.2 = OID: SNMP-MPD-MIB::snmpMPDCompliance
snmpv2-mib::sysORID.3 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
snmpv2-mib::sysORID.4 = OID: SNMPv2-MIB::snmpMIB
snmpv2-mib::sysORID.5 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
snmpv2-mib::sysORID.6 = OID: TCP-MIB::tcpMIB
snmpv2-mib::sysORID.7 = OID: IP-MIB::ip
snmpv2-mib::sysORID.8 = OID: UDP-MIB::udpMIB
snmpv2-mib::sysORID.9 = OID: SNMP-NOTIFICATION-MIB::snmpNotifyFullCompliance
snmpv2-mib::sysORID.10 = OID: NOTIFICATION-LOG-MIB::notificationLogMIB
snmpv2-mib::sysORDescr.1 = STRING: The SNMP Management Architecture MIB.
snmpv2-mib::sysORDescr.2 = STRING: The MIB for Message Processing and Dispatching.
snmpv2-mib::sysORDescr.3 = STRING: The management information definitions for the SNMP User-based Security Model.
snmpv2-mib::sysORDescr.4 = STRING: The MIB module for SNMPv2 entities
snmpv2-mib::sysORDescr.5 = STRING: View-based Access Control Model for SNMP.
snmpv2-mib::sysORDescr.6 = STRING: The MIB module for managing TCP implementations
snmpv2-mib::sysORDescr.7 = STRING: The MIB module for managing IP and ICMP implementations
snmpv2-mib::sysORDescr.8 = STRING: The MIB module for managing UDP implementations
snmpv2-mib::sysORDescr.9 = STRING: The MIB modules for managing SNMP Notification, plus filtering.
snmpv2-mib::sysORDescr.10 = STRING: The MIB module for logging SNMP Notifications.
snmpv2-mib::sysORUpTime.1 = Timeticks: (0) 0:00:00.00
host-resources-mib::hrSystemUptime.0 = Timeticks: (1272740) 3:32:07.40
host-resources-mib::hrSWRunIndex.1 = INTEGER: 1
host-resources-mib::hrSWRunName.1 = STRING: "systemd"
host-resources-mib::hrSWRunName.2 = STRING: "kthreadd"
host-resources-mib::hrSWRunName.3 = STRING: "rcu_gp"
host-resources-mib::hrSWRunName.4 = STRING: "rcu_par_gp"
host-resources-mib::hrSWRunName.6 = STRING: "kworker/0:0H-events_highpri"
host-resources-mib::hrSWRunName.9 = STRING: "mm_percpu_wq"
host-resources-mib::hrSWRunName.10 = STRING: "ksoftirqd/0"
host-resources-mib::hrSWRunName.11 = STRING: "rcu_sched"
host-resources-mib::hrSWRunName.12 = STRING: "migration/0"
host-resources-mib::hrSWRunName.13 = STRING: "watchdog/0"
host-resources-mib::hrSWRunName.14 = STRING: "cpuhp/0"
host-resources-mib::hrSWRunName.15 = STRING: "cpuhp/1"
host-resources-mib::hrSWRunName.16 = STRING: "watchdog/1"
host-resources-mib::hrSWRunName.17 = STRING: "migration/1"
host-resources-mib::hrSWRunName.18 = STRING: "ksoftirqd/1"
host-resources-mib::hrSWRunName.20 = STRING: "kworker/1:0H-events_highpri"
host-resources-mib::hrSWRunName.23 = STRING: "kdevtmpfs"
host-resources-mib::hrSWRunName.24 = STRING: "netns"
host-resources-mib::hrSWRunName.25 = STRING: "kauditd"
host-resources-mib::hrSWRunName.26 = STRING: "khungtaskd"
host-resources-mib::hrSWRunName.27 = STRING: "oom_reaper"
host-resources-mib::hrSWRunName.28 = STRING: "writeback"
host-resources-mib::hrSWRunName.29 = STRING: "kcompactd0"
host-resources-mib::hrSWRunName.30 = STRING: "ksmd"
host-resources-mib::hrSWRunName.31 = STRING: "khugepaged"
host-resources-mib::hrSWRunName.32 = STRING: "crypto"
host-resources-mib::hrSWRunName.33 = STRING: "kintegrityd"
host-resources-mib::hrSWRunName.34 = STRING: "kblockd"
host-resources-mib::hrSWRunName.35 = STRING: "blkcg_punt_bio"
host-resources-mib::hrSWRunName.36 = STRING: "tpm_dev_wq"
host-resources-mib::hrSWRunName.37 = STRING: "md"
host-resources-mib::hrSWRunName.38 = STRING: "edac-poller"
host-resources-mib::hrSWRunName.39 = STRING: "watchdogd"
host-resources-mib::hrSWRunName.40 = STRING: "kworker/0:1H-kblockd"
host-resources-mib::hrSWRunName.61 = STRING: "kswapd0"
host-resources-mib::hrSWRunName.155 = STRING: "kthrotld"
host-resources-mib::hrSWRunName.156 = STRING: "irq/24-pciehp"
host-resources-mib::hrSWRunName.188 = STRING: "acpi_thermal_pm"
host-resources-mib::hrSWRunName.189 = STRING: "kmpath_rdacd"
host-resources-mib::hrSWRunName.190 = STRING: "kaluad"
host-resources-mib::hrSWRunName.192 = STRING: "ipv6_addrconf"
host-resources-mib::hrSWRunName.193 = STRING: "kstrp"
host-resources-mib::hrSWRunName.306 = STRING: "kworker/1:1H-kblockd"
host-resources-mib::hrSWRunName.510 = STRING: "ata_sff"
host-resources-mib::hrSWRunName.512 = STRING: "scsi_eh_0"
host-resources-mib::hrSWRunName.513 = STRING: "scsi_eh_1"
host-resources-mib::hrSWRunName.515 = STRING: "scsi_tmf_0"
host-resources-mib::hrSWRunName.516 = STRING: "mpt_poll_0"
host-resources-mib::hrSWRunName.517 = STRING: "scsi_tmf_1"
host-resources-mib::hrSWRunName.518 = STRING: "scsi_eh_2"
host-resources-mib::hrSWRunName.519 = STRING: "mpt/0"
host-resources-mib::hrSWRunName.638 = STRING: "irq/16-vmwgfx"
host-resources-mib::hrSWRunName.639 = STRING: "ttm_swap"
host-resources-mib::hrSWRunName.640 = STRING: "card0-crtc0"
host-resources-mib::hrSWRunName.641 = STRING: "card0-crtc1"
host-resources-mib::hrSWRunName.642 = STRING: "card0-crtc2"
host-resources-mib::hrSWRunName.643 = STRING: "card0-crtc3"
host-resources-mib::hrSWRunName.644 = STRING: "card0-crtc4"
host-resources-mib::hrSWRunName.645 = STRING: "card0-crtc5"
host-resources-mib::hrSWRunName.646 = STRING: "card0-crtc6"
host-resources-mib::hrSWRunName.647 = STRING: "card0-crtc7"
host-resources-mib::hrSWRunName.684 = STRING: "kdmflush"
host-resources-mib::hrSWRunName.695 = STRING: "kdmflush"
host-resources-mib::hrSWRunName.720 = STRING: "xfsalloc"
host-resources-mib::hrSWRunName.721 = STRING: "xfs_mru_cache"
host-resources-mib::hrSWRunName.722 = STRING: "xfs-buf/dm-0"
host-resources-mib::hrSWRunName.723 = STRING: "xfs-conv/dm-0"
host-resources-mib::hrSWRunName.724 = STRING: "xfs-cil/dm-0"
host-resources-mib::hrSWRunName.725 = STRING: "xfs-reclaim/dm-"
host-resources-mib::hrSWRunName.726 = STRING: "xfs-eofblocks/d"
host-resources-mib::hrSWRunName.727 = STRING: "xfs-log/dm-0"
host-resources-mib::hrSWRunName.728 = STRING: "xfsaild/dm-0"
host-resources-mib::hrSWRunName.824 = STRING: "systemd-journal"
host-resources-mib::hrSWRunName.858 = STRING: "systemd-udevd"
host-resources-mib::hrSWRunName.909 = STRING: "kdmflush"
host-resources-mib::hrSWRunName.922 = STRING: "xfs-buf/dm-2"
host-resources-mib::hrSWRunName.923 = STRING: "xfs-conv/dm-2"
host-resources-mib::hrSWRunName.924 = STRING: "xfs-cil/dm-2"
host-resources-mib::hrSWRunName.925 = STRING: "xfs-reclaim/dm-"
host-resources-mib::hrSWRunName.926 = STRING: "xfs-eofblocks/d"
host-resources-mib::hrSWRunName.928 = STRING: "xfs-log/dm-2"
host-resources-mib::hrSWRunName.935 = STRING: "xfsaild/dm-2"
host-resources-mib::hrSWRunName.936 = STRING: "nfit"
host-resources-mib::hrSWRunName.941 = STRING: "jbd2/sda1-8"
host-resources-mib::hrSWRunName.942 = STRING: "ext4-rsv-conver"
host-resources-mib::hrSWRunName.966 = STRING: "auditd"
host-resources-mib::hrSWRunName.968 = STRING: "sedispatch"
host-resources-mib::hrSWRunName.1001 = STRING: "dbus-daemon"
host-resources-mib::hrSWRunName.1002 = STRING: "sssd"
host-resources-mib::hrSWRunName.1004 = STRING: "polkitd"
host-resources-mib::hrSWRunName.1006 = STRING: "irqbalance"
host-resources-mib::hrSWRunName.1007 = STRING: "VGAuthService"
host-resources-mib::hrSWRunName.1008 = STRING: "vmtoolsd"
host-resources-mib::hrSWRunName.1014 = STRING: "rngd"
host-resources-mib::hrSWRunName.1016 = STRING: "chronyd"
host-resources-mib::hrSWRunName.1032 = STRING: "sssd_be"
host-resources-mib::hrSWRunName.1043 = STRING: "sssd_nss"
host-resources-mib::hrSWRunName.1075 = STRING: "systemd-logind"
host-resources-mib::hrSWRunName.1078 = STRING: "firewalld"
host-resources-mib::hrSWRunName.1089 = STRING: "NetworkManager"
host-resources-mib::hrSWRunName.1099 = STRING: "sshd"
host-resources-mib::hrSWRunName.1100 = STRING: "tuned"
host-resources-mib::hrSWRunName.1132 = STRING: "crond"
host-resources-mib::hrSWRunName.1139 = STRING: "nginx"
host-resources-mib::hrSWRunName.1140 = STRING: "nginx"
host-resources-mib::hrSWRunName.1141 = STRING: "nginx"
host-resources-mib::hrSWRunName.1152 = STRING: "agetty"
host-resources-mib::hrSWRunName.1205 = STRING: "mysqld"
host-resources-mib::hrSWRunName.1478 = STRING: "rsyslogd"
host-resources-mib::hrSWRunName.1479 = STRING: "snmpd"
host-resources-mib::hrSWRunName.61326 = STRING: "kworker/u4:0-xfs-cil/dm-0"
host-resources-mib::hrSWRunName.61514 = STRING: "kworker/u4:2-events_unbound"
host-resources-mib::hrSWRunName.61537 = STRING: "kworker/1:3-events"
host-resources-mib::hrSWRunName.61576 = STRING: "kworker/0:2-events_power_efficient"
host-resources-mib::hrSWRunName.61660 = STRING: "kworker/1:5-events"
host-resources-mib::hrSWRunName.61889 = STRING: "kworker/1:2-cgroup_pidlist_destroy"
host-resources-mib::hrSWRunName.61902 = STRING: "kworker/0:0-cgroup_pidlist_destroy"
host-resources-mib::hrSWRunName.61974 = STRING: "kworker/1:1-cgroup_pidlist_destroy"
host-resources-mib::hrSWRunName.61995 = STRING: "kworker/0:1-events_power_efficient"
host-resources-mib::hrSWRunName.62054 = STRING: "php-fpm"
host-resources-mib::hrSWRunName.62055 = STRING: "php-fpm"
host-resources-mib::hrSWRunName.62056 = STRING: "php-fpm"
host-resources-mib::hrSWRunName.62057 = STRING: "php-fpm"
host-resources-mib::hrSWRunName.62058 = STRING: "php-fpm"
host-resources-mib::hrSWRunName.62059 = STRING: "php-fpm"
host-resources-mib::hrSWRunName.62066 = STRING: "kworker/1:0-cgroup_pidlist_destroy"
host-resources-mib::hrSWRunID.62066 = OID: SNMPv2-SMI::zeroDotZero
host-resources-mib::hrSWRunPath.1 = STRING: "/usr/lib/systemd/systemd"
host-resources-mib::hrSWRunPath.824 = STRING: "/usr/lib/systemd/systemd-journald"
host-resources-mib::hrSWRunPath.858 = STRING: "/usr/lib/systemd/systemd-udevd"
host-resources-mib::hrSWRunPath.966 = STRING: "/sbin/auditd"
host-resources-mib::hrSWRunPath.968 = STRING: "/usr/sbin/sedispatch"
host-resources-mib::hrSWRunPath.1001 = STRING: "/usr/bin/dbus-daemon"
host-resources-mib::hrSWRunPath.1002 = STRING: "/usr/sbin/sssd"
host-resources-mib::hrSWRunPath.1004 = STRING: "/usr/lib/polkit-1/polkitd"
host-resources-mib::hrSWRunPath.1006 = STRING: "/usr/sbin/irqbalance"
host-resources-mib::hrSWRunPath.1007 = STRING: "/usr/bin/VGAuthService"
host-resources-mib::hrSWRunPath.1008 = STRING: "/usr/bin/vmtoolsd"
host-resources-mib::hrSWRunPath.1014 = STRING: "/sbin/rngd"
host-resources-mib::hrSWRunPath.1016 = STRING: "/usr/sbin/chronyd"
host-resources-mib::hrSWRunPath.1032 = STRING: "/usr/libexec/sssd/sssd_be"
host-resources-mib::hrSWRunPath.1043 = STRING: "/usr/libexec/sssd/sssd_nss"
host-resources-mib::hrSWRunPath.1075 = STRING: "/usr/lib/systemd/systemd-logind"
host-resources-mib::hrSWRunPath.1078 = STRING: "/usr/libexec/platform-python"
host-resources-mib::hrSWRunPath.1089 = STRING: "/usr/sbin/NetworkManager"
host-resources-mib::hrSWRunPath.1099 = STRING: "/usr/sbin/sshd"
host-resources-mib::hrSWRunPath.1100 = STRING: "/usr/libexec/platform-python"
host-resources-mib::hrSWRunPath.1132 = STRING: "/usr/sbin/crond"
host-resources-mib::hrSWRunPath.1139 = STRING: "nginx: master process /usr/sbin/nginx"
host-resources-mib::hrSWRunPath.1140 = STRING: "nginx: worker process"
host-resources-mib::hrSWRunPath.1141 = STRING: "nginx: worker process"
host-resources-mib::hrSWRunPath.1152 = STRING: "/sbin/agetty"
host-resources-mib::hrSWRunPath.1205 = STRING: "/usr/libexec/mysqld"
host-resources-mib::hrSWRunPath.1478 = STRING: "/usr/sbin/rsyslogd"
host-resources-mib::hrSWRunPath.1479 = STRING: "/usr/sbin/snmpd"
host-resources-mib::hrSWRunPath.62054 = STRING: "php-fpm: master process (/etc/php-fpm.conf)"
host-resources-mib::hrSWRunPath.62055 = STRING: "php-fpm: pool www"
host-resources-mib::hrSWRunPath.62056 = STRING: "php-fpm: pool www"
host-resources-mib::hrSWRunPath.62057 = STRING: "php-fpm: pool www"
host-resources-mib::hrSWRunPath.62058 = STRING: "php-fpm: pool www"
host-resources-mib::hrSWRunPath.62059 = STRING: "php-fpm: pool www"
host-resources-mib::hrSWRunParameters.1 = STRING: "--switched-root --system --deserialize 17"
host-resources-mib::hrSWRunParameters.1001 = STRING: "--system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only"
host-resources-mib::hrSWRunParameters.1002 = STRING: "-i --logger=files"
host-resources-mib::hrSWRunParameters.1004 = STRING: "--no-debug"
host-resources-mib::hrSWRunParameters.1006 = STRING: "--foreground"
host-resources-mib::hrSWRunParameters.1007 = STRING: "-s"
host-resources-mib::hrSWRunParameters.1014 = STRING: "-f --fill-watermark=0"
host-resources-mib::hrSWRunParameters.1032 = STRING: "--domain implicit_files --uid 0 --gid 0 --logger=files"
host-resources-mib::hrSWRunParameters.1043 = STRING: "--uid 0 --gid 0 --logger=files"
host-resources-mib::hrSWRunParameters.1078 = STRING: "-s /usr/sbin/firewalld --nofork --nopid"
host-resources-mib::hrSWRunParameters.1089 = STRING: "--no-daemon"
host-resources-mib::hrSWRunParameters.1099 = STRING: "-D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128"
host-resources-mib::hrSWRunParameters.1100 = STRING: "-Es /usr/sbin/tuned -l -P"
host-resources-mib::hrSWRunParameters.1132 = STRING: "-n"
host-resources-mib::hrSWRunParameters.1152 = STRING: "-o -p -- \\u --noclear tty1 linux"
host-resources-mib::hrSWRunParameters.1205 = STRING: "--basedir=/usr"
host-resources-mib::hrSWRunParameters.1478 = STRING: "-n"
host-resources-mib::hrSWRunParameters.1479 = STRING: "-LS0-6d -f"
[...REDACTED...]
ucd-snmp-mib::prIndex.1 = INTEGER: 1
ucd-snmp-mib::prNames.1 = STRING: nginx
ucd-snmp-mib::prMin.1 = INTEGER: 1
ucd-snmp-mib::prMax.1 = INTEGER: 0
ucd-snmp-mib::prCount.1 = INTEGER: 3
ucd-snmp-mib::prErrorFlag.1 = INTEGER: noError(0)
ucd-snmp-mib::prErrFix.1 = INTEGER: noError(0)
ucd-snmp-mib::prErrFixCmd.1 = STRING:
ucd-snmp-mib::dskIndex.1 = INTEGER: 1
ucd-snmp-mib::dskIndex.2 = INTEGER: 2
ucd-snmp-mib::dskPath.1 = STRING: /
ucd-snmp-mib::dskPath.2 = STRING: /var/www/html/seeddms51x/seeddms
ucd-snmp-mib::dskDevice.1 = STRING: /dev/mapper/cl-root
ucd-snmp-mib::dskDevice.2 = STRING: /dev/mapper/cl-seeddms
ucd-snmp-mib::dskMinimum.1 = INTEGER: 10000
ucd-snmp-mib::dskMinimum.2 = INTEGER: 100000
ucd-snmp-mib::dskMinPercent.1 = INTEGER: -1
ucd-snmp-mib::dskMinPercent.2 = INTEGER: -1
ucd-snmp-mib::dskTotal.1 = INTEGER: 2611200
ucd-snmp-mib::dskTotal.2 = INTEGER: 125600
ucd-snmp-mib::dskAvail.1 = INTEGER: 371292
ucd-snmp-mib::dskAvail.2 = INTEGER: 75496
ucd-snmp-mib::dskUsed.1 = INTEGER: 2239908
ucd-snmp-mib::dskUsed.2 = INTEGER: 50104
ucd-snmp-mib::dskPercent.1 = INTEGER: 86
ucd-snmp-mib::dskPercent.2 = INTEGER: 40
ucd-snmp-mib::dskPercentNode.1 = INTEGER: 6
ucd-snmp-mib::dskPercentNode.2 = INTEGER: 4
ucd-snmp-mib::dskTotalLow.1 = Gauge32: 2611200
ucd-snmp-mib::dskTotalLow.2 = Gauge32: 125600
ucd-snmp-mib::dskTotalHigh.1 = Gauge32: 0
ucd-snmp-mib::dskTotalHigh.2 = Gauge32: 0
ucd-snmp-mib::dskAvailLow.1 = Gauge32: 371292
ucd-snmp-mib::dskAvailLow.2 = Gauge32: 75496
ucd-snmp-mib::dskAvailHigh.1 = Gauge32: 0
ucd-snmp-mib::dskAvailHigh.2 = Gauge32: 0
ucd-snmp-mib::dskUsedLow.1 = Gauge32: 2239908
ucd-snmp-mib::dskUsedLow.2 = Gauge32: 50104
ucd-snmp-mib::dskUsedHigh.1 = Gauge32: 0
ucd-snmp-mib::dskUsedHigh.2 = Gauge32: 0
ucd-snmp-mib::dskErrorFlag.1 = INTEGER: noError(0)
ucd-snmp-mib::dskErrorFlag.2 = INTEGER: error(1)
net-snmp-extend-mib::nsExtendNumEntries.0 = INTEGER: 2
net-snmp-extend-mib::nsExtendCommand."memory" = STRING: /usr/bin/free
net-snmp-extend-mib::nsExtendCommand."monitoring" = STRING: /usr/bin/monitor
net-snmp-extend-mib::nsExtendArgs."memory" = STRING:
net-snmp-extend-mib::nsExtendArgs."monitoring" = STRING:
net-snmp-extend-mib::nsExtendInput."memory" = STRING:
net-snmp-extend-mib::nsExtendInput."monitoring" = STRING:
net-snmp-extend-mib::nsExtendCacheTime."memory" = INTEGER: 5
net-snmp-extend-mib::nsExtendCacheTime."monitoring" = INTEGER: 5
net-snmp-extend-mib::nsExtendExecType."memory" = INTEGER: exec(1)
net-snmp-extend-mib::nsExtendExecType."monitoring" = INTEGER: exec(1)
net-snmp-extend-mib::nsExtendRunType."memory" = INTEGER: run-on-read(1)
net-snmp-extend-mib::nsExtendRunType."monitoring" = INTEGER: run-on-read(1)
net-snmp-extend-mib::nsExtendStorage."memory" = INTEGER: permanent(4)
net-snmp-extend-mib::nsExtendStorage."monitoring" = INTEGER: permanent(4)
net-snmp-extend-mib::nsExtendStatus."memory" = INTEGER: active(1)
net-snmp-extend-mib::nsExtendStatus."monitoring" = INTEGER: active(1)
net-snmp-extend-mib::nsExtendOutput1Line."memory" = STRING: total used free shared buff/cache available
net-snmp-extend-mib::nsExtendOutput1Line."monitoring" = STRING: Database status
net-snmp-extend-mib::nsExtendOutputFull."memory" = STRING: total used free shared buff/cache available
mem: 4023492 349408 2990300 25148 683784 3359316
swap: 1961980 0 1961980
net-snmp-extend-mib::nsExtendOutputFull."monitoring" = STRING: Database status
OK - Connection to database successful.
System release info
CentOS Linux release 8.3.2011
SELinux Settings
user
Labeling MLS/ MLS/
SELinux User Prefix MCS Level MCS Range SELinux Roles
guest_u user s0 s0 guest_r
root user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r
staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r unconfined_r
sysadm_u user s0 s0-s0:c0.c1023 sysadm_r
system_u user s0 s0-s0:c0.c1023 system_r unconfined_r
unconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r
user_u user s0 s0 user_r
xguest_u user s0 s0 xguest_r
login
Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 *
michelle user_u s0 *
root unconfined_u s0-s0:c0.c1023 *
System uptime
06:35:11 up 3:34, 0 users, load average: 0.08, 0.12, 0.17
net-snmp-extend-mib::nsExtendOutNumLines."memory" = INTEGER: 3
net-snmp-extend-mib::nsExtendOutNumLines."monitoring" = INTEGER: 27
net-snmp-extend-mib::nsExtendResult."memory" = INTEGER: 0
net-snmp-extend-mib::nsExtendResult."monitoring" = INTEGER: 0
net-snmp-extend-mib::nsExtendOutLine."memory".1 = STRING: total used free shared buff/cache available
net-snmp-extend-mib::nsExtendOutLine."memory".2 = STRING: Mem: 4023492 349408 2990300 25148 683784 3359316
net-snmp-extend-mib::nsExtendOutLine."memory".3 = STRING: Swap: 1961980 0 1961980
net-snmp-extend-mib::nsExtendOutLine."monitoring".1 = STRING: Database status
net-snmp-extend-mib::nsExtendOutLine."monitoring".2 = STRING: OK - Connection to database successful.
net-snmp-extend-mib::nsExtendOutLine."monitoring".3 = STRING: System release info
net-snmp-extend-mib::nsExtendOutLine."monitoring".4 = STRING: CentOS Linux release 8.3.2011
net-snmp-extend-mib::nsExtendOutLine."monitoring".5 = STRING: SELinux Settings
net-snmp-extend-mib::nsExtendOutLine."monitoring".6 = STRING: user
net-snmp-extend-mib::nsExtendOutLine."monitoring".7 = STRING:
net-snmp-extend-mib::nsExtendOutLine."monitoring".8 = STRING: Labeling MLS/ MLS/
net-snmp-extend-mib::nsExtendOutLine."monitoring".9 = STRING: SELinux User Prefix MCS Level MCS Range SELinux Roles
net-snmp-extend-mib::nsExtendOutLine."monitoring".10 = STRING:
net-snmp-extend-mib::nsExtendOutLine."monitoring".11 = STRING: guest_u user s0 s0 guest_r
net-snmp-extend-mib::nsExtendOutLine."monitoring".12 = STRING: root user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r
net-snmp-extend-mib::nsExtendOutLine."monitoring".13 = STRING: staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r unconfined_r
net-snmp-extend-mib::nsExtendOutLine."monitoring".14 = STRING: sysadm_u user s0 s0-s0:c0.c1023 sysadm_r
net-snmp-extend-mib::nsExtendOutLine."monitoring".15 = STRING: system_u user s0 s0-s0:c0.c1023 system_r unconfined_r
net-snmp-extend-mib::nsExtendOutLine."monitoring".16 = STRING: unconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r
net-snmp-extend-mib::nsExtendOutLine."monitoring".17 = STRING: user_u user s0 s0 user_r
net-snmp-extend-mib::nsExtendOutLine."monitoring".18 = STRING: xguest_u user s0 s0 xguest_r
net-snmp-extend-mib::nsExtendOutLine."monitoring".19 = STRING: login
net-snmp-extend-mib::nsExtendOutLine."monitoring".20 = STRING:
net-snmp-extend-mib::nsExtendOutLine."monitoring".21 = STRING: Login Name SELinux User MLS/MCS Range Service
net-snmp-extend-mib::nsExtendOutLine."monitoring".22 = STRING:
net-snmp-extend-mib::nsExtendOutLine."monitoring".23 = STRING: __default__ unconfined_u s0-s0:c0.c1023 *
net-snmp-extend-mib::nsExtendOutLine."monitoring".24 = STRING: michelle user_u s0 *
net-snmp-extend-mib::nsExtendOutLine."monitoring".25 = STRING: root unconfined_u s0-s0:c0.c1023 *
net-snmp-extend-mib::nsExtendOutLine."monitoring".26 = STRING: System uptime
net-snmp-extend-mib::nsExtendOutLine."monitoring".27 = STRING: 06:35:11 up 3:34, 0 users, load average: 0.08, 0.12, 0.17
End of MIB
Some of the output has been redacted for easier review. While the output shows pretty much the same processes as the earlier Nmap scan, it also walked the NET-SNMP-EXTEND-MIB MIB for details.
The extended information shows that the target system is running CentOS Linux release 8.3.2011 and has SELinux configured.
I can also see a system user, michelle, along with the root user.
The OID NET-SNMP-EXTEND-MIB::nsExtendCommand shows that the "monitoring" entry is executing the /usr/bin/monitor file.
One of the OIDs under the UCD-SNMP-MIB MIB has an interesting string registered to it: UCD-SNMP-MIB::dskPath.2
SeedDMS
┌──(kali㉿kali)-[~/archive/htb/labs/pit]
└─$ snmpwalk -v 1 -c public $IP UCD-SNMP-MIB::dskPath.2
UCD-SNMP-MIB::dskPath.2 = STRING: /var/www/html/seeddms51x/seeddms
It appears that there is an instance of SeedDMS at the /var/www/html/seeddms51x/seeddms directory.