Web


Nmap discovered a web server on port 443 of the 192.168.207.136 host. The running service is Apache httpd 2.4.18 ((Ubuntu)).

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY]
└─$ curl -k -I -X OPTIONS http://$IP/
HTTP/1.1 200 OK
Date: Wed, 02 Jul 2025 16:09:48 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 3245
Content-Type: text/html; charset=UTF-8
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY]
└─$ curl -k -I http://$IP/        
HTTP/1.1 200 OK
Date: Wed, 02 Jul 2025 16:09:50 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/html; charset=UTF-8
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY]
└─$ openssl s_client -showcerts -connect $IP:443 </dev/null
Connecting to 192.168.207.136
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C=US, ST=Minnesota, L=St. Paul, O=Nagios Enterprises, OU=Development, CN=192.168.1.6
verify error:num=18:self-signed certificate
verify return:1
depth=0 C=US, ST=Minnesota, L=St. Paul, O=Nagios Enterprises, OU=Development, CN=192.168.1.6
verify return:1
---
Certificate chain
 0 s:C=US, ST=Minnesota, L=St. Paul, O=Nagios Enterprises, OU=Development, CN=192.168.1.6
   i:C=US, ST=Minnesota, L=St. Paul, O=Nagios Enterprises, OU=Development, CN=192.168.1.6
   a:PKEY: RSA, 2048 (bit); sigalg: sha1WithRSAEncryption
   v:NotBefore: Sep  8 18:28:08 2020 GMT; NotAfter: Sep  6 18:28:08 2030 GMT
---
Server certificate
subject=C=US, ST=Minnesota, L=St. Paul, O=Nagios Enterprises, OU=Development, CN=192.168.1.6
issuer=C=US, ST=Minnesota, L=St. Paul, O=Nagios Enterprises, OU=Development, CN=192.168.1.6
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: rsa_pkcs1_sha256
Peer Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1655 bytes and written 1786 bytes
Verification error: self-signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Protocol: TLSv1.2
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 8922F2D1FFC5920C75ED1F07FACF40799A93671A04F34D619B3912C6CF132279
    Session-ID-ctx: 
    Master-Key: B87B7DB67A4F605FC75F080FC5C8E3EBBF085B23AA14F19483A9EA4715D92FA97E9158E365564DA3A4211F2CDF7033F7
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    Start Time: 1751475399
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
---
DONE
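
The handshake output above carries three certificate findings: the certificate is self-signed, it is signed with SHA-1, and its CN names a different address than the one connected to. The script below is an added example, not part of the original write-up, that pulls those findings out of saved `openssl s_client` output; the function names are this example's own and the sample lines are copied from the session above.

```bash
#!/usr/bin/env bash
# Added example (not from the write-up): list certificate findings in saved
# `openssl s_client -showcerts` output. Function names are this example's own.

# Sample input: lines copied from the session above.
sample_s_client() {
cat <<'EOF'
Connecting to 192.168.207.136
verify error:num=18:self-signed certificate
   a:PKEY: RSA, 2048 (bit); sigalg: sha1WithRSAEncryption
   v:NotBefore: Sep  8 18:28:08 2020 GMT; NotAfter: Sep  6 18:28:08 2030 GMT
subject=C=US, ST=Minnesota, L=St. Paul, O=Nagios Enterprises, OU=Development, CN=192.168.1.6
issuer=C=US, ST=Minnesota, L=St. Paul, O=Nagios Enterprises, OU=Development, CN=192.168.1.6
EOF
}

# stdin: s_client output; stdout: one finding per line.
cert_findings() {
  awk '
    /^Connecting to /      { host = $3 }
    /^subject=/            { subj = substr($0, 9)
                             n = split(subj, p, /CN *= */)
                             if (n > 1) { cn = p[n]; sub(/,.*/, "", cn) } }
    /^issuer=/             { iss = substr($0, 8) }
    /verify error:num=18:/ { selfsigned = 1 }
    /sigalg: /             { sig = $0; sub(/.*sigalg: /, "", sig) }
    END {
      # Issuer equal to subject means nobody else vouches for the key.
      if (selfsigned || (subj != "" && subj == iss)) print "self-signed"
      # SHA-1 and MD5 signatures are not accepted for publicly trusted certificates.
      if (tolower(sig) ~ /^(sha1|md5)/) print "weak-signature:" sig
      # Simplification: compares the CN only; real clients match subjectAltName.
      if (host != "" && cn != "" && host != cn) print "name-mismatch:" cn
    }'
}

sample_s_client | cert_findings
```

The `Connecting to` line is only printed by newer OpenSSL builds; without it the name check is skipped.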

Webroot: it’s a Nagios XI instance.

Nagios is an event monitoring system that offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved.

Nagios XI is a proprietary interface using Nagios Core as the back-end, written and maintained by the original author, Ethan Galstad, and Nagios Enterprises. CentOS and RHEL are the currently supported operating systems. It combines Nagios Core with other technologies. Its main database and the ndoutils module that is used alongside Nagios Core use MySQL. While the front-end of Nagios Core is mainly CGI with some PHP, most of the Nagios XI front-end and back-end are written in PHP including the subsystem, event handlers, and notifications, and Python is used to create capacity planning reports and other reports. RRDtool and Highcharts are included to create customizable graphs that can be displayed in dashboards.

This appears to be mirrored on the other web server.

Authentication


Clicking the Access Nagios XI button leads to a login page.

The default credentials for console or SSH are root:nagiosxi. It also mentions that the GUI/web default username is nagiosadmin.

Attempting nagiosadmin:admin

It worked

Version Information


The version information is disclosed in the footer: Nagios XI 5.6.0

Vulnerabilities


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/monitoring]
└─$ searchsploit Nagios XI 5.6
------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                |  Path
------------------------------------------------------------------------------ ---------------------------------
Nagios XI 5.5.6 - Magpie_debug.php Root Remote Code Execution (Metasploit)    | linux/remote/47039.rb
Nagios XI 5.5.6 - Remote Code Execution / Privilege Escalation                | linux/webapps/46221.py
Nagios XI 5.6.1 - SQL injection                                               | php/webapps/46910.txt
Nagios XI 5.6.12 - 'export-rrd.php' Remote Code Execution                     | php/webapps/48640.txt
Nagios XI 5.6.5 - Remote Code Execution / Root Privilege Escalation           | php/webapps/47299.php
Nagios Xi 5.6.6 - Authenticated Remote Code Execution (RCE)                   | multiple/webapps/52138.txt
------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results

It would appear that Nagios XI 5.6.0 suffers from multiple vulnerabilities, including CVE-2019-15949

Fuzzing


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u https://$IP/FUZZ -ic -e .html,.txt,.php
________________________________________________
 :: Method           : GET
 :: URL              : https://192.168.207.136/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Extensions       : .html .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.htaccess.txt           [Status: 403, Size: 281, Words: 20, Lines: 10, Duration: 21ms]
.htaccess.html          [Status: 403, Size: 281, Words: 20, Lines: 10, Duration: 21ms]
.htaccess.php           [Status: 403, Size: 281, Words: 20, Lines: 10, Duration: 21ms]
.htaccess               [Status: 403, Size: 281, Words: 20, Lines: 10, Duration: 21ms]
.htpasswd               [Status: 403, Size: 281, Words: 20, Lines: 10, Duration: 20ms]
.htpasswd.txt           [Status: 403, Size: 281, Words: 20, Lines: 10, Duration: 20ms]
.htpasswd.html          [Status: 403, Size: 281, Words: 20, Lines: 10, Duration: 20ms]
.htpasswd.php           [Status: 403, Size: 281, Words: 20, Lines: 10, Duration: 25ms]
cgi-bin/.php            [Status: 403, Size: 281, Words: 20, Lines: 10, Duration: 21ms]
cgi-bin/.html           [Status: 403, Size: 281, Words: 20, Lines: 10, Duration: 22ms]
cgi-bin/                [Status: 403, Size: 281, Words: 20, Lines: 10, Duration: 23ms]
index.php               [Status: 200, Size: 3245, Words: 786, Lines: 75, Duration: 22ms]
javascript              [Status: 301, Size: 325, Words: 20, Lines: 10, Duration: 20ms]
nagios                  [Status: 401, Size: 463, Words: 42, Lines: 15, Duration: 19ms]
server-status           [Status: 403, Size: 281, Words: 20, Lines: 10, Duration: 20ms]
:: Progress: [81912/81912] :: Job [1/1] :: 1869 req/sec :: Duration: [0:00:44] :: Errors: 0 ::
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u https://$IP/FUZZ/ -ic
________________________________________________
 :: Method           : GET
 :: URL              : https://192.168.207.136/FUZZ/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
                        [Status: 200, Size: 3245, Words: 786, Lines: 75, Duration: 25ms]
cgi-bin                 [Status: 403, Size: 281, Words: 20, Lines: 10, Duration: 27ms]
icons                   [Status: 403, Size: 281, Words: 20, Lines: 10, Duration: 64ms]
javascript              [Status: 403, Size: 281, Words: 20, Lines: 10, Duration: 19ms]
nagios                  [Status: 401, Size: 463, Words: 42, Lines: 15, Duration: 19ms]
server-status           [Status: 403, Size: 281, Words: 20, Lines: 10, Duration: 19ms]
:: Progress: [207630/207630] :: Job [1/1] :: 1960 req/sec :: Duration: [0:01:49] :: Errors: 0 ::

N/A

Fuzzing /nagiosxi/ Endpoint


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/monitoring]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u https://$IP/nagiosxi/FUZZ/ -ic
________________________________________________
 :: Method           : GET
 :: URL              : https://192.168.207.136/nagiosxi/FUZZ/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
                        [Status: 302, Size: 27, Words: 5, Lines: 1, Duration: 53ms]
images                  [Status: 403, Size: 281, Words: 20, Lines: 10, Duration: 20ms]
about                   [Status: 200, Size: 17643, Words: 3004, Lines: 298, Duration: 49ms]
help                    [Status: 302, Size: 27, Words: 5, Lines: 1, Duration: 75ms]
tools                   [Status: 302, Size: 27, Words: 5, Lines: 1, Duration: 49ms]
admin                   [Status: 302, Size: 27, Words: 5, Lines: 1, Duration: 49ms]
reports                 [Status: 302, Size: 27, Words: 5, Lines: 1, Duration: 49ms]
account                 [Status: 302, Size: 27, Words: 5, Lines: 1, Duration: 44ms]
includes                [Status: 403, Size: 281, Words: 20, Lines: 10, Duration: 19ms]
backend                 [Status: 200, Size: 108, Words: 4, Lines: 5, Duration: 69ms]
db                      [Status: 403, Size: 281, Words: 20, Lines: 10, Duration: 19ms]
api                     [Status: 403, Size: 281, Words: 20, Lines: 10, Duration: 21ms]
config                  [Status: 302, Size: 27, Words: 5, Lines: 1, Duration: 47ms]
views                   [Status: 302, Size: 27, Words: 5, Lines: 1, Duration: 46ms]
terminal                [Status: 200, Size: 5215, Words: 1247, Lines: 124, Duration: 115ms]
dashboards              [Status: 302, Size: 27, Words: 5, Lines: 1, Duration: 101ms]
:: Progress: [207630/207630] :: Job [1/1] :: 2020 req/sec :: Duration: [0:01:53] :: Errors: 0 ::
  • terminal
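
The ffuf run above sent no session cookie, so the status codes show how each /nagiosxi/ endpoint treats an unauthenticated request: the identical 27-byte 302 responses are login redirects, while a 200 with a body was served without a session. The script below is an added example, not part of the original write-up, that buckets ffuf's text output that way; the class and function names are this example's own and the sample lines are copied from the run above.

```bash
#!/usr/bin/env bash
# Added example (not from the write-up): bucket ffuf result lines by what the
# HTTP status says about access control. Names are this example's own.

# Sample input: lines copied from the /nagiosxi/FUZZ/ run above.
sample_ffuf() {
cat <<'EOF'
images                  [Status: 403, Size: 281, Words: 20, Lines: 10, Duration: 20ms]
about                   [Status: 200, Size: 17643, Words: 3004, Lines: 298, Duration: 49ms]
admin                   [Status: 302, Size: 27, Words: 5, Lines: 1, Duration: 49ms]
backend                 [Status: 200, Size: 108, Words: 4, Lines: 5, Duration: 69ms]
api                     [Status: 403, Size: 281, Words: 20, Lines: 10, Duration: 21ms]
terminal                [Status: 200, Size: 5215, Words: 1247, Lines: 124, Duration: 115ms]
dashboards              [Status: 302, Size: 27, Words: 5, Lines: 1, Duration: 101ms]
:: Progress: [207630/207630] :: Job [1/1] :: 2020 req/sec :: Duration: [0:01:53] :: Errors: 0 ::
EOF
}

# stdin: ffuf text output; stdout: "<class> <path> <size>" per result line.
classify_ffuf() {
  awk '
    { gsub(/\033\[[0-9;]*m/, "") }            # drop colour codes left by ffuf -c
    match($0, /\[Status: [0-9]+, Size: [0-9]+/) {
      path = substr($0, 1, RSTART - 1); gsub(/[ \t]+$/, "", path)
      if (path == "") path = "(root)"
      split(substr($0, RSTART, RLENGTH), f, /[^0-9]+/)   # f[2]=status f[3]=size
      s = f[2]
      cls = (s ~ /^2/)          ? "served"        : \
            (s ~ /^30[1278]$/)  ? "redirect"      : \
            (s == 401)          ? "auth-required" : \
            (s == 403)          ? "forbidden"     : "other"
      print cls, path, f[3]
    }'
}

# Comma-separated paths that returned content with no session.
served_paths() { classify_ffuf | awk '$1 == "served" { print $2 }' | paste -sd, -; }

sample_ffuf | classify_ffuf
```

On the sample this singles out about, backend and terminal as the endpoints answering without a login, which is the list to review when hardening the instance.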

/nagiosxi/terminal/ Endpoint


A shell is available at the /nagiosxi/terminal/ endpoint.