HackTheBox - Monitored

00:00 - Introduction
01:00 - Start of nmap
02:40 - Examining the webpage, not finding much
05:30 - Checking out SNMP, discovering its open with the default community string. Installing MIBS so we can make sense of the data
08:20 - The process list is in SNMP, explaining how to read this data
12:40 - Grepping interesting processes discovering there's a bash script that has user credentials in arguments! Attempting to log into Nagios with it
14:00 - The SVC Account couldn't log in on the GUI, Looking for how to login via an API
15:45 - Logging into Nagios, discovering it is version 5.11.0 which is vulnerable to a SQL Injection
17:40 - Manually exploiting this Error Based SQL Injection with XPATH
26:45 - Using Burpsuite Intruder to dump the TABLES, then edit the columns in burpsuite to show tables easily
33:40 - The APIKEY is too long to display, using SUBSTRING to grab the APIKEY in multiple requests
35:45 - Finding a way to register a new user with our API KEY and make them an administrator
39:00 - Creating a Nagios Check to send us a shell
41:20 - Showing how to perform the SQL Injection through SQLMap
49:00 - Finding the MySQL Password of Nagios
51:00 - Discovering the Nagios user has a bunch of sudo rules
57:00 - (Root method 1) Exploiting GetProfile through creating a SymLink
59:00 - (Root method 2) Overwriting the Nagios Binary than using Sudo to restart the service to get a root shell

Support the originator by clicking the read the rest link below.