A cheat sheet for pentesters and researchers about exploitation well-known monitoring systems.
M'kay kiddo, you found monitoring system and now think what you can do about it, right? My advice to you, first find out the version of the system and try to log in using the default credentials.
| SSH Credentials | Database Credentials | Web Credentials | Port | |
|---|---|---|---|---|
| Zabbix <= 2.4 | root/zabbix zabbix/zabbix | root/zabbix zabbix/zabbix | Admin/zabbix admin/admin | 10050 10051 |
| Zabbix >= 3.0 | appliance/zabbix | zabbix/zabbix | Admin/zabbix Admin/Admin | 10050 10051 |
| Nagios | root/nagiosxi | -- | nagiosadmin/nagios nagiosadmin/nagiosadmin | 5666 |
| Cacti | -- | cactiuser/cactiuser | admin/admin | 80 443 8080 |
Admin has changed default passwords? Aww, maybe he forgot to update the system. Now check known vulnerabilities.
| NagiosXI | Version |
|---|---|
| NRPE RCE | 5.2.8<= |
| Chained RCE | 5.2.7<= |
| Zabbix | Version |
|---|---|
| Command Execution | 1.7.4<= |
| Cacti | Version |
|---|---|
| SQL Injection | 0.8.8g<= |
| SQL Injection | 0.8.8f |
| SQL Injection | 0.8.8f |
| SQL Injection | 0.8.8d |
| SQL Injection | 0.8.8c |
| Reflected XSS | 0.8.8b |
| SQL Injection | 0.8.8b |
| Reflected XSS | 1.1.12 |
| Reflected XSS | 1.1.13 |
| Path Traversal | 1.1.15 |
| RCE | 1.1.15 |
| Reflected XSS | 1.1.15 |
| Reflected XSS | 1.1.17 |
| Stored XSS | 1.1.17 |
| Reflected XSS | 1.1.23 |
| RCE | 1.1.27 |
| AFR+RCE | 1.1.27 |
You are successfully logged in and don't know what to do then? This topic is for you boiiii.
Spawning PHP Shell via component uploading
XSS -> RCE vector. Spawning shell via JS execution (worked on NagiosXI <= 5.4.12)