HackTheBox - Monitored

00:00 - Introduction 01:00 - Start of nmap 02:40 - Examining the webpage, not finding much 05:30 - Checking out SNMP, discovering its open with the default community string. Installing MIBS so we can make sense of the data 08:20 - The process list is in SNMP, explaining how to read this data 12:40 - Grepping interesting processes discovering there's a bash script that has user credentials in arguments! Attempting to log into Nagios with it 14:00 - The SVC Account couldn't log in on the GUI, Looking for how to login via an API 15:45 - Logging into Nagios, discovering it is version 5.11.0 which is vulnerable to a SQL Injection 17:40 - Manually exploiting this Error Based SQL Injection with XPATH 26:45 - Using Burpsuite Intruder to dump the TABLES, then edit the columns in burpsuite to show tables easily 33:40 - The APIKEY is too long to display, using SUBSTRING to grab the APIKEY in multiple requests 35:45 - Finding a way to register a new user with our API KEY and make them an administrator 39:00 - Creating a Nagios Check to send us a shell 41:20 - Showing how to perform the SQL Injection through SQLMap 49:00 - Finding the MySQL Password of Nagios 51:00 - Discovering the Nagios user has a bunch of sudo rules 57:00 - (Root method 1) Exploiting GetProfile through creating a SymLink 59:00 - (Root method 2) Overwriting the Nagios Binary than using Sudo to restart the service to get a root shell