Proof of Concept

10.129.230.96

Nmap

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
389/tcp  open  ldap
443/tcp  open  https
5667/tcp open  unknown
123/udp  open  ntp
161/udp  open  snmp

Initial Access

Accessing port 80 redirects to https://nagios.monitored.htb

┌──(kali㉿kali)-[~/Monitored]
└─$ curl http://10.129.230.96
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://nagios.monitored.htb/">here</a>.</p>
<hr>
<address>Apache/2.4.56 (Debian) Server at 10.129.230.96 Port 80</address>
</body></html>

/etc/hosts configuration

┌──(kali㉿kali)-[~/Monitored]
└─$ cat /etc/hosts
127.0.0.1	localhost
127.0.1.1	kali
::1		localhost ip6-localhost ip6-loopback
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters
10.129.230.96	monitored.htb	nagios.monitored.htb

Confirmed that Nagios XI is in use

┌──(kali㉿kali)-[~/Monitored]
└─$ whatweb https://nagios.monitored.htb
https://nagios.monitored.htb [200 OK] Apache[2.4.56], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.56 (Debian)], IP[10.129.230.96], JQuery[3.6.0], Script[text/javascript], Title[Nagios XI]

Identifying the SNMP community string

  • public

┌──(kali㉿kali)-[~/Monitored]
└─$ onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp-onesixtyone.txt 10.129.230.96
Scanning 1 hosts, 3218 communities
10.129.230.96 [public] Linux monitored 5.10.0-28-amd64 #1 SMP Debian 5.10.209-2 (2024-01-31) x86_64
10.129.230.96 [public] Linux monitored 5.10.0-28-amd64 #1 SMP Debian 5.10.209-2 (2024-01-31) x86_64

Walking the SNMP tree

┌──(kali㉿kali)-[~/Monitored]
└─$ snmpbulkwalk -v2c -c public 10.129.230.96 | tee snmp
iso.3.6.1.2.1.1.1.0 = STRING: "Linux monitored 5.10.0-28-amd64 #1 SMP Debian 5.10.209-2 (2024-01-31) x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (567930) 1:34:39.30
iso.3.6.1.2.1.1.4.0 = STRING: "Me <root@monitored.htb>"
iso.3.6.1.2.1.1.5.0 = STRING: "monitored"
iso.3.6.1.2.1.1.6.0 = STRING: "Sitting on the Dock of the Bay"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (1747) 0:00:17.47
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
<SNIP>
iso.3.6.1.2.1.88.1.4.3.1.3.6.95.115.110.109.112.100.95.109.116.101.84.114.105.103.103.101.114.70.97.108.108.105.110.103 = STRING: "_triggerFire"
iso.3.6.1.2.1.88.1.4.3.1.3.6.95.115.110.109.112.100.95.109.116.101.84.114.105.103.103.101.114.70.105.114.101.100 = STRING: "_triggerFire"
iso.3.6.1.2.1.88.1.4.3.1.3.6.95.115.110.109.112.100.95.109.116.101.84.114.105.103.103.101.114.82.105.115.105.110.103 = STRING: "_triggerFire"
iso.3.6.1.2.1.92.1.1.1.0 = Gauge32: 1000
iso.3.6.1.2.1.92.1.1.2.0 = Gauge32: 1440
iso.3.6.1.2.1.92.1.2.1.0 = Counter32: 0
iso.3.6.1.2.1.92.1.2.2.0 = Counter32: 0

svc account credentials found in the SNMP output (process command-line arguments)

  • svc:XjH7VCehowpR1xZB

┌──(kali㉿kali)-[~/Monitored]
└─$ cat snmp | grep -i /
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/boot/vmlinuz-5.10.0-28-amd64 root=UUID=d8761c35-f10f-4e79-b24c-38a65ad7ce1b ro net.ifnames=0 biosdevname=0 quiet
iso.3.6.1.2.1.25.2.3.1.3.35 = STRING: "/run"
iso.3.6.1.2.1.25.2.3.1.3.36 = STRING: "/"
iso.3.6.1.2.1.25.2.3.1.3.38 = STRING: "/dev/shm"
iso.3.6.1.2.1.25.2.3.1.3.39 = STRING: "/run/lock"
iso.3.6.1.2.1.25.3.8.1.2.5 = STRING: "/run"
iso.3.6.1.2.1.25.3.8.1.2.6 = STRING: "/"
iso.3.6.1.2.1.25.3.8.1.2.8 = STRING: "/dev/shm"
iso.3.6.1.2.1.25.3.8.1.2.9 = STRING: "/run/lock"
iso.3.6.1.2.1.25.4.2.1.2.6 = STRING: "kworker/0:0H-events_highpri"
iso.3.6.1.2.1.25.4.2.1.2.11 = STRING: "ksoftirqd/0"
iso.3.6.1.2.1.25.4.2.1.2.13 = STRING: "migration/0"
iso.3.6.1.2.1.25.4.2.1.2.14 = STRING: "kworker/0:1-events"
iso.3.6.1.2.1.25.4.2.1.2.15 = STRING: "cpuhp/0"
iso.3.6.1.2.1.25.4.2.1.2.16 = STRING: "cpuhp/1"
iso.3.6.1.2.1.25.4.2.1.2.17 = STRING: "migration/1"
iso.3.6.1.2.1.25.4.2.1.2.18 = STRING: "ksoftirqd/1"
<SNIP>
iso.3.6.1.2.1.25.4.2.1.5.1401 = STRING: "-u svc /bin/bash -c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB"
iso.3.6.1.2.1.25.4.2.1.5.1402 = STRING: "-c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB"
iso.3.6.1.2.1.25.4.2.1.5.7277 = STRING: "-c /usr/bin/php -q /usr/local/nagiosxi/cron/cmdsubsys.php >> /usr/local/nagiosxi/var/cmdsubsys.log 2>&1"
iso.3.6.1.2.1.25.4.2.1.5.7278 = STRING: "-q /usr/local/nagiosxi/cron/cmdsubsys.php"
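What leaks the svc password here is the HOST-RESOURCES-MIB process table: every row of hrSWRunParameters (OID 1.3.6.1.2.1.25.4.2.1.5) carries a process's command-line arguments, and the default read-only community exposes the whole table. The following Python script is an added example, not part of the original writeup, written from the administrator's side: it parses snmpwalk-style output and flags process arguments that look like credentials, so a host can be audited for this class of leak before someone else finds it. SAMPLE_WALK is constructed from the lines shown above; the length/character-class heuristic, the flag and key names, and the function names are my assumptions.

```python
import re

# Sample snmpbulkwalk output, constructed from the lines shown in this writeup.
SAMPLE_WALK = """\
iso.3.6.1.2.1.1.5.0 = STRING: "monitored"
iso.3.6.1.2.1.25.4.2.1.5.1401 = STRING: "-u svc /bin/bash -c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB"
iso.3.6.1.2.1.25.4.2.1.5.1402 = STRING: "-c /opt/scripts/check_host.sh svc XjH7VCehowpR1xZB"
iso.3.6.1.2.1.25.4.2.1.5.7277 = STRING: "-c /usr/bin/php -q /usr/local/nagiosxi/cron/cmdsubsys.php >> /usr/local/nagiosxi/var/cmdsubsys.log 2>&1"
iso.3.6.1.2.1.25.4.2.1.5.7278 = STRING: "-q /usr/local/nagiosxi/cron/cmdsubsys.php"
"""

# HOST-RESOURCES-MIB hrSWRunParameters (1.3.6.1.2.1.25.4.2.1.5): one row per
# process, value = that process's argument string. net-snmp prints the prefix
# as "iso.3.6..." when no MIB files are loaded, so both spellings are accepted.
HR_SW_RUN_PARAMETERS = re.compile(
    r'^(?:iso|\.?1)\.3\.6\.1\.2\.1\.25\.4\.2\.1\.5\.(?P<pid>\d+) = STRING: "(?P<args>.*)"$'
)

# Assumed heuristics: a credential passed on the command line is usually a lone
# token that is neither a path nor an option, mixes case and digits, and is
# reasonably long; or it follows a password-style flag or a key=value name.
MIN_SECRET_LEN = 12
SECRET_FLAGS = {"-p", "-P", "--password", "--pass", "--secret", "--token"}
SECRET_KEY = re.compile(r"^(?:pass(?:word|wd)?|pwd|secret|token|api[_-]?key)=(.+)$", re.I)


def looks_like_secret(token: str) -> bool:
    """True if a lone argv token has the shape of a password or API token."""
    if len(token) < MIN_SECRET_LEN or token.startswith("-") or "/" in token:
        return False
    return (any(c.islower() for c in token)
            and any(c.isupper() for c in token)
            and any(c.isdigit() for c in token))


def parse_process_args(walk_text: str) -> dict:
    """Map pid -> argument string for every hrSWRunParameters row in the walk."""
    rows = {}
    for line in walk_text.splitlines():
        m = HR_SW_RUN_PARAMETERS.match(line.strip())
        if m:
            rows[int(m.group("pid"))] = m.group("args")
    return rows


def exposes_process_table(walk_text: str) -> bool:
    """True if this community string can read process command lines at all."""
    return bool(parse_process_args(walk_text))


def find_exposed_secrets(walk_text: str) -> list:
    """One finding per process whose arguments appear to contain a secret."""
    findings = []
    for pid, args in sorted(parse_process_args(walk_text).items()):
        tokens = args.split()
        for i, tok in enumerate(tokens):
            kv = SECRET_KEY.match(tok)
            if kv:
                secret = kv.group(1)
            elif i > 0 and tokens[i - 1] in SECRET_FLAGS:
                secret = tok
            elif looks_like_secret(tok):
                secret = tok
            else:
                continue
            findings.append({"pid": pid, "token": secret, "args": args})
            break  # one finding per process is enough for an audit report
    return findings


if __name__ == "__main__":
    if not exposes_process_table(SAMPLE_WALK):
        print("hrSWRun table not readable with this community: OK")
    for f in find_exposed_secrets(SAMPLE_WALK):
        # Report a redacted form so the audit output does not store the secret itself.
        redacted = f["args"].replace(f["token"], "<REDACTED>")
        print(f"pid {f['pid']}: possible credential in argv -> {redacted}")
```

Run it against a saved walk (the `snmp` file from the `tee` above, for instance) instead of SAMPLE_WALK to audit a real host. Two fixes close the gap the script detects: restrict what the read-only community can see with a net-snmp `view` (Debian's stock snmpd.conf already defines a `systemonly` view limited to the system and hrSystem subtrees, which excludes hrSWRun), and stop handing check_host.sh its password as an argument, since argv is also visible to every local user through /proc regardless of SNMP.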