Zipper

No hydra is not necessary, and if you want to use it, no need for a big list but a custom one from what you can read on the webapp.


@sajkox said:
I can confirm that hydra was useful for me …

FFS- this is BULLSHIT. Do not bother brute-forcing the admin - it is #POINTLESS.

I’ve seen the password and it isn’t ‘rockyou123’. Google is your friend.

@izzie said:

@sajkox said:
I can confirm that hydra was useful for me …

FFS- this is BULLSHIT. Do not bother brute-forcing the admin - it is #POINTLESS.

I’ve seen the password and it isn’t ‘rockyou123’. Google is your friend.

It is not BS; it was useful for me. You don’t need to use it if you connect the dots and try everything manually.
Nowhere in here does it say to brute-force admin or use rockyou (quite the opposite), so where is this aggro coming from? Just because you assumed it means something else, it doesn’t make sense anymore?
Would love to hear how Google helped you. I owned it now and still can’t find anything using Google that would have helped me get through the first stage; feel free to PM me saying what you mean by “Google is your friend”.

Hi. I was able to guess a username and password, but when I try to log in I see the following message: “GUI access disabled.”.

Can anybody tell me how to bypass this? Thanks!!

The GUI isn’t the only way to access that.

Any hint for privilege escalation? I’m stuck… I already have a reverse shell :cold_sweat:

I am confused by the MSF module for Zabbix, as it’s saying “Unexpected HTTP body (is this really Zabbix?)”.

The Rapid7 code says it’s looking for a 200 return code, which I can see the server returning in my PCAP.

Initially tried a list of generated user/pass combinations of ~150, and then a list closer to 2000 based on all the viewable content in the pages (and what the starting creds could have been), but no dice. If the creds should be obvious, I’m clearly missing something here.

EDIT: I got it. I just wasn’t paying close enough attention to the results.

Box was okay, I guess. For the starting foothold, don’t start using hydra or anything related to cracking any login portal; everything can be guessed, and the exploitation for the reverse shell is as easy as it gets. For the root part, well, it was a common easy root part; user was a lot harder to achieve. TIPS: Take a look as a guest user at the hostname and the services; you can guess the logins, and use searchsploit zabbix to locate the needed exploit for the reverse shell. The only thing that I disliked was the cron job killing the sessions every now and then.

Got user without using the exploit, so it looks like there are different paths.
EDIT: Rooted. Great box, even if I think there must be better ways than how I did it.

■■■ it took me ages to find the foothold; seems like my default approach to discovery sucks. PM me how you guys found it.

Not really sure what to do after accessing the application as guest. I can’t seem to find any useful data to use.

hmmmm “System error occurred. Please contact Zabbix administrator.” :frowning:

Same here.

Manually brute-forced the user account and password. However, I can’t use it to log in via the web portal.

Tried to use the CLI tool to log in, but it seems I can’t get user.txt via the CLI tool. Please give me a direction.

Need help please :frowning: I don’t know what to do.

Can anyone give a hint on what to do after getting a reverse shell to escalate to user and get the txt?

I’m lost in the webapp while logged in as guest; I cannot seem to make the next step, either via brute-forcing/enumeration or manually. I saw interesting behaviours on A** but cannot replicate them. Can I have more info (also on PM) on where to look at this step?

Guys, you don’t need to brute-force it!!! You just destroy the box every 5 minutes.
Just look closely at the user webapp; you will find what you need.