Zipper

Hi. I was able to guess a username and password, but when I try to log in I see the following message: “GUI access disabled.”

Can anybody tell me how to bypass this? Thanks!!

GUI isn't the only way to access that.

Any hint for privilege escalation? I’m stuck… I already have a reverse shell :cold_sweat:

I am confused by the MSF module for Zabbix, as it's saying "Unexpected HTTP body (is this really Zabbix?)".

The Rapid7 code says it's looking for a 200 return code, which I can see the server returning in my PCAP.

Initially tried a list of generated user/pass combinations of ~150, and then a list closer to 2000 based on all the viewable content in the pages (and what the starting creds could have been), but no dice. If the creds should be obvious, I’m clearly missing something here.

EDIT: I got it - I just wasn’t paying close enough attention to results.

Box was okay, I guess. For the starting foothold, don’t start using hydra or anything related to cracking any login portal; everything can be guessed, and the exploitation for the reverse shell is as easy as it gets. For the root part, well, it was a common easy root part; user was a lot harder to achieve. TIPS: Take a look as a guest user at the hostname and the services; you can guess the logins, and use searchsploit zabbix to locate the needed exploit for the reverse. The only thing that I disliked was the cron job killing the sessions every now and then.

Got user without using the exploit, so it looks like there are different paths.
EDIT: Rooted. Great box, even though I think there must be better ways than the one I used.

■■■ it took me ages to find the foothold, seems like my default approach to discovery sucks - PM me how you guys found it.

Not really sure what to do after accessing the application as guest. I can’t seem to find any useful data to use.

hmmmm “System error occurred. Please contact Zabbix administrator.” :frowning:

Same here.

Manually brute-forced the user account and password. However, I can’t use it to log in via the web portal.

Tried to use the CLI tool to log in, but it seems I can’t get user.txt via the CLI tool. Please give me a direction.

Need help please :frowning: I don't know what to do.

Can anyone give a hint on what to do after getting a reverse shell to escalate to user and get the txt?

I’m lost in the webapp while logged in as guest, and I cannot seem to make the next step, either via bruteforcing/enumeration or manually. I saw interesting behaviours on A** but cannot replicate them. Can I have more info (also via PM) on where to look at this step?

Guys, you don't need to bruteforce it!!! You just destroy the box every 5 minutes.
Just look closely at the user webapp; you will find what you need.

If you do want to bruteforce it instead of doing it manually (even though doing it manually is easy and quick enough), create your own wordlist and use it for both fields. If you’re looking closely enough, you shouldn’t need more than 4 targeted entries…

Honestly, if you look closely enough, you’ll know it when you see it. You’ll see it and think, “hmm, that’s weird, looks like the creator of the box made a spelling error…”

Well he didn’t, it’s there intentionally, just like guest access is. Hope this helps, please remove if it’s too much of a spoiler.

Managed to root it, reminds me a lot of Sufferance from the OSCP lab.

@hermajordoctor said:
Managed to root it, reminds me a lot of Sufferance from the OSCP lab.

I didn’t complete that box in the OSCP lab…@@

@hermajordoctor said:
Managed to root it, reminds me a lot of Sufferance from the OSCP lab.

Thank you for saying that. As someone about to start OSCP in a few days, it’s quite encouraging actually, especially since I was under the impression that Sufferance is one of the 4 hardest boxes there (dunno where I got that from tbh, is that right though?)