HackTheBox - Zipper

IppSec · Beginner ·📊 Data Analytics & Business Intelligence ·7y ago
01:15 - Start of NMAP 04:10 - Signing into Zabbix as Guest 05:30 - Getting potential usernames from inside Zabbix and guessing creds 06:30 - Running Searchsploit and looking for vulnerabilties 07:20 - Analyzing the "API" Script from SearchSploit as we have API Creds 10:15 - Modifying the "API" Script 11:15 - Showing a shortcut to skip the Container to Host Lateral Movement. 15:35 - Shell on the Container. 17:25 - Searching for Zabbix MySQL Password 18:35 - Dumping the Zabbix User Database 20:00 - Logging into Zabbix as Admin, discover ZBX Agent on Host. Testing if port is accessible 23:30 - Running commands on the Zabbix Agent (Host OS) from Zabbix Server (Guest OS) 29:53 - Getting a Reverse Shell on Zabbix (use nohup to fork) 32:40 - Running LinEnum on Zabbix Host 35:15 - Examining home directories to find Zapper Creds 36:42 - Examining the "Zabbix-Service" SetUID 39:00 - PRIVESC #1: Running ltrace to discover it is vulnerable to $PATH Manipulation 42:00 - PRIVESC #2: Weak permissions on Purge-Backups Service 48:30 - Extra Content: Building a Zabbix API Client from Scratch! 48:55 - "Pseudo Terminal" Skeleton Script via Cmd module 50:00 - Adding Login Functionality 56:08 - Making the script login upon starting 57:50 - Adding functionality to dump users 01:04:00 - Adding functionality to dump groups 01:05:25 - Adding functionality to add users 01:10:45 - Adding functionality to modify users
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →
1 HHC2016 - Analytics
HHC2016 - Analytics
IppSec
 2 HackTheBox - October
HackTheBox - October
IppSec
 3 HackTheBox - Arctic
HackTheBox - Arctic
IppSec
 4 HackTheBox - Brainfuck
HackTheBox - Brainfuck
IppSec
 5 HackTheBox - Bank
HackTheBox - Bank
IppSec
 6 HackTheBox - Joker
HackTheBox - Joker
IppSec
 7 HackTheBox - Lazy
HackTheBox - Lazy
IppSec
 8 Camp CTF 2015 - Bitterman
Camp CTF 2015 - Bitterman
IppSec
 9 HackTheBox - Devel
HackTheBox - Devel
IppSec
 10 Reversing Malicious Office Document (Macro) Emotet(?)
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
 11 HackTheBox - Granny and Grandpa
HackTheBox - Granny and Grandpa
IppSec
 12 HackTheBox - Pivoting Update: Granny and Grandpa
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
 13 HackTheBox - Optimum
HackTheBox - Optimum
IppSec
 14 HackTheBox - Charon
HackTheBox - Charon
IppSec
 15 HackTheBox - Sneaky
HackTheBox - Sneaky
IppSec
 16 HackTheBox - Holiday
HackTheBox - Holiday
IppSec
 17 HackTheBox - Europa
HackTheBox - Europa
IppSec
 18 Introduction to tmux
Introduction to tmux
IppSec
 19 HackTheBox - Blocky
HackTheBox - Blocky
IppSec
 20 HackTheBox - Nineveh
HackTheBox - Nineveh
IppSec
 21 HackTheBox - Jail
HackTheBox - Jail
IppSec
 22 HackTheBox - Blue
HackTheBox - Blue
IppSec
 23 HackTheBox - Calamity
HackTheBox - Calamity
IppSec
 24 HackTheBox - Shrek
HackTheBox - Shrek
IppSec
 25 HackTheBox - Mirai
HackTheBox - Mirai
IppSec
 26 HackTheBox - Shocker
HackTheBox - Shocker
IppSec
 27 HackTheBox - Mantis
HackTheBox - Mantis
IppSec
 28 HackTheBox - Node
HackTheBox - Node
IppSec
 29 HackTheBox - Kotarak
HackTheBox - Kotarak
IppSec
 30 HackTheBox - Enterprise
HackTheBox - Enterprise
IppSec
 31 HackTheBox - Sense
HackTheBox - Sense
IppSec
 32 HackTheBox - Minion
HackTheBox - Minion
IppSec
 33 VulnHub - Sokar
VulnHub - Sokar
IppSec
 34 VulnHub - Pinkys Palace v2
VulnHub - Pinkys Palace v2
IppSec
 35 HackTheBox - Inception
HackTheBox - Inception
IppSec
 36 Vulnhub - Trollcave 1.2
Vulnhub - Trollcave 1.2
IppSec
 37 HackTheBox - Ariekei
HackTheBox - Ariekei
IppSec
 38 HackTheBox - Flux Capacitor
HackTheBox - Flux Capacitor
IppSec
 39 HackTheBox - Jeeves
HackTheBox - Jeeves
IppSec
 40 HackTheBox - Tally
HackTheBox - Tally
IppSec
 41 HackTheBox - CrimeStoppers
HackTheBox - CrimeStoppers
IppSec
 42 HackTheBox - Fulcrum
HackTheBox - Fulcrum
IppSec
 43 HackTheBox - Chatterbox
HackTheBox - Chatterbox
IppSec
 44 HackTheBox - Falafel
HackTheBox - Falafel
IppSec
 45 How To Create Empire Modules
How To Create Empire Modules
IppSec
 46 HackTheBox - Nightmare
HackTheBox - Nightmare
IppSec
 47 HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
 48 HackTheBox - Bart
HackTheBox - Bart
IppSec
 49 HackTheBox - Aragog
HackTheBox - Aragog
IppSec
 50 HackTheBox - Valentine
HackTheBox - Valentine
IppSec
 51 HackTheBox - Silo
HackTheBox - Silo
IppSec
 52 HackTheBox - Rabbit
HackTheBox - Rabbit
IppSec
 53 HackTheBox - Celestial
HackTheBox - Celestial
IppSec
 54 HackTheBox - Stratosphere
HackTheBox - Stratosphere
IppSec
 55 HackTheBox - Poison
HackTheBox - Poison
IppSec
 56 HackTheBox - Canape
HackTheBox - Canape
IppSec
 57 HackTheBox - Olympus
HackTheBox - Olympus
IppSec
 58 HackTheBox - Sunday
HackTheBox - Sunday
IppSec
 59 HackTheBox - Fighter
HackTheBox - Fighter
IppSec
 60 HackTheBox - Bounty
HackTheBox - Bounty
IppSec

Related AI Lessons

Analytics as Code in the Age of AI: From Chaos to Scalable Analytics Systems at T-Mobile
Learn how T-Mobile transformed their analytics system from chaos to scalability using Analytics as Code, and how you can apply this approach to your own organization
Medium · DevOps
Más allá del promedio: Dominando la Variabilidad en Data Science
Mastering variability in data science to go beyond averages and make more accurate predictions
Medium · Machine Learning
Más allá del promedio: Dominando la Variabilidad en Data Science
Mastering variability in data science to go beyond averages and make more accurate predictions
Medium · Data Science
7 Shocking Data Privacy Truths for 2025
Learn 7 shocking data privacy truths to avoid disaster and thrive in 2025 as a data analyst
Medium · Data Science

Chapters (26)

1:15 Start of NMAP
4:10 Signing into Zabbix as Guest
5:30 Getting potential usernames from inside Zabbix and guessing creds
6:30 Running Searchsploit and looking for vulnerabilties
7:20 Analyzing the "API" Script from SearchSploit as we have API Creds
10:15 Modifying the "API" Script
11:15 Showing a shortcut to skip the Container to Host Lateral Movement.
15:35 Shell on the Container.
17:25 Searching for Zabbix MySQL Password
18:35 Dumping the Zabbix User Database
20:00 Logging into Zabbix as Admin, discover ZBX Agent on Host. Testing if port is
23:30 Running commands on the Zabbix Agent (Host OS) from Zabbix Server (Guest OS)
29:53 Getting a Reverse Shell on Zabbix (use nohup to fork)
32:40 Running LinEnum on Zabbix Host
35:15 Examining home directories to find Zapper Creds
36:42 Examining the "Zabbix-Service" SetUID
39:00 PRIVESC #1: Running ltrace to discover it is vulnerable to $PATH Manipulation
42:00 PRIVESC #2: Weak permissions on Purge-Backups Service
48:30 Extra Content: Building a Zabbix API Client from Scratch!
48:55 "Pseudo Terminal" Skeleton Script via Cmd module
50:00 Adding Login Functionality
56:08 Making the script login upon starting
57:50 Adding functionality to dump users
1:04:00 Adding functionality to dump groups
1:05:25 Adding functionality to add users
1:10:45 Adding functionality to modify users
Up next
Risk Management & Insurance Fundamentals
Coursera
Watch →