(Non) security monitoring systems: Zabbix
Today we will continue to understand how to behave at the first meeting with the monitoring system during the pentest. This time, old Zabbix came to visit us.
How it works here
At first glance, Zabbix may seem like a complicated monitoring system for a user who encounters him for the first time.
Over time, this monitoring system has acquired a large number of users and numerous forums will be happy to help you understand all aspects of fine-tuning this software, however, the community rarely helps to create a secure system configuration, we will talk about these weaknesses today.
We call in light
I don’t think that you will be surprised to learn that not all system administrators keep their CM versions up to date. So let's start with a simple definition of the system version (for this you can use one of these scripts 1 or 2 ). With a certain probability, you will not need to invent anything further and you can use one of the well-proven exploits in order to achieve the goal.
But I think you didn’t look under the cat to read about how to use the Metasploit modules, and now, inspired by good intentions and research surroundings, come do your work, connect to an Ethernet outlet and find a fresh, updated Zabbix. It doesn’t matter, the developers of the system thought about you and made the transfer of traffic between the host and server in unencrypted form, so if the administrator did not bother with encryption settings, it's time to remember the old arp spoofing. A detailed description of intercepting an administrator session and pinning to the web interface is described here , as well as all the necessary scripts can be studied here .
We need to go deeper
Well, you have already compromised the system, however, you know that Zabbix has the functionality of interacting with monitored agents and leaving without trying to capture the subnet would be unacceptable luxury. Unlike Nagios in Zabbix, many of our options are limited by configuration files, which are not in a hurry to provide us with the ability to keep a constant shell on the agent, but they are only weak and the updated version of our memo provides information on ways to gain a foothold in a compromised system and the necessary state of configs for successful escalation on the host, regardless of whether we are dealing with Unix or Windows.
As you already understood, the purpose of this article was once again to draw the attention of all users of monitoring systems to the problem of their security, as well as to turn their eyes to our Cheat Sheet on operating CM . The work does not end there and soon new research in this area will be presented.
Acknowledgments
I would like to thank Shodin for the work done on the study of the Zabbix monitoring system (the article of this researcher will be published on our blog in the near future), without his contribution our reminder would be much scarcer. Respect to these guys: sabotaged , ro421 .
See you soon!