
carlospolop (Collaborator)

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Target
HTB Watcher (Linux, Ubuntu 22.04). Open ports: SSH(22), HTTP(80), Zabbix agent/server (10050/10051). Virtual hosts: watcher.vl (static Apache), zabbix.watcher.vl (Zabbix GUI).

Recon
- Full scan:
nmap -p- -vvv --min-rate 10000 10.129.214.16
- Version scan:
nmap -p 22,80,10050,10051 -sCV 10.129.214.16 → OpenSSH 8.9p1 Ubuntu 3ubuntu0.13; Apache 2.4.52 (Ubuntu). TTL 63 suggests Linux one hop away.<b...

🔧 Technical Details

Time‑based blind SQLi in Zabbix audit log (CVE‑2024‑22120): Trigger a Zabbix “Script” execution against any accessible host to force an Audit Log insert whose unsanitized clientip is exploitable for time‑based blind SQLi. Use a POC over trapper port 10051 with a guest sessionid, a valid hostid, and an allowed scriptid (e.g., 1 or 2) to brute the config.session_key and admin session_id. Forge a valid zbx_session by Base64‑encoding JSON containing sessionid and a correct sign computed with session_key; authenticate as Admin and run Scripts for RCE.

Admin cookie alternatives: Either use the Login‑as‑Admin PoC to output a ready cookie (comment its hardcoded proxy) or reset the Admin password directly in the database using the documented bcrypt for “zabbix”.

Stealing credentials via login hook: Patch /usr/share/zabbix/ind...

🤖 Agent Actions

I analyzed the blog and related technical sources and updated HackTricks with a focused vendor page covering Zabbix security and the CVE‑2024‑22120 time-based blind SQL injection chain to Admin cookie forgery and RCE, plus post-exploitation pivoting techniques.

What I added/changed:

  • Created a new page: src/network-services-pentesting/pentesting-web/zabbix.md

    • Covers:
      • Zabbix components and ports (10050/10051).
      • zbx_session cookie internals and sign generation (HMAC-SHA256 over compact JSON using config.session_key).
      • CVE‑2024‑22120 exploitation via Zabbix server port 10051 “command” request abusing the audit log clientip time-based blind SQLi:
        • Preconditions discovery: sessionid, hostid, allowed scriptid.
        • Conditional sleep queries to brute 32-hex config.session_key and Admin sessions.sessionid.
        • Forging Admin cookie and validating access.
      • RCE via Script execution as Admin, example reverse shell and TTY upgrade.
      • DB alternative to reset Admin password with documented bcrypt.
      • Credential capture via a small login hook snippet in index.php.
      • SSH port-forwarding to pivot to loopback-only services even with nologin shells; linked to the tunneling page.
      • Operational tips and references.
    • References:
      • 0xdf’s HTB Watcher blog
      • PoC toolkit repo (W01fh4cker/CVE-2024-22120-RCE)
    • HackTricks banners included at top and bottom.
  • Linked the new page in the web tech tricks list:

    • Updated src/network-services-pentesting/pentesting-web/README.md to include:
      • Zabbix under the technology list.

Why this is the right place:

  • Zabbix is a web-managed monitoring platform; HackTricks organizes vendor-specific web targets under network-services-pentesting/pentesting-web. The exploit chain spans the web UI and the Zabbix server protocol port (10051), so this fits that section’s patterns and user expectations.

Notes:

  • I preserved existing content and restored the full pentesting-web/README.md when inserting the new “Zabbix” entry to avoid truncation, ensuring no loss of prior content.
  • I did not duplicate tunneling/port forwarding content, only referenced the existing comprehensive page.

No other changes were necessary because:

  • SSH tunneling/port-forwarding already exists in HackTricks.
  • There was no existing Zabbix page; creating a dedicated page was appropriate.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
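The zbx_session cookie check the summary describes, as an added example that is not part of the PR or of Zabbix's own code: it decodes the Base64/JSON cookie and recomputes the HMAC-SHA256 sign over the compact JSON with config.session_key, so a cookie whose sessionid was altered, or one signed under a different key, is rejected. SESSION_KEY and the sessionid values are constructed placeholders; the exact JSON byte encoding (PHP json_encode output) and the hex form of the sign are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder; the real value is the 32-hex config.session_key row in the Zabbix DB.
SESSION_KEY = "00112233445566778899aabbccddeeff"

def _compact(data: dict) -> str:
    # Compact JSON with no whitespace, the form the sign is computed over (assumption: identical
    # to what PHP's json_encode emits for these ASCII-only fields).
    return json.dumps(data, separators=(",", ":"))

def sign_payload(data: dict, session_key: str) -> str:
    # sign = HMAC-SHA256(config.session_key, compact JSON of the other fields), hex encoded.
    return hmac.new(session_key.encode(), _compact(data).encode(), hashlib.sha256).hexdigest()

def issue_cookie(sessionid: str, session_key: str) -> str:
    # What the server does at login: JSON {sessionid, sign} -> Base64. Used here to build samples.
    data = {"sessionid": sessionid}
    data["sign"] = sign_payload(data, session_key)
    return base64.b64encode(_compact(data).encode()).decode()

def parse_zbx_session(cookie: str) -> dict:
    # Base64 -> JSON object; ValueError (or a subclass) for anything that is not a well-formed cookie.
    data = json.loads(base64.b64decode(cookie, validate=True))
    if not isinstance(data, dict) or "sessionid" not in data or "sign" not in data:
        raise ValueError("malformed zbx_session payload")
    return data

def verify_zbx_session(cookie: str, session_key: str) -> bool:
    # Server-side check: recompute the sign over every field except "sign" and compare in constant
    # time. Bad Base64/JSON, a missing field, an altered sessionid, or a sign made with another key
    # all fail here; this is why leaking session_key is equivalent to holding any session.
    try:
        data = parse_zbx_session(cookie)
    except ValueError:
        return False
    presented = data.pop("sign")
    if not isinstance(presented, str):
        return False
    return hmac.compare_digest(presented, sign_payload(data, session_key))

def with_sessionid(cookie: str, new_sessionid: str) -> str:
    # Re-encode a cookie with a different sessionid but the old sign (a tampered sample for testing).
    data = parse_zbx_session(cookie)
    data["sessionid"] = new_sessionid
    return base64.b64encode(_compact(data).encode()).decode()
```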

@carlospolop (Collaborator, Author)

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2025/10/09/htb-watcher.html

Content Categories: Based on the analysis, this content was categorized under "Generic Methodologies & Resources / Pentesting Network / Zabbix Security (CVE-2024-22120: time-based blind SQLi to Admin cookie & RCE)".

Repository Maintenance:

  • MD Files Formatting: 897 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop (Collaborator, Author)

merge

@carlospolop carlospolop merged commit 9a77d52 into master Oct 11, 2025
@carlospolop carlospolop deleted the update_HTB_Watcher___From_Zabbix_CVE_2024_22120_to_Admin__20251009_124104 branch October 11, 2025 23:08