April 22, 2025

Zab Proving Grounds Write-Up

Proving Grounds Zab machine walkthrough

SUMMARY

This write-up covers the Zab machine from OffSec’s Proving Grounds, a Linux machine that requires port-forwarding to expose an internal service before escalating privileges.

A mage.ai console was accessible on an open port and allowed direct terminal command execution, providing an initial shell. Once inside, MySQL credentials were found and used to query the database, recovering Zabbix credentials. The Zabbix web UI was only reachable internally, so a chisel tunnel was set up to port-forward the service to the attacker machine. Logging into Zabbix and abusing its script execution feature spawned a shell as the zabbix user.

Privilege escalation was achieved via a sudo rsync rule. The standard GTFOBins technique for rsync was used to execute a command as root, completing the machine.


PATH TO FOLLOW

  1. Reconnaissance & mage.ai Console Discovery
  2. Terminal Execution → Initial Shell
  3. MySQL Credential Extraction → Zabbix Credentials
  4. Chisel Port-Forward to Expose Zabbix UI
  5. Zabbix Script Execution → Shell as zabbix
  6. Sudo rsync Abuse via GTFOBins → Root
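The root step above hinges on a sudoers rule that lets a low-privileged account run rsync as root. As an added, defender-side example (not part of the original write-up or the machine), the script below parses a constructed sudoers excerpt and flags rules that grant a shell-capable binary such as rsync to root; the file contents, account names and the SHELL_CAPABLE set are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed /etc/sudoers excerpt modelled on the weakness this write-up describes;
# the zabbix rule is the pattern to catch, the others are there to exercise the parser.
SAMPLE_SUDOERS = """\
# constructed sample, not the real file
Defaults        env_reset
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
zabbix   ALL=(root) NOPASSWD: /usr/bin/rsync
backup   ALL=(ALL) /usr/bin/rsync --dry-run *, /bin/systemctl restart cron
www-data ALL=(www-data) NOPASSWD: /usr/bin/php
"""

# Binaries whose sudo rules hand the target user an arbitrary command (rsync is the
# one from this machine; extend the set from GTFOBins for a fuller audit).
SHELL_CAPABLE = {"rsync"}
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC):\s*")
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<spec>.+)$"
)


@dataclass
class Finding:
    who: str        # user or %group the rule applies to
    runas: str      # effective target user (sudo defaults to root when omitted)
    nopasswd: bool  # True when no password is needed, the worst case
    command: str    # the command spec as written in the rule


def audit_sudoers(text: str) -> list[Finding]:
    """Return every rule that lets someone run a SHELL_CAPABLE binary as root."""
    findings: list[Finding] = []
    skip = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line or line.startswith(skip) or not (m := RULE_RE.match(line)):
            continue
        runas = (m["runas"] or "root").split(":")[0].strip() or "root"
        nopasswd = False                              # tags persist across the comma list
        for cmd in (c.strip() for c in m["spec"].split(",")):
            while (t := TAG_RE.match(cmd)):
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(t.group(1), nopasswd)
                cmd = cmd[t.end():]
            if cmd == "ALL":                          # full sudo is a policy choice, not a slip
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_CAPABLE and runas in ("ALL", "root"):
                findings.append(Finding(m["who"], runas, nopasswd, cmd))
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f.who} -> {f.runas} {'NOPASSWD' if f.nopasswd else 'password'}: {f.command}")
```

The fix for a hit is to drop the rule or replace the binary with a wrapper that takes no user-controlled options; pointing the script at a real sudoers.d directory is left to the reader.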

Due to OffSec’s policy on content sharing, these write-ups will provide hints only rather than full solutions. I know, boring stuff.