HackTheBox - Zipper


01:15 - Start of NMAP
04:10 - Signing into Zabbix as Guest
05:30 - Getting potential usernames from inside Zabbix and guessing creds
06:30 - Running Searchsploit and looking for vulnerabilities
07:20 - Analyzing the "API" Script from SearchSploit as we have API Creds
10:15 - Modifying the "API" Script
11:15 - Showing a shortcut to skip the Container to Host Lateral Movement
15:35 - Shell on the Container
17:25 - Searching for Zabbix MySQL Password
18:35 - Dumping the Zabbix User Database
20:00 - Logging into Zabbix as Admin, discover ZBX Agent on Host. Testing if port is accessible
23:30 - Running commands on the Zabbix Agent (Host OS) from Zabbix Server (Guest OS)
29:53 - Getting a Reverse Shell on Zabbix (use nohup to fork)
32:40 - Running LinEnum on Zabbix Host
35:15 - Examining home directories to find Zapper Creds
36:42 - Examining the "Zabbix-Service" SetUID
39:00 - PRIVESC #1: Running ltrace to discover it is vulnerable to $PATH Manipulation
42:00 - PRIVESC #2: Weak permissions on Purge-Backups Service
48:30 - Extra Content: Building a Zabbix API Client from Scratch!
48:55 - "Pseudo Terminal" Skeleton Script via Cmd module
50:00 - Adding Login Functionality
56:08 - Making the script login upon starting
57:50 - Adding functionality to dump users
01:04:00 - Adding functionality to dump groups
01:05:25 - Adding functionality to add users
01:10:45 - Adding functionality to modify users

Reviewed by Anonymous on February 23, 2019. Rating: 5