kiba-TryHackMe

0xsanz
Aug 29, 2020

This is a write-up for the Kiba room on TryHackMe. The room can be found here:

https://tryhackme.com/room/kiba

Room Description: Identify the critical security flaw in the data visualization dashboard that allows remote code execution.

#1 What is the vulnerability that is specific to programming languages with prototype-based inheritance?

Check out the following link, which describes the issue in detail and also gives the answer:

https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/#:~:text=Prototype%20pollution%20is%20a%20vulnerability,lacks%20practical%20examples%20of%20exploitation.
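To make the answer to #1 concrete, here is an added example (my own code, not from the room, the linked article, or Kibana) of how prototype pollution arises in a prototype-based language and how a defender closes it. The `unsafeMerge` function is a constructed, deliberately naive recursive merge of the kind that has appeared in several real libraries; `safeMerge` is the hardened form; `HOSTILE_BODY` is a constructed JSON payload standing in for untrusted client input.

```javascript
// Added example: prototype pollution in a deep-merge helper, and a hardened
// version. None of this is Kibana's code; it only illustrates the bug class.

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable (constructed): walks every enumerable key of an untrusted source,
// including an own property literally named "__proto__". target["__proto__"]
// resolves to Object.prototype, so the nested keys are written onto the
// prototype shared by every plain object in the process.
function unsafeMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: skip the keys that reach the prototype chain, copy only own
// properties, and create nested containers with no prototype at all.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = Object.create(null);
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed untrusted input. JSON.parse creates an OWN property named
// "__proto__" here; it does not change the parsed object's prototype.
const HOSTILE_BODY = '{"name":"report","__proto__":{"polluted":"yes"}}';

// Runs one merge against the hostile body and reports whether an unrelated,
// freshly created object picked up the injected property. Cleans up afterwards
// so the process is left in its original state.
function demonstrate(mergeFn) {
  const before = ({}).polluted;      // undefined while the prototype is clean
  mergeFn({}, JSON.parse(HOSTILE_BODY));
  const after = ({}).polluted;       // "yes" only if Object.prototype was written to
  delete Object.prototype.polluted;  // restore the runtime for the next run
  return { before, after };
}

console.log("unsafeMerge:", demonstrate(unsafeMerge)); // after: "yes"
console.log("safeMerge:  ", demonstrate(safeMerge));   // after: undefined
```

The detection signal worth remembering is the one `demonstrate` checks: after processing untrusted input, an object that was never touched suddenly has a property it was never given. Beyond fixing the merge, `Object.freeze(Object.prototype)` at process start and schema-validating request bodies before they reach any merge or path-setter both limit the blast radius of a helper you did not write yourself.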

#2 What is the version of visualization dashboard installed in the server?

Let's first enumerate the box with Nmap to find all open ports, using the command:

sudo nmap -sS -Pn -T4 -p- 10.10.125.142

nmap scan for ports

Let's find out what is running on these open ports, using the command:

sudo nmap -O -A -Pn -T4 -p22,80,5044,5601 10.10.125.142

nmap scan for services

The most interesting thing that comes out of this Nmap scan is Kibana running on port 5601, an open-source data visualization dashboard for Elasticsearch.

Open it in a browser and look around; the web interface shows the version we are looking for.

kibana webpage

#3 What is the CVE number for this vulnerability? This will be in the format: CVE-0000-0000

Now that we have the application name (Kibana) and its version, a quick search turns up the CVE. The details can also be found in the link from Answer #1.

#4 Compromise the machine and locate user.txt

Software Developer having keen interest in Security, Privacy and Pen-testing. Certs: Security+, PenTest+, AZ900, AZ204