Open in app

Sign in

Write

Sign in

Kiba TryHackMe Walkthrough

Musyoka Ian
6 min readAug 29, 2020

--

Hello guys back again with another walkthrough this time am going to be showing you guys how i solved kiba from TryHackMe an easy box that i would really recommend for beginners with really few steps from the initial foothold to getting root on the box. You do a port scan on the box and find that kibana is listening and looking at the kibana version[6.5.4] you find that, that specific version is vulnerable to remote code execution on the box and you find an exploit, exploit the service and get a shell on the box user done !!!!. Looking around you find that there’s a python3 binary on the users directory owned by root that has capabilities set do some magic with it and get root on the box. Though there’s an exploit For that specific version we are going to exploit it manual since it more fun and a learning opportunity. Without much say let's jump in.

As always we are going to start of with a port scan to see the services that are running on the box and and if we are lucky get a version number of a service from the nmap result indicating that the service is exploitable then do exploitation and get a shell on the box

Looking at the nmap results we see that two ports are open SSH and HTTP

Looking at the webpage we get a standard webpage nothing strange

Glancing at the source nothing really stood out. so i decided to run a gobuster but found nothing special. I had hit a dead end but the box has kibana that’s the hints we are given by tryhackme.com so i decided to go online and search for kibana default port and i found an article telling me that the default port for kibana is 5601

I decided to see if the port was open using netcat

And voila we successful connected to the port. If i had done i full port scan with nmap i could have found the port but i did only the Top 1000 ports since it’s much faster my bad :( .

I decided to open kibana using my web browser

And got a kibana instance installed. The next thing i decided to do was exactly determine the version number of kibana and i did this by going to Management tab

Looking below we see that the version of kibana running is 6.5.4

Next i went to google and try to find if it had any vulnerabilities and found a post that had a proof of concept on a remote code execution vulnerability

So i decided to read the blog post and we see that there was a poc payload given on the blog post

Am sure this code looks familiar to many of us since it’s a node code execution payload incorporated with a reverse shell

The kibana module that was vulnerable was timelion and executed the js command that we passed it

Let’s try passing our payload to timelion and intercept the request with burpsuite

Now lets send the request to repeater

Now let’s explain what the payload will be doing

Now in my local box box i did setup a tcpdump listener that will listen on inbound ICMP traffic

Then i executed the request and going back to the tcpdump listener we got a call back

Spoiler: The vulnerability is a blind command injection meaning you won’t get an output on the screen so don’t use command that are target dependent to determine whether the payload worked or not (eg. whoami or ifconfig)

Now the next step is getting a reverse shell on the box. The payload that i will use is the one down below

Since all others failed to work

I did set up a netcat listener on port 9001

Then executed the payload from burpsuite repeater tab

Going back to my netcat listener i had spawn a shell

If you don’t get a shell or callback it’s a socket problem

Try sending the second request to that socket

Sweet Going to the user’s home directory we have the user flag and we can read it

Now we can submit the flag and earn the points

Next it’s time for privilege escalation to get root on the system

For this i downloaded linpeas to the system and ran

Looking at linpeas result we see that there is a python3 binary in Kiba’s home hidden directory .hackmeplease that has capabilities enabled this configuration can be abused to escalate our privileges to root on the box

Using a simple one liner command in GTFOBins

And After we ran the command looking above we have a root shell on the box now we can read the root flag

We can submit the root flag and earn the points and the box is pretty much done

If you wanted to check only for binaries with capabilities you could use the command

getcap -r / 2>/dev/null{2>/dev/null is an addition to tell the terminal not to show us std errors on the screen}

That’s it for now guys till next time it’s goodbye for now

References:

  1. Python exploit script
  2. https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/
  3. https://www.tenable.com/blog/cve-2019-7609-exploit-script-available-for-kibana-remote-code-execution-vulnerability

If you liked the walkthough you can clap for me down below and don’t forget to follow me for more wakthroughs

Kiba
Tryhackme
Kibana
Rce
Capabilities

--

--

Musyoka Ian
Musyoka Ian

Written by Musyoka Ian

764 Followers
5 Following

Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub(https://github.com/musyoka101), ExploitDB(https://www.exploit-db.com/?author=10517)

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams