Kiba TryHackMe Walkthrough
Hello guys, back again with another walkthrough. This time I am going to show you how I solved Kiba from TryHackMe, an easy box that I would really recommend for beginners, with very few steps from the initial foothold to getting root. You port scan the box and find that Kibana is listening; looking at the Kibana version (6.5.4) you find that this specific version is vulnerable to remote code execution (CVE-2019-7609), find an exploit, exploit the service and get a shell on the box. User done! Looking around you find a python3 binary in the user's home directory, owned by root, that has Linux file capabilities set; do some magic with it and you get root on the box. Although there is a ready-made exploit for this version, we are going to exploit it manually since that is more fun and a learning opportunity. Without further ado, let's jump in.
As always we start off with a port scan to see which services are running on the box and, if we are lucky, get a version number from the nmap output that tells us a service is exploitable, then exploit it and get a shell on the box.
Looking at the nmap results we see that two ports are open: SSH and HTTP.
Looking at the webpage we get a standard webpage, nothing strange.
Glancing at the source, nothing really stood out, so I ran gobuster but found nothing special either. I had hit a dead end, but the hint TryHackMe gives us is that the box runs Kibana, so I searched online for the Kibana default port and found an article saying it is 5601.
I decided to check whether that port was open using netcat.
And voila, we successfully connected to the port. If I had done a full port scan (all 65535 ports) with nmap I would have found it, but I only scanned the top 1000 ports since that is much faster. My bad :(
I decided to open kibana using my web browser
And got a Kibana instance. The next thing I did was determine the exact version of Kibana, which I did by going to the Management tab.
Looking below we see that the version of Kibana running is 6.5.4.
Next I went to Google to find out whether that version had any known vulnerabilities and found a post with a proof of concept for a remote code execution vulnerability, CVE-2019-7609.
So I read the blog post, and it gives a PoC payload.
I am sure this code looks familiar to many of us: it is a Node.js code execution payload combined with a reverse shell.
The vulnerable Kibana module was Timelion. Its .props() function suffered from prototype pollution, which lets us plant environment variables (including NODE_OPTIONS) that the next Node child process spawned by Kibana picks up, so it ends up executing the JavaScript we pass in.
Let's try passing our payload to Timelion and intercept the request with Burp Suite.
Now let's send the request to Repeater.
Now let's explain what the payload will be doing.
On my local box I set up a tcpdump listener for inbound ICMP traffic.
Then I sent the request and, going back to the tcpdump listener, we got a callback.
Spoiler: the vulnerability is a blind command injection, meaning you won't get any output on the screen, so don't rely on commands that only print something (e.g. whoami or ifconfig) to determine whether the payload worked. Use an out-of-band check such as a ping to a host you control.
Now the next step is getting a reverse shell on the box. The payload I used is the one below,
since all the others failed to work.
I set up a netcat listener on port 9001.
Then I sent the payload from the Burp Suite Repeater tab.
Going back to my netcat listener, a shell had spawned.
If you don't get a shell or callback, it is because the planted environment has not been picked up yet: the code only runs when Kibana spawns a new Node child process, and the PoC triggers that with a second request to the socket endpoint.
Try sending that second request to the socket.
Sweet! Going to the user's home directory we find the user flag and can read it.
Now we can submit the flag and earn the points.
Next it's time for privilege escalation to get root on the system.
For this I downloaded linpeas to the box and ran it.
Looking at the linpeas results we see a python3 binary in Kiba's hidden home directory .hackmeplease that has Linux file capabilities set. This configuration can be abused to escalate our privileges to root on the box.
Using the simple one-liner from GTFOBins:
And after running the command, looking above, we have a root shell on the box, so now we can read the root flag.
We can submit the root flag and earn the points, and the box is pretty much done.
If you only want to check for binaries with capabilities set, you can use the command
getcap -r / 2>/dev/null (the 2>/dev/null part redirects standard error to /dev/null so permission-denied messages don't clutter the output)
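Reading raw getcap output by eye is error-prone, so here is an added example (my own code, not from the walkthrough or linpeas) that parses getcap -r output in both the older "path = cap_x+ep" and newer "path cap_x=ep" formats and flags capabilities that on their own give a root-equivalent primitive, such as cap_setuid (which is what the GTFOBins python entry abuses: call setuid(0) and spawn a shell). The sample lines are constructed; the capability value shown for the Kiba binary is this example's assumption, not something quoted from the page. The danger list is my own shortlist, not an exhaustive one.

```python
"""Parse getcap -r output and flag capabilities that lead to root.

Added example. SAMPLE is constructed test data; run scan_system() on a real
box to use the real getcap output.
"""
import re
import subprocess

# Capabilities that typically give root or root-equivalent access on their own
# (this shortlist is the example's; see GTFOBins "Capabilities" for details).
DANGEROUS = {
    "cap_setuid": "setuid(0) then spawn a shell",
    "cap_setgid": "setgid(0), then read group-restricted files such as /etc/shadow",
    "cap_dac_read_search": "read any file (e.g. /etc/shadow, root's SSH keys)",
    "cap_dac_override": "write any file (e.g. add a root user to /etc/passwd)",
    "cap_sys_admin": "mount and other admin operations",
    "cap_sys_ptrace": "attach to and inject into root-owned processes",
    "cap_sys_module": "load a kernel module",
    "cap_chown": "take ownership of any file",
}

# libcap < 2.41:  "/usr/bin/ping = cap_net_raw+ep"
OLD_FMT = re.compile(r"^(?P<path>.+?) = (?P<caps>\S+)$")
# libcap >= 2.41: "/usr/bin/ping cap_net_raw=ep"  (or "/path =ep" for all caps)
NEW_FMT = re.compile(r"^(?P<path>.+?) (?P<caps>\S*=\S+)$")

# Constructed sample output; the Kiba path is from the walkthrough, the
# capability value assigned to it here is an assumption for the demo.
SAMPLE = """\
/usr/bin/ping = cap_net_raw+ep
/home/kiba/.hackmeplease/python3 = cap_setuid+ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip
"""


def parse_getcap_line(line):
    """Return (path, [capability names], flags) or None for unparseable lines."""
    line = line.strip()
    if not line:
        return None
    m = OLD_FMT.match(line) or NEW_FMT.match(line)
    if not m:
        return None
    path, caps = m.group("path"), m.group("caps")
    # "cap_a,cap_b+eip" (old) or "cap_a,cap_b=eip" (new); flags are e/p/i.
    sep = "+" if "+" in caps else "="
    names, _, flags = caps.partition(sep)
    names = [n for n in names.split(",") if n] or ["(all)"]
    return path, names, flags


def find_dangerous(lines):
    """Return the binaries whose permitted set contains a dangerous capability.

    The 'p' (permitted) flag is required for a program to use the capability
    at all; with 'e' (effective) it is active from the start, which is what
    the python one-liner relies on. Without 'e' the program would have to
    raise the capability itself before calling setuid().
    """
    findings = []
    for line in lines:
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, names, flags = parsed
        hits = [n for n in names if n in DANGEROUS or n == "(all)"]
        if hits and "p" in flags:
            findings.append({
                "path": path,
                "caps": hits,
                "flags": flags,
                "note": "; ".join(DANGEROUS.get(n, "full capability set") for n in hits),
            })
    return findings


def scan_system():
    """Run getcap -r / on the current box (stderr discarded, like 2>/dev/null)."""
    out = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True).stdout
    return find_dangerous(out.splitlines())


if __name__ == "__main__":
    for f in find_dangerous(SAMPLE.splitlines()):
        print(f"{f['path']}: {','.join(f['caps'])}+{f['flags']}  -> {f['note']}")
```

On the sample only the python3 binary is reported; ping and tcpdump carry network capabilities that do not by themselves give root.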
That’s it for now guys till next time it’s goodbye for now
References:
- Python exploit script
- https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/
- https://www.tenable.com/blog/cve-2019-7609-exploit-script-available-for-kibana-remote-code-execution-vulnerability
If you liked the walkthrough you can clap for me down below, and don't forget to follow me for more walkthroughs.