Kiba TryHackMe Walkthrough

As always, we start with a port scan to see which services are running on the box and, if we are lucky, get a version number from the nmap output that points to an exploitable service, then exploit it and get a shell on the box.

Looking at the nmap results, we see that two ports are open: SSH and HTTP.

Looking at the web page, we get a standard page, nothing strange.

Glancing at the source, nothing really stood out, so I ran gobuster, but found nothing special. I had hit a dead end, but the box runs Kibana (that is the hint TryHackMe gives us), so I searched online for Kibana's default port and found an article saying that it is 5601.

I checked whether the port was open using netcat.

And voilà, we successfully connected to the port. If I had done a full port scan with nmap (nmap -p- scans all 65535 TCP ports) I would have found it, but I only scanned the top 1000 ports since that is much faster. My bad :( .

I opened Kibana in my web browser.

And got a Kibana instance. The next thing I did was determine the exact Kibana version, by going to the Management tab.

Looking below, we see that the Kibana version running is 6.5.4.

Next I went to Google to find out whether that version had any known vulnerabilities, and found a post with a proof of concept for a remote code execution vulnerability (CVE-2019-7609).

So I read the blog post, which gives a PoC payload.

I am sure this code looks familiar to many of us, since it is a Node code execution payload combined with a reverse shell.

The vulnerable Kibana module was Timelion: a prototype pollution bug in its expression handling (CVE-2019-7609) lets an attacker plant properties on Object.prototype, and the JavaScript we pass in ends up being executed by the Kibana process.

Let's pass our payload to Timelion and intercept the request with Burp Suite.

Now let's send the request to Repeater.

Now let's explain what the payload does.
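To make the mechanism concrete, here is an added example (not Kibana's code and not the author's payload) of the property-path setter pattern that Timelion's .props() relied on, placed next to a hardened version. A path such as label.__proto__.env.NODE_OPTIONS walks through __proto__ into Object.prototype, so every plain object in the process, including the options object that child_process.spawn reads its env from, inherits the planted value. The --require /proc/self/environ trick comes from the Securitum write-up in the references; the example only simulates the env lookup and never spawns anything.

```javascript
// Added example: a naive dotted-path setter (the prototype pollution
// primitive behind CVE-2019-7609) beside a hardened one. This is not
// Kibana's source; function names and the spawn simulation are ours.

// Vulnerable: creates intermediate objects without checking the keys,
// so "__proto__" lets the caller walk into Object.prototype.
function setPathUnsafe(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (cur[k] === undefined || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened: reject the keys that reach the prototype chain and only
// descend into the object's own properties.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setPathSafe(obj, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) throw new Error(`refusing to set key "${k}"`);
  }
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Simulates the relevant line of child_process.spawn: it uses options.env
// when present, otherwise process.env. A polluted Object.prototype.env is
// found through the prototype chain of a plain {} options object.
function resolveSpawnEnv(options) {
  return options.env || process.env;
}

// Constructed attacker path, modelled on the referenced PoC.
const ATTACK_PATH = 'label.__proto__.env.NODE_OPTIONS';
const ATTACK_VALUE = '--require /proc/self/environ';

// Returns true if the unsafe setter made an unrelated spawn({}) call
// pick up the attacker-controlled environment.
function demoUnsafe() {
  setPathUnsafe({}, ATTACK_PATH, ATTACK_VALUE);
  const env = resolveSpawnEnv({});
  const polluted = env !== process.env && env.NODE_OPTIONS === ATTACK_VALUE;
  delete Object.prototype.env; // clean up so later code is unaffected
  return polluted;
}

// Returns true if the hardened setter rejected the path and spawn({})
// still resolves to the real process.env.
function demoSafe() {
  let rejected = false;
  try {
    setPathSafe({}, ATTACK_PATH, ATTACK_VALUE);
  } catch (e) {
    rejected = true;
  }
  return rejected && resolveSpawnEnv({}) === process.env;
}

module.exports = { setPathUnsafe, setPathSafe, resolveSpawnEnv, demoUnsafe, demoSafe };
```

Note that the pollution is process-wide and only takes effect when the Kibana process next spawns a child, so the callback can lag behind the request that planted it.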

On my local box I set up a tcpdump listener for inbound ICMP traffic (for example tcpdump -i tun0 icmp).

Then I sent the request and, going back to the tcpdump listener, we got a callback.

Spoiler: the vulnerability is a blind command injection, meaning you won't see the command output in the response, so don't rely on commands whose result only shows up on the target (e.g. whoami or ifconfig) to decide whether the payload worked. Use an out-of-band signal instead, such as a ping or a DNS lookup to a host you control.

Now the next step is getting a reverse shell on the box. The payload I used is the one below, since all the others failed to work.

I set up a netcat listener on port 9001.

Then I sent the payload from the Burp Suite Repeater tab.

Going back to my netcat listener, I had a shell.

If you don't get a shell or callback, it's a socket problem.

Try sending the second request to that socket.

Sweet. Going to the user's home directory, we find the user flag and can read it.

Now we can submit the flag and earn the points

Next, it's time for privilege escalation to get root on the system.

For this I downloaded linpeas to the box and ran it.

Looking at the linpeas output, we see a python3 binary in the hidden directory .hackmeplease in Kiba's home that has Linux capabilities set. If the capability is cap_setuid, as in the GTFOBins python entry, the interpreter can call setuid(0) no matter who runs it, so this configuration can be abused to escalate our privileges to root on the box.

Using a simple one-liner from GTFOBins:

And after we ran the command, looking above, we have a root shell on the box and can now read the root flag.

We can submit the root flag and earn the points, and the box is pretty much done.

If you want to check only for binaries with capabilities, you can use the command

getcap -r / 2>/dev/null

(2>/dev/null discards standard error, so permission-denied messages from directories you cannot read don't clutter the output.)

That's it for now, guys. Till next time, goodbye.

References:

  1. Python exploit script
  2. https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/
  3. https://www.tenable.com/blog/cve-2019-7609-exploit-script-available-for-kibana-remote-code-execution-vulnerability

Musyoka Ian

Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub(https://github.com/musyoka101), ExploitDB(https://www.exploit-db.com/?author=10517)