KIBA Write-up | TryHackMe | by Valerie23

 LINK TO THE ROOM: KIBA

Kiba is an easy level room based on Kibana.

Kibana is an open source frontend application and exploration tool used for log and time-series analytics, application monitoring, and operational intelligence use cases. It offers powerful and easy-to-use features such as histograms, line graphs, pie charts, heat maps, and built-in geospatial support.

So, the first question is asking us about a vulnerability that is specific to programming languages with prototype-based inheritance. The answer can be easily obtained by a small google search.

NMAP ENUMERATION

You can either run the full nmap scan to scan each and every port using the switch -p- but it will take a lot of time or else simply google search for "Default port for kibana" and you will get the port number that is missing in the simple nmap scan whose output is shown below.
5601 is the default port that is used to access kibana.
The command that i used here is
nmap -Pn -sV -v 10.10.10.197


WEB ANALYSIS

On visiting port 80. We are able to see a statement that says "Welcome, "linux capabilities" is very interesting." This is a hint that we can use for escalating our privileges once we get a shell as a low privileged user.


Time to visit the other port, port 5601

In the url type your machine IP:PORT 


Click on Management in the left and you will get the answer for 2nd question.

KIBANA EXPLOIT

Time to google about kibana exploit, well we can easily find it here through this link
https://github.com/LandGrey/CVE-2019-7609/blob/master/CVE-2019-7609-kibana-rce.py
Now click on "raw" and copy and paste the code into a file with .py extension in your system 
OR
download the exploit using the command
wget https://raw.githubusercontent.com/LandGrey/CVE-2019-7609/master/CVE-2019-7609-kibana-rce.py
Time to run the exploit
Start nc using the command nc -lvp 9999

On the bottom one we have started nc to listen on port 9999, you can use any other port.
And now we can read the user flag.

PRIVILEGE ESCALATION

From the phase of web analysis we already have a hint for escalating our privileges and that is using capabilities.
So, lets check the capabilities that are set using the command below:

getcap -r / 2>/dev/null




The python3 capability is the one that we can exploit

Lets visit gtfobins and search for python capabilities it will provide us suitable commands for exploitation.

https://gtfobins.github.io/


We don't need to run the first two commands since they are being used to locate python and then set the capability, we have an already set capability so we only need to run the third command but before that we need to do a bit of modification to this in order for it to run successfully.

Look closely to the output of getcap -r / 2>/dev/null 

And move to the directory where python3 is located

cd /home/kiba/.hackmeplease then run

./python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
Since here python3 is stored as a file we used "./" for running it. If it was stored in /usr/bin i-e "as a command" then we would have simply written 
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

The switch -c is used for executing python code as a command or in simple words it is used for running several python statements in one line. Firstly, we are importing os module. Secondly, we are using the setuid function for setting the id as 0 (0 is always the id of root). Thirdly, we are running "/bin/bash" as root user which finally gives us a shell as root user.

I have tried to include almost every detail so that even a complete beginner don't have to face much of a trouble while solving the room.

Thankyou for reading.


                                                                                  -by Valerie23


Comments

Post a Comment

Popular posts from this blog

THM: Blog Room Writeup

Image
Here is the link of this great room:  Blog by Nameless0ne . L et's start guys.. Enumeration First I ran the nmap scan: 1.First lets check out the Blog itself running on the port 80. From little enumeration we can say that this is a simple blog running on the Wordpress. 2. The blog contains a single post by a user named Karen Wheeler for Billy joel. 3. To enumerate the users on the blog I will be using WPscan.           wpscan --url blog.thm -e u This command will list all the users on the Blog, bjoel & kwheel. 4. Let's try to find out the password of these users using the same tool again.          wpscan -U username --password <pass file> -t 30 --password-attack wp-login --url blog.thm 5. Try to run your own command. It won't take long before the password pops. (hint: try Mom name) 6. After login into the wordpress I saw the user had very limited capabilities so there must be some other way to the shell or some k...
Read more

LOOKING GLASS Write-up | TryHackMe | by Valerie23

Image
LOOKING  GLASS: https://tryhackme.com /room/lookingglass   NMAP Starting with a simple nmap scan to see which ports are open and what services are running on these ports. Nmap scan results in a long list of open ports ranging from 9000 to 13783. And the ssh service is running on all these ports so lets try connecting to one of the Dropbear ports (for username - you can use any random name). When we try connecting to port 9000 it tells us to go " lower " which we cannot do since 9000 is the lowermost open port (apart from 22). And when we try connecting to the uppermost open port 13783 , it tell us to go higher which is again impossible. So now we visit tryhackme again and take the hint given in user flag which says "A looking glass is a mirror" . So the output messages are mirrored. When it prints "LOWER" we actually need to go higher and vice-versa. So lets try to find the real port while shrinking the range  ssh toii@10.10.128.154 -o StrictHostKeyCheckin...
Read more

GamingServer | TryHackMe | by Valerie23

Image
LINK TO THE ROOM:  GamingServer NMAP SCAN Let’s do nmap first and see what do we get. nmap -Pn -sV 10.10.159.106 The results come back showing : Port 22 & 80. Since we don't have any credentials lets enumerate port 80 first. GOBUSTER  Lets fireup a gobuster scan for finding hidden directories. gobuster dir -u http://10.10.159.106/ -w /usr/share/wordlists/dirb/common.txt -t 50 WEB ANALYSIS Visiting port 80. And checking its source code gives us a username. Lets visit some of the interesting directories that we found earlier from gobuster scan. /uploads It has a dictionary list that looks like a list of passwords. So we will just copy and paste the content into a new file. And now we are going to visit another directory /secret to find the secrets. Looks like a ssh key but encrypted. In order to decrypt the ssh key we first need to copy and paste it into a file then find its password. Used commands: locate ssh2john /usr/share/john/ssh2john.py sshkey > key_hash Now the fil...
Read more