Introduction
Kiba is a beginner-level challenge from TryHackMe. The point of this challenge is to “Identify the critical security flaw in the data visualization dashboard, that allows execute remote code execution.” By identifying the vulnerable service and its public CVEs, we can find an exploit that gives us a foothold on the server, then abuse Linux capabilities to escalate privileges to root.
Information Gathering
The first question of this challenge: What is the vulnerability that is specific to programming languages with prototype-based inheritance? I did not know the answer, but I did know where to find it. After a quick Google search, we have the answer: prototype pollution.
To start this challenge, we will use Nmap to scan the server for its open ports.
On port 5601, we can see that an application named Kibana is running on the server. Kibana provides “search and data visualization capabilities for data indexed in Elasticsearch… It also acts as the user interface for monitoring, managing, and securing an Elastic Stack cluster”.
The answer to the second question is hidden within the website’s source code: the version of Kibana they are running is 6.5.4.
Now that we know the server is running Kibana version 6.5.4, it’s time to do some research and find out whether there are any public CVEs related to it.
Published on several large cybersecurity blogs, CVE-2019-7609 is a vulnerability that allows remote code to be executed on servers running Kibana version 6.5.4. Luckily, one of the articles that covered it links to a GitHub repository containing an exploit script.
Exploitation
All I had to do was download the GitHub repository, set up a netcat listener on port 4444, and run the script.
Post Exploitation
Finding the user.txt flag was trivial: all I had to do was change directory to /home/Kiba and run cat user.txt.
Questions 5 and 6 give us a direction we can take to gain root privileges. Question 5 does not need to be answered, but it should be noted. Question 6: How would you recursively list all of these capabilities? The getcap -r / command will recursively examine file capabilities within the directory.
When running this command in the Kiba home directory, we can see that python3 = cap_setuid+ep. This means a process running this python3 binary can change its user identifier to any value; since the UID is what identifies a user to the system and determines which system resources they can access, that includes root’s UID.
This snippet from GTFOBins allows me to use python to escalate my privileges to root by setting my uid to 0.
Now that we have rooted the box, we can change to the root directory and read the root.txt flag.
Conclusion
In conclusion, this was a really fun and straightforward challenge to complete. The questions guided me in the right direction without giving too much away. Through this, I learned about Linux capabilities and how they can be abused to escalate privileges.
I love reading your blog. I read your writing; it’s easy to understand. Thank you for writing this.