You are currently viewing TryHackMe: Kiba

TryHackMe: Kiba

Introduction

Kiba is a beginner-level challenge from TryHackMe. The point of this challenge is to “Identify the critical security flaw in the data visualization dashboard, that allows execute remote code execution.” By identifying the vulnerable service, and their public CVE’s, we can find an exploit that will give us a foothold onto the server and abuse Linux capabilities to escalate privileges to root.

Information Gathering

Kiba tasks
Task 1

The first question of this challenge: What is the vulnerability that is specific to programming languages with prototype-based inheritance? I did not know the answer, but I did know where to find it. After a quick Google search, we got the answer. It is Prototype pollution.

Prototype pollution

To start this challenge, we will use Nmap to scan the server for its open ports.

Kiba Nmap results
Nmap

On Port 5601, we can see that an application named Kibana is running on the server. Kibana provides “search and data visualization capabilities for data indexed in Elasticsearch… It also acts as the user interface for monitoring, managing, and securing an Elastic Stack cluster“.

Kibana dashboard
Kibana Dashboard

The answer to the second question can be found hidden within the website’s source code. The version of Kibana they are running is version number 6.5.4.

Kibana version

Now that we know the server is running Kibana version 6.5.4 it’s time to do some research and find if there are any public CVEs related to it.

Published on several large cybersecurity blogs, CVE-2019-7609 is a vulnerability that allows for remote code to be executed on servers running Kibana version 6.5.4. Luckily, one of the articles that posted about it links to a GitHub repository containing an exploit script.

Exploitation

All I had to do was download the GitHub repository, set up a netcat listener on port 4444, and run the script.

CVE-2019-7609
Kiba Exploit

Post Exploitation

Finding the user.txt flag was trivial, all I had to do was change my directory to /home/Kiba and use the command cat user.txt.

Kiba user.txt flag
user.txt

Questions 5 and 6 give us a direction we can take to gain root privileges. Question 5 does not need to be answered, but it should be noted. Question 6: How would you recursively list all of these capabilities? The getcap -r / command will recursively examine file capabilities within the directory.

When running this command in the Kiba home directory, we can see that python3 = cap_setuid+ep. This means that I manipulate my user identifier to any number used to identify the user to the system and to determine which system resources I have access to.

This snippet from GTFObins allows me to use python to escalate my privileges to root by setting my uid to 0.

privilege escalation

Now that we have rooted the box, we can change to the root directory and read the root.txt flag.

Kiba root.txt flag
root.txt

Conclusion

In conclusion, this was a really fun and straightforward challenge to complete. The questions were able to guide me in the right direction without giving too much away. Through this, I learned about Linux capabilities and how to exploit its privileges.

Kiba Solutions
Task 1 Solutions

This Post Has One Comment

  1. guraaa

    I love reading on your blog.. I read your writing. It’s easy to understand. Thank you for writing this

Leave a Reply