CTF Walkthroughs, TryHackMe

TryHackMe – Kiba Walkthrough

Introduction

This was an easy Linux machine that involved exploiting an arbitrary code execution vulnerability in the Kibana web application to gain initial access, and abusing a Python3 binary with the cap_setuid capability assigned to escalate privileges to root.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions

The scan has identified two open ports: port 22 (SSH) and port 80 (HTTP).

When performing an additional scan with the -p- flag, in order to scan all 65535 TCP ports, two new ports are found:

The next step is to enumerate HTTP on port 80 and the services on ports 5044 and 5601.

Enumerating HTTP

When accessing the web server on port 80 through a browser, the following page is displayed:

It mentions Linux capabilities which will be useful later on, but right now it isn’t too interesting.

On the other hand, port 5601 serves Kibana, a data visualisation front end that queries Elasticsearch to build graphs and dashboards; the stack is often used for log monitoring and as the basis of a Security Information and Event Management (SIEM) system.

It currently does not require authentication, and navigating to the management page reveals its version:

That version appears to be affected by a remote code execution vulnerability, as confirmed on the Elastic site:

Exploiting Kibana Code Execution

Searching GitHub for the CVE number turns up a few repositories:

The following repository contains a Python script that can be used to exploit this vulnerability:

Cloning the repository and executing the exploit to view the available options:

The next step is to set up a Netcat listener to catch the reverse shell when the victim host executes it, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Executing the script, providing the URL of the Kibana instance, the local host and port, and the --shell argument:

The exploit has provided a reverse shell as the “kiba” user.

The following steps can be done to upgrade it to a fully interactive shell:

  • Running python -c 'import pty; pty.spawn("/bin/sh")' on the victim host to get a pseudo-terminal
  • Pressing CTRL+Z to background the shell and return to the local terminal
  • Running stty raw -echo on the local host, so keystrokes are passed straight through to the remote side
  • Typing fg and pressing ENTER to return to the reverse shell

Privilege Escalation

There are various tools that can be used in Linux to list file capabilities, but one that is usually installed by default is getcap (part of libcap):

Running the following command to list every file with capabilities set, recursively from /, discarding permission errors:

getcap -r / 2>/dev/null

A Python3 binary has cap_setuid+ep set. Consulting GTFOBins shows this can be used to escalate privileges: cap_setuid lets the process change its user ID, so the interpreter can call setuid(0) and spawn a root shell, much as a SUID-root binary would.

Executing the following command to spawn Bash as root:
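getcap simply reads and pretty-prints the security.capability extended attribute on each file. The script below, added as an example for this walkthrough and not part of the original page, decodes that attribute by hand so it is clear what "cap_setuid+ep" actually encodes (permitted set, inheritable set and the file's effective flag), flags capabilities that typically lead straight to root, and can walk a filesystem as a pure-Python stand-in for getcap -r. The 20-byte sample xattr is constructed here to match what setcap cap_setuid+ep writes; the ROOT_EQUIVALENT list is this example's own choice, not something the page or GTFOBins defines.

```python
"""
Decode the security.capability xattr that getcap reads, to see exactly what
"cap_setuid+ep" grants. Added example, not the walkthrough's own code; the
sample xattr below is constructed rather than copied from the target machine.
"""
import base64
import os
import struct

# struct vfs_cap_data from include/uapi/linux/capability.h (all fields __le32):
#   magic_etc                       revision in the top byte, flags in the low 24 bits
#   data[0].permitted/inheritable   capability bits 0-31
#   data[1].permitted/inheritable   capability bits 32-63
#   rootid                          revision 3 only (root uid of the owning user namespace)
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_REVISION_3 = 0x03000000

# Capability bit numbers from the kernel headers (list index == bit number)
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

# This example's own shortlist: capabilities on a binary you can execute that
# usually give root outright (uid/gid changes, DAC bypass, ptrace, modules, ...).
ROOT_EQUIVALENT = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_chown", "cap_fowner", "cap_sys_admin", "cap_sys_ptrace",
    "cap_sys_module", "cap_setfcap",
}


def cap_name(bit):
    return CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}"


def bits_to_names(mask):
    """Expand a 64-bit capability mask into names, lowest bit first."""
    return [cap_name(b) for b in range(mask.bit_length()) if (mask >> b) & 1]


def decode_capability_xattr(raw):
    """Parse raw security.capability bytes into permitted/inheritable/effective."""
    if len(raw) < 4:
        raise ValueError("xattr too short")
    magic_etc = struct.unpack_from("<I", raw, 0)[0]
    revision = magic_etc & VFS_CAP_REVISION_MASK
    expected_len = {VFS_CAP_REVISION_2: 20, VFS_CAP_REVISION_3: 24}.get(revision)
    if expected_len is None:
        raise ValueError(f"unsupported vfs_cap_data revision {revision >> 24}")
    if len(raw) != expected_len:
        raise ValueError(f"revision {revision >> 24} needs {expected_len} bytes, got {len(raw)}")
    p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<4I", raw, 4)
    rootid = struct.unpack_from("<I", raw, 20)[0] if revision == VFS_CAP_REVISION_3 else 0
    return {
        "revision": revision >> 24,
        "permitted": bits_to_names(p_lo | (p_hi << 32)),
        "inheritable": bits_to_names(i_lo | (i_hi << 32)),
        # the file's effective flag raises every permitted cap into the effective set at exec
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "rootid": rootid,
    }


def format_like_getcap(caps):
    """Render like cap_to_text(3): caps grouped by their flag letters, e.g. cap_setuid+ep."""
    flags_for = {}
    for name in caps["permitted"]:
        flags_for[name] = ("e" if caps["effective"] else "") + ("i" if name in caps["inheritable"] else "") + "p"
    for name in caps["inheritable"]:
        flags_for.setdefault(name, "i")
    groups = {}
    for name, flags in flags_for.items():          # names arrive in bit order
        groups.setdefault(flags, []).append(name)
    return " ".join(f"{','.join(names)}+{flags}" for flags, names in sorted(groups.items()))


def root_equivalent_caps(caps):
    """Permitted capabilities worth checking on GTFOBins for a privilege escalation."""
    return sorted(set(caps["permitted"]) & ROOT_EQUIVALENT)


def from_getfattr(text):
    """Accept the value as `getfattr -n security.capability` prints it: a '0s' prefix plus base64."""
    text = text.strip()
    if text.startswith("0s"):
        text = text[2:]
    return base64.b64decode(text)


def find_file_capabilities(root="/"):
    """Pure-Python stand-in for `getcap -r /`: yields (path, getcap-style text). Linux only."""
    if not hasattr(os, "getxattr"):
        return
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for fname in filenames:
            path = os.path.join(dirpath, fname)
            try:
                raw = os.getxattr(path, "security.capability", follow_symlinks=False)
            except OSError:          # no xattr, permission denied, or file vanished
                continue
            try:
                yield path, format_like_getcap(decode_capability_xattr(raw))
            except ValueError:       # unknown revision or truncated attribute
                continue


# Constructed sample: the 20 bytes that `setcap cap_setuid+ep` writes.
# Revision 2, effective flag set, permitted = bit 7 (cap_setuid), nothing inheritable.
SAMPLE_XATTR = struct.pack("<5I", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE, 1 << 7, 0, 0, 0)

if __name__ == "__main__":
    caps = decode_capability_xattr(SAMPLE_XATTR)
    print(format_like_getcap(caps), "->", root_equivalent_caps(caps))
    for path, text in find_file_capabilities("/"):
        print(path, text)
```

Decoding the attribute, rather than trusting the one-line getcap summary, makes the "+e" explicit: with the effective flag set, the permitted capability is active from the first instruction of the new process, which is why a plain python3 -c one-liner is enough and no cap_set_proc call is needed.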

/home/kiba/.hackmeplease/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

This has now granted access to the machine as root.

Conclusion

This was obviously a beginner-level box, but it is still interesting to see how software meant to help protect organisations through log monitoring can itself be the source of vulnerabilities.