Sirol
Proving Grounds PG Practice Sirol writeup
Nmap
Port 5601 is hosting Kibana. Looking through the management option on the left shows we are running version 6.5.0.
Researching vulnerabilities on Google regarding this version takes us to an RCE exploit abusing the Timelion feature.
From here I used the second payload shown on the GitHub and pasted this into Timelion to point back to my IP and port 5601.
If you are unable to get code execution, reset the machine and try again in an incognito browser window.
From here, and as per the GitHub instructions, hit the run button and then set up a netcat listener on the specified port.
After browsing to the 'Canvas' page, we should receive a root shell back on our listener.
Listing everything inside the '/' directory shows a .dockerenv file. This, combined with the hostname of 0873e8062560, means we are likely running inside a Docker container.
Using the command fdisk -l we can list the host's disks.
We can then create a directory and attempt to mount /dev/sda1 to it so we can see if we can browse the host's file system.
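Listing and mounting the host's disk from inside the container requires host block device nodes under /dev and CAP_SYS_ADMIN (assumption: the page does not say how the container was started; running it with --privileged is the usual cause). As an added example, not part of the original writeup, this script audits a container for those conditions using the same indicators noted above; all function names are hypothetical.

```shell
#!/bin/sh
# Added example: container hardening audit. Function names are hypothetical;
# paths are parameters so the checks can be pointed at a test tree.

# Same indicators the writeup used: /.dockerenv, or a hostname that is a
# 12-hex-digit container ID (Docker's default hostname).
looks_like_container() {   # $1 = root dir, $2 = hostname
    if [ -e "$1/.dockerenv" ]; then return 0; fi
    printf '%s\n' "$2" | grep -Eq '^[0-9a-f]{12}$'
}

# CapEff in a /proc/<pid>/status file is a hex bitmask; bit 21 is
# CAP_SYS_ADMIN, which mount(2) requires.
has_cap_sys_admin() {      # $1 = status file
    cap=$(awk '$1 == "CapEff:" { print $2 }' "$1" 2>/dev/null)
    [ -n "$cap" ] || return 1
    [ $(( (0x$cap >> 21) & 1 )) -eq 1 ]
}

# Count block device nodes visible under a /dev directory.
count_block_nodes() {      # $1 = /dev dir
    count=0
    for node in "$1"/*; do
        if [ -b "$node" ]; then count=$((count + 1)); fi
    done
    echo "$count"
}

audit_container() {        # $1 root, $2 hostname, $3 status file, $4 /dev dir
    looks_like_container "$1" "$2" || { echo "not-a-container"; return 0; }
    nodes=$(count_block_nodes "$4")
    if has_cap_sys_admin "$3" && [ "$nodes" -gt 0 ]; then
        echo "FAIL: CAP_SYS_ADMIN plus $nodes block device node(s)"
    elif has_cap_sys_admin "$3"; then
        echo "WARN: CAP_SYS_ADMIN granted"
    elif [ "$nodes" -gt 0 ]; then
        echo "WARN: $nodes block device node(s) exposed"
    else
        echo "OK"
    fi
}

# Audit the environment this script is running in.
audit_container / "$(uname -n)" /proc/self/status /dev
```

A container started with Docker's default capability set and without --privileged or --device reports OK; a FAIL result means a root process in the container can mount the host's disks as shown in this writeup.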