Sirol

Information

Navigating through this Proving Grounds VM presented quite a challenge. After further research, I was able to reach my objectives. Fun as always!

Enumerated Ports & Services

Findings

Rabbit holes

Webserver on port 80. Enumeration with feroxbuster did not find anything other than index.php:

The Website served a form to calculate:

Default installation of Kibana

Next up is the Kibana service on port 5601 which has a default installation which eventually led to enumeration of software version.

Possible RCE exploit for this version. Let's check it out!

RCE Vulnerability (CVE-2019-7609)

After executing exploit found on github, I received a reverse shell with root privileges.. huh? This easy??? Suspicious...

Looking for local.txt on the system...found it!

Rabbit hole again?

Loooking for proof.txt (find should help?)

After a few mins of digging and trying to find proof.txt and enumerate the system further, no wget, no curl, no nothing!!! again... suspicious!!!

After executing various Linux/Unix commands, I figured out it's a docker container!! DUH

Privilege Escalation

After confirming this was a docker container, I checked the capabilities I had under docker container as root user:

This translated to multiple permissions. Let's check by using capsh:

After trying multiple methods and searching in the webs, I found this link that contained information which helped escape the container by mounting the file system in /dev/sda1. This allowed for complete access to the filesystem and the curse of the black pearl.. /root/proof.txt:

Final notes

This challenge was fun enumerating! My research skills have definitely improved after practicing in Proving Grounds. Ready for the next one xD.

References

5601 - Pentesting Kibana - HackTricksbook.hacktricks.xyz

GitHub - Cr4ckC4t/cve-2019-7609: Kibana <6.6.0 RCE written in python3GitHub

Page not found - HackTricksbook.hacktricks.xyz