Sirol
Information
Navigating through this Proving Grounds VM presented quite a challenge. After further research, I was able to reach my objectives. Fun as always!
Difficulty: Hard
Community Rating: Very Hard
Enumerated Ports & Services
Port     Service                     Protocol
22       OpenSSH Server              TCP(6)
80       Apache 2.4.25 Web Server    TCP(6)
3306     MySQL DB Server             TCP(6)
5601     Kibana Web interface        TCP(6)
25007    ?                           TCP(6)


Findings
Rabbit holes
Webserver on port 80. Enumeration with feroxbuster did not find anything other than index.php:

The Website served a form to calculate:

Default installation of Kibana
Next up is the Kibana service on port 5601. It is a default installation, which eventually led to enumeration of the software version.


Possible RCE exploit for this version. Let's check it out!

RCE Vulnerability (CVE-2019-7609)

After executing an exploit found on GitHub, I received a reverse shell with root privileges.. huh? This easy??? Suspicious...

Looking for local.txt on the system...found it!

Rabbit hole again?
Looking for proof.txt (find should help?)

After a few mins of digging and trying to find proof.txt and enumerate the system further, no wget, no curl, no nothing!!! again... suspicious!!!


After executing various Linux/Unix commands, I figured out it's a Docker container!! DUH

Privilege Escalation
After confirming this was a Docker container, I checked the capabilities I had inside the container as the root user:

This translated to multiple permissions. Let's check by using capsh:

After trying multiple methods and searching in the webs, I found this link that contained information which helped escape the container by mounting the file system in /dev/sda1. This allowed for complete access to the filesystem and the curse of the black pearl.. /root/proof.txt:
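
The capability check from this section, as an added example that is not part of the original write-up: it decodes the CapEff mask from /proc/<pid>/status the way capsh --decode does and lists anything granted beyond Docker's default set, which is the check to run when reviewing how a container was started. The sample mask is constructed, and the function names are this example's own.

```python
import re

# Capability names by bit number, in the order of linux/capability.h.
CAP_NAMES = """chown dac_override dac_read_search fowner fsetid kill setgid
setuid setpcap linux_immutable net_bind_service net_broadcast net_admin
net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace
sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config
mknod lease audit_write audit_control setfcap mac_override mac_admin syslog
wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore""".split()

# Docker's default set of 14 capabilities as a bitmask (baseline assumption).
DOCKER_DEFAULT_MASK = 0x00000000A80425FB

CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)$", re.M)

def parse_status(text):
    """Return {field: mask} for the Cap* lines of /proc/<pid>/status text."""
    return {name: int(value, 16) for name, value in CAP_LINE.findall(text)}

def decode_caps(mask):
    """List the capability names whose bits are set in mask."""
    names = []
    for bit in range(mask.bit_length()):
        if mask >> bit & 1:
            known = bit < len(CAP_NAMES)
            names.append("cap_" + (CAP_NAMES[bit] if known else str(bit)))
    return names

def beyond_default(mask):
    """Capabilities granted on top of the Docker default baseline."""
    return decode_caps(mask & ~DOCKER_DEFAULT_MASK)

# Constructed sample: the default set plus cap_sys_admin (bit 21).
SAMPLE_STATUS = "CapInh:\t0000000000000000\nCapPrm:\t00000000a82425fb\n" \
                "CapEff:\t00000000a82425fb\nCapBnd:\t00000000a82425fb\n"

if __name__ == "__main__":
    try:
        with open("/proc/self/status") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_STATUS  # not on Linux: use the constructed sample
    eff = parse_status(text)["CapEff"]
    print(f"CapEff = {eff:016x}")
    print("effective:", ", ".join(decode_caps(eff)) or "(none)")
    print("beyond Docker default:", ", ".join(beyond_default(eff)) or "(none)")
```

An empty "beyond Docker default" line means the container runs with the baseline set; any name printed there is a capability someone added at start time and should be able to justify.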


Final notes
This challenge was fun enumerating! My research skills have definitely improved after practicing in Proving Grounds. Ready for the next one xD.
