KIBA WriteUp TryHackMe
TASK 1: Flags
#1 — What is the vulnerability that is specific to programming languages with prototype-based inheritance?
Answer: Google it; do some research and you’ll find the answer.
#2 — What is the version of visualization dashboard installed in the server?

#3 — What is the CVE number for this vulnerability? This will be in the format: CVE-0000-0000
Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute JavaScript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
Answer: I gave the hint; now find the answer.
#4 — Compromise the machine and locate user.txt
Also git clone the payload by clicking here
Start a listener (nc -nvlp 4444) and run the exploit:

Now we have the shell:

#5 — Capabilities is a concept that provides a security system that allows “divide” root privileges into different values
Answer: No answer required
#6 — How would you recursively list all of these capabilities?
Answer: getcap -r /
#7 — Escalate privileges and obtain root.txt
Checking the capabilities reveals a custom python3 installation in /home/kiba/.hackmeplease/:

Checking GTFOBins for what we can do with python related to capabilities reveals that we can escalate our privileges to root:

Let’s get a better shell and grab the root flag. Use this website for the best one-liner payloads, and for a reverse shell you can use this GitHub repository.

Submit the flags.
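
From the defender's side, the recursive getcap listing from #6 and #7 is also the audit that catches this misconfiguration. The script below is an added example, not part of the original write-up: it triages getcap output, and its risky-capability list, severity labels and sample lines (including the capability shown for the python3 path) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original write-up): triage `getcap -r /` output.

# Capabilities treated as root-equivalent; this selection is the example's
# own assumption and is not exhaustive.
RISKY_CAPS='cap_setuid|cap_setgid|cap_dac_override|cap_dac_read_search|cap_sys_admin|cap_sys_ptrace|cap_sys_module|cap_chown|cap_fowner'

# audit_caps: read getcap output on stdin and print "SEVERITY<TAB>path<TAB>caps"
# for each file holding a risky capability in its permitted/effective set.
# Accepts "path = caps+ep" (older libcap) and "path caps=ep" (newer libcap).
audit_caps() {
  awk -v risky="$RISKY_CAPS" '
    NF < 2 { next }
    {
      caps = $NF
      path = $0
      sub(/ (= )?[^ ]+$/, "", path)        # drop the trailing caps field
      flags = caps; sub(/^[^+=]*[+=]/, "", flags)
      names = caps; sub(/[+=].*$/, "", names)
      if (flags !~ /[ep]/) next             # inheritable-only entries
      if (("," names ",") !~ (",(" risky "),")) next
      sev = "MEDIUM"
      # An interpreter or debugger turns the capability into arbitrary code.
      if (path ~ /\/(python|perl|ruby|node|php|lua|gdb|vim?|bash|sh)[0-9.]*$/) sev = "HIGH"
      # Files under user-writable trees are outside package management.
      if (path ~ /^\/(home|tmp|var\/tmp|dev\/shm)\//) sev = "HIGH"
      printf "%s\t%s\t%s\n", sev, path, caps
    }'
}

# Constructed sample input: the python3 path is the one named in the write-up,
# every capability value here is made up for illustration.
sample_getcap_output() {
  cat <<'EOF'
/usr/bin/ping = cap_net_raw+ep
/home/kiba/.hackmeplease/python3 = cap_setuid+ep
/usr/bin/newuidmap cap_setuid=ep
/usr/bin/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
EOF
}

# On a live host: getcap -r / 2>/dev/null | audit_caps
sample_getcap_output | audit_caps
```

A finding is cleared by removing the file capability with setcap -r on the reported path, or by deleting the stray binary if nothing depends on it.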