# Kiba

![](/files/-Mdmy51wIfnhDJU4Q3iF)

Lets search on google for the answer to the first question

![](/files/-Mdmyxvy-DD6Jrf_EnLf)

## Scanning

Lets run network scans to find open ports and services

![](/files/-Mdn-SD5RFwi0F92mbb_)

![](/files/-Mdn-MY1JpljiONOAPMk)

![](/files/-Mdn-q0d79_7RxDdk8HV)

## Enumeration

Lets check the webpage running on port 80

![](/files/-MdmzYeGBBa5HggLoE_V)

There is nothing. Lets check Port 5044

![](/files/-Mdn01KWMnZXh8LOpBnI)

Nothing. Lets check Port 5601

![](/files/-Mdn0BLkpFgRh9_F1zU0)

We have a Kibana app running, lets check the `version` in the Management tab

![](/files/-Mdn0NYWMcPKT6jqA38C)

Lets look for a vulnerability on this version on Google.

![](/files/-Mdn0pER9IMh2P_zauIg)

![](/files/-Mdn2crl-G2G_CpwTqmB)

## Exploitation

Looks like we found it. Lets download the exploit script.

![](/files/-Mdn15CgZF-nWBYAUN0X)

Lets look at the exploit

![](/files/-Mdn1a82WdPPn51NWdoC)

Looks like we have options to set, lets first start a netcat listener.

![](/files/-Mdn1hoVfO9LASoV7QBj)

Now lets run the exploit with the right options

![](/files/-Mdn2I6h2gDv9ElAhzs1)

![](/files/-Mdn2Kbug-KJMkXf7trF)

We have a shell, lets read the user flag.

![](/files/-Mdn2UgMUjf5RCp46SRA)

## Privilege Escalation

The next tryhackme question is talking about capabilities so lets go check how we can see capabilities in Linux.

![](/files/-Mdn41zydhbE6-9b1rgB)

![](/files/-Mdn6FA0I0BiNr-_S3Fa)

We can see what this capability is [here](https://man7.org/linux/man-pages/man7/capabilities.7.html).

![](/files/-Mdn50DSMhyBivq1P4TV)

Looks like we can change the `UID` with the `python3` file in the `kiba` directory, lets check it out.

![](/files/-Mdn5a-YrXJkIpwae1Jn)

Lets run the file and make it change our UID to 0 which is the UID for root.

![](/files/-Mdn5suoNQ9PME62rYH5)

We are now root, lets read the root flag

![](/files/-Mdn60J8lXG13ReNoJXN)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://writeups.adityadindi.com/tryhackme/untitled/kiba.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.