Hello everyone, my name is John Hammond. Welcome back to another YouTube video, and we're looking at a little bit more TryHackMe. So this is actually a super duper new and recent room. This is Kiba, and I think it just got released a day ago, at least at the time of recording. It says: identify the critical security flaw in the data visualization dashboard that allows you to execute remote code execution. It is marked as a difficulty of easy. It's kind of a, sure, quote unquote, beginner box, but I wanted to showcase it because I think it has a really interesting, cool technique and gimmick and trick, because this is showcasing Kibana, if you couldn't tell between the name and the icon here. So when I think of Kibana, I don't normally think of some insecure technology and platform; normally I think, hey, that's the real stuff, that's the good stuff that's out there in the world today. So I thought it was cool, let me showcase it, and let's go ahead and dive in. I've spun up this machine already. It does take a little bit of time to go ahead and provision and everything. It says, hey, this machine may take up to seven minutes to boot and configure, but I hopefully have let that run for a little bit of time. I have my answers already filled in here; that's just kind of the difficulty, in that I can't clear all my answers. That's up to the creator of the box, the room owner and the room creator. I can't do that, so forgive me, but I'll walk through how we answered all of those. The first question is: what is the vulnerability that is specific to programming languages with prototype-based inheritance? So this is asking for a vulnerability, and just me knowing off the top of my head, in conversations between prototype and vulnerability, you often hear prototype pollution, and that's kind of a common one.
I think that is more and more prevalent now, or I hear it and discuss it and have that conversation when you talk with people that are doing bug bounty or playing some other cool web-oriented capture the flag stuff or doing pen testing. If you didn't know that answer off the top of your head, you could just simply Google "the vulnerability specific to programming languages with prototype-based inheritance" and you could absolutely, totally find an answer right away. So that is how you could track that answer down. And then it actually wants us to work with the machine. It says, what is the version of the visualization dashboard that's installed on the server? So let me go ahead and play with this machine here. I will go ahead and run RustScan, as that is the cool, crazy thing that we're doing now to go ahead and speed up our nmap process. Looks like it has port 22 open for SSH, port 80 open on HTTP. I don't know what that 5044 is. I don't think I really needed to do too much with it, but 5601 is actually the default port that Kibana will run on, Kibana being that great blue team kind of log-oriented tool. So let me go take a look at this machine. I'll look at port 80. It says "welcome"; Linux capabilities is very interesting. Kind of interesting, not a ton there, but since this is named Kiba and the icon is the Kibana logo, maybe I should be working with Kibana over on that port 5601. So this will load right up for me and load Kibana. I've seen this be a little bit slow and a little bit funky. So forgive me if I have to pause the video every now and again, but if this is going to be the great visualization dashboard, I kind of wanted to get an idea of what version this is running, and it asks us that here. What's the version of the visualization dashboard installed here on the server? The way that I found this out was actually just looking through the source code. I hit Ctrl+U on my keyboard and I would just simply search for "version".
It looks like it actually had this noted here in the theme CSS. It is 6.5.4, and that's what I was able to determine just by Ctrl+F-ing "version" looking at the source code, and that's the answer you could fill in there. You could also find that if you hop over to the Management tab; it should display that right here, version 6.5.4, and that is good to know, because it leads you on to this next question. What is the CVE number for this vulnerability? This will be in the format of CVE-number-number-number-number-number. So I would go ahead and Google this. I would do a little bit more research here. I would look for Kibana vulnerabilities, I guess, and I could see some that might be open and available over on CVE Details, et cetera, et cetera. And I'm trying to find something that will be at least along the same lines of prototype pollution. If I wanted to, I could kind of zoom in on this search. I could be looking for "Kibana prototype pollution", and you can actually see that in my previous searches here. Looks like they do have one notion, exploiting prototype pollution to get RCE in Kibana, and it has CVE-2019, so that looks promising. Looks like it's CVE-2019-7609. So I would go ahead and submit that, and that was the correct answer. Now I need to do a little bit more research as to how I could compromise this machine and actually get on the box. So I did some peculiar things. I just obviously did some research on this CVE. Tried to see if I could learn a little about it, see if I could actually find some proof-of-concept code, and we do have a lot of things that we could be looking for. If you aren't finding a proof of concept, like an attack script or some code, a lot of times a good thing to do is to just look for "GitHub" and include that in your search term, or "exploit", or whatever you want.
That's pretty easy to make it, I don't know, worthwhile finding these, and this GitHub page itself is what I ended up using, but let me actually give us a little bit more background on what this vulnerability is, and I'll try and dive into it, so we don't just hit the "I believe" button and run this attack script like a little script kiddie. I have no shame in admitting and saying, yeah, absolutely, I'm totally a script kiddie, but I like to learn a little bit more about it behind the scenes, right? Kibana versions 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute JavaScript code. This could possibly lead to an attacker executing arbitrary commands with the permissions of the Kibana process on the host system. Okay, looks like it references a couple of things here, but that's all the info that it will really give us on that. So that's totally fine. Okay, Kibana versions before those version numbers. So our version number that we found, 6.5.4, is in that range. Good stuff. Let me look at this exploit code and kind of see what's going on here. This has the exact same explanation. Do I have that Timelion visualizer thing? Is that actually in the Kibana instance? Oh, I do. I do have Timelion right here. And once that loads: welcome to Timelion. This is the clawing, gnashing, zebra-killing, pluggable time series interface for everything. Okay, it just sort of creates a timeline, understood. I get the joke with Timelion. Nice, super nice. And I guess this looks like some input. Maybe just running JavaScript code or something. I don't know. I don't know all the behind-the-scenes of how that works. The tutorial focuses on Elasticsearch. Oh, .es. Pull data from an Elasticsearch engine. Oh, it'll give me some help. That's kind of nice. That's kind of neat.
And you could view the tutorial if you want to do a little bit more with that. I'm more interested in trying to break it and kind of abuse it. Found by securityMB. "I've tested this attack on Kibana 6.6.0, but it was not working." That's fine. We're at a lower version than that. "On my side, only versions of Kibana less than 6.6.0 are vulnerable, as explained. If the Canvas panel is not accessible, check this write-up from Synacktiv." Ooh, I guess we could take a look at that. But what is Canvas? Looks like the exploit is just these steps. Open Kibana, paste one of the following payloads in the Timelion visualizer. Click Run on the left panel. Click on Canvas and you should get a reverse shell. Okay, cool. Should I just press the "I believe" button on that? Let's do it. Let's do it to see if it will work first. And then let's kind of deep dive as to how that all works. Let me go ahead and paste all this in so I can modify this to actually get my IP address in here. So I'm running with my tun0 address as 22132. Perfect. So let me swap that in where the attacker IP address is, and I'll change it to port 9999. And I see that Elasticsearch kind of prefix there, everything that we had. So all I need to do is paste this in and hit Run. Okay, I guess I should start a listener. nc -lvnp 9999, run, just to make sure. Okay, and that doesn't do anything by itself. The exploit said click Run, and on the left-hand panel click Canvas. Does Canvas trigger it or something? Click Canvas, running Canvas, loading Kibana. No reverse shell yet. Am I supposed to get one, or does it take a little bit more time? Canvas is loading. Fingers crossed, will this work? Did I do this right? Let me pause and let this load and see if it actually comes through with anything. Or actually, it gave me two payloads. Maybe that first payload just didn't work. Let's try the other one, the payload by a different individual.
So that one, again, I just need to change out the IP address and ports. I'll go 9999 still, grab this, and I'll go back to Kibana so I can modify that. That should be in Timelion. Let this load, this takes a while. Okay, slap that in, hit Go. Oh, and then it just did it. What, hang on. Did I do that out of order or something, or how did that go through? Let me just do a little sanity check. Let me change this to port 8888, because I thought it needed me to click on Canvas. Let me run this one more time. Run this, and that's not just going to straight up do it. I see Kibana loading up on the top. So I just want to let that finish, or maybe it's still stuck. Maybe it's just trapped because it already has a reverse shell. If I go to Canvas, does it just do it again? I don't want to accidentally lose this shell. Yeah, now Kibana is just running slow. Oh no, is that shell still a thing? It is, it is. id. Oh no, no, no, it's not. Okay, I super duper broke it. Great. Let me get my head straight again. I'll pause the video here. Okay, so I reset the box and I just want to see if that will behave any better. I guess I broke it. When I was going through this beforehand I would see a similar thing, or sometimes it would just be really, really funky and kind of mess up. But let me run this with 9999 now as the reverse port, and that's set. So now when I go to Canvas, I have the listener waiting over here and hopefully that will spawn and go ahead and create it. Maybe it just takes a little bit of time. Maybe I was too impatient. Okay, that just came right through. So it works, it's a thing that happens, but let's explore a little bit more. I want to dive under the hood, but before I do, I do want to showcase this other utility, and I actually see a few more. It looks like there's another GitHub repository that does a similar thing. I see this yucks one and I see this LandGrey one.
LandGrey and yucks look almost identical. Like same screenshots, same exact code. Is this forked? Oh, oh, duh. Okay, it's forked from that. Whatever, let's take a look at that LandGrey one, because that's not the manual interaction that I was doing just a moment ago. That was actually an automated Python script. It notes that it's Python 2, though. I wonder if it actually is Python 2, because if it is, maybe we'll have to clear that up a little bit. So let's subl that. get_kibana_version. Okay, it's using requests. I don't see anything wrong. Yet. Print statements all have parentheses around them. It's using argparse. Yeah, maybe this should work just fine. That's worth a try. So I can run that with python3 cve, and then I need to specify the URL with HTTP and the port. So let me try that. Again, maybe this thing will whine at me because I already have a shell, but --host 10 to two, one 32. --port should be, yeah, let's use 8888. Can I do that? If I start up a little netcat listener on 8888, or is it going to say unrecognized arguments? What? Oh, I have two quotation marks here, or two hyphens, two dashes. And I don't need to have that. Try that. Oh, okay, I do see that issue where it does need to be using bytes rather than strings here. What line is that on? 23, get_kibana_version. It's using regular expressions. 23, findall(pattern) equals all that, and content is already in bytes. So if I add a b prefix, will those be bytes, and will that be just fine? Or else do we use regular expressions? That's the only spot, okay? Can I run that again? Nope. Line 33 and version_compare. If not version, if not version_compare. So, 33, 33. StrictVersion? What does that mean? distutils.version, StrictVersion. And Kibana version. Do we need to do that? Do I need to do a version compare? Or can I just, can I make these bytes, because that's apparently what's calling that? Like, we know that this thing will fire. We know that this will work.
Let me try and run that again. Have the exact same issue. Just trying to correct things over to bytes. That's just getting in the way. You know, don't bother. Don't bother running that. Let's try and run it again. "A bytes-like object is required, not str." b in get content. Content will definitely be bytes. Are headers going to be bytes? Do I need to correct that? Verify that. Okay, maybe it exists but it didn't run it. You know what? We should put that away, because we've been able to run it successfully already and I don't want to lose that shell again, as I might have already. Okay, no, that's still responding to me. Good, good. Let's put that away and know that, okay, we could control a little bit more of that Python 2 script. Correct that to Python 3 if we wanted to. But let me review this GitHub section here, because this explains, like, if you want more of a detailed analysis of what's really going on. And I did, because I don't often work with prototype pollution. Like, I'm not super smart on that vulnerability. So I kind of wanted to go check this out and I wanted to learn more about it. They had a slide deck here and there is an article. Where's the original article? Oh, we already had that link up. It's this WordPress thing from Securitum. "Exploiting prototype pollution: RCE in Kibana" by Michał Bentkowski. And that must be securityMB. Yeah. "Prototype pollution is a vulnerability that's specific to programming languages with prototype-based inheritance, the most common one being JavaScript." That is literally the first question in this TryHackMe room. "While the bug is well known for some time now, it lacks a lot of practical examples of exploitation. But in this post, we'll show you how to do it with Kibana." It's also released as a presentation, and those are the slides that we were looking at. Yep. So I can work through these. Very cool. Very, very cool. Anyway, let me walk through this a little bit.
I hope you don't mind prototype-based inheritance. Let's create a simple object in JavaScript. So an object with these properties defined. Property one is going to be set to 1 and property two is going to be set to 2. Two properties. And we can access them with the dot selector as we usually do. But interestingly enough, those aren't the only ones we can access, though. We could run toString on it or check out the constructor or hasOwnProperty. But the question is, how can we access those if they aren't defined here, as they should be, when we're listing that out? The answer is that it has inheritance, or the prototype of objects that came before it. So I guess I parallel this to some Python thing where you can control variables that are either in a different object scope or a parent scope because of interesting things. Anyway, sorry, that's probably a detour that we don't need to get into. You can determine what the prototype is by running Object.getPrototypeOf on your object variable, or simply checking out object dot dunder proto, or double underscore proto, object.__proto__. So while we've defined that object, it doesn't return anything, but if we check out object.__proto__, then we have this whole list and section of different variables we could access. And it is going to be the exact same thing as Object.prototype. Cool. So prototype pollution is when you could overwrite those properties of Object.prototype, those higher-up things like toString, constructor or hasOwnProperty that don't really exist in that object itself, but would in the layer above that, or that parent or that prototype, right? So the most commonly shown example is the following. If user.isAdmin, do something important. Imagine that we had a prototype pollution gimmick that makes it possible to set that Object.prototype.isAdmin to true. Unless the application explicitly assigned that value, then that user.isAdmin is going to be set to that value.
It's going to be always true. That's kind of interesting. So we have maybe a user object, and prior to actually creating that object, we've specified the prototype isAdmin is going to be true. User will inherit from that, or have that property, have that information. And since it's not going to be set or configured to change the isAdmin value, it will just inherit and have that value be true. user.isAdmin is true. That prototype will kind of leak through. That's neat. So in Kibana, looks like they were looking through this at kind of like a training organization or some training event, that's really nice. The question is, how could you escalate from prototype pollution to remote code execution? If we want to find the source of this vulnerability in Kibana, you can see it in the Timelion visualizer. Okay, that's the vulnerability that they were looking for. They got in Timelion, we can write expressions, visualize some data. So when we saw that syntax, the .es() with the parentheses, using .props(), not only strings can be assigned to properties, but also objects. So we could set the label of the Timelion chart to be whatever we wanted, ABC in that case. If we were to use that with an object x to be set to ABC, then we're getting closer to exploiting prototype pollution, because you could do peculiar things with that. You could go ahead and reach that object's prototype with that dot underscore underscore proto, .__proto__. Now we've assigned a new property to that Object.prototype, and that's how we could potentially abuse it. Obviously the most egregious and obvious and blatant and outright case of prototype pollution is if an object has JS code, or JavaScript code, or some variable attached to it, and for some reason the program was running an eval on that object's JS code. Then boom, if you had your prototype pollution, you could just arbitrarily run code. That'd be great and that'd be fantastic. Doesn't look like that's what they found here.
They did notice something peculiar and interesting in Canvas, though. When they clicked on it, they noticed a huge amount of errors in the console. It seemed like running that Canvas, or checking out that portion of the dashboard, was actually trying to start up another process of node, or Node.js, or JavaScript. It's actually running this all server-side. They actually took a look at this: if they ran it in Chrome Inspect and debugged it, you could see that child_process.spawn method, therefore trying to start a new process. That's good news, because maybe we could abuse that, and we could do something like actually spawn a reverse shell or programs or something that might be more worthwhile for us as the attacker. Looks like they actually used the method normalizeSpawnArguments, which is a paradise for prototype pollution. And they do an interesting thing, because they're gathering all of the environment variables as part of that vulnerability, or part of Kibana. options.env was not defined by default, which meant that it could be polluted, and we could abuse that and take advantage of it. In the snippet, there's a for loop that iterates over all the properties of env and adds them to the array in the form key=value. And we see that there: for var key in environment, it has a value set to the value in the environment of the key, and we'll add it in. Because options.env can be polluted, I can control what environment variables are passed. This seemed peculiar and maybe worthwhile and interesting from the attacker's side, because the NODE_OPTIONS variable, which you could pass to node, might allow you to actually specify something like --eval and be able to run code. The thought process was to set NODE_OPTIONS to --eval console.log to execute code, but that didn't work. Looks like that was actually not allowed, and maybe they were trying to prevent that. But you could use something else peculiar, something interesting. You could have --require.
You could use --require to load up a JavaScript file on startup. That argument would also work in NODE_OPTIONS. So node --require and then a file to load. That could be something that we could pull out and we could work with. Setting that environment variable while node is kickstarting through Canvas, and if it's going to require a file, maybe we could somehow get a file with JavaScript code. How could we do that? Maybe some functionality where you could upload a file would work, but maybe we didn't have to do that whatsoever. Looks like Michał here, that is his name, right? I'm not saying that wrong. Yeah, okay, cool. He thought, let's take a look at that /proc/self/environ file, because in the Linux file system that'll be real data that'll allow you to actually list out all the environment files, excuse me, environment variables of the current running process. So because they could actually do this prototype pollution and they could control environment variables, they could control that /proc/self/environ file, and maybe they could set an environment variable, and they actually put it at the very, very top of the file. They're using an environment variable with all A's. So the very, very first thing alphabetically, AAA, is going to be console.log and then include a JavaScript comment. So the whole rest of the environment variable file, /proc/self/environ, is commented out and it looks like valid JavaScript code. Kind of neat, kind of interesting, because then you could get through all of that. You could use this prototype pollution to not only control the environment variables and pass along these NODE_OPTIONS, so that while you require that object you could go ahead and execute code. You can require that JavaScript file that's literally your environment variables, and you get code execution.
So all of that to say, you're using that __proto__ with their env setting, and the all-A's environment variable setting that to JavaScript code: require('child_process') and execute the syntax to get a reverse shell. And then in that .props() you're specifying the NODE_OPTIONS to now go ahead and --require the environment file, that /proc/self/environ, that will have that code in there. Super duper cool. Now when you run it, you've got your reverse shell. That's kind of neat. That's kind of crazy cool. I know I probably talked about that for way too long and I didn't really need to. Maybe you don't care, but I thought that was very, very cool, and I hope it showcases the behind-the-scenes of what's really happening with that vulnerability and helps us understand it a little bit more. And for one thing, maybe that'll give you a better idea as to what's really happening with prototype pollution, because I hadn't seen that or done that before and I want to learn a little bit more about it. Like, that's why this was kind of cool. That's why this was neat. If you'd like to, you can go check out the slides here. Looking through that blog post, or that WordPress article, I think will do a little bit more for you than just trying to peruse through these slides, because obviously the presentation without someone giving the presentation, like without the presenter, is kind of hard to follow. But hey, you could probably stitch it together with everything that we've just discussed, seeing how that prototype pollution works. Okay, that is enough distraction. Let me see if I still have a shell here. id. Looks like I do. Okay, let's get back to what we were doing. Let's check if we actually have Python 3. Looks like I do. Okay, so I'm going to run stabilize_shell_3, just my little poor man's pentest script to stabilize this shell. Now I can clear the screen without being concerned, and I will switch over to the home directory, /home/kiba, good.
And I can cat out that user.txt. Great, so there's the TryHackMe portion of this video and conversation. We could slap that in, get our points there. And now we will actually need to perform some privilege escalation, which is going to be kind of standard and kind of normal for all the other usual TryHackMe videos that I do and stuff here. I think the real meat of this video and the conversation was really on that prototype pollution and how we could run that vulnerability and exploit against an older version of Kibana. That's super duper cool to me. Anyway, looks like we need to check out some capabilities. Looks like Linux capabilities are those kind of file system properties, or that access layer that provides a security system with root privileges divided, or segmented, or compartmentalized, into different values. So some programs or some files might have Linux capabilities and they can do particular things. Oftentimes they can be used, or maybe abused, to gain new privileges or permissions. So you can mark that as complete, and then you might search for how you could actually determine those capabilities. So "Linux check file capabilities". Simply Googling that, there we go. File capabilities on Linux. I'm just clicking around as I usually do to do some research. So I know that these are things. Oh, getcap. Is getcap a command? Oh, man. Yeah, so it looks like they are running some things. Is there some command that I can run to determine what files have what capabilities? LinPEAS does this, like LinPEAS will just do it for you, and maybe we could open that up if we wanted to. What is that question asking? How would you recursively list all these capabilities? List capabilities. This gives a Stack Overflow or anything. Anything easy that I could use or work through. How to manage Linux file capabilities. Yeah, it's gotta be a command. I was just here. I saw getcap, getcap. Can getcap be recursive?
Oh yeah, getcap can also search recursively with the -r flag. For example, getcap -r /. Okay, dash r, forward slash. Yep, and that's how it would do it. Sorry, forgive me. I know there was a broken illusion there, because the answer is literally right in front of me, but I'm kind of playing dumb to that so you get the process of doing this. Let's go ahead and see what that would do for us. Let me run our getcap, and I will redirect 2 to /dev/null, or standard error to that, and it looks like there is a /home/kiba/.hackmeplease/python3, and that has a setuid capability. Okay, so that's gonna be big for us, because if it has setuid, we could potentially use that to set the user ID, or UID, to zero and become root. So what I would do is I would take that program that has that capability. I would import os, because it's Python. It's literally Python 3. If I were to try and run it, just to verify, and we don't need to do it with -c as an argument if you don't want to, we'll just literally import os, os.setuid; I think getuid is a thing too, so you can see the transition here. Yep, currently I'm running as the user, but if I setuid to zero, now running getuid one more time, now I'm zero, because I've just set that and this program has the capability to do that. Then I can go ahead and run /bin/bash, and now I'm root. That's that. That's us winning, and that's us rooting that box. So let's hop over to /root and grab that root.txt. Easy peasy, cool. So sure, an easy room, a beginner, low-difficulty room, but I hope the cool stuff there and the neat conversation was exploring prototype pollution and doing remote code execution in Kibana, which you wouldn't think to have a big vulnerability like this, but I mean, this was not all that much long ago. That wasn't too far ago. What am I trying to say? That wasn't all that long ago.
October 30th, almost into this year, and prototype pollution is kind of neat and kind of cool, so I wanna learn a little bit more about it. Anyway, I've talked for a long time, and this has been a much longer video than it needed to be, but I hope you enjoyed it. I hope you were sticking with me, and thank you so much for watching. If you did like this video, please do press that like button. Please do maybe leave me a comment, do some of that YouTube algorithm stuff. I'd be super duper grateful if you could subscribe. Thanks so much, and that's it. That's enough of me talking. I'll see you guys in the next video. Thanks so much. Love you. Take care.