Exploiting Kibana - JavaScript Prototype Pollution

Captions
Hello everyone, my name is John Hammond, welcome back to another YouTube video, and we're looking at a little bit more TryHackMe. So this is actually a super duper new and recent room, this is Kiba, and I think it just got released a day ago, at least at the time of recording. It says: identify the critical security flaw in the data visualization dashboard that allows to execute remote code execution. It is marked as a difficulty of easy, it's kind of a sure, quote-unquote beginner box, but I wanted to showcase it because I think it has a really interesting, cool technique and gimmick and trick, because this is showcasing Kibana, if you couldn't tell between the name and the icon here. So when I think of Kibana I don't normally think of like some insecure technology and platform, normally I think like, hey, that's the real stuff, that's the good stuff, that's kind of out there in the world today. So I thought it was cool, let me showcase it and let's go ahead and dive in.

I've spun up this machine already, it does take a little bit of time to go ahead and provision and everything. It says, hey, this machine may take up to seven minutes to boot and configure, but I hopefully have let that run for a little bit of time. I have my answers already filled in here, that's just kind of the difficulty, and that I can't clear out my answers, it's up to the creator of the box or the room owner and the room creator, I can't do that, so forgive me, but I'll walk through how we answered all those.

The first question is: what is the vulnerability that is specific to programming languages with prototype-based inheritance? So this is asking for a vulnerability, and just me knowing kind of off the top of my head, conversations between prototype and vulnerability, you often hear prototype pollution, and that's kind of a common one. I think that is more and more prevalent now, or I see it, I hear it and discuss it and have that conversation when you discuss with people that are doing bug bounty or playing some other cool web-oriented capture the flag stuff or doing pen testing. If you didn't know that answer off the top of your head, you could just simply Google like "the vulnerability specific to programming languages with prototype-based inheritance" and you could absolutely, totally find an answer right away. So that is how you could track that answer down.

And then it actually wants us to work with the machine. It says: what is the version of the visualization dashboard that's installed on the server? So let me go ahead and play with this machine here. I will go ahead and run rustscan, as that is the cool, crazy thing that we're doing now to go ahead and speed up our nmap process. Looks like it has port 22 open for SSH, port 80 open on HTTP, I don't know what that 5044 is, I don't think I really needed to do too much with it, but 5601 is actually the default port that Kibana will run on, Kibana being that great blue team kind of log-oriented tool. So let me go take a look at this machine. I'll look at port 80, it says "welcome", "Linux capabilities" is very interesting, kind of interesting, not a ton there. But since this is named Kiba and the icon is the Kibana logo, maybe I should better be working with Kibana over on that port 5601. So this will load right up for me, it'll load Kibana. I've seen this be a little bit slow and a little bit funky, so forgive me if I have to pause the video every now and again.

But if this is going to be the great visualization dashboard, I kind of wanted to get an idea of what version this is running as, and it asks us that here: what's the version of the visualization dashboard installed here on the server? The way that I found this out was actually just kind of looking through the source code. I hit Ctrl+U on my keyboard and I would just simply search for "version". It looks like it actually had this noted here in the theme of CSS, it is 6.5.4, and that's what I was able to determine just by Ctrl+F-ing for "version", looking at the source code, and that's the answer you could fill in there. You could also find that if you hop over to the Management tab, it should display that right here, version 6.5.4. And that is good to know, that leads to some good information, because it leads you onto this next question: what is the CVE number for this vulnerability? This will be in the format of CVE-number-number-number-number-number.

So I would go ahead and Google this, I would do a little bit more research here. I would look for Kibana, I guess, vulnerabilities, and I could see some that might be open and available over on CVE Details, etc., etc., and I'm trying to find something that will be at least along the same lines of prototype pollution. If I wanted to, I could kind of zoom in on this search, I could be looking for "Kibana prototype pollution", and you can actually see that in my previous searches here. Looks like they do have one notion: exploiting prototype pollution to get RCE in Kibana, and it has CVE-2019, so that looks promising. Looks like it's CVE-2019-7609, so I would go ahead and submit that, and that was the correct answer.

Now I need to do a little bit of research as to how could I compromise this machine and actually get on the box. So I did some peculiar things, I just obviously did some research on this CVE, tried to see if I could learn a little about it, see if I could actually find some proof-of-concept code, and we do have a lot of things that we could be looking for. If you aren't finding like a proof of concept, like an attack script or some code, a lot of times a good thing to do is to just look for like "github" and include that in your search term, or "exploit", or whatever you want. That's pretty easy to make it, I don't know, worthwhile finding these, and this GitHub page itself is what I ended up using. But let me actually kind of give us a little bit more background on what this vulnerability is, and I'll try and dive into it, so we don't just like hit the "I believe" button and run this attack script like a little script kiddie. I have no shame in admitting and saying, yeah, absolutely, I'm totally a script kiddie, but I like to learn a little bit more about it behind the scenes, right?

Kibana versions 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. An attacker with access to the Timelion application could send a request that will attempt to execute JavaScript code. This could possibly lead an attacker to executing arbitrary commands with the permissions of the Kibana process on the host system. Okay, looks like it references a couple things here, but that's all the info that it'll really give us on that, so that's totally fine. Okay, Kibana versions before those version numbers, so our version number that we found, 6.5.4, is in that range. Good stuff.

Let me look at this exploit code and kind of see what's going on here. This has the exact same explanation. Do I have that Timelion visualizer thing, is that actually in the Kibana instance? Oh, we do, I do have Timelion right here, and once that loads: welcome to Timelion, this is the clone-gnashing, zebra-killing, pluggable time series interface for everything. Okay, it just sort of creates a timeline, understood, I get the joke with Timelion, nice, super nice. And I guess this looks like some input, maybe just running JavaScript code or something, I don't know, I don't know all the behind-the-scenes of how that works. Tutorial focuses on Elasticsearch, oh, .es, pull data from an Elasticsearch engine. Oh, it'll give me some help, that's kind of nice, that's kind of neat, and you could view the tutorial if you want to do a little bit more with that. I'm more interested in trying to break it and kind of abuse it.

Found by securityMB. I've tested this attack on Kibana 6.6.0 but it was not working, that's fine, at a lower version of that on my side. Only versions of Kibana less than 6.6.0 are vulnerable, as explained. If the Canvas panel is not accessible, check this write-up from Synaptic, oh, I guess we could take a look at that, but what is Canvas? Looks like the exploit is just these steps: open Kibana, paste one of the following payloads into the Timelion visualizer, click run on the left panel, click on Canvas, and you should get a reverse shell. Okay, cool. Should I just like press the "I believe" button on that? Let's do it, let's do it to see if it will work first, and then let's kind of deep dive as to how all that stuff works.

Let me go ahead and paste all this in so I can modify this to actually get my IP address in here. So I'm running with my tun0 address as 10.2.2.132, perfect, so let me swap that in as to where the attacker IP address is, and I'll change it to port 9999. And I see that Elasticsearch kind of prefix there, everything that we had, so all I need to do is paste this in and hit run. Okay, I guess I should start a listener, nc -nvlp 9999. Run, just to make sure. Okay, and that doesn't like do anything itself. The exploit said click run and on the left-hand panel click Canvas. Does Canvas like trigger it or something? Click Canvas, running Canvas, loading Kibana, no reverse shell yet. Am I supposed to get one, or does it take a little bit more time? Canvas is loading, fingers crossed, will this work, did I do this right? Let me pause and like let this load and see if it actually comes through with anything.

Or actually, it gave me two payloads, maybe that first payload just didn't work, let's try the other one, provided by a different individual. So that one, again, I just need to kind of change out the IP address and port, I'll go 9999 still, grab this, and I'll go back to Kibana so I can modify that, that should be in Timelion. Let this load, this takes a while. Okay, slap that in, hit go, oh, and then it just did it. Did I, what, hang on, did I do that out of order or something, or how did that go through? Let me just do a little sanity check, let me change this to like port 8888, because I thought it needed me to click on Canvas. Let me run this one more time, run this, and that's not just going to straight up do it. I see Kibana loading up on the top, so I just want to let that finish, or maybe it's still stuck, maybe it's just trapped because it already has a reverse shell. If I go to Canvas, does it just do it again? I don't want to accidentally lose this shell. Yeah, now Kibana is just kind of like running slow. Oh no, is that shell still a thing? It is, it is, id, oh no, no, no, it's not. Okay, I super duper broke it, great. Let me kind of get my head straight again, I'll pause the video here.

Okay, so I reset the box and I just kind of want to see if that will behave any better. I guess I broke it, and when I was going through this kind of beforehand I would see kind of a similar thing, or sometimes it would just be really, really funky and kind of mess up. But let me run this with 9999 now as the reverse port, and that's set, so now when I go to Canvas, I have the listener waiting over here, and hopefully that will spawn and go ahead and create it. Maybe it just takes a little bit of time, maybe I was too impatient. Okay, that just came right through, so it works, like it's a thing that happens.

But let's kind of explore a little bit more, I want to dive under the hood. But before I do, I do want to showcase this other utility, and I actually see a few more. It looks like there's another GitHub repository that does a similar thing, I see this yucks one and I see this LandGrey one, but LandGrey and yucks look almost identical, like same screenshots, same exact code, is this like forked? Oh, oh, duh, okay, it's forked from that, whatever. Let's take a look at that LandGrey one, because that's not the manual interaction that I was doing just a moment ago, that was actually a kind of automated Python script. It notes that it's Python 2 though, I wonder if it like actually is Python 2, because if it is, maybe we'll have to clear that up a little bit. So let's sub all that, get Kibana version, okay, it's using requests, I don't see anything wrong yet, print statements all have quotation marks around them, it's using argparse, yeah, maybe this should work just fine, that's worth a try.

So I can run that with python3 CVE... and then I need to specify the URL with http and the port. So let me try that again, maybe this thing will whine at me because I already have a shell, but --host 10.2.2.132 --port should be, yeah, let's use 8888. Can I do that if I start up a little netcat listener on 8888, or is it gonna... unrecognized arguments, what? Oh, oh, I have two quotation marks here, there are two hyphens, two dashes, and I don't need to have that. Try that. Oh, okay, I do see that issue where it does kind of need to be using bytes rather than strings here. What line is that on? 23, get Kibana version, it's using regular expressions, 23, findall pattern equals all that, and content is already in bytes, so if I add a b prefix, will those be bytes, will all that be just fine? Where else do we use regular expressions? That's the only spot, okay. Can I run that again? Nope, line 33, in version compare, if not version, if not version compare, so 33, 33, StrictVersion, what does that mean? distutils.version StrictVersion and version. Do we need to do that, do I need to do a version compare, or can I just, can I make these bytes, because that's apparently what's calling that? Like, we know that this thing will fire, we know that this will work. Let me try and run that again. I have the exact same issue, just trying to correct things over in bytes, that's just getting in the way, you know, don't bother, don't bother doing it. Running that, let's try and run it again. "A bytes-like object is required, not a string", in get content, content will definitely be bytes, are headers going to be bytes, do I need to correct that, verify that? Okay, maybe it exists but it didn't run it. You know what, we should put that away, because we've been able to run it successfully already and I don't want to lose that shell again, as I might have already. Okay, no, that's still responding to me, good, good. Let's put that away and know that, okay, we could kind of control a little bit more of that Python 2 script, correct that to Python 3 if we wanted to.

But let me review this GitHub section here, because this explains like, if you want more of a detailed analysis as to what's really going on, and I did, because I don't often work with prototype pollution, like I'm not super smart on that vulnerability, so I kind of wanted to go check this out and I wanted to learn more about it. They had a slide deck here, and there is an article, where's the original article? Oh, we already had that link up, it's this WordPress thing from Securitum: Exploiting prototype pollution, RCE in Kibana, by Michał Bentkowski, and that must be securityMB, yeah. Prototype pollution is a vulnerability that's specific to programming languages with prototype-based inheritance, the most common one being JavaScript. That is literally the first question in this TryHackMe room. Well, the bug is well known for some time now, it lacks a lot of practical examples of exploitation, but in this post we'll show you how to do it with Kibana. It's also released as a presentation, and those are the slides that we were looking at, yep, so I can work through these, very cool, very, very cool.

Anyway, let me kind of walk through this a little bit, I hope you don't mind. Prototype-based inheritance: let's create a simple object in JavaScript, so an object with these properties defined, property one is going to be set to one and property two is going to be set to two, two properties, and we can access them with the dot selector as we usually do. But interestingly enough, those aren't the only ones we can access, though, we could run toString on it or check out the constructor or hasOwnProperty. But the question is, how can we access those if they aren't defined here as they should be, and we're listing that out? The answer is that it has inheritance, or the prototype of objects that kind of came before it, right? So I guess I parallel this to some Python thing where you can kind of control variables that are either in a different object scope or a parent scope because of interesting things. Anyway, sorry, that's probably a derail that we don't need to get into.

You can determine what the prototype is by running Object.getPrototypeOf on your object variable, or simply checking out object.__proto__, or dunder proto, double underscore proto. So while we've defined that object, it doesn't return anything, but if we check out object.__proto__, then we have like this whole list and section of different variables we could access, and it is going to be the exact same thing as Object.prototype. Cool. So prototype pollution is when you could overwrite those properties of Object.prototype, like those higher-up things, toString, constructor or hasOwnProperty, that don't really exist in that object itself but would in the layer above that, or that parent, or that prototype, right? So the most commonly shown example is the following: if user is admin, do something important. Imagine that we had a prototype pollution gimmick that makes it possible to set that Object.prototype.isAdmin to true. Unless the application explicitly assigned that value, then that user.isAdmin is going to be set to that value, it's going to be always true. That's kind of interesting. So we have maybe a user object, and prior to actually creating that object we've specified the prototype isAdmin is going to be true. User will inherit from that, or have that property, have that information, and since it's not going to be set or configured to change the isAdmin value, it will just inherit and have that value be true. user.isAdmin is true, that prototype will kind of leak through. That's neat.

So in Kibana, looks like they were looking through this at kind of like a training organization or some training event, that's really nice. The question is, how could you escalate from prototype pollution to remote code execution? If we want to find the source of this vulnerability in Kibana, you can see it in the Timelion visualizer, okay, that's the vulnerability that they were looking for and they got. In Timelion we can write expressions, visualize some data, so when we saw that syntax, the .es, like parentheses, using props, not only strings can be assigned to properties but also objects. So we could set the label of the timeline to be whatever we wanted, abc in that case. If we were to use that with an object, x to be set to abc, then we're getting closer to exploiting prototype pollution, because you could do peculiar things with that. You could go ahead and reach that object's prototype with the .__proto__, now we've assigned a new property to that Object.prototype, and that's how we could potentially abuse it.

Obviously, kind of the most egregious and obvious and blatant and outright case of prototype pollution is if an object has js code, or JavaScript code, or some variable attached to it, and for some reason the program was running an eval on that object's js code, then boom, if you had your prototype pollution, you could just arbitrarily run code. That'd be great, and that'd be fantastic. Doesn't look like what they found here. They did notice something peculiar and interesting in Canvas, though, when they clicked on it, they noticed a huge amount of errors in the console. It seemed like running that Canvas, or checking out that portion of the dashboard, it was actually trying to start up another process of Node, or Node.js, or JavaScript that's actually running this all server side. They actually took a look at this, if they ran it in Chrome, inspect and debug it, you could see that child_process.spawn method, therefore trying to start a new process. That's good news, because maybe we could abuse that and we could do something like actually spawn a reverse shell, or programs, or something that might be more worthwhile for us as the attacker.

Looks like they actually use the method normalizeSpawnArguments, which is a paradise for prototype pollution, and they do an interesting thing, because they're gathering all of the environment variables as part of that vulnerability, or part of Kibana. options.env was not defined by default, which meant that it could be polluted, and we could abuse that and take advantage of it. In the snippet there's a for loop that iterates over all the properties of env and adds them in the array in the form key=value, and we see that there, for (var key in env), it has a value set to the value in the environment of the key, and we'll add it in. Because options.env can be polluted, I can control what environment variables are passed. This seemed peculiar and kind of maybe worthwhile and interesting from the attacker's side, because the NODE_OPTIONS variable, which you could pass to Node, might allow you to actually specify something like eval and be able to run code. The thought process was to set NODE_OPTIONS to --eval console.log to execute code, but that didn't work, looks like that was actually not allowed, and maybe they were trying to prevent that. But you could use something else peculiar, another something interesting: you could have require, you could use require to load up a JavaScript file on startup. That argument would also work in NODE_OPTIONS, so node --require and then a file to load, that could be something that we could pull out and we could work with, setting that environment variable while Node is kickstarting through Canvas. And if it's going to require a file, maybe we could somehow get a file with JavaScript code. How could we do that? Maybe some functionality where you could upload a file, that would work, but maybe we didn't have to do that whatsoever.

Looks like Michał here, that is his name, right, I'm not saying that wrong, yeah, okay, cool, he thought, like, let's take a look at that /proc/self/environ file, because in the Linux file system that'll be like the real data that'll allow you to actually list out all the environmental files, excuse me, environment variables of the current running process. So because they could actually do this prototype pollution and they could control environment variables, they could control that /proc/self/environ file, and maybe they could set an environment variable. And they actually put, at the very, very top of the file, they're using an environment variable with all A's, so at the very, very first thing alphabetically, AAA is going to be console.log, and they include a JavaScript comment, so the whole rest of the environment variable file, /proc/self/environ, is commented out, and it looks like valid JavaScript code. Kind of neat, kind of interesting, because then you could get through all of that. You could use this prototype pollution to not only control the environment variables and pass along these NODE_OPTIONS, so that while you require that object you could go ahead and execute code, you can require that JavaScript file that's literally your environment variables, and you get code execution.

So all of that to say, you're using that .__proto__ with their environment, setting an all-A's environment variable, setting that to JavaScript code, require('child_process') and execute the syntax to get a reverse shell, and then in that properties you're specifying the NODE_OPTIONS to now go ahead and require the environment file, that /proc/self/environ, that will have that code in there. Super duper cool. Now when you run it, you've got your reverse shell. That's kind of neat, that's kind of crazy cool. I know I probably talked about that for way too long and I didn't really need to, maybe you don't care, but I thought that was very, very cool, and I hope it kind of showcases the behind-the-scenes of what's really happening with that vulnerability and helps us understand it a little bit more. And for one thing, maybe that'll give you a better idea as to what's really happening with prototype pollution, because I hadn't seen that or done that before and I wanted to learn a little bit more about it, like that's why this was kind of cool, that's why this was neat. If you'd like to, you can go check out the slides here. Looking through that blog post, or that WordPress article, I think will do a little bit more for you than just kind of trying to peruse through these slides, because obviously the presentation without someone giving the presentation, like without the presenter, is kind of hard to follow, but hey, you could probably stitch it together with everything that we've just discussed, seeing how that prototype pollution works.

Okay, that is enough distraction. Let me see if I still have a shell here, id, looks like I do, okay. Let's get back to what we were doing, let's check out if we actually have python3. Looks like I do, okay, so I'm going to run stabilize shell 3, just my little poor man's pen test script to stabilize this shell. Now I can clear the screen without being concerned, and I will switch over to the home directory, /home/kiba, good, and I can cat out that user.txt, great. So there's the TryHackMe portion of this video and conversation, we could slap that in, get our points there, and now we will actually need to perform some privilege escalation, which is going to be kind of standard and kind of normal for all the other usual TryHackMe videos that I do and stuff here. I think the real meat of this video and the conversation was really on that prototype pollution and how we could run that vulnerability and exploit against an older version of Kibana, that's super duper cool to me.

Anyway, looks like we need to check out some capabilities. It looks like Linux capabilities are those kind of file system properties, or those things, that access layer that provides a security system, divided or segmented or compartmentalized root privileges into different values. So some programs or some files might have Linux capabilities and they can do particular things. Oftentimes it can be used to, or maybe abused to, gain new privileges or permissions. So you could mark that as complete, and then you would maybe search for how could you actually determine those capabilities. So "linux check file capabilities", simply Googling that, there we go, file capabilities in Linux. I'm just kind of clicking around as I usually do to do some research, so I know that these are things. Oh, getcap, is getcap like a command? Oh man, yeah, so it looks like they are running some things. Is there some command that I can run to determine what files have what capabilities? LinPEAS, does this like, LinPEAS will just do it for you, and maybe we can open that up if we wanted to. What is that question asking? How would you recursively list all these capabilities, list capabilities. Is this like a Stack Overflow or anything, anything easy that I could use or work through? How to manage Linux file capabilities, it's got to be a command. I was just here, I saw getcap, getcap, can getcap be recursive? Oh yeah, getcap can also search recursively with the -r flag, for example getcap -r /. Okay, -r /, yep, and that's how it would do it. Sorry, forgive me, I know there was like a broken illusion there because the answer is literally right in front of me, but I'm kind of playing dumb to that so you get the process of doing this.

Let's go ahead and see what that would do for us. Let me run our getcap and I will redirect 2 to /dev/null, or standard error to that, and it looks like there is a /home/kiba/.hackmeplease/python3, and that has a setuid capability. Okay, so that's going to be big for us, because if it has setuid, we could potentially use that to set the user ID, or UID, to zero and become root. So what I would do is I would take that program that has that capability, I would import os, because it's Python, it's literally python3. If I were to try and run it just to kind of verify, and we don't need to do it with -c as an argument if you don't want to, we'll just literally import os, os.setuid, I think getuid is a thing too, so you can see the transition here. Yep, currently I'm running as the user, but if I setuid to zero, now running getuid one more time, now I'm zero because I've just set that, and this program has a capability to do that. Then I can go ahead and run /bin/bash, and now I'm root. That's that, that's us winning and that's us rooting that box. So let's hop over to root and grab that root.txt, easy peasy.

Cool, so sure, an easy room, a beginner-like, low-difficulty room, but I hope the cool stuff there and the neat conversation was exploring prototype pollution and doing remote code execution in Kibana, which you wouldn't think to have like a big vulnerability like this. But I mean, this was not all that long ago, what am I trying to say, that wasn't all that long ago, October 30th, almost into this year, and prototype pollution is kind of neat and kind of cool, so I want to learn a little bit more about it. Anyway, I've talked for a long time and this has been much longer of a video than it needed to be, but I hope you enjoyed it, I hope you were sticking with me, and thank you so much for watching. If you did like this video, please do press that like button, please do maybe leave me a comment, do some of that YouTube algorithm things, I'd be super duper grateful if you could subscribe. Thanks so much, and that's it, that's enough of me talking, I'll see you guys in the next video. Thanks so much, love you, take care.
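The `user.isAdmin` scenario the video walks through, as an added example that is not code from the video, the TryHackMe room, or Michał Bentkowski's write-up: a naive recursive merge of attacker-controlled JSON writes through the inherited `__proto__` accessor into `Object.prototype`, so an unrelated object created afterwards inherits `isAdmin === true`; a hardened merge, an own-property check that flags pollution, and freezing `Object.prototype` at process start each stop it. The merge functions, the sample payload and every helper name here are this example's own, not Kibana's.

```javascript
'use strict';
// Added example (not code from the video, the TryHackMe room, or the cited write-up).
// Shows how prototype pollution turns into an authorization bypass and how to block it.

// Naive deep merge: walks every key of `source`, including an own key literally
// named "__proto__", which JSON.parse creates as a plain data property.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      // target["__proto__"] resolves to Object.prototype via the inherited accessor,
      // so the recursion starts writing into the shared prototype.
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened deep merge: own keys only, skip the prototype-reaching names,
// and never descend into a property the target merely inherits.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker-controlled input (e.g. a JSON body, or the object-valued
// prop the Timelion expression accepted in the write-up).
const PAYLOAD = '{"label":"abc","opts":{"color":"red"},"__proto__":{"isAdmin":true}}';

// Detection: an OWN property on Object.prototype is a pollution indicator;
// legitimate application code essentially never adds keys there.
function prototypeIsPolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}

function cleanup() { delete Object.prototype.isAdmin; }

// Naive merge, then ask whether a fresh, unrelated object inherited isAdmin.
function runUnsafe() {
  cleanup();
  unsafeMerge({}, JSON.parse(PAYLOAD));
  const user = { name: 'alice' };   // isAdmin was never assigned on this object
  const leaked = user.isAdmin === true && prototypeIsPolluted('isAdmin');
  cleanup();
  return leaked;                    // true: the "if (user.isAdmin)" check is bypassed
}

// Hardened merge: the legitimate keys still land, the __proto__ key is dropped.
function runSafe() {
  cleanup();
  const merged = safeMerge({}, JSON.parse(PAYLOAD));
  const user = { name: 'alice' };
  const intact = merged.label === 'abc' && merged.opts.color === 'red';
  return !intact || user.isAdmin === true || prototypeIsPolluted('isAdmin'); // false
}

// Mitigation at process start: a frozen Object.prototype rejects the write
// (TypeError under 'use strict', silent no-op otherwise). Call this last,
// since it is irreversible for the rest of the process.
function runFrozen() {
  cleanup();
  Object.freeze(Object.prototype);
  try { unsafeMerge({}, JSON.parse(PAYLOAD)); } catch (e) { /* expected TypeError */ }
  return ({}).isAdmin === true || prototypeIsPolluted('isAdmin');            // false
}

console.log('naive merge polluted Object.prototype:   ', runUnsafe());
console.log('hardened merge polluted Object.prototype:', runSafe());
```

`runFrozen()` is deliberately left out of the top-level run so the naive demo still reproduces; in a real service the equivalent `Object.freeze(Object.prototype)` belongs at the very start of the entry point, with the key filtering in `safeMerge` as the primary defence, because freezing only stops writes to the root prototype, not pollution of other shared prototypes.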
Info
Channel: John Hammond
Views: 14,551
Rating: 4.9746838 out of 5
Id: hZmfcEILjeg
Length: 35min 5sec (2105 seconds)
Published: Sat Aug 29 2020