
Target Experience:

My observations while working this target:

Tools:

The recommended tools for this machine were:

Vulnerabilities:

The following vulnerabilities were found:

Information Gathering:

Using Nmap, I performed a SYN scan of all TCP ports with service version detection and the default safe scripts enabled.

[Image: Nmap Scan]
[Image: Gobuster Scan]

Web Enumeration:

Reviewing the findings from Nmap and Gobuster, I decided to launch a browser to further investigate both HTTP ports.

[Image: TCP Port 80]
[Image: TCP Port 9200]

Foothold:

Reviewing the TCP Port 80 web site a little closer, I used Curl to determine if there was anything that might have been hidden on the port itself.

[Image: Curl]
[Image: Curl Download]
[Image: Strings: Base64]
[Image: the needle in the haystack is “key”]
[Image: ElasticSearch: _search]
[Image: Curl Search: Quote]
[Image: Curl Search: clave]
[Image: Curl Search: Base64]
[Image: Credentials]
[Image: SSH Connectivity]
[Image: User Flag]

Local File Inclusion (LFI):

With the User Flag secured, I enumerated the target locally with linPE and came across more Spanish text within the Services section.

[Image: linPE: Services]
[Image: Curl]
[Image: ElasticSearch: Kibana version]
[Image: /etc/kibana/kibana.yml]
[Image: Java Shell]
[Image: LFI Attack]
[Image: Reverse Shell]

Privilege Escalation:

After the successful LFI exploit of Kibana, I still did not have root access, so I performed additional enumeration with the newly acquired user account. I eventually found that the kibana user had Read/Write access to the /etc/logstash directory.

[Image: Permissions]
[Image: Logstash Filters]
[Image: Logstash: Filters]
[Image: Logstash File]
[Image: Connected Shell]
[Image: Root Flag]

Disclaimer:

This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.
