Target Experience:

· Enumeration: CTF-like /Life-like

· Vulnerabilities: CTF-like/Life-like

· Exploitation: CTF-like/Life-like

· Difficulty: Medium

· Community Notes: CTF-like

Tools:

· Nmap

· Gobuster

· Curl

· NetCat

· linPE

Vulnerabilities:

· Local File Inclusion (LFI)

· Misconfiguration

· Local Privilege Escalation (2x)

Information Gathering:

Nmap Scan

After identifying ports 80 and 9200 as HTTP, I performed a Gobuster scan on both ports.

Gobuster Scan

Web Enumeration:

TCP Port 80 revealed an image and no other information useful information.

TCP Port 80
TCP Port 9200

Foothold:

Curl

Still not finding anything interesting, I decided to use Curl to download the needle.jpg file for further investigation.

Curl Download

Not having any luck with identifying Steganography, I used Strings and revealed a Base64 encoded line at the end of the image file.

Strings: Base64

Next, I launched the Base64 application to decode the message and found the cleartext being in Spanish. Since my Spanish was not that strong, I found a web site to translate the message.

the needle in the haystack is “key”

Not finding any other interesting information from TCP Port 80, I turned to reviewing TCP Port 9200; where I found that the ElasticSearch had a searching mechanism that I used to search the /quotes directory.

ElasticSearch: _search

Not finding much with the browser search, I manually discovered that there were multiple pages contained within the /quotes directory. I stumbled across one of the pages that provided a hint that a search would need to be performed.

I started to review the ElasticSearch web site and found a manual for the product. Using their examples, I used Curl to search for all contents within the /quote* directory.

Curl Search: Quote

Next, I used the “key word” found, from the image obtained from TCP Port 80, to search the /quotes directory; where I found additional Base64 encoded lines.

Curl Search: clave
Curl Search: Base64

Using the previously found Spanish translator, as well as, the Base64 application, I was able to determine that I obtained credentials to the target.

Credentials

With the credentials obtained, I decided to try them against the SSH port discovered earlier with Nmap.

SSH Connectivity

Awesome. Having established a foothold to the target, I then obtained the User Flag.

User Flag

Local File Inclusion (LFI):

linPE: Services

Next, I returned to the attacker system to perform another Curl against the target to help me enumerate.

Curl

Remembering that I had discovered what appeared to be a version number, I returned to the web browser using the ElasticSearch _search function for the entire target.

ElasticSearch: Kibana version

Having pretty firm evidence that there was a Kibana backend server, I reviewed the ElasticSearch documentation for clues on where I could find configuration files.

/etc/kibana/kibana.yml

Not having much luck with the loopback connection to TCP Port 5601, I performed an Internet search and found a few CVE’s that I could possibly use to exploit the application.

I eventually found a GitHub site that had a POC for CVE-2018–17246. After reviewing the information, I copied the code for the Java Shell for use on the target.

Java Shell

With the shell code copied to the target’s /tmp directory, and a NetCat listen launched on my attacker system, I used Curl to launch the LFI attack.

LFI Attack
Reverse Shell

Privilege Escalation:

Permissions

Continuing to enumerate the conf.d directory, I found three configuration files that looked interesting. So, I returned to the ElasticSearch manual to review what the configuration files were used for.

Logstash Filters

After identifying that the configuration files we used for filtering, I reviewed each of the files based on the ordered used by Logstash.

Logstach: Filters

This took me a bit, but the input configuration file looked at the /opt/kibana directory for a logstash_* file with a wildcard. The filter then launched any wildcard file on an interval of 10 seconds.

The grok filter configuration file used regex when identifying the key word of “Ejecutar comando : <command>“ to be utilized within the logstash_ file to search and launch.

The last configuration file, of output, executed the command found within the filter.

So, tying it all together, I created an executable file of logstach_123 to launch a reverse Bash shell to my attacker system with a NetCat listener.

Logstash File
Connected Shell

After identifying that I had root, I located the Root Flag.

Root Flag

References:

https://www.elastic.co/guide/en/elasticsearch/reference/6.6/query-dsl-match-query.html

https://github.com/carlospolop/linPE/tree/master

https://github.com/mpgn/CVE-2018-17246

https://www.elastic.co/guide/en/logstash/current/pipeline.html

Disclaimer:

Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose. Furthermore, the author is not liable for any direct or indirect damages or expense incurred which may result from the use of the information covered within this article.

Information within this article is “as is”, without warranty of any sort.

Cyber Security Enthusiast

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store