search

Haystack

#Linux #API #PortForwarding

Haystack is an easy-rated Linux machine from HackTheBoxarrow-up-right created by JoyDragon. In the current post, my IP is 10.10.14.16, and the target’s IP is 10.10.10.115

hashtag
Recon

Local Terminal
nmap -p- --open -sS --min-rate 5000 -vvv -n 10.10.10.115 -oN Ports
Completed SYN Stealth Scan at 10:42, 26.55s elapsed (65535 total ports)
Nmap scan report for 10.10.10.115
Host is up, received echo-reply ttl 62 (0.17s latency).
Scanned at 2023-07-20 10:42:14 -04 for 27s
Not shown: 65532 filtered ports
Reason: 65501 no-responses and 31 host-prohibiteds
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE REASON
22/tcp   open  ssh     syn-ack ttl 62
80/tcp   open  http    syn-ack ttl 62
9200/tcp open  wap-wsp syn-ack ttl 62

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 27.13 seconds
           Raw packets sent: 131053 (5.766MB) | Rcvd: 35 (2.392KB)

So! We have two ports open with http, and after searching about "OpenSSH 7.4 (protocol 2.0) launchpad", we are against a Ubuntu Sid (98), and there is an exploit CVE 2016-10009, but this is not important here.

From whatweb output there is nothing relevant, let's explore the website.

hashtag
Exploitation

After searching about "elasticsearch API 6.4.2", instantly appears an "exploit"

LogoElasticSearch - Remote Code ExecutionExploit Databasechevron-right

Ok, the exploit is not working, but by analyzing the python exploit, we got the following result:

Nothing relevant yet

the exploit.py is searching at "hits/hits", if I try with fields/lupin it will return an error.

From the previous command, there is a lot of useless information, and the script is using ?pretty for _search?, maybe there are alternatives.

LogoElasticsearch API common options | Referencewww.elastic.cochevron-right

There is something like "Size" to increase the... well... size of the output.

DANGER! The previous commands return a lot of information... in spanish... maybe I should try to use grep with the word "clave" (Password)

hashtag
Reverse Shell [Security]

My goodness, there are two hashes in clearly base64, the command used to decrypt is

  1. This password cannot be missed, I save it here: cGFzczogc3BhbmlzaC5pcy5rZXk

    [ pass: spanish.is.key ]

  2. I must save the machine's password: dXNlcjogc2VjdXJpdHkg

    [ user: security ]

hashtag
Privileges Escalation [Security > Kibana]

Perfect, we have the first flag, now let's explore the whole machine.

At first glance, there is nothing suspicious

There is something at the port :5601...

Got it! It's a Kibana... and at Management you can obtain the specific version

If you search for "kibana 6.5.4 exploit" you will find the following:

Logohttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17246cve.mitre.orgchevron-right

It says that at /api/console/api_server endpoint there is an LFI, we can create a file to execute another reverse shell, this machine is not using PHP so I had to find a way to make a reverse shell with JS.

And done, we are in a Kibana

hashtag
Kibana > Root

Logstash running as root, let's explore the config file.

So, long story short, those files read a file, /opt/kibana/logstash_*, and if the content of the file follow the structure “Ejecutar\scomando\s:\s+%{GREEDYDATA:comando}", it will execute the command.

After a few seconds, your Local Terminal will be "Target Terminal [Root]

PreviousFriendzoneNextHelp

Last updated