$3K Bounty For Elastic-Search Takeover

Hello, Everyone.

It was the end of year 2019 in , Me and My friend were Hunting on A Target (called it REDACTED.COM) , this program is a cypto based company which has a bugbounty program.

After automating the recon for almost 3 days on our VPS using our personal automation tools which we have created, so after 3 days we went on to takea look at the logs and found a pretty interesting thing

There was a subdomain , lets say “test.redacted.com” , has a port running on 9200 which is a elastic search service .

ABOUT

The definition from google describes elastic search as: “ES is a document-oriented database designed to store, retrieve, and manage document-oriented or semi-structured data. When you use Elasticsearch, you store data in JSON document form. Then, you query them for retrieval.”

Unlike Mysql which stores its information in tables elastic search uses something called types. Each type can have several rows which are called documents. Documents are basically a json blob that hold your data as shown in the example below:

{“id”:1, “name”:”test”, “password”:”test@password”}

So now i have found the elastic search , it was time to visit the url

http://test.redacted.com:9200/

and i found this

{  "name" : "4yXXXXX",  "cluster_name" : "docker-cluster",  "cluster_uuid" : "ulM_pLwNQbWXXXXXXXX",  "version" : {    "number" : "6.x.x",    "build_flavor" : "default",    "build_type" : "tar",    "build_hash" : "3bd3e59",    "build_date" : "2019-03-06T15:16:26.86xxxxxx",    "build_snapshot" : false,    "lucene_version" : "7.6.x",    "minimum_wire_compatibility_version" : "5.6.0",    "minimum_index_compatibility_version" : "5.0.0"  },  "tagline" : "You Know, for Search"}

#Note: i had to add the ‘X’ in some places for obvious reasons.

Once you know an endpoint has an exposed Elastic Search db try to find all the indexes(Databases) that are available. This can be done by hitting the “/_cat/indices?v” endpoint with a GET request.

http://tst.redacted.com:9200/_cat/indices?v

i m able to add my own indices along with their production indices.

To perform a full text search on the database you can use the following command “/_all/_search?q=email”. This will query every index for the word “email”. There are a few words that I like to search for which include:

username, user, email,password,token,secrete,key

If you want to query a specific index you can replace the “_all” with the name of the index you want to search against.

/_all/_search?q=email

http://test.redacted.com:9200/_all/_search?q=email

Now at the end you can simply dump the data using curl or use

to do so.

you an find more info on here to use the elasticdump tool.

https://medium.com/bugbountywriteup/haystack-hackthebox-writeup-7dfd8a6fed5

With that said , we got the 3K$ btc on the 1st jan 2020 early morning.

If You have queries, just DM me or @Subhajit Saha

i m a security researcher and exploit developer/ and love Fuzzing and break things |bug hunter|

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store