$3K Bounty For Elastic-Search Takeover
Hello, Everyone.
It was the end of 2019. My friend and I were hunting on a target (let's call it REDACTED.COM); the program belongs to a crypto-based company that runs a bug bounty program.
After running our recon for almost 3 days on our VPS, using the personal automation tools we had written, we went to take a look at the logs and found something pretty interesting.
There was a subdomain, let's say "test.redacted.com", with a service running on port 9200, which is the default port for Elasticsearch.
ABOUT
The definition from Google describes Elasticsearch as: "ES is a document-oriented database designed to store, retrieve, and manage document-oriented or semi-structured data. When you use Elasticsearch, you store data in JSON document form. Then, you query them for retrieval."
Unlike MySQL, which stores its information in tables, Elasticsearch uses something called types. Each type can have several rows, which are called documents. A document is basically a JSON blob that holds your data, as shown in the example below:
{"id": 1, "name": "test", "password": "test@password"}
So now that I had found the Elasticsearch service, it was time to visit the URL
http://test.redacted.com:9200/
and I found this:
{ "name" : "4yXXXXX", "cluster_name" : "docker-cluster", "cluster_uuid" : "ulM_pLwNQbWXXXXXXXX", "version" : { "number" : "6.x.x", "build_flavor" : "default", "build_type" : "tar", "build_hash" : "3bd3e59", "build_date" : "2019-03-06T15:16:26.86xxxxxx", "build_snapshot" : false, "lucene_version" : "7.6.x", "minimum_wire_compatibility_version" : "5.6.0", "minimum_index_compatibility_version" : "5.0.0" }, "tagline" : "You Know, for Search"}
Note: I had to replace some characters with 'X' for obvious reasons.
Once you know an endpoint has an exposed Elasticsearch database, try to find all the indices (databases) that are available. This can be done by hitting the "/_cat/indices?v" endpoint with a GET request.
http://test.redacted.com:9200/_cat/indices?v
I was able to add my own indices alongside their production indices.
To perform a full-text search on the database you can use the following request: "/_all/_search?q=email". This will query every index for the word "email". There are a few words that I like to search for, which include:
username, user, email, password, token, secret, key
If you want to query a specific index, replace "_all" with the name of the index you want to search against.
http://test.redacted.com:9200/_all/_search?q=email
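The three checks above (root response, index listing, keyword search) are what an owner of an Elasticsearch node should be running against their own hosts before someone else does. The script below is an added example, not part of the original write-up or any tool it mentions: it fetches the root and /_cat/indices?v endpoints, treats a 401/403 or connection error as "not exposed", and otherwise parses both responses into a finding (cluster name, version, non-system indices and reachable document count). The hostname, index names, UUIDs and document counts in the embedded samples are constructed, and the `audit`/`assess`/`parse_*` function names are this example's own.

```python
import json
import urllib.error
import urllib.request
from typing import Dict, List, Optional

# Constructed sample of what an unauthenticated node returns for GET /
# (same shape as the redacted response in the write-up; values are made up).
SAMPLE_ROOT = json.dumps({
    "name": "node-1",
    "cluster_name": "docker-cluster",
    "version": {"number": "6.8.0", "lucene_version": "7.7.0"},
    "tagline": "You Know, for Search",
})

# Constructed sample of GET /_cat/indices?v output: a whitespace-separated table, header first.
SAMPLE_CAT_INDICES = """\
health status index     uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   users     abcdefghijklmnopqrstuv   5   1      12034            0      3.1mb          3.1mb
green  open   .kibana_1 ABCDEFGHIJKLMNOPQRSTUV   1   0          3            0     12.4kb         12.4kb
"""


def fetch(base_url: str, path: str, timeout: float = 5.0) -> Optional[str]:
    """GET base_url+path without credentials; None means refused, timed out or auth required."""
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as exc:
        # 401/403 is the healthy case: the node demands authentication.
        if exc.code in (401, 403):
            return None
        return None
    except (urllib.error.URLError, OSError):
        return None


def parse_root(body: str) -> Optional[Dict[str, Optional[str]]]:
    """Return cluster facts if body is an Elasticsearch root response, else None."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return None
    # The tagline is constant across versions and is the cheapest fingerprint.
    if not isinstance(doc, dict) or doc.get("tagline") != "You Know, for Search":
        return None
    return {
        "cluster_name": doc.get("cluster_name"),
        "version": doc.get("version", {}).get("number"),
    }


def parse_cat_indices(text: str) -> List[Dict[str, object]]:
    """Parse the table printed by /_cat/indices?v into one dict per index."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split()
    rows: List[Dict[str, object]] = []
    for ln in lines[1:]:
        cols = ln.split()
        if len(cols) != len(header):
            continue  # skip a malformed row rather than misalign its columns
        row: Dict[str, object] = dict(zip(header, cols))
        row["docs.count"] = int(str(row["docs.count"]))
        rows.append(row)
    return rows


def assess(root_body: Optional[str], cat_body: Optional[str]) -> Dict[str, object]:
    """Turn the two raw responses into a finding a defender can act on."""
    info = parse_root(root_body) if root_body is not None else None
    if info is None:
        return {"exposed": False, "reason": "root endpoint did not answer as an unauthenticated Elasticsearch node"}
    indices = parse_cat_indices(cat_body or "")
    # Indices starting with "." are system indices (e.g. .kibana); report the rest as data at risk.
    user_indices = [i for i in indices if not str(i["index"]).startswith(".")]
    return {
        "exposed": True,
        "cluster_name": info["cluster_name"],
        "version": info["version"],
        "default_docker_name": info["cluster_name"] == "docker-cluster",
        "user_indices": [str(i["index"]) for i in user_indices],
        "documents_reachable": sum(int(str(i["docs.count"])) for i in user_indices),
    }


def audit(base_url: str) -> Dict[str, object]:
    """Live check of one node you own, e.g. audit('http://127.0.0.1:9200')."""
    root_body = fetch(base_url, "/")
    cat_body = fetch(base_url, "/_cat/indices?v") if root_body is not None else None
    return assess(root_body, cat_body)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print(json.dumps(assess(SAMPLE_ROOT, SAMPLE_CAT_INDICES), indent=2))
```

A node that answers the root request with 401 comes back as `exposed: False`, which is the state to aim for; the `default_docker_name` flag is there because a cluster still called "docker-cluster" (as in the response above) usually means the image defaults were never touched, security settings included.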
Now, at the end, you can simply dump the data using curl, or use elasticdump to do so.
Install:
sudo npm install elasticdump -g  # install globally
Command to dump an index using elasticdump (`filename` in the input URL stands for the index name):
elasticdump --input=http://ip:9200/filename --output=filename.json --type=data
https://medium.com/bugbountywriteup/haystack-hackthebox-writeup-7dfd8a6fed5
With that said, we received the $3K in BTC early in the morning on 1 January 2020.
If you have queries, just DM me or @Subhajit Saha.