HackTheBox - Haystack


00:54 - Beginning of recon, finding Elastic Search on 9200
02:00 - Checking the exif data in the image, nothing interesting, but showing FF changes some metadata when downloading (forensic tip)
03:55 - Navigating to port 9200 and seeing the Elastic Search JSON Response
04:48 - Searching Elastic Search Documentation to see how to make queries
06:00 - Using /_cat/indices to see the "tables" within ES
07:37 - Using /quotes/_search to dump the Quotes index, then using jq to extract desired data
13:20 - Let's switch over to Python to extract this data so we can translate this into English
17:00 - Installing googletrans, so our script can translate this. Using python3 cli to test this out
20:10 - Adding googletrans to our script
21:10 - Running our script to translate everything and then using grep to "find the needle"
22:50 - SSH'ing to the box with the security user
24:00 - Running LinEnum, noticing kibana listening on 5601
28:15 - Creating a local port forward so we can access kibana from our box
29:50 - Checking Kibana's version to see if there are known exploits for it
30:50 - Getting a reverse shell as the Kibana user
36:00 - Using find to see what files the kibana user can write to
37:10 - Going into the Logstash directory to see that it will execute code with a specific log message
38:45 - Explaining the logstash pipeline of how it gets data
39:33 - Getting a reverse shell as the Logstash user (root)
42:00 - Reverse shell returned, but we screwed up creating a file -- figuring out what we did wrong

Reviewed by Unknown on November 02, 2019