Hack The Box – Haystack Box Writeup By Nikhil Sahoo

Introduction

Back with a new blog. Today we will go through the walkthrough of the Hack The Box machine Haystack, a Linux machine that retired very recently. I really don’t understand how it was placed in the easy category. The whole box was set up as an ELK box (Elasticsearch, Logstash, Kibana), so let’s get a basic understanding of these three first.

The ELK Stack is an acronym for three open source projects: Elasticsearch, Logstash, and Kibana. Together, they form a log management platform.

Elasticsearch is a search and analytics engine.

Logstash is a server‑side data processing pipeline that ingests data from multiple sources simultaneously, transforms it, and then sends it to a “stash” like Elasticsearch.

Kibana lets users visualize data with charts and graphs in Elasticsearch.

So without further ado let’s begin…


Recon

We’ll start with our recon by doing an Nmap scan.

nmap -sC -sV -p- 10.10.10.115


As we can see, port 80 is open, so let’s check it in the browser first.

Nothing interesting, so let’s download the image and run strings over it.

We get a base64 string. Decoding it gives the following text: la aguja en el pajar es “clave”, which is Spanish.

Translated, it reads: the needle in the haystack is “key”.

Next, let’s browse to port 9200, which is the HTTP interface port for Elasticsearch.

Exploitation

Next, let’s see if we can read data from Elasticsearch. In Metasploit, use the module auxiliary/scanner/elasticsearch/indices_enum, which enumerates the indices.

Now let’s query each index one by one. For doing this I found this link very informative. The quotes index looks interesting: it contains a bunch of Spanish text, which is not easy to read through.

There are tons of translators available online. Paste the file into any of them to convert it to English.

After translating, we find two important base64 strings:

On decoding these:

Finally, we get something that looks like a username and password… Let’s try these creds to connect over SSH.
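The base64 hunt above can be automated as a scan over the query results. The following is an added example, not the author’s code: it walks a constructed Elasticsearch _search response (made-up documents, not the box’s data), pulls out base64-looking tokens and keeps only those that decode to printable text, which filters out false positives such as runs of repeated characters.

```python
import base64
import json
import re

# Constructed stand-in for an Elasticsearch _search response over a "quotes"
# index; the documents are made up and are not the box's data.
SAMPLE_RESPONSE = json.dumps({"hits": {"hits": [
    {"_index": "quotes", "_id": "1", "_source": {"quote": "texto normal sin nada"}},
    {"_index": "quotes", "_id": "2", "_source": {"quote": "usuario: dXNlcjpzZWNyZXQ="}},
    {"_index": "quotes", "_id": "3", "_source": {"quote": "relleno AAAAAAAAAAAA"}},
]}})

# A run of 12+ base64 characters plus optional padding, not glued to other base64 chars.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{12,}={0,2}(?![A-Za-z0-9+/=])")


def decode_printable(token: str):
    """Return the decoded text if token is valid base64 of printable UTF-8, else None."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return text if text.isprintable() and text.strip() else None


def find_encoded_strings(response_json: str):
    """Walk every string field of every hit and report tokens that decode cleanly."""
    hits = json.loads(response_json)["hits"]["hits"]
    found = []
    for hit in hits:
        for field, value in hit.get("_source", {}).items():
            if not isinstance(value, str):
                continue
            for token in B64_TOKEN.findall(value):
                decoded = decode_printable(token)
                if decoded is not None:
                    found.append((hit["_index"], hit["_id"], field, decoded))
    return found


if __name__ == "__main__":
    for item in find_encoded_strings(SAMPLE_RESPONSE):
        print(item)
```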


And we got our user flag…

Privilege Escalation

Now let’s start hunting for the root flag. We can begin by watching what runs on the system with ps aux, or with the excellent tool/script pspy.

So it looks like Kibana is running, as the kibana user. Searching Google for Kibana exploits, you’ll come across this link for CVE-2018-17246, a local file inclusion (LFI) vulnerability that makes Kibana load a file of our choosing; pointing it at our reverse shell gives us a shell as the kibana user. So first things first, let’s create a JavaScript reverse shell in any writable directory.

Next, start a Netcat listener. Once it is up, trigger the LFI with curl so that Kibana includes our reverse shell.

And we got our shell as the kibana user.

Let’s search for files writable by our user.

Moving into /etc/logstash/conf.d, we find three conf files: input.conf, filter.conf and output.conf.

To understand what these three files do, a bit of googling is required.


After a bit of research: input.conf takes every file inside /opt/kibana/ whose name starts with “logstash_” and hands its contents to filter.conf, checking every 10 seconds. filter.conf filters or parses the data: it uses a GROK pattern to check whether the data is in the expected format (you can read more about GROK in this blog). Once the data matches, it is passed to output.conf, which simply executes it.

So if we write a reverse shell in the format filter.conf expects, place it in /opt/kibana/ as logstash_69 and wait a few seconds, we should get our reverse shell.

First, let’s write the reverse shell according to the GROK pattern specified in filter.conf and check whether it produces structured data. We can use the GROK debugger for this; you can find the link here.

It produces structured data. Now let’s place our reverse_shell inside /opt/kibana/ as logstash_69 and make it executable.
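The input/filter/output chain above is exactly the configuration pattern a defender should look for on an ELK host. Added example, not from the writeup: a small audit script over a constructed pipeline in that shape (the grok pattern and the field name cmd are assumptions, not the box’s real files), which flags an exec output that runs a grok-captured field taken from a file input, and reports nothing for the same pipeline once the exec output is replaced by an elasticsearch output.

```python
import re

# Constructed pipeline in the shape the writeup describes: a file input on
# /opt/kibana/logstash_*, a grok filter, an exec output. The grok pattern and
# the field name "cmd" are assumptions, not the box's real configuration.
WEAK_PIPELINE = r'''
input {
  file { path => "/opt/kibana/logstash_*" stat_interval => "10 second" type => "execute" }
}
filter {
  if [type] == "execute" {
    grok { match => { "message" => "run\s*cmd\s*:\s+%{GREEDYDATA:cmd}" } }
  }
}
output {
  if [type] == "execute" { exec { command => "%{cmd} &" } }
}
'''

# Same input and filter, but the parsed event is indexed instead of executed.
SAFER_PIPELINE = WEAK_PIPELINE.replace(
    'exec { command => "%{cmd} &" }',
    'elasticsearch { hosts => ["localhost:9200"] index => "commands" }')

GROK_CAPTURE = re.compile(r"%\{[A-Z0-9_]+:([A-Za-z0-9_]+)\}")  # %{GREEDYDATA:cmd}
FIELD_REF = re.compile(r"%\{([A-Za-z0-9_]+)\}")                # %{cmd} in a command
EXEC_CMD = re.compile(r'exec\s*\{[^}]*?command\s*=>\s*"([^"]+)"')
INPUT_PATH = re.compile(r'\bpath\s*=>\s*"([^"]+)"')            # skips sincedb_path


def audit_pipeline(config: str) -> list[str]:
    """Flag exec outputs whose command string is built from grok-captured fields."""
    findings = []
    captured = set(GROK_CAPTURE.findall(config))
    paths = INPUT_PATH.findall(config)
    for cmd in EXEC_CMD.findall(config):
        tainted = sorted(set(FIELD_REF.findall(cmd)) & captured)
        if tainted:
            findings.append(f"exec runs grok-captured field(s) {tainted} in {cmd!r}")
            for p in paths:
                findings.append(f"command text originates from file input {p}; "
                                f"whoever can write there chooses the command")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_PIPELINE), ("safer", SAFER_PIPELINE)):
        print(name, audit_pipeline(cfg) or ["no findings"])
```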


All we have to do now is set up a Netcat listener; after a few seconds we should get our root shell.


Thus we got our root flag and the challenge was successfully completed.

So that’s it for now. See you next time. Goodbye.

You can have a look at my previous article on Hack The Box: Writeup Box Walkthrough. Here is the link to the article.

Loved what you read?

If so, then kindly comment, follow and share our website for much more interesting stuff.

For any queries you can send a Hi to my LinkedIn handle: Here
