
Elasticsearch 7.0 cluster setup and x-pack crack

tags: elasticsearch

Reference

Environment

CentOS 7
Elasticsearch-7.0.1
Kibana-7.0.1

Building Elasticsearch from source

Creating packages

To create a distribution without running the tests, run:

```bash
./gradlew assemble
```

To create a platform-specific build including the x-pack modules, use the one that matches your operating system:

```bash
./gradlew :distribution:archives:linux-tar:assemble
./gradlew :distribution:archives:darwin-tar:assemble
./gradlew :distribution:archives:windows-zip:assemble
```

Download and unpack Elasticsearch

The rest of this guide uses the official binary distribution rather than a source build:

```bash
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.0.1-linux-x86_64.tar.gz
tar zxvf elasticsearch-7.0.1-linux-x86_64.tar.gz   # unpack the archive
```

Crack x-pack

  1. Download a Java decompiler
     There are many decompilers; Luyten is recommended: https://github.com/deathmarine/Luyten/releases. Download the Windows build and install it.
  2. Extract elasticsearch-7.0.1-linux-x86_64.tar.gz, copy elasticsearch-7.0.1/modules/x-pack-core/x-pack-core-7.0.1.jar to the Windows machine and open it in the decompiler.
  3. Find org.elasticsearch.license.LicenseVerifier, open it and copy its contents. Create a new LicenseVerifier.java on the server and paste the copied content into it.
     LicenseVerifier has two static methods; they are what checks that a license file is genuine (a SHA512withRSA signature over the license JSON, verified against the public.key bundled in the jar). Change both to return true and comment out the original bodies with /* */. Once this is in place the signature field of a license is never looked at, so whatever type, expiry and node count the JSON claims is taken at face value.
     The revised content:
```java
package org.elasticsearch.license;

import java.nio.*;
import org.elasticsearch.common.bytes.*;
import java.security.*;
import java.util.*;
import org.elasticsearch.common.xcontent.*;
import org.apache.lucene.util.*;
import org.elasticsearch.core.internal.io.*;
import java.io.*;

public class LicenseVerifier {

    public static boolean verifyLicense(final License license, final byte[] publicKeyData) {
        /* Original body, commented out: decodes the signature blob, rebuilds the
           license JSON and checks the SHA512withRSA signature against the public key.
        byte[] signedContent = null;
        byte[] publicKeyFingerprint = null;
        try {
            final byte[] signatureBytes = Base64.getDecoder().decode(license.signature());
            final ByteBuffer byteBuffer = ByteBuffer.wrap(signatureBytes);
            final int version = byteBuffer.getInt();
            final int magicLen = byteBuffer.getInt();
            final byte[] magic = new byte[magicLen];
            byteBuffer.get(magic);
            final int hashLen = byteBuffer.getInt();
            publicKeyFingerprint = new byte[hashLen];
            byteBuffer.get(publicKeyFingerprint);
            final int signedContentLen = byteBuffer.getInt();
            signedContent = new byte[signedContentLen];
            byteBuffer.get(signedContent);
            final XContentBuilder contentBuilder = XContentFactory.contentBuilder(XContentType.JSON);
            license.toXContent(contentBuilder, (ToXContent.Params)new ToXContent.MapParams((Map)Collections.singletonMap("license_spec_view", "true")));
            final Signature rsa = Signature.getInstance("SHA512withRSA");
            rsa.initVerify(CryptUtils.readPublicKey(publicKeyData));
            final BytesRefIterator iterator = BytesReference.bytes(contentBuilder).iterator();
            BytesRef ref;
            while ((ref = iterator.next()) != null) {
                rsa.update(ref.bytes, ref.offset, ref.length);
            }
            return rsa.verify(signedContent);
        } catch (IOException ex) {
        } catch (NoSuchAlgorithmException ex2) {
        } catch (SignatureException ex3) {
        } catch (InvalidKeyException e) {
            throw new IllegalStateException(e);
        } finally {
            if (signedContent != null) {
                Arrays.fill(signedContent, (byte)0);
            }
        }
        */
        return true; // accept every license, whatever its signature says
    }

    public static boolean verifyLicense(final License license) {
        /* Original body, commented out: loads /public.key from the jar and
           delegates to the two-argument method above.
        byte[] publicKeyBytes;
        try {
            final InputStream is = LicenseVerifier.class.getResourceAsStream("/public.key");
            try {
                final ByteArrayOutputStream out = new ByteArrayOutputStream();
                Streams.copy(is, (OutputStream)out);
                publicKeyBytes = out.toByteArray();
                if (is != null) {
                    is.close();
                }
            } catch (Throwable t) {
                if (is != null) {
                    try {
                        is.close();
                    } catch (Throwable t2) {
                        t.addSuppressed(t2);
                    }
                }
                throw t;
            }
        } catch (IOException ex) {
            throw new IllegalStateException(ex);
        }
        return verifyLicense(license, publicKeyBytes);
        */
        return true; // accept every license
    }
}
```
  1. Find org.elasticsearch.xpack.core.XPackBuild, open it, copy its contents and create XPackBuild.java on the server from it. In the static initializer at the end of the class, comment out everything that opens the jar and reads its manifest: this is the code the page identifies as the check that the jar has not been modified, and a repacked jar would not pass it. Keep the two "Unknown" assignments so the build hash and date are always reported as "Unknown" (GET /_xpack returns exactly these two values, which is also the quickest way to tell a patched node from a stock one).
     The modified content:
```java
package org.elasticsearch.xpack.core;

import org.elasticsearch.common.io.*;
import java.net.*;
import org.elasticsearch.common.*;
import java.nio.file.*;
import java.io.*;
import java.util.jar.*;

public class XPackBuild {

    public static final XPackBuild CURRENT;
    private String shortHash;
    private String date;

    @SuppressForbidden(reason = "looks up path of xpack.jar directly")
    static Path getElasticsearchCodebase() {
        final URL url = XPackBuild.class.getProtectionDomain().getCodeSource().getLocation();
        try {
            return PathUtils.get(url.toURI());
        } catch (URISyntaxException bogus) {
            throw new RuntimeException(bogus);
        }
    }

    XPackBuild(final String shortHash, final String date) {
        this.shortHash = shortHash;
        this.date = date;
    }

    public String shortHash() {
        return this.shortHash;
    }

    public String date() {
        return this.date;
    }

    static {
        final Path path = getElasticsearchCodebase();
        String shortHash = null;
        String date = null;
        /* Original manifest lookup, commented out: the decompiled code read the
           "Change" and "Build-Date" attributes from the jar's MANIFEST.MF and only
           fell through to the "Unknown" values when not running from a jar.
        if (path.toString().endsWith(".jar")) {
            try {
                final JarInputStream jar = new JarInputStream(Files.newInputStream(path, new OpenOption[0]));
                try {
                    final Manifest manifest = jar.getManifest();
                    shortHash = manifest.getMainAttributes().getValue("Change");
                    date = manifest.getMainAttributes().getValue("Build-Date");
                    jar.close();
                } catch (Throwable t) {
                    try {
                        jar.close();
                    } catch (Throwable t2) {
                        t.addSuppressed(t2);
                    }
                    throw t;
                }
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
        }
        */
        shortHash = "Unknown";
        date = "Unknown";
        CURRENT = new XPackBuild(shortHash, date);
    }
}
```
  1. Compile the LicenseVerifier.java and XPackBuild.java files just created into class files with javac. Adjust the paths to your own directory layout; the classpath is the same for both compilations, so it is set once:
```bash
ES=/data/soft/elasticsearch-7.0.1
CP="$ES/lib/elasticsearch-7.0.1.jar:$ES/lib/lucene-core-8.0.0.jar:$ES/modules/x-pack-core/x-pack-core-7.0.1.jar:$ES/modules/x-pack-core/netty-common-4.1.32.Final.jar:$ES/lib/elasticsearch-core-7.0.1.jar"
javac -cp "$CP" ./LicenseVerifier.java
javac -cp "$CP" ./XPackBuild.java
```

After execution, two class files are generated in the current directory:

```
LicenseVerifier.class  XPackBuild.class
```
  1. Copy x-pack-core-7.0.1.jar to an empty directory and unpack it there, then replace the two class files:
```bash
jar -xvf x-pack-core-7.0.1.jar
cp -a ../XPackBuild.class org/elasticsearch/xpack/core/
cp -a ../LicenseVerifier.class org/elasticsearch/license/
```
  1. Repack x-pack-core-7.0.1.jar
     Still inside the unpacked directory, delete the original x-pack-core-7.0.1.jar so it is not packed into itself, then rebuild the jar from the directory contents (note the trailing `.`):
```bash
jar cvf x-pack-core-7.0.1.jar .
```
  1. Replace the jar in the Elasticsearch modules directory with the newly generated one. Keep a copy of the original jar somewhere first: Elasticsearch loads whatever jar sits in this directory, and the pristine copy is the only thing you can later compare a deployed jar against.
```bash
cp -a x-pack-core-7.0.1.jar /data/soft/elasticsearch-7.0.1/modules/x-pack-core/
```
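The replacement above leaves no trace except two changed jar entries: the page identifies the manifest lookup in XPackBuild as the only check on the jar, and that has just been removed. The added Python example below (not from the original page) is the check a defender would run instead: it compares a pristine jar against a deployed one entry by entry using SHA-256 digests. Jars are zip files, so the standard library is enough. The two jars it diffs are constructed in memory with placeholder contents; only the entry names mirror the two classes replaced above. On a real host, pass the path of the original distribution's jar and the deployed one to diff_jars().

```python
"""Detect class-level tampering in a jar by diffing it against the pristine copy."""
import hashlib
import io
import zipfile


def jar_digests(jar):
    """Return {entry_name: sha256_hex} for every file entry in a jar.

    `jar` may be a filesystem path or a file-like object; directory entries
    carry no content and are skipped.
    """
    digests = {}
    with zipfile.ZipFile(jar) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def diff_jars(pristine, suspect):
    """Return (modified, added, removed) entry names of `suspect` relative to `pristine`."""
    a, b = jar_digests(pristine), jar_digests(suspect)
    modified = sorted(n for n in a if n in b and a[n] != b[n])
    added = sorted(set(b) - set(a))
    removed = sorted(set(a) - set(b))
    return modified, added, removed


def build_jar(entries):
    """Build an in-memory jar from {name: bytes}; used only for the constructed demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


# Constructed stand-ins for the real jars: placeholder contents, but the entry
# names are the two classes the procedure above replaces plus the files around them.
PRISTINE = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nChange: 0000000\nBuild-Date: 2019-01-01\n",
    "org/elasticsearch/license/LicenseVerifier.class": b"\xca\xfe\xba\xbe original verifier",
    "org/elasticsearch/xpack/core/XPackBuild.class": b"\xca\xfe\xba\xbe original build info",
    "public.key": b"constructed placeholder, not a real key",
}
PATCHED = dict(PRISTINE)
PATCHED["org/elasticsearch/license/LicenseVerifier.class"] = b"\xca\xfe\xba\xbe return true"
PATCHED["org/elasticsearch/xpack/core/XPackBuild.class"] = b"\xca\xfe\xba\xbe Unknown/Unknown"


def demo():
    """Diff the two constructed jars; returns (modified, added, removed)."""
    return diff_jars(build_jar(PRISTINE), build_jar(PATCHED))


if __name__ == "__main__":
    for label, names in zip(("modified", "added", "removed"), demo()):
        for name in names:
            print(f"{label:8s} {name}")
```

A plain `jar tf` listing is not enough for this: the patched jar has exactly the same entry names as the original, and only the digests differ.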
  1. Configure Elasticsearch security
     With all of the above done, and before starting Elasticsearch, decide on the SSL/TLS setup. If TLS is not configured yet, security has to be disabled while the license is loaded; once the license is in, enable security and transport SSL/TLS.

     Start Elasticsearch with security disabled, then load the license:

```bash
echo "xpack.security.enabled: false" >> /data/soft/elasticsearch-7.0.1/config/elasticsearch.yml
./bin/elasticsearch -d   # start Elasticsearch in the background
```
  2. Apply for a license
     Register on the Elastic site ([license registration](https://license.elastic.co/registration)); the license is delivered as a JSON file. The form has no 7.x option, but a 6.x license downloads fine and is what is used here. Edit three fields: set type to platinum, expiry_date_in_millis to 2524579200999 (epoch milliseconds, which is 2049-12-31T16:00:00.999Z, i.e. the start of 2050 in UTC+8) and max_nodes to 1000. The edited file looks like this:

```json
{
  "license": {
    "uid": "10bdea8f-f3fc-421d-9354-b47315d5ba47",
    "type": "platinum",
    "issue_date_in_millis": 1565481600000,
    "expiry_date_in_millis": 2524579200999,
    "max_nodes": 1000,
    "issued_to": "wang xiao (???????)",
    "issuer": "Web Form",
    "signature": "AAAAAwAAAA1nyWcAXdBAA2klkzrZAAABmC9ZN0hjZDBGYnVyRXpCOW5Bb3FjZDAxOWpSbTVoMVZwUzRxVk1PSmkxaktJRVl5MUYvUWh3bHZVUTllbXNPbzBUemtnbWpBbmlWRmRZb25KNFlBR2x0TXc2K2p1Y1VtMG1UQU9TRGZVSGRwaEJGUjE3bXd3LzRqZ05iLzRteWFNekdxRGpIYlFwYkJiNUs0U1hTVlJKNVlXekMrSlVUdFIvV0FNeWdOYnlESDc3MWhlY3hSQmdKSjJ2ZTcvYlBFOHhPQlV3ZHdDQ0tHcG5uOElCaDJ4K1hob29xSG85N0kvTWV3THhlQk9NL01VMFRjNDZpZEVXeUtUMXIyMlIveFpJUkk2WUdveEZaME9XWitGUi9WNTZVQW1FMG1DenhZU0ZmeXlZakVEMjZFT2NvOWxpZGlqVmlHNC8rWVVUYzMwRGVySHpIdURzKzFiRDl4TmM1TUp2VTBOUlJZUlAyV0ZVL2kvVk10L0NsbXNFYVZwT3NSU082dFNNa2prQ0ZsclZ4NTltbU1CVE5lR09Bck93V2J1Y3c9PQAAAQAGLq3NLsOn2u1mkOfdXR6oyixJl8/kZu/godGNtR1F6fvutn4mMKdvPPB4n8pQxa4kAFJn731D5I5kUwNqxmuTsGlvf+V8G4bj1O3nyMK7p3vxy0TzO0vEb+WskvGoJr8axPOPU7h8xh4POTYJVplaABtjqaR+1SGS5ki422xIhXCNah99YuY8fct83M0U1iEJaSST26Ew3PCQ6n5yKrht8zk+yBIG32hgOhbhzgPOa4cVy1rQr7Z7ZxJIY8OyN6sfqItt8dzB2m+G8Eu/xP6Z9nmpG6y+Ty9BpJhre7TExrgObTju313IcFo1ZAkY70UscLamYbpRDJuS2EY7Qmow",
    "start_date_in_millis": 1565481600000
  }
}
```

     The signature field stays exactly as issued: it no longer matches the edited content, but the patched verifier never reads it. With the expiry pushed to 2050 and the type changed to platinum, all x-pack features are unlocked.

  3. Load the license into Elasticsearch

```bash
$ curl -XPUT -u elastic 'http://10.0.0.4:9200/_xpack/license' -H "Content-Type: application/json" -d @license.json
Enter host password for user 'elastic':   # no password is set yet, so just press Enter
{"acknowledged":true,"license_status":"valid"}   # license written successfully
```
     In 7.x the same API is also reachable as /_license, which the GET further down uses. "valid" here means only that the patched verifier returned true; the signature was never checked.
  1. Modify the configuration and restart Elasticsearch
```bash
echo "xpack.security.transport.ssl.enabled: true" >> /data/soft/elasticsearch-7.0.1/config/elasticsearch.yml
sed -i 's/xpack.security.enabled: false/xpack.security.enabled: true/g' /data/soft/elasticsearch-7.0.1/config/elasticsearch.yml
kill 13023 && ./bin/elasticsearch -d   # 13023 is the PID of the node started earlier; SIGTERM is enough for a clean shutdown
```

The configuration at this point is:

```bash
[root@heaven-01 soft]# cat elasticsearch-7.0.1/config/elasticsearch.yml
```
```yaml
path.data: /data/soft/elasticsearch-7.0.1/data
path.logs: /data/soft/elasticsearch-7.0.1/logs
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
```

View the license

```bash
[root@heaven-01 soft]# curl -XGET -u elastic http://10.0.0.4:9200/_license   # no password set yet, just press Enter
```
```json
{
  "license" : {
    "status" : "active",
    "uid" : "10bdea8f-f3fc-421d-9354-b47315d5ba47",
    "type" : "platinum",
    "issue_date" : "2019-08-11T00:00:00.000Z",
    "issue_date_in_millis" : 1565481600000,
    "expiry_date" : "2049-12-31T16:00:00.999Z",
    "expiry_date_in_millis" : 2524579200999,
    "max_nodes" : 100,
    "issued_to" : "wang xiao (???????)",
    "issuer" : "Web Form",
    "start_date_in_millis" : 1565481600000
  }
}
```

Cracked successfully

  1. Set passwords
     Set the passwords of the built-in users (elastic, kibana and the others) that clients need in order to connect:
```bash
bin/elasticsearch-setup-passwords interactive
```

ES cluster deployment and Kibana (three nodes used as the example)

The steps above produce a single node. For a cluster, the following steps are also needed:

  1. With the x-pack security feature enabled, the nodes of a cluster must talk to each other over TLS/SSL, so a certificate file has to be generated first:
```bash
bin/elasticsearch-certutil cert -out config/elastic-certificates.p12 -pass ""
```

This writes elastic-certificates.p12 (with an empty password) to the config directory. Change its ownership to the user Elasticsearch runs as, and keep it readable by that user only: the same file is copied to every node as both keystore and truststore, so anyone holding a copy of it can join the cluster.

```bash
chown elk:elk config/elastic-certificates.p12
```
  1. Copy the cracked es-01 directory to es-02 and es-03, then empty the data and logs directories of es-02 and es-03. This matters most for data: the copied directory still holds es-01's node state, and a node started from it fails with an error instead of joining.

  2. Modify the Elasticsearch configuration
     The configuration of es-01:

```bash
[root@heaven-01 soft]# grep -v "#" es-01/config/elasticsearch.yml
```
```yaml
cluster.name: es-cluster
node.name: node-master-01
node.master: true
node.data: true
path.data: /data/soft/es-01/data
path.logs: /data/soft/es-01/logs
network.host: 10.0.0.4
http.port: 9200
transport.tcp.compress: true
http.cors.enabled: true
http.cors.allow-origin: "*"
bootstrap.memory_lock: true
discovery.seed_hosts: ["10.0.0.4:9300","10.0.0.4:9301","10.0.0.4:9302"]
cluster.initial_master_nodes: ["10.0.0.4:9300"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /data/soft/es-01/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/soft/es-01/config/elastic-certificates.p12
```

The configuration of es-02:

```bash
[root@heaven-01 soft]# grep -v "#" es-02/config/elasticsearch.yml
```
```yaml
cluster.name: es-cluster
node.name: node-data-01
node.master: false
node.data: true
path.data: /data/soft/es-02/data
path.logs: /data/soft/es-02/logs
network.host: 10.0.0.4
http.port: 9201
transport.tcp.compress: true
http.cors.enabled: true
http.cors.allow-origin: "*"
bootstrap.memory_lock: true
discovery.seed_hosts: ["10.0.0.4:9300","10.0.0.4:9301","10.0.0.4:9302"]
cluster.initial_master_nodes: ["10.0.0.4:9300"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /data/soft/es-02/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/soft/es-02/config/elastic-certificates.p12
```

The configuration of es-03:

```bash
[root@heaven-01 soft]# grep -v "#" es-03/config/elasticsearch.yml
```
```yaml
cluster.name: es-cluster
node.name: node-data-02
node.master: false
node.data: true
path.data: /data/soft/es-03/data
path.logs: /data/soft/es-03/logs
network.host: 10.0.0.4
http.port: 9202
transport.tcp.compress: true
http.cors.enabled: true
http.cors.allow-origin: "*"
bootstrap.memory_lock: true
discovery.seed_hosts: ["10.0.0.4:9300","10.0.0.4:9301","10.0.0.4:9302"]
cluster.initial_master_nodes: ["10.0.0.4:9300"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /data/soft/es-03/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/soft/es-03/config/elastic-certificates.p12
```
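The three files above have to agree on the settings the cluster's security posture depends on, and a copy-paste slip in one of them (a node left with security or transport TLS off, or two nodes on the same host given the same http.port) is the usual reason a node refuses to join. The added Python example below (not from the original page) parses the flat key: value form these files use, flags the settings a reviewer would raise on this layout (verification_mode certificate, the REST API on plain http, CORS open to every origin) and checks that the nodes agree on what they must share. The sample is the node-master-01 file from this page with the two data nodes derived from it; one derived node is deliberately given transport TLS off so the cross-node check fires. For real files, read each one and pass the text to parse_flat_yaml().

```python
"""Audit the security-relevant settings of flat elasticsearch.yml files (stdlib only)."""

# Constructed sample: node-master-01 from this page, trimmed to the lines the
# checker inspects. The two data nodes are derived from it in demo().
MASTER_YML = """\
cluster.name: es-cluster
node.name: node-master-01
network.host: 10.0.0.4
http.port: 9200
http.cors.enabled: true
http.cors.allow-origin: "*"
discovery.seed_hosts: ["10.0.0.4:9300","10.0.0.4:9301","10.0.0.4:9302"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /data/soft/es-01/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /data/soft/es-01/config/elastic-certificates.p12
"""


def parse_flat_yaml(text):
    """Parse 'key: value' lines into a dict; skips blanks and '#' comments and
    strips matching quotes around values. Nested (indented) YAML is not handled."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        settings[key] = value
    return settings


def audit_node(s):
    """Per-node checks. Returns a list of (severity, setting, message)."""
    findings = []
    if s.get("xpack.security.enabled") != "true":
        findings.append(("HIGH", "xpack.security.enabled",
                         "security is off: no authentication on the HTTP or transport port"))
    if s.get("xpack.security.transport.ssl.enabled") != "true":
        findings.append(("HIGH", "xpack.security.transport.ssl.enabled",
                         "node-to-node traffic is cleartext; required once security is on"))
    mode = s.get("xpack.security.transport.ssl.verification_mode", "full")  # ES default is full
    if mode == "none":
        findings.append(("HIGH", "xpack.security.transport.ssl.verification_mode",
                         "peer certificates are not validated at all"))
    elif mode == "certificate":
        findings.append(("INFO", "xpack.security.transport.ssl.verification_mode",
                         "chain is checked but hostname is not: any host holding the shared .p12 can join"))
    if s.get("xpack.security.http.ssl.enabled") != "true":
        findings.append(("MEDIUM", "xpack.security.http.ssl.enabled",
                         "REST API is plain http: the elastic password and every query cross the wire unencrypted"))
    if s.get("http.cors.enabled") == "true" and s.get("http.cors.allow-origin") in ("*", "/.*/"):
        findings.append(("MEDIUM", "http.cors.allow-origin",
                         "any web origin may send cross-origin requests; pin it to the origin that needs it"))
    return findings


def audit_cluster(nodes):
    """Cross-node checks: settings every member must agree on, plus port clashes."""
    findings = []
    for key in ("cluster.name", "discovery.seed_hosts",
                "xpack.security.enabled", "xpack.security.transport.ssl.enabled"):
        seen = {name: s.get(key) for name, s in nodes.items()}
        if len(set(seen.values())) > 1:
            findings.append(("HIGH", key, f"differs across nodes: {seen}"))
    by_endpoint = {}
    for name, s in nodes.items():
        by_endpoint.setdefault((s.get("network.host"), s.get("http.port")), []).append(name)
    for (host, port), names in by_endpoint.items():
        if len(names) > 1:
            findings.append(("HIGH", "http.port", f"{names} all bind {host}:{port}"))
    return findings


def demo():
    """Audit the constructed three-node layout; returns (node, cluster) findings."""
    nodes = {"node-master-01": parse_flat_yaml(MASTER_YML)}
    for name, port in (("node-data-01", "9201"), ("node-data-02", "9202")):
        derived = dict(nodes["node-master-01"])
        derived.update({"node.name": name, "http.port": port})
        nodes[name] = derived
    nodes["node-data-02"]["xpack.security.transport.ssl.enabled"] = "false"  # constructed slip
    return audit_node(nodes["node-master-01"]), audit_cluster(nodes)


if __name__ == "__main__":
    node_findings, cluster_findings = demo()
    for sev, key, msg in node_findings + cluster_findings:
        print(f"{sev:6s} {key:50s} {msg}")
```

The INFO on verification_mode is deliberate: certificate is what this page uses and it works, but because every node shares one elastic-certificates.p12 as both keystore and truststore, possession of that file is the only thing that gates cluster membership.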
  1. Start the three nodes one after another
```bash
sudo -u elk /data/soft/es-01/bin/elasticsearch -d
sudo -u elk /data/soft/es-02/bin/elasticsearch -d
sudo -u elk /data/soft/es-03/bin/elasticsearch -d
```
  1. Download and configure Kibana
```bash
wget https://artifacts.elastic.co/downloads/kibana/kibana-7.0.1-x86_64.rpm
rpm -ivh kibana-7.0.1-x86_64.rpm
```

Modify the configuration as follows:

```bash
cat /etc/kibana/kibana.yml
```
```yaml
server.port: 5601
server.host: "10.0.0.4"
elasticsearch.hosts: ["http://10.0.0.4:9200"]
elasticsearch.username: "elastic"
elasticsearch.password: "123456"
xpack.security.encryptionKey: "something_at_least_32_characters"
```

Two things to note here. elasticsearch.password is the elastic password set with elasticsearch-setup-passwords, stored in clear text in this file (bin/kibana-keystore add elasticsearch.password keeps it out of the file), and it is sent to Elasticsearch over plain http because HTTP TLS was never enabled on the nodes. xpack.security.encryptionKey must be a random string of at least 32 characters; replace the placeholder above with your own value.

Start Kibana:

```bash
/etc/init.d/kibana start
```
  1. Access http://10.0.0.4:5601 and log in with the elastic user and the password set above.