HackTheBox Haystack walkthrough

Starting with a masscan port scan:

Three ports are open: SSH, a web server, and an API.

The web port reveals nothing but an image.

(screenshot: hackthebox – haystack – needle)

Running the strings command on the image reveals a base64 string at the end.

Decoding the base64:
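The two steps above (strings, then base64 decode) can be automated into a single check for text hidden past the end of an image, which is also how you would scan a batch of uploaded files for the same trick. The following is an added example, not the author's command line: it builds a constructed JPEG-like byte string with a constructed Spanish phrase appended as base64, mimics what strings(1) does, and reports every printable run that decodes to readable text.

```python
from __future__ import annotations

import base64
import re

# Constructed sample: a JPEG-like header and some binary-looking bytes, with a
# base64 blob appended after the end-of-image marker. The decoded text is a
# Spanish phrase made up for this example, not taken from the real image.
SAMPLE_IMAGE = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01"
    + bytes(range(256)) * 2
    + b"\xff\xd9"
    + base64.b64encode('la aguja en el pajar es "clave"'.encode("utf-8"))
)

PRINTABLE = frozenset(range(0x20, 0x7F))
# A base64 candidate: alphabet characters only, reasonably long, optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Mimic the strings(1) utility: return runs of printable ASCII of at least min_len."""
    found, run = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def try_base64(s: str) -> str | None:
    """Return the decoded text if s is valid base64 that decodes to printable UTF-8, else None."""
    if len(s) % 4 or not B64_RE.match(s):
        return None
    try:
        decoded = base64.b64decode(s, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return decoded if decoded.isprintable() else None


def find_hidden_base64(data: bytes) -> list[tuple[str, str]]:
    """Pair every printable string that decodes as base64 text with its plaintext."""
    hits = []
    for s in extract_strings(data):
        decoded = try_base64(s)
        if decoded is not None:
            hits.append((s, decoded))
    return hits


if __name__ == "__main__":
    for encoded, plain in find_hidden_base64(SAMPLE_IMAGE):
        print(f"{encoded}  ->  {plain}")
```

The length and printable-UTF-8 checks matter: short runs such as the "JFIF" marker are valid base64 alphabet but decode to garbage, and without those filters a scan of real images drowns in false positives.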

The decoded text appears to be Spanish and translates to:

the needle in the haystack is “key”

(screenshot: hackthebox – needle in the haystack is “key”)

Moving to port 9200. This looks like a search API (9200 is Elasticsearch's default port) where we can search for the key. Trying the following:

which gives the following:

Translating it with translate.google.com:

It seems we have something important; decoding the base64:

We get a username and password for SSH.

We can now read the user.txt flag.

Playing around, we find that the server is running Kibana. I found it by checking the ports open on the server. The netstat command was not available on the server, so I had to find a way around that.

Notice port 5601.
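When netstat and ss are missing, the kernel still exposes every TCP socket through /proc/net/tcp, which is what those tools read anyway; being able to parse it by hand is just as useful when auditing which services a host exposes and which user owns each listener. The following is an added example and not the author's workaround (the post does not show it): it parses a constructed /proc/net/tcp listing (addresses and ports are little-endian hex, state 0A is LISTEN) and lists the listening sockets with their owning uid. It handles IPv4 only; /proc/net/tcp6 uses 128-bit addresses this decoder does not cover.

```python
from __future__ import annotations

import socket
import struct

# Constructed sample in /proc/net/tcp format (not a capture from the box). Ports
# and addresses are little-endian hex; st 0A is LISTEN, 01 is ESTABLISHED.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18277 1 0000000000000000 100 0 0 10 0
   1: 00000000:23F0 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20133 1 0000000000000000 100 0 0 10 0
   2: 0100007F:15E1 00000000:0000 0A 00000000:00000000 00:00000000 00000000   996        0 21042 1 0000000000000000 100 0 0 10 0
   3: 0F02000A:0016 1602000A:C3B2 01 00000000:00000000 02:000A7D6C 00000000     0        0 22910 2 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = 0x0A


def hex_to_ipv4(hex_addr: str) -> str:
    """Decode the kernel's little-endian hex IPv4 form, e.g. '0100007F' -> '127.0.0.1'."""
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))


def parse_proc_net_tcp(text: str) -> list[dict]:
    """Parse every entry of a /proc/net/tcp listing into a dict."""
    entries = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        local_ip, local_port = fields[1].split(":")
        remote_ip, remote_port = fields[2].split(":")
        entries.append({
            "local_ip": hex_to_ipv4(local_ip),
            "local_port": int(local_port, 16),
            "remote_ip": hex_to_ipv4(remote_ip),
            "remote_port": int(remote_port, 16),
            "state": int(fields[3], 16),
            "uid": int(fields[7]),
        })
    return entries


def listening_sockets(text: str) -> list[tuple[str, int, int]]:
    """Return (bind address, port, owning uid) for every socket in LISTEN state."""
    return [
        (e["local_ip"], e["local_port"], e["uid"])
        for e in parse_proc_net_tcp(text)
        if e["state"] == TCP_LISTEN
    ]


def read_proc_net_tcp(path: str = "/proc/net/tcp") -> list[tuple[str, int, int]]:
    """Read the live IPv4 table from the kernel and return its listeners."""
    with open(path) as fh:
        return listening_sockets(fh.read())


if __name__ == "__main__":
    for ip, port, uid in listening_sockets(SAMPLE_PROC_NET_TCP):
        print(f"{ip}:{port}  uid={uid}")
```

In the constructed sample the third listener is bound to 127.0.0.1 only, which is the kind of service that never shows up in an external port scan and is easy to forget when reviewing what a host exposes to local users.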

There is a CVE for Kibana. According to https://github.com/mpgn/CVE-2018-17246 it suffers from LFI. Exploiting it:

First of all, set up the JS file:

Save the file as dev.js in the /dev/shm/ directory.

Then, listen for a shell on port 4444.

Then, on the box, execute the following:

You will get a shell.

(screenshot: hackthebox – haystack – kibana)

Upgrade the shell as described here.

Again, we can explore further as the kibana user. We then found an interesting place: the logstash configuration. In /etc/logstash/conf.d we found 3 files:

The contents are as follows:

If you already know logstash this will be easy to follow. If not: the input looks for an executable file inside /opt/kibana named “logstash_whatever” and removes it every 10 seconds. The filter only passes a message through if it matches a certain pattern. Finally, the comando (the captured command) is executed.
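What makes this pipeline a privilege escalation rather than a convenience is the combination of two settings: a file input reading from a directory a low-privileged user can write to, and an exec output that interpolates an event field straight into a shell command, all run by a root Logstash. The following is an added example, not the box's real conf.d files: it audits a constructed pipeline modelled on the description above, splits it into its input/filter/output sections by counting braces, and flags both conditions. The directory permission check is injected as a callable so it can be tested without touching the host; by default it uses os.stat.

```python
from __future__ import annotations

import os
import re
import stat
from typing import Callable

# Constructed pipeline modelled on the description above (not the box's real
# files): a file input watching /opt/kibana, a grok filter that extracts a
# "comando" field, and an exec output that runs that field as a shell command.
SAMPLE_PIPELINE = r"""
input {
  file {
    path => "/opt/kibana/logstash_*"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    discover_interval => "10"
  }
}

filter {
  grok {
    match => { "message" => "run\s*comando\s*:\s+%{GREEDYDATA:comando}" }
  }
}

output {
  exec {
    command => "%{comando} &"
  }
}
"""

SECTION_RE = re.compile(r"\s*(\w+)\s*\{")
FILE_PATH_RE = re.compile(r"\bfile\s*\{[^}]*?\bpath\s*=>\s*\"([^\"]*)\"", re.S)
EXEC_CMD_RE = re.compile(r"\bexec\s*\{[^}]*?\bcommand\s*=>\s*\"([^\"]*)\"", re.S)
FIELD_REF_RE = re.compile(r"%\{([^}:]+)")


def top_level_sections(conf: str) -> dict[str, str]:
    """Split a pipeline into its input/filter/output bodies by counting braces.
    Assumes braces inside quoted strings are balanced, which holds for %{field}."""
    sections, pos = {}, 0
    while (m := SECTION_RE.match(conf, pos)):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        sections[m.group(1)] = conf[m.end():i - 1]
        pos = i
    return sections


def default_mode_of(path: str) -> int | None:
    """st_mode of a path on this host, or None when it does not exist."""
    try:
        return os.stat(path).st_mode
    except FileNotFoundError:
        return None


def audit_pipeline(conf: str, mode_of: Callable[[str], int | None] = default_mode_of) -> list[str]:
    """Flag input directories untrusted users can write to and exec outputs that
    interpolate event fields, the combination that turns log lines into commands."""
    findings = []
    sections = top_level_sections(conf)
    for path in FILE_PATH_RE.findall(sections.get("input", "")):
        directory = os.path.dirname(path)
        mode = mode_of(directory)
        if mode is None:
            findings.append(f"input path {path}: directory {directory} not found, check who can write to it")
        elif mode & stat.S_IWOTH:
            findings.append(f"input path {path}: directory {directory} is world-writable, any local user can inject events")
    for cmd in EXEC_CMD_RE.findall(sections.get("output", "")):
        fields = FIELD_REF_RE.findall(cmd)
        if fields:
            findings.append(f"exec output runs {cmd!r}: event field(s) {fields} become shell code")
    return findings


if __name__ == "__main__":
    # Pretend /opt/kibana is world-writable so the sample shows both findings.
    for finding in audit_pipeline(SAMPLE_PIPELINE, mode_of=lambda p: 0o40777):
        print("-", finding)
```

Either finding on its own is worth fixing: tighten the input directory so only the pipeline owner can write to it, and replace the exec output with something that does not hand event data to a shell.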

To execute our payload we need to match the pattern. This link will be helpful for matching the pattern. Go to the site. In the lower box, enter the following…

Here:
- \s* matches zero or more whitespace characters (a space is optional)
- \s+ matches one or more whitespace characters (at least one space is required)
- GREEDYDATA matches everything that follows (it expands to .*)

This is the content of filter.conf that it tries to match:

…and in the upper box try to match the pattern.
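The grok debugger is convenient, but the semantics are small enough to reproduce offline, which is handy when reviewing a filter to see exactly which lines it will let through to the exec output. The following is an added example, not the box's filter.conf nor part of Logstash: it implements a tiny subset of grok (the %{NAME:field} expansion over a handful of built-in pattern names written out here) on top of Python's re, and runs a constructed pattern in the shape described above against a few constructed lines to show the difference between \s*, \s+ and GREEDYDATA. Like the real grok filter it searches unanchored.

```python
from __future__ import annotations

import re

# A small subset of Logstash's built-in grok patterns, written out here for the
# example (the real library ships hundreds). Each name expands to a regex.
GROK_PATTERNS = {
    "GREEDYDATA": r".*",
    "DATA": r".*?",
    "WORD": r"\b\w+\b",
    "NOTSPACE": r"\S+",
    "SPACE": r"\s*",
    "INT": r"[+-]?\d+",
}
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

# Constructed filter pattern in the shape described above: literal text, \s* and
# \s+ for optional and required whitespace, and GREEDYDATA capturing the rest
# into the "comando" field.
PATTERN = r"run\s*comando\s*:\s+%{GREEDYDATA:comando}"


def grok_to_regex(pattern: str) -> str:
    r"""Expand %{NAME:field} into a named group and bare %{NAME} into a
    non-capturing group. \s*, \s+ and literal text are already regex syntax
    and pass through unchanged."""
    def expand(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        if name not in GROK_PATTERNS:
            raise ValueError(f"unknown grok pattern {name}")
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return GROK_REF.sub(expand, pattern)


def grok_match(pattern: str, line: str) -> dict[str, str] | None:
    """Apply a grok pattern the way the filter does: unanchored search, returning
    the captured fields on success and None when the line does not match."""
    m = re.search(grok_to_regex(pattern), line)
    return m.groupdict() if m else None


def explain(pattern: str, lines: list[str]) -> list[tuple[str, dict[str, str] | None]]:
    """Run several candidate lines through the pattern and pair each with its result."""
    return [(line, grok_match(pattern, line)) for line in lines]


if __name__ == "__main__":
    # Constructed lines: the first two match (\s* allows zero or more spaces),
    # the third fails because \s+ needs at least one space after the colon.
    samples = ["run comando: uptime", "runcomando : uptime", "run comando:uptime"]
    for line, result in explain(PATTERN, samples):
        print(f"{line!r:24} -> {result}")
```

Because the search is unanchored, a matching fragment anywhere in a longer line is enough; this is why the Logstash documentation recommends anchoring grok patterns with ^ and $ when the format is fixed.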

After you find the pattern, let's create a file called “logstash_dev”:

Paste the following:

Save the file and make it executable.

Don't forget to listen for the shell; wait a little while and you will get root.
