HackTheBox Writeup — Haystack

Hello Guys , I am Faisal Husaini. My username on HTB is “faisalelino” .

The IP of this box is

nmap -sC -sV -oN nmap -Pn

We just see an image of haystack and a needle, nothing else ! Checking the source code we see

Nothing interesting , just the image file , let’s try to fetch the image

Doing a file and binwalk command on the image file we see

It says a JPEF image data as well as TIFF image data , let’s run the strings command on it

We see a base64 encoded strings , let’s try to decode it

We get a message in Spanish , since I was born and raise in Spain , I know Spanish and this sentence means “The needle in the Haystack is ‘key

Now we saw in the NMAP Results that Port 9200 is open , let’s try to access it

We see that it is running elasticsearch , and from google , we learned that we can dump the data of elasticsearch using ElasticDump tool , which you have to install manually on your box.

So , we dump the data of elasticsearch using the command

elasticdump — input= — output=data.json — type=data

So we dumped the data into a file named data.json

Let’s see what we got interesting into it

Till now details of different employees etc. Scrolling down more

We see something in quotes and all of those are in Spanish language , and there were loads and loads of quotes here , although I know spanish , still reading all these would take forever to me.

As we remember from the strings we got from the haystack picture , which told that the needle in the haystack is the “key” in spanish which was “clave” , since this is a total CTF like machine , haystack meant all these spanish quotes and needle was the “key” , i.e , “clave

We try to grep the quotes with the word “clave

We see two quotes , the first one translates to

This key cannot be lost, I save it here: cGFzczogc3BhbmlzaC5pcy5rZXk=

And the second quote translates to

I have to save the key for the machine: dXNlcjogc2VjdXJpdHkg

Both of them looks like a base64 encoded string , so we try to decode both of them one by one

So both of the string decodes to a username and password , let’s try to SSH using these credentials

We got in as security user through SSH

The user flag was located in the same directory in which we were spawned

Now we move on the Priv Esc part

Check the services running on the box , we see

We see Kibana running which is related to ElasticSearch and also we didnt encountered this during our NMAP Scan

Kibana usually runs on port 5601 , if you do a google search , you will get to know that easily

Searching on Google for CVEs related to Kibana , we got something interesting

I will post the link for a detailed analysis for this at the end of this writeup , let’s try to exploit this Code Execution File Inclusion

So , we can upload our js reverse shell on the box and then call it through the Kibana api as shown below and then also put up our netcat listener


So we get ready with our curl request

Our shell looks like this

And then we put our netcat listener on

As soon as we hit our request , we get back a reverse shell

We got the reverse shell as Kibana , to confirm we use the id command

But this shell was not stable , so we went on to get a stable shell running from Linux box and we used the bash reverse shell one liner from PentestMonkey and set up another listener

And then we get our a more stable shell

Running one of the Linux Enumeration script , we get something interesting

We see /etc/logstash/conf.d is writable and when we check the permissions of that folder , we see

We see that Root and Kibana has permission for it , looking further into the folder , we get

We see three files named “filter.conf” , “input.conf” , “output.conf” , checking the contents of each files , we see

We see that input file has something which says it will execute anything in the folder /opt/kibana under the filename logstash_* in the interval of 10 seconds

The output file tells us that it will execute the command which we will provide

The filter file shows us the way of putting our command , so we are set ready for our 3rd and final reverse shell

Here , we echo our command as suggested in the filter file and put it under /opt/kibana/logstash_lul and then we put our netcat listener on and wait for few seconds and see

We got reverse shell and this time root as confirmed above , let’s get the root flag which is located usually under /root/root.txt

This was really a hard box , dont know how it was labeled as Easy and had only 20 points , should have been on Medium level

Resources Used To Solve This Box

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover