本文详细记录了利用ElasticSearch的公开接口进行靶机渗透的过程,包括信息收集、漏洞利用和权限提升。通过搜索和解码数据,获取了用户和密码,最终利用CVE-2018-17246提权至kibana,并学习了ELK系统的知识。
获得靶机IP 10.10.10.115
nmap 扫一下
nmap -A IP
得到三个开放端口
Nmap scan report for bogon (10.10.10.115)
Host is up (0.28s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 2a:8d:e2:92:8b:14:b6:3f:e4:2f:3a:47:43:23:8b:2b (RSA)
| 256 e7:5a:3a:97:8e:8e:72:87:69:a3:0d:d1:00:bc:1f:09 (ECDSA)
|_ 256 01:d2:59:b2:66:0a:97:49:20:5f:1c:84:eb:81:ed:95 (ED25519)
80/tcp open http nginx 1.12.2
|_http-server-header: nginx/1.12.2
|_http-title: Site doesn't have a title (text/html).
9200/tcp open http nginx 1.12.2
|_http-server-header: nginx/1.12.2
|_http-title: Site doesn't have a title (application/json; charset=UTF-8).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: storage-misc|specialized|general purpose|WAP|webcam
Running (JUST GUESSING): HP embedded (89%), Crestron 2-Series (89%), Linux 3.X|2.6.X (88%), Asus embedded (86%), AXIS embedded (86%)
OS CPE: cpe:/h:hp:p2000_g3 cpe:/o:crestron:2_series cpe:/o:linux:linux_kernel:3.16 cpe:/h:asus:rt-n56u cpe:/o:linux:linux_kernel:3.4 cpe:/o:linux:linux_kernel:2.6.17 cpe:/h:axis:210a_network_camera cpe:/h:axis:211_network_camera
Aggressive OS guesses: HP P2000 G3 NAS device (89%), Crestron XPanel control system (89%), Linux 3.16 (88%), ASUS RT-N56U WAP (Linux 3.4) (86%), Linux 3.1 (86%), Linux 3.2 (86%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 3 hops
得到三个端口 80里面只有一个图片
9200 是一个接口 仔细查看了一下信息
{
"name" : "iQEYHgS",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "pjrX7V_gSFmJY-DxP4tCQg",
"version" : {
"number" : "6.4.2",
"build_flavor" : "default",
"build_type" : "rpm",
"build_hash
最低0.47元/天 解锁文章
842
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
