HackTheBox - Haystack

Name: HackTheBox - Haystack
Uploaded: 2019-11-02T14:59:42Z
Channel: IppSec
Description: 00:54 - Begin of Recon find Elastic Search on 9200 02:00 - Checking the exif data in the image, nothing interesting, but showing FF changes some metadat...

IppSec · Intermediate ·📰 AI News & Updates ·6y ago

00:54 - Begin of Recon find Elastic Search on 9200 02:00 - Checking the exif data in the image, nothing interesting, but showing FF changes some metadata when downloading (foresnic tip) 03:55 - Navigating to port 9200 and seeing the Elastic Search JSON Response 04:48 - Searching Elastic Search Documentation to see how to make queries 06:00 - Using /_cat/indices to see the "tables" withing ES 07:37 - Using /quotes/_search to dump the Quotes indicy, then using jq to extract desired data 13:20 - Lets switch over to Python to extract this data so we can translate this into English 17:00 - Installi…

Watch on YouTube ↗ (saves to browser)

Chapters (20)

0:54 Begin of Recon find Elastic Search on 9200

2:00 Checking the exif data in the image, nothing interesting, but showing FF chang

3:55 Navigating to port 9200 and seeing the Elastic Search JSON Response

4:48 Searching Elastic Search Documentation to see how to make queries

6:00 Using /_cat/indices to see the "tables" withing ES

7:37 Using /quotes/_search to dump the Quotes indicy, then using jq to extract desi

13:20 Lets switch over to Python to extract this data so we can translate this into

17:00 Installing googletrans, so our script can translate this. Using python3 cli t

20:10 Adding googletrans to our script

21:10 Running our script to translate everything and then using grep to "find the ne

22:50 SSH'ing to the box with the security user

24:00 Running LinEnum, noticing kibana listening on 5601

28:15 Creating a Local Port forward so we can access kibana from out box

29:50 Checking Kibana's version to see there are known exploits for it

30:50 Getting a reverse shell as the Kibana user

36:00 Using find to see what files the kibana user can write to

37:10 Going into the Logstash directory to see that it will execute code with a spec

38:45 Explaining the logstash pipeline of how it gets data

39:33 Getting a reverse shell as the LogStash user (root)

42:00 Reverse shell returned, but we screwed up creating a file -- figuring out what

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →

HackTheBox - Haystack

Chapters (20)

Playlist

Lesson complete!