HackTheBox - Haystack

00:54 - Begin of Recon find Elastic Search on 9200 02:00 - Checking the exif data in the image, nothing interesting, but showing FF changes some metadata when downloading (foresnic tip) 03:55 - Navigating to port 9200 and seeing the Elastic Search JSON Response 04:48 - Searching Elastic Search Documentation to see how to make queries 06:00 - Using /_cat/indices to see the "tables" withing ES 07:37 - Using /quotes/_search to dump the Quotes indicy, then using jq to extract desired data 13:20 - Lets switch over to Python to extract this data so we can translate this into English 17:00 - Installing googletrans, so our script can translate this. Using python3 cli to test this out 20:10 - Adding googletrans to our script 21:10 - Running our script to translate everything and then using grep to "find the needle" 22:50 - SSH'ing to the box with the security user 24:00 - Running LinEnum, noticing kibana listening on 5601 28:15 - Creating a Local Port forward so we can access kibana from out box 29:50 - Checking Kibana's version to see there are known exploits for it 30:50 - Getting a reverse shell as the Kibana user 36:00 - Using find to see what files the kibana user can write to 37:10 - Going into the Logstash directory to see that it will execute code with a specific log message 38:45 - Explaining the logstash pipeline of how it gets data 39:33 - Getting a reverse shell as the LogStash user (root) 42:00 - Reverse shell returned, but we screwed up creating a file -- figuring out what we did wrong