From the nmap scan, SSH and HTTP services are open.

Local Picture

This is the web page.

Local Picture

Port 9200 is running Elasticsearch.

Local Picture

I list all of its indices.

Local Picture

Then I list all documents in the quotes index. There are indeed many quotes, all in Spanish.

Local Picture

I write a get_content.py script to pull all the quotes and translate them to English. Among them I find the username security and the password spanish.is.key.
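The index listing and document dump above are ordinary Elasticsearch REST calls. The script below is an added example (not the author's get_content.py) that pages through an index with from/size and flattens the string fields of each document for reading; the host URL is a placeholder, the index name quotes is the one seen on the box, and the field names of the documents are not assumed. It also ships with a constructed fake of the server so it runs offline: swap fake_fetcher for es_page_fetcher() to run it against a live target.

```python
"""Dump every document from an Elasticsearch index by paging with from/size.

Added example, not the writeup's own script. ES_HOST is a placeholder and the
`quotes` index is the one from the box; SAMPLE_DOCS and fake_fetcher are
constructed stand-ins for the server so the module runs offline.
"""
import json
import urllib.request

ES_HOST = "http://127.0.0.1:9200"   # placeholder; point it at the target
INDEX = "quotes"                     # index seen on the box
PAGE_SIZE = 100
MAX_RESULT_WINDOW = 10000            # Elasticsearch default for from+size


def http_json(url, body=None, timeout=10):
    """GET (or POST when a body is given) and decode the JSON reply.
    No credentials: the target's Elasticsearch answered unauthenticated."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def list_indices(host=ES_HOST):
    """Index names from the _cat API (the 'list all indices' step)."""
    return [row["index"] for row in http_json(f"{host}/_cat/indices?format=json")]


def es_page_fetcher(host=ES_HOST):
    """Return fetch(index, start, size) -> one page of a match_all search.
    Sorting on _doc keeps the order stable across pages."""
    def fetch(index, start, size):
        body = {"query": {"match_all": {}}, "from": start, "size": size,
                "sort": ["_doc"]}
        return http_json(f"{host}/{index}/_search", body)
    return fetch


def total_hits(resp):
    """hits.total is a plain int on 6.x and {"value": n, ...} on 7.x and later."""
    total = resp["hits"]["total"]
    return total["value"] if isinstance(total, dict) else total


def dump_index(index, fetch, page_size=PAGE_SIZE):
    """Walk an index page by page and return every _source document.
    Stops with a clear error instead of silently truncating when the next
    page would cross index.max_result_window (use the scroll API then)."""
    docs, start = [], 0
    while True:
        resp = fetch(index, start, page_size)
        hits = resp["hits"]["hits"]
        docs.extend(h["_source"] for h in hits)
        start += len(hits)
        if not hits or start >= total_hits(resp):
            break
        if start + page_size > MAX_RESULT_WINDOW:
            raise RuntimeError("past max_result_window; use the scroll API")
    return docs


def string_fields(docs):
    """Flatten the string values of each document; field names are not assumed."""
    out = []
    for d in docs:
        out.extend(v for v in d.values() if isinstance(v, str))
    return out


# Constructed stand-in for the server so the script runs offline: `docs` is a
# list of _source dicts and the fake answers in the Elasticsearch 6.x shape.
def fake_fetcher(docs, calls=None):
    def fetch(index, start, size):
        if calls is not None:
            calls.append((start, size))
        page = docs[start:start + size]
        return {"hits": {"total": len(docs),
                         "hits": [{"_index": index, "_id": str(start + i),
                                   "_source": d} for i, d in enumerate(page)]}}
    return fetch


SAMPLE_DOCS = [{"quote": f"Cita de prueba numero {i}"} for i in range(253)]  # constructed


if __name__ == "__main__":
    # Offline demo; against a live target use es_page_fetcher() and list_indices().
    for line in string_fields(dump_index(INDEX, fake_fetcher(SAMPLE_DOCS))):
        print(line)
```

The from/size loop is enough for a few hundred quotes; for indices past 10,000 documents the server rejects the request, which is why the function fails loudly there rather than returning a partial dump.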

Local Picture

Now I can SSH to the server as security. The socket information shows port 5601 listening locally.

Local Picture

I forward the port to my machine over SSH; it is running Kibana 6.4.2.

Local Picture

There is an LFI vulnerability for this version.

Local Picture

Local Picture

I create a shell.js payload and trigger the vulnerability to include it, which gives me a reverse shell as the kibana user.

Local Picture

Local Picture

I find some Logstash .conf files owned by root with group kibana.

Local Picture

Essentially, for any file whose path matches /opt/kibana/logstash_*, the pipeline takes whatever follows Ejecutar comando : (Spanish for "execute command") in the file and executes it. There may be a cron job doing this check.
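To make the described behaviour concrete, here is a Logstash pipeline of the kind that produces it. This is an added reconstruction, not the .conf files from the box: the plugin options and the exact grok pattern are assumptions chosen to match what the writeup describes (a file input on the glob, a grok filter capturing everything after Ejecutar comando :, and an exec output running the capture).

```conf
# Reconstructed pipeline (an assumption, not the box's own file) showing how a
# file -> grok -> exec chain turns a path the attacker can write to into
# command execution as the user running Logstash.
input {
  file {
    path => "/opt/kibana/logstash_*"   # glob from the writeup
    start_position => "beginning"
    sincedb_path => "/dev/null"        # assumed: reprocess the file on every run
    type => "execute"
  }
}

filter {
  if [type] == "execute" {
    grok {
      # everything after the marker is captured into the field "comando"
      match => { "message" => "Ejecutar comando : %{GREEDYDATA:comando}" }
    }
  }
}

output {
  if [type] == "execute" {
    exec {
      command => "%{comando}"          # runs unsanitised, as the pipeline's user
    }
  }
}
```

The privilege boundary is crossed because the kibana user can create a file matching the glob while the exec output runs as root, so one line of the form Ejecutar comando : <command> in /opt/kibana/logstash_anything is executed as root. As a defender, the fix is the obvious one: never interpolate a field captured from file content into an exec output, and do not run Logstash as root.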

Local Picture

I write a file matching this pattern containing a reverse shell command, and get a shell as root.

Local Picture