err0r926

9200 - Pentesting Elasticsearch

Posted (edited)

Basic information

From the main page you can find some useful descriptions:

Elasticsearch is a distributed, open source search and analytics engine for all types of data, including textual, numerical, geospatial, structured, and unstructured. Elasticsearch is built on Apache Lucene and was first released in 2010 by Elasticsearch N.V. (now known as Elastic). Known for its simple REST APIs, distributed nature, speed, and scalability, Elasticsearch is the central component of the Elastic Stack, a set of open source tools for data ingestion, enrichment, storage, analysis, and visualization. Commonly referred to as the ELK Stack (after Elasticsearch, Logstash, and Kibana), the Elastic Stack now includes a rich collection of lightweight shipping agents known as Beats for sending data to Elasticsearch.

Edited by err0r926
Posted

What is an Elasticsearch index?

An Elasticsearch index is a collection of documents that are related to each other. Elasticsearch stores data as JSON documents. Each document correlates a set of keys (names of fields or properties) with their corresponding values (strings, numbers, Booleans, dates, arrays of values, geolocations, or other types of data).
Elasticsearch uses a data structure called an inverted index, which is designed to allow very fast full-text searches. An inverted index lists every unique word that appears in any document and identifies all of the documents each word occurs in.
During the indexing process, Elasticsearch stores documents and builds an inverted index to make the document data searchable in near real-time. Indexing is initiated with the index API, through which you can add or update a JSON document in a specific index.
Default port: 9200/tcp
Posted (edited)

Manual Enumeration

Banner

The protocol used to access Elasticsearch is HTTP. When you access it via HTTP you will find some interesting information: http://10.10.10.115:9200/

If you don't see that response when accessing /, see the following section.

Posted

Authentication

By default Elasticsearch doesn't have authentication enabled, so by default you can access everything inside the database without using any credentials.
You can verify that authentication is disabled with a request to:
curl -X GET "ELASTICSEARCH-SERVER:9200/_xpack/security/user"
{"error":{"root_cause":[{"type":"exception","reason":"Security must be explicitly enabled when using a [basic] license. Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file and restart the node."}],"type":"exception","reason":"Security must be explicitly enabled when using a [basic] license. Enable security by setting [xpack.security.enabled] to [true] in the elasticsearch.yml file and restart the node."},"status":500}

However, if you send a request to / and receive a response like the following one:

{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}

That means that authentication is configured and you need valid credentials to obtain any info from Elasticsearch. Then, you can try to bruteforce it (it uses HTTP basic auth, so anything that BFs HTTP basic auth can be used). Here you have a list of default usernames: elastic (superuser), remote_monitoring_user, beats_system, logstash_system, kibana, kibana_system, apm_system, _anonymous_. Older versions of Elasticsearch have the default password changeme for this user.

curl -X GET http://user:password@IP:9200/
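
One way to turn the two checks in this post into an automated audit, as an added example that is not part of the post: it reads the status code and body of GET / and GET /_xpack/security/user and reports whether security is disabled. The sample bodies are constructed copies of the responses quoted above; fetching them is left to whatever HTTP client you use.

```python
import json

# Constructed samples: abbreviated copies of the bodies quoted in the post, plus an open banner.
_OFF_REASON = ("Security must be explicitly enabled when using a [basic] license. Enable security by "
               "setting [xpack.security.enabled] to [true] in the elasticsearch.yml file and restart the node.")
SECURITY_OFF = (500, json.dumps({"error": {"root_cause": [{"type": "exception", "reason": _OFF_REASON}],
                                            "type": "exception", "reason": _OFF_REASON}, "status": 500}))
_MISSING = "missing authentication credentials for REST request [/]"
NEEDS_CREDS = (401, json.dumps({"error": {"root_cause": [{"type": "security_exception", "reason": _MISSING,
                                                          "header": {"WWW-Authenticate": 'Basic realm="security" charset="UTF-8"'}}],
                                           "type": "security_exception", "reason": _MISSING}, "status": 401}))
OPEN_BANNER = (200, json.dumps({"name": "node-1", "cluster_name": "elasticsearch", "tagline": "You Know, for Search"}))


def classify(status, body):
    """Map one (status, body) pair returned by Elasticsearch to a security-posture label."""
    try:
        doc = json.loads(body)
    except ValueError:
        return "not_elasticsearch"
    err = doc.get("error") or {}
    cause = (err.get("root_cause") or [{}])[0]
    reason = cause.get("reason", "")
    if status == 500 and "xpack.security.enabled" in reason:
        return "security_disabled"      # no auth at all: every index is readable anonymously
    if status == 401 and cause.get("type") == "security_exception":
        return "auth_required"          # the HTTP Basic realm "security" is enforced
    if status == 200 and "cluster_name" in doc:
        return "banner"                 # the / banner; on its own it says nothing about auth
    return "unknown"


def audit(root, security_user):
    """Combine GET / and GET /_xpack/security/user into a verdict, quoting the fix from the error text."""
    states = {classify(*root), classify(*security_user)}
    if "security_disabled" in states:
        return "FAIL: set xpack.security.enabled: true in elasticsearch.yml and restart the node"
    if "auth_required" in states:
        return "PASS: authentication is enforced"
    return "INCONCLUSIVE: inspect the responses manually"


if __name__ == "__main__":
    print(audit(OPEN_BANNER, SECURITY_OFF))   # open cluster from the first response in the post
    print(audit(NEEDS_CREDS, NEEDS_CREDS))    # secured cluster from the second response
```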

Posted

Basic User Enumeration

#List all roles on the system:
curl -X GET "ELASTICSEARCH-SERVER:9200/_security/role"

#List all users on the system:
curl -X GET "ELASTICSEARCH-SERVER:9200/_security/user"

#Get more information about the rights of an user:
curl -X GET "ELASTICSEARCH-SERVER:9200/_security/user/<USERNAME>"
Posted (edited)

Indices

You can gather all the indices accessing http://10.10.10.115:9200/_cat/indices?v

health status index   uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .kibana 6tjAYZrgQ5CwwR0g6VOoRg   1   0          1            0        4kb            4kb
yellow open   quotes  ZG2D1IqkQNiNZmi2HRImnQ   5   1        253            0    262.7kb        262.7kb
yellow open   bank    eSVpNfCfREyYoVigNWcrMw   5   1       1000            0    483.2kb        483.2kb

To obtain information about which kind of data is saved inside an index you can access http://host:9200/<index>, for example in this case http://10.10.10.115:9200/bank

Posted

Dump index

If you want to dump all the contents of an index you can access: http://host:9200/<index>/_search?pretty=true like http://10.10.10.115:9200/bank/_search?pretty=true

Take a moment to compare the contents of each document (entry) inside the bank index with the fields of this index that we saw in the previous section.
So, at this point you may notice that there is a field called "total" inside "hits" that indicates that 1000 documents were found inside this index but only 10 were retrieved. This is because by default there is a limit of 10 documents. But, now that you know that this index contains 1000 documents, you can dump all of them by indicating the number of entries you want to dump in the size parameter: http://10.10.10.115:9200/quotes/_search?pretty=true&size=1000 Note: If you indicate a bigger number, all the entries will be dumped anyway; for example you could indicate size=9999, and it would be weird if there were more entries (but you should check).
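
The "check" at the end of this post can be done mechanically. The following is an added example (not part of the post) that parses the _cat/indices?v table from the Indices post and a _search response, and reports whether a page actually covers the whole index; it handles both the pre-7.0 integer hits.total and the 7.x {"value", "relation"} form. The sample table and responses are constructed.

```python
# Constructed sample in the same column layout as the _cat/indices?v output in the post above.
CAT_INDICES = """\
health status index   uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .kibana 6tjAYZrgQ5CwwR0g6VOoRg   1   0          1            0        4kb            4kb
yellow open   bank    eSVpNfCfREyYoVigNWcrMw   5   1       1000            0    483.2kb        483.2kb
"""


def parse_cat_indices(text):
    """Turn the whitespace-aligned _cat/indices?v table into {index_name: docs.count}."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    header, body = rows[0], rows[1:]
    name_col, count_col = header.index("index"), header.index("docs.count")
    return {row[name_col]: int(row[count_col]) for row in body}


def hits_total(resp):
    """Normalise hits.total: an int before 7.0, {"value": N, "relation": "eq"|"gte"} from 7.0 on."""
    total = resp["hits"]["total"]
    if isinstance(total, dict):
        return int(total["value"]), total.get("relation", "eq")
    return int(total), "eq"


def check_dump(resp, expected_docs=None):
    """Decide whether one _search page holds every document of the index.

    expected_docs is the docs.count from _cat/indices, used as a second opinion because
    7.x stops counting at 10000 (relation "gte") unless track_total_hits=true is passed.
    """
    total, relation = hits_total(resp)
    returned = len(resp["hits"]["hits"])
    complete = relation == "eq" and returned >= total
    if expected_docs is not None:
        complete = complete and returned >= expected_docs
    return {"total": total, "relation": relation, "returned": returned, "complete": complete}


def _page(n_hits, total):
    """Constructed _search response skeleton with n_hits stub documents."""
    return {"hits": {"total": total, "hits": [{"_index": "bank", "_id": str(i)} for i in range(n_hits)]}}


DEFAULT_PAGE = _page(10, {"value": 1000, "relation": "eq"})       # no size given: 10 of 1000 returned
FULL_PAGE = _page(1000, 1000)                                     # pre-7.0 integer total, size=1000
CAPPED_PAGE = _page(10000, {"value": 10000, "relation": "gte"})   # 7.x count capped at 10000

if __name__ == "__main__":
    bank_docs = parse_cat_indices(CAT_INDICES)["bank"]
    for name, page in ("default", DEFAULT_PAGE), ("full", FULL_PAGE), ("capped", CAPPED_PAGE):
        print(name, check_dump(page, expected_docs=bank_docs))
```

Note that size itself is bounded by index.max_result_window (10000 by default), so a single request cannot page past that regardless of what hits.total reports.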
Posted (edited)

Dump all

In order to dump all you can just go to the same path as before but without indicating any index: http://host:9200/_search?pretty=true like http://10.10.10.115:9200/_search?pretty=true Remember that in this case the default limit of 10 results will be applied. You can use the size parameter to dump a bigger amount of results. Read the previous section for more information.

Posted (edited)

Write permissions

You can check your write permissions trying to create a new document inside a new index running something like the following:

curl -X POST '10.10.10.115:9200/bookindex/books' -H 'Content-Type: application/json' -d'
 {
    "bookId" : "A00-3",
    "author" : "Sankaran",
    "publisher" : "Mcgrahill",
    "name" : "how to get a job"
 }'

That command will create a new index called bookindex with a document of type books that has the attributes "bookId", "author", "publisher" and "name".
