Haystack


PM for nuggets

Thanks @NieruHawic for the assistance on the last few steps!! Rooted!

I only got as far as doing your basic scans like every other box, I used my steg skills to get a message from the picture, but I don’t know where to go next. Could someone help me please? Feel free to shoot me a PM. Thank you!

I’m stuck with the root, any hints going from user to ki***a ???

Guys, I need a nudge. I dumped all the data from the high port in the /b*** and /q***** but found nothing, please nudge me :slight_smile:

@PwrZer0 said:

Guys, I need a nudge. I dumped all the data from the high port in the /b*** and /q***** but found nothing, please nudge me :slight_smile:

Look further in the bits of the image at 80.

Got root!

For anyone who is stuck in L** (empty reply from server), some hints:

1 - Use quotes ever (CURL “http://<NINJA_PAYLOAD>”);
2 - RENAME your .js file. Don’t use shell.js or shell_1.js, rename to xpto_1233.js or another strange unique name. Really, this is a save point!

Any nuggets, PM ME! I’ll appreciate helping!

Rooted. If you’ll have some trouble, PM me.

I’m in the final step but I cannot receive a shell from the target. I changed the conf of l*****, but it didn’t work. So please PM.

Can anybody help me in PM? I uploaded my shell, but I cannot trigger it. I tried SSH pivoting and curl from inside but still no luck.

Is it normal that the k***** service is not running ? Then I checked the k**** logs : “Another instance of K***** may be running!”

Thanks

Finally ROOTED!! PM me if you meet problems.

Is it normal that the k***** service is not running ? Then I checked the k**** logs : “Another instance of K***** may be running!”

Forbidden access to the service from outside doesn’t mean that it’s not running.

Dang, need a hint on user. Dumped all from elastic, searched for key, can’t puzzle it together, not great at this CTF thing :slight_smile:

@qmi said:

@andresitompul said:

How did you figure out the username if you don’t know the password? B/c it’s in the same data dump but a little above. Did you get a spoiler?

I did a Python script to check each default username,
and one of my tested usernames is valid… that’s it.
I see.

I don’t know how to dump the database.

Any clue?
You may need to use an extension to ELK which enables you to view data using SQL queries. You will see tables, columns and finally data dump by the help of the good old cURL.

Does the SSH port forwarding also work on this machine without a password?
No. You will need to have SSH user/password.

I already have the sec login SSH and got user.txt
but no idea for getting the root.

How?

@rfalopes said:

@BT1483 said:

@rfalopes said:

Why, when I run the exploit from scrity to k**a*a, sometimes it works, sometimes it doesn’t?

Yes, the exploit is a bit flaky, I think it has to do with other people using it at the same time. Keep trying, it DOES work as described.

@rfalopes said:
Hello, I’m ki**na, any tip to get root?

Ponder why the ELK stack has that name, and which letters you have already used so far. Read a bit up on that third part of the trinity. Then figure out what it does on this box and do something quite similar to what you’ve done before.

Yes, I know… Now I need to make a priv. esc. using the Lostah… And I found the CVE-2017-170 but I don’t know how to use it :confused:

Same, me too… I don’t know how to upload the exploit… the wget command is not there, tried curl as well to upload the exploit, but it doesn’t work.

@andresitompul said:

Same, me too… I don’t know how to upload the exploit… the wget command is not there, tried curl as well to upload the exploit, but it doesn’t work.

You have already shell access to the machine, I assume? So no need to work from remote.

No nano or vi? No problem. There are other ways to get text into a file. After all, you can’t (sensibly) edit anything in /proc either, yet there are ways to change the content of the stuff in there. This of course just being an example, you don’t need to mess with the contents of /proc on this box!

Also, please try to correctly attribute your quotes, this one ain’t from me.

@andresitompul said:

I already have the sec login SSH and got user.txt
but no idea for getting the root.

How?
It was hinted in this forum before: there is an LFI vulnerability in this version of Kibana. Try to search for it on the web, you can elevate from sec****y account privileges to kibana user account first, from there you can craft a reverse shell and from there work your way to root.

I was able to switch to k***** once, but the second time, when I tried to understand how I did it, I couldn’t reach the corresponding port. :slight_smile: I wish I had continued my first attempt at root :D

*Edit: After post Finally rooted (:

I used dirbuster on the IP and found the /b*** directory but now what? Can someone please help me :((