9200) Elasticsearch
Tools
msf > use auxiliary/scanner/elasticsearch/indices_enum
Basic Enumeration
# If the status code is 403, there is no authentication
curl -X GET http://10.10.10.115:9200/_xpack/security/user
# Get basic info
curl -X GET http://10.10.10.115:9200/ | jq .
# List all roles
curl -X GET http://10.10.10.115:9200/_security/role/
# List all users
curl -X GET http://10.10.10.115:9200/_security/user
# List info for user ABC
curl -X GET http://10.10.10.115:9200/_security/user/ABC
# List endpoints info
curl -X GET http://10.10.10.115:9200/_cat
curl -X GET http://10.10.10.115:9200/_cluster/allocation/explain | jq .
curl -X GET http://10.10.10.115:9200/_cluster/settings | jq .
curl -X GET http://10.10.10.115:9200/_cluster/health | jq .
curl -X GET http://10.10.10.115:9200/_cluster/state | jq .
curl -X GET http://10.10.10.115:9200/_cluster/stats | jq .
curl -X GET http://10.10.10.115:9200/_cluster/pending_tasks | jq .
curl -X GET http://10.10.10.115:9200/_nodes | jq .
curl -X GET http://10.10.10.115:9200/_nodes/usage | jq .
curl -X GET http://10.10.10.115:9200/_nodes/stats | jq .
curl -X GET http://10.10.10.115:9200/_tasks | jq .
curl -X GET http://10.10.10.115:9200/_remote/info | jq .
curl -X GET http://10.10.10.115:9200/_security/user | jq .
curl -X GET http://10.10.10.115:9200/_security/privilege | jq .
curl -X GET http://10.10.10.115:9200/_security/role_mapping | jq .
curl -X GET http://10.10.10.115:9200/_security/role | jq .
curl -X GET http://10.10.10.115:9200/_security/api_key | jq .
# List all the indices (URL quoted so the shell does not treat ? as a glob)
curl -X GET 'http://10.10.10.115:9200/_cat/indices?v'
# Show an index's settings and mappings (what kind of data it holds)
curl -X GET 'http://10.10.10.115:9200/<index>'
curl -X GET http://10.10.10.115:9200/bank | jq .
# Dump the documents stored in an index
curl -X GET 'http://10.10.10.115:9200/<index>/_search?pretty=true'
# Write new index
curl -X POST '10.10.10.115:9200/h4rithd/books' -H 'Content-Type: application/json' -d'
{
"bookId" : "90A-3",
"author" : "h4rithd",
"publisher" : "h4rithd",
"name" : "h4rithd was there!"
}'
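A detection-side counterpart to the enumeration commands above, as an added example that is not part of the original page: it reads access logs from a reverse proxy placed in front of port 9200 and reports clients that touch several of the endpoint families listed here, with a count of requests that returned 200 with no logged user. The common-log-format layout, the function names `flag_es_enum` and `sample_log`, and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (assumed log format): proxy access log in common log format,
#   IP - USER [time zone] "METHOD /path HTTP/1.1" STATUS BYTES
# flag_es_enum MIN  reads such lines on stdin and prints, per client that hit
# at least MIN distinct endpoint families: "IP FAMILIES ANONYMOUS_200s".
flag_es_enum() {
  awk -v min="${1:-3}" '
    {
      ip = $1; p = $7
      sub(/\?.*/, "", p)          # drop query string such as ?v or ?pretty=true
      p = p "/"                   # so "/_cat" and "/_cat/indices" match alike
      if      (p ~ /^\/_(xpack\/)?security\//) fam = "security"
      else if (p ~ /^\/_cat\//)     fam = "cat"
      else if (p ~ /^\/_cluster\//) fam = "cluster"
      else if (p ~ /^\/_nodes\//)   fam = "nodes"
      else if (p ~ /^\/_tasks\//)   fam = "tasks"
      else if (p ~ /^\/_remote\//)  fam = "remote"
      else if (p ~ /\/_search\/$/)  fam = "search"
      else next                   # ordinary traffic, ignore
      if (!((ip, fam) in seen)) { seen[ip, fam] = 1; fams[ip]++ }
      if ($9 == 200 && $3 == "-") anon[ip]++   # succeeded with no logged user
    }
    END {
      for (ip in fams)
        if (fams[ip] >= min) printf "%s %d %d\n", ip, fams[ip], anon[ip] + 0
    }' | sort
}

# Constructed sample lines, documentation address ranges only.
sample_log() {
  cat <<'EOF'
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /_cat/indices?v HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /_security/user HTTP/1.1" 200 900
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /_nodes HTTP/1.1" 200 4096
203.0.113.7 - - [01/Jan/2024:10:00:04 +0000] "GET /_cluster/state HTTP/1.1" 200 8192
203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /bank/_search?pretty=true HTTP/1.1" 200 2048
198.51.100.20 - monitor [01/Jan/2024:10:01:00 +0000] "GET /_cluster/health HTTP/1.1" 200 300
198.51.100.20 - monitor [01/Jan/2024:10:02:00 +0000] "GET /_cluster/health HTTP/1.1" 200 300
192.0.2.44 - - [01/Jan/2024:10:03:00 +0000] "GET /_xpack/security/user HTTP/1.1" 401 120
192.0.2.44 - - [01/Jan/2024:10:03:01 +0000] "GET /_security/role HTTP/1.1" 401 120
192.0.2.44 - - [01/Jan/2024:10:03:02 +0000] "GET /_cat HTTP/1.1" 401 120
192.0.2.44 - - [01/Jan/2024:10:03:03 +0000] "GET /_nodes/stats HTTP/1.1" 401 120
EOF
}

sample_log | flag_es_enum 3
```

A non-zero third column means the client read cluster metadata without a user the proxy could log; requests authenticated by API key header also show `-` there, so confirm against the cluster's own audit log.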
Default creds
elastic (superuser) : changeme
remote_monitoring_user
beats_system
logstash_system
kibana
kibana_system
apm_system
_anonymous