Directory traversal vulnerability in Elasticsearch allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.
Flag format: CTF{sha256}
CTF{265b92ed0091f139fdcd438196426f205fed9b14bce765bafd8344b1d96183e5}
Exploit CVE-2015-5531 using the Metasploit Framework.
When we enter the given web address, the GET response is the following JSON:
{
  "status" : 200,
  "name" : "Black King",
  "version" : {
    "number" : "1.3.4",
    "build_hash" : "a70f3ccb52200f8f2c87e9c370c6597448eb3e45",
    "build_timestamp" : "2014-09-30T09:07:17Z",
    "build_snapshot" : false,
    "lucene_version" : "4.9"
  },
  "tagline" : "You Know, for Search"
}
First (even though it was not needed), I tried to upload a file to Elasticsearch to test whether it is possible to upload an exploit (and it looks like it was):
The actual vulnerability of Elasticsearch was this: https://www.exploit-db.com/exploits/38383. So I exploited it with the Metasploit Framework (https://github.com/pandujar/elasticpwn/blob/master/README-CVE-2015-5531.md).
Extraction of the “/etc/passwd” file is the default setting. However, it also contained the flag:
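The root cause behind this challenge is that a snapshot repository location supplied by the client was not confined to an allowed directory, so a path containing ".." segments could reach files such as /etc/passwd. The following Python snippet is an added, defensive illustration of that failure mode; it is not code from this writeup, from Elasticsearch, or from the exploit module. It places a naive prefix check beside a containment check that normalises the path first, in the spirit of the path.repo restriction later Elasticsearch versions apply. The directory names in ALLOWED_REPO_ROOTS and all sample paths are constructed for the example.

```python
import os
from pathlib import PurePosixPath
from typing import Optional, Sequence

# Constructed example: directories a snapshot repository may legitimately live in.
# In Elasticsearch this role is played by the path.repo setting; the values here
# are assumed for illustration only.
ALLOWED_REPO_ROOTS = ("/var/lib/elasticsearch/backups", "/mnt/backups")


def naive_location_check(location: str, roots: Sequence[str] = ALLOWED_REPO_ROOTS) -> bool:
    """Weak check: a plain string-prefix test on the raw client-supplied path.

    It is fooled by '..' segments (the traversal case) and by sibling names that
    merely share the prefix, e.g. '/mnt/backups-evil'.
    """
    return any(location.startswith(root) for root in roots)


def resolve_location(location: str, roots: Sequence[str] = ALLOWED_REPO_ROOTS) -> Optional[str]:
    """Hardened check: lexically normalise the path, then require it to be the
    allowed root itself or a descendant of it.

    Returns the normalised absolute path when it is contained, otherwise None.
    Purely lexical (no filesystem access), so it runs offline; see
    contained_on_disk() for the symlink-aware variant.
    """
    path = PurePosixPath(location)
    if not path.is_absolute():
        return None  # a repository location must be absolute

    # Resolve '.' and '..' segments ourselves; PurePosixPath does not collapse '..'.
    segments = []
    for seg in path.parts[1:]:
        if seg == "..":
            if not segments:
                return None  # tried to climb above '/'; reject outright
            segments.pop()
        elif seg not in ("", "."):
            segments.append(seg)
    normalised = PurePosixPath("/", *segments)

    for root in roots:
        root_path = PurePosixPath(root)
        if normalised == root_path or root_path in normalised.parents:
            return str(normalised)
    return None


def contained_on_disk(location: str, roots: Sequence[str] = ALLOWED_REPO_ROOTS) -> bool:
    """Filesystem-aware variant: follow symlinks via realpath before comparing,
    so a link planted inside the root cannot point outside it.

    Depends on the live filesystem, so it is shown for completeness rather than
    exercised by the offline demo below.
    """
    real = os.path.realpath(location)
    for root in roots:
        real_root = os.path.realpath(root)
        if os.path.commonpath([real_root, real]) == real_root:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample locations, including the traversal and sibling-prefix cases.
    samples = [
        "/var/lib/elasticsearch/backups/daily",
        "/var/lib/elasticsearch/backups/../../../../etc",
        "/var/lib/elasticsearch/backups-evil",
        "/mnt/backups/./weekly//x",
        "relative/backups",
    ]
    for s in samples:
        print(f"{s!r:55} naive={naive_location_check(s)!s:5} hardened={resolve_location(s)}")
```

Running the demo shows the naive check accepting both the traversal path and the look-alike sibling directory, while the hardened check accepts only paths that normalise to somewhere inside an allowed root. A real deployment should combine the lexical check with the realpath-based one, since the lexical form cannot see symlinks.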