ELK

Elasticsearch

Check status

curl

curl -X GET "ELASTICSEARCH-SERVER:9200/"

Check Auth enabled

curl

curl -X GET "ELASTICSEARCH-SERVER:9200/_xpack/security/user"

Users

• elastic:changeme

• kibana_system

• logstash_system

• beats_system

• apm_system

• remote_monitoring_user

Other endpoints

curl

/_cluster/health
/_cat/indices
/_cat/health

Interesting endpoints (BE CAREFUL)

Show endpoints

/_shutdown
/_cluster/nodes/_master/_shutdown
/_cluster/nodes/_shutdown
/_cluster/nodes/_all/_shutdown

---

With creds

Using the API key

curl

curl -H "Authorization: ApiKey <API-KEY>" ELASTICSEARCH-SERVER:9200/

Get more information about the rights of a user

curl

curl -X GET "ELASTICSEARCH-SERVER:9200/_security/user/<USERNAME>"

List all users on the system

curl

curl -X GET "ELASTICSEARCH-SERVER:9200/_security/user"

List all roles on the system

curl

curl -X GET "ELASTICSEARCH-SERVER:9200/_security/role"

---

Internal config files

• Elasticsearch configuration: /etc/elasticsearch/elasticsearch.yml

• Kibana configuration: /etc/kibana/kibana.yml

• Logstash configuration: /etc/logstash/logstash.yml

• Filebeat configuration: /etc/filebeat/filebeat.yml

• Users file: /etc/elasticsearch/users_roles

---

Kibana

Basic

• Port: 5601

• Config file & users: /etc/kibana/kibana.yml

• Try also with user: kibana_system

Version < 6.6.0 = RCE (https://github.com/LandGrey/CVE-2019-7609/)

---

Logstash

Basic

• Pipelines config: /etc/logstash/pipelines.yml

• Check pipelines for this property: "config.reload.automatic: true"

If a file wildcard is specified, a sample pipeline that executes a command and writes to a file might look like:

logstash pipeline example

input {
  exec {
    command => "whoami"
    interval => 120
  }
}

output {
  file {
    path => "/tmp/output.log"
    codec => rubydebug
  }
}