TryHackMe: Advent of Cyber [Day 24] Elf Stalk

Room: Advent of Cyber

Difficulty: Beginner

“McDatabaseAdmin has been trying out some new storage technology and came across the ELK stack (consisting of Elastic Search, Kibana and Log Stash).

The Christmas Monster found this insecurely configured instance and locked McDatabaseAdmin out of it. Can McSkidy help to retrieve the lost data?

While this task does not have supporting material, here is a general approach on how to go about this challenge:

  • Scan the machine to look for open ports (specific to services running as well)
  • As with any database enumeration, check if the database requires authentication. If not, enumerate the database to check the tables and records
  • For other open ports, identify misconfigurations or public exploits based on version numbers”

Question #1 Find the password in the database

The first thing I did was a couple of very thorough nmap scans:

So other than the usual ports, we have:

Port 5601 Kibana

Port 8000 SimpleHTTPServer that contains a Kibana log file:

Port 9200 Elasticsearch API calls

Port 9300 Elasticsearch Communication (SOURCE)

Hmm, so what is Elasticsearch and Kibana? From what I understand after all this Googling, it’s kind of like a search engine duo. One helps you search and the other helps you make sense of the data.

I found this page HERE, which tells you how to traverse the database. I am now going to try and search for the password that we need:

Looks like it worked!

It does look pretty disheveled though, so I am going to try to find a way to make it more organized:

HERE we go:

You can read the answer to Question #1 in that output.

Question #2 Read the contents of the /root.txt file

We know we need to look for some type of exploit here. I did try to use SSH with that person’s credentials out of curiosity, but it did not work:

Let’s find out which version of Kibana we have and look for an exploit:

That GitHub page shows you a method for using an LFI exploit. If you just throw that path into the browser (with root.txt appended to the end), nothing will appear to happen:

BUT, if you head over to that Kibana log page we found earlier, there is now a bunch of output at the bottom. Specifically, an error message that displays the contents of the file.
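The Kibana log being served from that open SimpleHTTPServer on port 8000 is what exposed the file contents, but from the defender's side the same log is where the traversal attempt shows up. As an added example, not part of the original writeup, the script below scans Kibana-style JSON log lines for traversal sequences in (repeatedly) URL-decoded request paths and for error entries that echo such a path; the log lines, endpoint name and addresses are constructed and the format is simplified.

```python
import json
import re
from urllib.parse import unquote

# Constructed sample lines in a simplified Kibana JSON log format (not from the room).
SAMPLE_LOG = """\
{"type":"response","@timestamp":"2019-12-24T10:00:01Z","statusCode":200,"req":{"url":"/app/kibana","method":"get","remoteAddress":"10.0.0.5"}}
{"type":"response","@timestamp":"2019-12-24T10:00:02Z","statusCode":200,"req":{"url":"/api/saved_objects/_find?type=index-pattern","method":"get","remoteAddress":"10.0.0.5"}}
{"type":"response","@timestamp":"2019-12-24T10:00:03Z","statusCode":500,"req":{"url":"/api/example?file=..%2F..%2F..%2F..%2Froot.txt","method":"get","remoteAddress":"10.0.0.9"}}
{"type":"response","@timestamp":"2019-12-24T10:00:04Z","statusCode":500,"req":{"url":"/api/example?file=%252e%252e%252fetc%252fpasswd","method":"get","remoteAddress":"10.0.0.9"}}
{"type":"error","@timestamp":"2019-12-24T10:00:04Z","level":"error","message":"SyntaxError: Unexpected token in ../../../../root.txt"}
"""

TRAVERSAL = re.compile(r"\.\.[/\\]")  # "../" or "..\" after decoding

def decode_fully(value, rounds=3):
    """URL-decode up to `rounds` times so double-encoded traversal is caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal(log_text):
    """Return one dict per log line that shows a traversal attempt or its fallout."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON lines (e.g. stack traces) are skipped, not fatal
        if entry.get("type") == "response":
            req = entry.get("req", {})
            url = decode_fully(req.get("url", ""))
            if TRAVERSAL.search(url):
                hits.append({"ts": entry.get("@timestamp"), "kind": "request",
                             "source": req.get("remoteAddress"), "url": url,
                             "status": entry.get("statusCode")})
        elif entry.get("type") == "error" and TRAVERSAL.search(entry.get("message", "")):
            # Error entries echo the offending path and may leak the file's contents.
            hits.append({"ts": entry.get("@timestamp"), "kind": "error",
                         "message": entry["message"]})
    return hits

if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(hit)
```

A 500 response paired with a traversal path, followed by an error entry quoting the same path, is the pattern worth alerting on; the fix on the server side is to keep that log off an unauthenticated web share and patch Kibana.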

This is the end of my Advent of Cyber challenges! I started these almost two months ago and have learned a lot. I’m excited to see if there will be another that I can do live this holiday season.

Happy Hacking! ❤
