Sometimes while doing a pentest, we may also come across some of the services running on various port numbers. One such service is what we will cover in this recipe. Elasticsearch is a Java-based open source search enterprise engine. It can be used to search any kinds of documents in real time.
In 2015, an RCE exploit came for Elasticsearch, which allowed hackers to bypass the sandbox and execute remote commands. Let's see how it can be done.
The following steps demonstrate the exploitation of Elasticsearch:
- The default port is
9200
for Elasticsearch. We start the Metasploit console:
- We search for the Elasticsearch exploit using this command:
search elasticsearch
The following screenshot shows the output for the preceding command:
- We choose the exploit in this case:
use exploit/multi/elasticsearch/search_groovy_script
The following screenshot shows the output for the preceding command:
- We set RHOST using the
set RHOST x.x.x.x
command:
- We run the following...