Logstash

​☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥​
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs​
Get the official PEASS & HackTricks swag​
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦​@carlospolopm.
Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
Basic Information
Logstash is used for collecting, transforming and outputting logs. This is realized by using pipelines, which contain input, filter and output modules. The service gets interesting when having compromised a machine which is running Logstash as a service.
Pipelines
The pipeline configuration file /etc/logstash/pipelines.yml specifies the locations of active pipelines:
# This file is where you define your pipelines. You can define multiple.
# For more information on multiple pipelines, see the documentation:
# https://www.elastic.co/guide/en/logstash/current/multiple-pipelines.html
​
- pipeline.id: main
  path.config: "/etc/logstash/conf.d/*.conf"
- pipeline.id: example
  path.config: "/usr/share/logstash/pipeline/1*.conf"
  pipeline.workers: 6
In here you can find the paths to the .conf files, which contain the configured pipelines. If the Elasticsearch output module is used, pipelines are likely to contain valid credentials for an Elasticsearch instance. Those credentials have often more privileges, since Logstash has to write data to Elasticsearch. If wildcards are used, Logstash tries to run all pipelines located in that folder matching the wildcard.
Privesc with writable pipelines
Before trying to elevate your own privileges you should check which user is running the logstash service, since this will be the user, you will be owning afterwards. Per default the logstash service runs with the privileges of the logstash user.
Check whether you have one of the required rights:
You have write permissions on a pipeline .conf file or
/etc/logstash/pipelines.yml contains a wildcard and you are allowed to write into the specified folder
Further one of the requirements must be met:
You are able to restart the logstash service or
/etc/logstash/logstash.yml contains the entry config.reload.automatic: true
If a wildcard is specified, try to create a file matching that wildcard. Following content can be written into the file to execute commands:
input {
  exec {
    command => "whoami"
    interval => 120
  }
}
​
output {
  file {
    path => "/tmp/output.log"
    codec => rubydebug
  }
}
The interval specifies the time in seconds. In this example the whoami command is executed every 120 seconds. The output of the command is saved into /tmp/output.log.
If /etc/logstash/logstash.yml contains the entry config.reload.automatic: true you only have to wait until the command gets executed, since Logstash will automatically recognize new pipeline configuration files or any changes in existing pipeline configurations. Otherwise trigger a restart of the logstash service.
If no wildcard is used, you can apply those changes to an existing pipeline configuration. Make sure you do not break things!
References
​https://insinuator.net/2021/01/pentesting-the-elk-stack/​
​☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥​
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Discover The PEASS Family, our collection of exclusive NFTs​
Get the official PEASS & HackTricks swag​
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦​@carlospolopm.
Share your hacking tricks by submitting PRs to the hacktricks repo and hacktricks-cloud repo.
euid, ruid, suid
Node inspector/CEF debug abuse
Last modified 4mo ago