Exploiting ElasticSearch Misconfigurations
Through the previous misconfigurations, I should have full access to the Elasticsearch database. Let’s see and exploit.

Reconnaissance of the database:

    curl -X GET "http://192.168.83.140:9200"
    curl -X GET "http://192.168.83.140:9200/_cat/indices?v"

_cat/indices: This is the API command to list all indices.
?v: This makes the output “verbose” (shows headers), so it’s easy to read.

Why it’s dangerous: This tells the attacker the names of all your databases (indices), such as prod-users or customer-logs.

EXPLANATION OF THE INFO GATHERED FROM THE FIRST COMMAND:

"name" : "DC1" ...
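A defender-side check for the two requests shown above, as an added example that is not part of the original post: it scans access-log lines for unauthenticated, successful reads of the cluster banner and the index listing. The log format (a reverse proxy in front of Elasticsearch writing combined-log-style lines), the sample lines, and the name `find_anonymous_enumeration` are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed format: combined-log-style lines from a reverse proxy in front of Elasticsearch.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# The two endpoints requested on this page: cluster banner and index listing.
ENUM_PATHS = {"/", "/_cat/indices"}

# Constructed sample log (documentation IP ranges, hypothetical service account).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 540
203.0.113.7 - - [10/Mar/2025:10:00:03 +0000] "GET /_cat/indices?v HTTP/1.1" 200 912
198.51.100.4 - svc_kibana [10/Mar/2025:10:00:05 +0000] "GET /_cat/indices?v HTTP/1.1" 200 912
198.51.100.9 - - [10/Mar/2025:10:00:07 +0000] "GET /_cat/indices HTTP/1.1" 401 120
this line is malformed and must be skipped
"""

def find_anonymous_enumeration(log_text):
    """Return {client_ip: [paths]} for unauthenticated, successful enumeration reads."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not parse
        # Drop the query string (?v) and any trailing slash before comparing.
        path = urlsplit(m["target"]).path.rstrip("/") or "/"
        anonymous = m["user"] == "-"           # no authenticated user recorded
        succeeded = m["status"].startswith("2")  # a 401/403 means auth was enforced
        if m["method"] == "GET" and path in ENUM_PATHS and anonymous and succeeded:
            hits[m["ip"]].append(path)
    return dict(hits)

if __name__ == "__main__":
    for ip, paths in find_anonymous_enumeration(SAMPLE_LOG).items():
        print(f"ALERT {ip}: anonymous read of {', '.join(paths)}")
```

A hit means the node answered these requests without credentials; the authenticated request and the one rejected with 401 are not reported.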