Elasticsearch
aka ELK, elastic
Search/analytics store on 9200, commonly exposed without auth. An open cluster lets you dump every index, which often contains credentials and PII; old versions add script RCE.
Ports
| Port | Proto | Notes |
|---|---|---|
| 9200 | tcp | REST API (HTTP) |
| 9300 | tcp | transport (node-to-node) |
Fingerprint
- GET / returns cluster JSON with the tagline "You Know, for Search"
- GET /_cat/indices lists all indices
Key files
| Path | Holds | Sensitive |
|---|---|---|
| /etc/elasticsearch/elasticsearch.yml | cluster config and security settings | |
Default / weak creds
none when X-Pack security is disabled
Service users
elasticsearch
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2015-1427 | Groovy sandbox bypass RCE via the _search API |
| CVE-2014-3120 | MVEL dynamic-script RCE |
Exploitation primitives
- Unauthenticated: list indices and dump documents (creds, tokens, PII)
- Legacy script RCE (Groovy/MVEL) on old, unpatched clusters
Overview
Elasticsearch on 9200 frequently ships with security off, so the whole cluster is one HTTP request away. The indices are the prize, and ancient versions add scripted RCE.
Enumeration
Cluster info:
curl -s http://<TARGET>:9200/
List indices:
curl -s http://<TARGET>:9200/_cat/indices?v
Dump documents from an index:
curl -s "http://<TARGET>:9200/<index>/_search?pretty&size=100"
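The three requests above are exactly what an open cluster's access log looks like from the defender's side. The following added example (not part of this card) runs a small detector over constructed combined-style access-log lines; it assumes a reverse proxy sits in front of port 9200 and records the HTTP basic-auth user in the third field, and that 10.0.0.0/8 and 192.168.0.0/16 are the internal ranges. It flags successful, unauthenticated requests from outside those ranges to enumeration (_cat, _cluster) and document-read (_search, _all) endpoints.

```python
import ipaddress
import re

# Constructed sample lines (not real traffic): one external source hits the
# banner, lists indices, then pulls documents, all without credentials.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /_cat/indices?v HTTP/1.1" 200 2048
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /users/_search?pretty&size=100 HTTP/1.1" 200 98304
10.0.0.5 - kibana [01/Jan/2024:10:00:04 +0000] "GET /logs-2024/_search HTTP/1.1" 200 1024
203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "POST /_search HTTP/1.1" 200 256
"""

# Assumed log shape: client ip, ident, auth user, timestamp, request, status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Assumed internal address space; anything else is treated as external.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(ip):
    """True when the client address falls inside an assumed internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def classify(path):
    """Map a request path to a finding reason, or None when it is not interesting."""
    if path.startswith(("/_cat/", "/_cluster/")):
        return "cluster enumeration"
    if "/_search" in path or path.startswith("/_all/"):
        return "document read"
    return None  # the bare banner (GET /) is too noisy to alert on alone


def detect_open_cluster_access(log_text):
    """Return findings for successful, unauthenticated, external hits on sensitive paths."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "200":
            continue
        reason = classify(m["path"])
        if reason is None:
            continue
        unauthenticated = m["user"] == "-"
        if unauthenticated and not is_internal(m["ip"]):
            findings.append({
                "ip": m["ip"],
                "path": m["path"],
                "reason": reason,
                "bytes": int(m["size"]),
            })
    return findings


if __name__ == "__main__":
    for f in detect_open_cluster_access(SAMPLE_LOG):
        print(f"{f['ip']} {f['reason']:20} {f['path']} ({f['bytes']} bytes)")
```

The response size is carried along on purpose: a single _search returning tens of kilobytes from an unauthenticated external client is the signature of an index dump rather than a probe.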
Hardening
Enable the built-in security (auth + TLS), bind to localhost, and patch legacy script-execution CVEs.
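To make the hardening line checkable, here is an added example (not from this card) that audits an elasticsearch.yml for the weak settings this page is about: security off, bound beyond loopback, plaintext HTTP/transport, and the legacy dynamic-scripting knobs behind the Groovy/MVEL RCEs. Both configs are constructed; the parser assumes the flat "dotted.key: value" layout that elasticsearch.yml normally uses, and an absent xpack.security.enabled is treated as disabled, which matches 6.x/7.x basic clusters and is conservative for 8.x where the default is enabled.

```python
# Constructed weak config: the state this card describes as "security off".
WEAK_CONFIG = """\
cluster.name: prod-search
network.host: 0.0.0.0        # listens on every interface
http.port: 9200
xpack.security.enabled: false
script.inline: on            # legacy 2.x dynamic scripting switch
"""

# Constructed hardened config: auth on, TLS on both listeners, loopback only.
HARDENED_CONFIG = """\
cluster.name: prod-search
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

FALSY = {"false", "no", "off", "0"}
TRUTHY = {"true", "yes", "on", "1"}
LOOPBACK = {"127.0.0.1", "localhost", "_local_", "::1"}


def parse_flat_yaml(text):
    """Minimal parser for flat 'key: value' lines; comments and blanks are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'").lower()
    return settings


def audit(text):
    """Return a list of human-readable findings for an elasticsearch.yml body."""
    s = parse_flat_yaml(text)
    findings = []

    # Assumption: absent xpack.security.enabled is treated as disabled.
    if s.get("xpack.security.enabled", "false") in FALSY:
        findings.append("authentication disabled (xpack.security.enabled false or absent)")

    host = s.get("network.host", "127.0.0.1")  # default binding is loopback
    if host not in LOOPBACK:
        findings.append(f"bound to a non-loopback address ({host}); 9200/9300 reachable remotely")

    for key in ("xpack.security.http.ssl.enabled",
                "xpack.security.transport.ssl.enabled"):
        if s.get(key, "false") in FALSY:
            findings.append(f"{key} false or absent (plaintext)")

    # Legacy script settings from the 1.x/2.x era tied to CVE-2014-3120 / CVE-2015-1427.
    if s.get("script.inline") in TRUTHY:
        findings.append("dynamic inline scripting enabled (script.inline)")
    if s.get("script.disable_dynamic") in FALSY:
        findings.append("dynamic scripting explicitly allowed (script.disable_dynamic: false)")
    if s.get("script.groovy.sandbox.enabled") in TRUTHY:
        findings.append("Groovy sandbox enabled (script.groovy.sandbox.enabled)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}:")
        for f in audit(cfg) or ["no findings"]:
            print("  -", f)
```

Run it against the real file with audit(open("/etc/elasticsearch/elasticsearch.yml").read()); a clean result still says nothing about the version, so patch level has to be checked separately against the CVEs listed above.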