# Kibana - Port 5601

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}

* Become VeryLazyTech [**member**](https://whop.com/verylazytech/)**! 🎁**
* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop** ](https://whop.com/verylazytech/)for e-books and courses.  📚
{% endtab %}
{% endtabs %}

## Basic info

Kibana is known for its ability to search and visualize data within Elasticsearch, typically running on port **5601**. It serves as the interface for the Elastic Stack cluster's monitoring, management, and security functions.

* **Default port:** `5601/tcp` (Kibana UI).

***

### Quick Recon

1. **Nmap**

```bash
nmap -sV -p5601 --script=http-title,http-headers <target>
nmap -p9200 -sV --script=http-elasticsearch* <target>
```

* Visit the UI in a browser: `http://<ip>:5601` or `https://<ip>:5601` and check the login flow.
* Check headers and cookies for session/auth patterns.

Look for response headers such as `kbn-name` and `kbn-version`, or a `server: nginx` header that indicates a reverse proxy in front of Kibana. Query Elasticsearch directly if it is reachable (9200):

```bash
curl -sI http://<ip>:9200/ | head -n 20
curl -s http://<ip>:9200/ | jq .
```

2. **Kibana UI discovery**

Open `http(s)://<ip>:5601/app/kibana` and `/app/management` to inspect login flow, SSO header usage, and presence of Console (`/app/dev_tools#/console`). The Console provides direct ES API access from the browser context.

3. **Mappings & indices**

If you can query ES, enumerate indices and mappings (important for finding credentials in logs or configs):

```bash
curl -s 'http://<ip>:9200/_cat/indices?v' | sed -n '1,200p'
curl -s 'http://<ip>:9200/<index>/_mapping?pretty' | jq '.'
```

Search for indices named `.*credential.*`, `.*auth.*`, `.*config.*`, `logs-*` or application names.

***

### Authentication & Configs to Inspect

Kibana authentication is typically backed by Elasticsearch security (X-Pack). If Elasticsearch has security disabled, Kibana often accepts anonymous access. Check `kibana.yml` for relevant settings (commonly at `/etc/kibana/kibana.yml`):

```yaml
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://localhost:9200"]
# Search for any hardcoded credentials or API keys
```

* The credentials in the config may belong to a user other than `kibana_system`; if so, they could grant broader Elasticsearch access than Kibana itself needs.

### Gaining Programmatic Access (safe methods to test)

#### 1) Kibana Console abuse (browser context)

If Kibana login is bypassed or you have a low-priv shell account, the Console (`/app/dev_tools#/console`) allows arbitrary ES queries executed with the Kibana service credentials. Use it to test data access and create API keys.

**Create an API key via the Kibana Console:**

```
POST _security/api_key
{
    "name": "test_key_from_console",
    "role_descriptors": { "rb": { "cluster": ["all"], "index": [{ "names": ["*"], "privileges": ["all"] }] } }
}
```

This returns an `id` and `api_key` you can use in `Authorization: ApiKey <base64(id:api_key)>` headers.
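The key created by the Console request above carries `cluster: ["all"]` and `privileges: ["all"]` on every index and never expires, which is exactly the kind of key a defender wants flagged before it is created or when it turns up in audit logs. The following linter is an added example (not code from the original page or from VeryLazyTech) that checks an API-key request body against a least-privilege policy; it embeds the two request bodies from this page as its inputs, and the sets of "broad" privileges it flags are this example's own choice, not an Elastic-defined list.

```python
import json

# The two request bodies shown on this page, embedded as strings for the linter to inspect.
# CONSOLE_BODY is the over-privileged Console example; CURL_BODY is the curl example.
CONSOLE_BODY = """{
  "name": "test_key_from_console",
  "role_descriptors": { "rb": { "cluster": ["all"], "index": [{ "names": ["*"], "privileges": ["all"] }] } }
}"""
CURL_BODY = ('{"name":"rk_key","expiration":"30d","role_descriptors":'
             '{"r":{"cluster":["monitor"],"index":[{"names":["*"],"privileges":["read"]}]}}}')

# Privileges this linter treats as "broad" (our policy choice, not an Elastic-defined set):
# cluster privileges that give administrative control, index privileges that allow modification.
BROAD_CLUSTER = {"all", "manage", "manage_security", "manage_api_key"}
BROAD_INDEX = {"all", "manage", "write", "index", "delete", "create"}


def lint_api_key_request(body):
    """Return a list of (severity, message) findings for a POST _security/api_key body."""
    req = json.loads(body)
    findings = []
    if "expiration" not in req:
        findings.append(("MEDIUM", "no expiration: key is valid until someone invalidates it"))
    descriptors = req.get("role_descriptors") or {}
    if not descriptors:
        # Elasticsearch gives a key without role_descriptors the full privileges of its creator.
        findings.append(("HIGH", "no role_descriptors: key inherits every privilege of the creating user"))
    for name, rd in descriptors.items():
        broad = BROAD_CLUSTER & set(rd.get("cluster", []))
        if broad:
            findings.append(("HIGH", f"{name}: cluster privileges {sorted(broad)}"))
        for entry in rd.get("index", []):
            names = entry.get("names", [])
            privs = set(entry.get("privileges", []))
            if "*" in names and privs & BROAD_INDEX:
                findings.append(("HIGH", f"{name}: {sorted(privs & BROAD_INDEX)} on all indices"))
            elif "*" in names:
                findings.append(("LOW", f"{name}: read-only, but across all indices"))
    return findings


def max_severity(findings):
    """Highest severity present, or 'NONE' for a clean request."""
    order = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}
    return max((sev for sev, _ in findings), key=order.get, default="NONE")


if __name__ == "__main__":
    for label, body in (("console", CONSOLE_BODY), ("curl", CURL_BODY)):
        findings = lint_api_key_request(body)
        print(f"{label}: {max_severity(findings)}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

The same check applies to keys that already exist: the `GET _security/api_key` response includes each key's `role_descriptors` and `expiration`, so feeding those objects through `lint_api_key_request` gives a quick inventory of over-privileged or non-expiring keys to invalidate.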

#### 2) Using Curl (if ES HTTP API reachable)

```bash
# list users
curl -s -u 'kibana_system:password' http://<ip>:9200/_security/user | jq '.'

# create API key (returns id & api_key)
curl -s -u kibana_system:password -X POST "http://<ip>:9200/_security/api_key" -H 'Content-Type: application/json' -d '{"name":"rk_key","expiration":"30d","role_descriptors":{"r":{"cluster":["monitor"],"index":[{"names":["*"],"privileges":["read"]}]}}}' | jq '.'
```

**Note:** If the credentials stored in `kibana.yml` are not scoped to the `kibana_system` role, they may give broader ES access than Kibana needs. Always check `kibana.yml` safely via a host shell if available.

***

### Offensive Checklist (if you gain access)

1. **Enumerate indices & data**

```bash
# Using curl against Elasticsearch if proxy/API access available
curl -s "http://localhost:9200/_cat/indices?v"
curl -s "http://localhost:9200/<index>/_search?size=50&q=*" | jq '.'
```

2. **Check Users / Roles / API Keys**

* In Kibana: Stack Management → Security → Users / Roles / API Keys
* If you can create API keys, you can pivot programmatically.

3. **Version & Known CVEs**

* Identify the Kibana/ES version (footer in the UI or `GET /` on ES) and search for known CVEs; for example, older versions (<6.6.0) had RCE bugs in certain plugins and features. Always verify against vendor advisories.

4. **Check for saved objects & visualizations that allow scripting**

* Visualizations and scripted fields can sometimes be abused to inject payloads or to expose sensitive fields.

***

### Post-Exploitation & Data Exfil

* Extract sensitive documents from indices (credentials, PII, logs). Use pagination and `_search` API to pull data.
* Create API keys or service users for long-lived access (audit logs permitting).

***

### Hardening & Defender Checklist

1. **Network controls**

* Block access to `5601/tcp` from public/untrusted networks. Use VPNs or management subnets for admin access.

2. **Enable authentication & TLS**

* Enable Elasticsearch security features (TLS + basic auth or SSO). Do not run ES without security in production.

3. **Least privilege**

* Ensure `kibana_system` is used only for Kibana, and admin users are limited.

4. **Keep versions patched**

* Upgrade to latest minor/major fixes; monitor Elastic advisories for RCE or privilege escalation CVEs.

5. **Audit & monitor**

* Enable audit logging and alert on new API keys, user creation, or unusual index export patterns.

6. **Config hygiene**

* Remove hardcoded credentials from `kibana.yml` or vault them. Avoid binding Kibana to `0.0.0.0` unless it is actually required.

Quick commands to enable basic safety:

```yaml
# Example: restrict bind address (kibana.yml)
server.host: "127.0.0.1"
```

```bash
# Or firewall rule
ufw deny from any to any port 5601 proto tcp
```
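The config checks from the "Authentication & Configs to Inspect" section and the "Config hygiene" item above boil down to a handful of `kibana.yml` keys. This script is an added example (not code from the original page or from VeryLazyTech) that parses the flat `key: value` form `kibana.yml` uses and reports the weak settings discussed here: binding to all interfaces, plaintext `http://` to Elasticsearch, a password hardcoded instead of kept in the Kibana keystore, a non-`kibana_system` service account, and disabled TLS verification. Both sample files are constructed for the example; the hostname `es01.internal` is made up, and the parser assumes no nested YAML mappings.

```python
import re

# Constructed sample files (not taken from any real host) used to exercise the checks.
WEAK_KIBANA_YML = """\
server.host: "0.0.0.0"
server.port: 5601
elasticsearch.hosts: ["http://localhost:9200"]
# service account Kibana uses to talk to Elasticsearch
elasticsearch.username: "kibana_system"
elasticsearch.password: "changeme"
elasticsearch.ssl.verificationMode: none
"""

HARDENED_KIBANA_YML = """\
server.host: "127.0.0.1"
server.port: 5601
elasticsearch.hosts: ["https://es01.internal:9200"]
elasticsearch.username: "kibana_system"
# the password lives in the Kibana keystore (bin/kibana-keystore), not in this file
"""


def parse_flat_yaml(text):
    """Parse the flat 'key: value' style of kibana.yml.

    Assumption: no nested mappings; lists are written inline as ["a", "b"]."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = re.sub(r"\s+#.*$", "", line)  # drop a trailing comment
        key, _, value = line.partition(":")
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            settings[key.strip()] = [v.strip().strip("'\"") for v in value[1:-1].split(",") if v.strip()]
        else:
            settings[key.strip()] = value.strip("'\"")
    return settings


def audit_kibana_yml(text):
    """Return findings as (severity, key, message) tuples, in a fixed check order."""
    s = parse_flat_yaml(text)
    findings = []
    if s.get("server.host") in ("0.0.0.0", "::"):
        findings.append(("HIGH", "server.host",
                         "Kibana listens on all interfaces; bind to a management address or 127.0.0.1 behind a proxy"))
    plaintext = [h for h in s.get("elasticsearch.hosts", []) if h.startswith("http://")]
    if plaintext:
        findings.append(("MEDIUM", "elasticsearch.hosts", f"plaintext connection to Elasticsearch: {plaintext}"))
    if "elasticsearch.password" in s:
        findings.append(("HIGH", "elasticsearch.password",
                         "credentials hardcoded in kibana.yml; move them to the Kibana keystore"))
    user = s.get("elasticsearch.username")
    if user and user != "kibana_system":
        findings.append(("HIGH", "elasticsearch.username",
                         f"Kibana connects as '{user}' instead of the dedicated kibana_system account"))
    if s.get("elasticsearch.ssl.verificationMode") == "none":
        findings.append(("MEDIUM", "elasticsearch.ssl.verificationMode", "TLS certificate verification disabled"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_KIBANA_YML), ("hardened", HARDENED_KIBANA_YML)):
        print(f"== {label} ==")
        for sev, key, msg in audit_kibana_yml(text):
            print(f"[{sev}] {key}: {msg}")
```

To run it against a real host, read `/etc/kibana/kibana.yml` (the usual location named earlier) into `audit_kibana_yml`; an empty result for the hardened sample shows what a clean file looks like.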

***

### Detection Ideas

* IDS/IPS: alert on connections to port 5601 from unusual sources.
* SIEM: flag high-volume `_search` requests or API key creation events.
* Network: block management-plane access to Elasticsearch/Kibana from the internet.
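The two SIEM ideas above (API key or user creation, and high-volume `_search` traffic) map directly onto the Elasticsearch JSON audit log. The following is an added example (not code from the original page or from VeryLazyTech) that runs both detections over constructed audit events. The field names used (`event.type`, `event.action`, `user.name`, `url.path`, `timestamp`) follow the Elasticsearch audit log format as the author of this example understands it; the timestamps are simplified to plain ISO 8601, the usernames and index names are made up, and the 100-requests-per-60-seconds threshold is an arbitrary starting point to tune per environment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# ---- constructed audit events (shaped like Elasticsearch's JSON audit log, not captured) ----
BASE = datetime(2024, 5, 1, 12, 0, 0)


def _ts(seconds):
    return (BASE + timedelta(seconds=seconds)).isoformat()


def _rest(ts, user, path):
    return json.dumps({"type": "audit", "timestamp": ts, "event.type": "rest",
                       "event.action": "authentication_success", "user.name": user, "url.path": path})


def _change(ts, user, action, detail):
    event = {"type": "audit", "timestamp": ts, "event.type": "security_config_change",
             "event.action": action, "user.name": user}
    event.update(detail)
    return json.dumps(event)


AUDIT_LINES = [
    _rest(_ts(0), "alice", "/app-logs/_search"),
    _rest(_ts(5), "alice", "/_cat/indices"),
    _change(_ts(30), "alice", "create_apikey", {"create": {"apikey": {"name": "test_key_from_console"}}}),
    _change(_ts(45), "alice", "put_user", {"put": {"user": {"name": "ops_tmp"}}}),
]
# 150 searches by one principal at two per second: the pagination-dump pattern to catch
AUDIT_LINES += [_rest(_ts(60 + i * 0.5), "svc_export", "/customers/_search") for i in range(150)]

# security_config_change actions that warrant an alert on their own (our policy choice)
SECURITY_CHANGE_ACTIONS = {"create_apikey", "put_user", "put_role", "change_password", "delete_user"}


def load_events(lines):
    """Parse one JSON audit event per line."""
    return [json.loads(line) for line in lines]


def security_change_alerts(events):
    """Every API key / user / role change is low volume and worth alerting on individually."""
    return [(e["user.name"], e["event.action"]) for e in events
            if e.get("event.type") == "security_config_change"
            and e.get("event.action") in SECURITY_CHANGE_ACTIONS]


def search_bursts(events, window_seconds=60, threshold=100):
    """Per user, the largest number of _search requests inside any sliding window;
    only users at or above the threshold are returned."""
    per_user = defaultdict(list)
    for e in events:
        if e.get("event.type") == "rest" and e.get("url.path", "").endswith("/_search"):
            per_user[e["user.name"]].append(datetime.fromisoformat(e["timestamp"]))
    bursts = {}
    for user, stamps in per_user.items():
        stamps.sort()
        start, best = 0, 0
        for end, t in enumerate(stamps):
            # slide the window start forward until it is within window_seconds of t
            while (t - stamps[start]).total_seconds() >= window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[user] = best
    return bursts


if __name__ == "__main__":
    events = load_events(AUDIT_LINES)
    for user, action in security_change_alerts(events):
        print(f"ALERT security change: {user} -> {action}")
    for user, count in search_bursts(events).items():
        print(f"ALERT search burst: {user} issued {count} _search requests within 60s")
```

The burst detector keys on `url.path`; in a real deployment the same window logic can be applied to Kibana's own proxy or reverse-proxy access logs if Elasticsearch audit logging is not enabled, since the high-volume `_search` pattern is visible there too.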

***

{% hint style="success" %}
Learn & practice [**For the Bug Bounty**](https://whop.com/verylazytech/)

{% endhint %}
