# Exploitation 4

<figure><img src="https://382757542-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfAxmqRz869b0dQQ6DjHW%2Fuploads%2FKU3AAErvegiUvXxRzdna%2Fexploitation4.png?alt=media&#x26;token=e53c0817-e20f-4824-910d-a0928be92bde" alt=""><figcaption></figcaption></figure>

This challenge requires us to read the /flag.txt file

During our enumeration we found the **Elasticsearch Directory Traversal (CVE-2015-5531)** vulnerabilities

Description: Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.

<figure><img src="https://382757542-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfAxmqRz869b0dQQ6DjHW%2Fuploads%2F5GPq5k5ftRG3JnJXJ2fX%2Fexploitation4_1.png?alt=media&#x26;token=d2969578-e785-4481-87dd-2e7853b38440" alt=""><figcaption></figcaption></figure>

We change the path to /flag.txt to read the file. But we got encoded data.

<figure><img src="https://382757542-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfAxmqRz869b0dQQ6DjHW%2Fuploads%2FKKaRq7G8nNEHEOFcgLFw%2Fexploitation4_2.png?alt=media&#x26;token=9f02bd27-a3ab-4154-9a71-4f81cda2fca3" alt=""><figcaption></figcaption></figure>

We used some online decoding tools to decode the data from decimal into ascii.

<figure><img src="https://382757542-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfAxmqRz869b0dQQ6DjHW%2Fuploads%2FwzpuRFUsGqqBCEoySXUx%2Fexploitation4_3.png?alt=media&#x26;token=594bc01e-d3a7-4278-a831-96f950f8b473" alt=""><figcaption></figcaption></figure>

<figure><img src="https://382757542-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfAxmqRz869b0dQQ6DjHW%2Fuploads%2F4eGQSRCfGYjsT6TgaY8B%2Fexploitation4_4.png?alt=media&#x26;token=573ca7bc-9eee-4def-a144-5d82381f4357" alt=""><figcaption></figcaption></figure>

Flag: ***RC15{J5ekuUdMY7BLZmktYCXzWZhZZ4J3W8pv}***