While iterating through subdomains I got a response like
Judging by the domain it was clearly an AWS instance of OpenSearch running ElasticSearch. I knew a bit about this, but decided to learn more.
There was only one disclosed Hackerone report talking about such a thing: https://hackerone.com/reports/2231261
roland_hack points to using tools like elasticsearch-dump (NPM) and estk (Go). I fired up the dump tool to see what I’d find.
elasticdump --input=https://domain.com/list --output temp222.txt
It spit out a starting dump line and decided to sit for a few hours and never do anything again. So either the tool is dumb, or I am dumb.
Not willing to admit I’m the dumb one, I moved on to estk, which was supposed to be a handy tool to get all the indices of the ES via estk dump -h
Well, like all BugBounty folks, my Go environment is a mess and I didn’t feel like spending an hour cleaning it up.
Certainly there had to be a better way.
Some googling led me to: https://ghostlulz.com/elastic-search/
And he told me about /_cat/indices?v and /_all/_search?q=email
Boom
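As an added, defender-side example that is not part of the original post: a small Python checker that scans reverse-proxy access log lines for an OpenSearch/Elasticsearch domain and flags successful anonymous requests to the index-listing and cluster-wide search endpoints named above, which is exactly what a domain reachable without authentication looks like from the log side. The log format, IP addresses, index names and user names are constructed assumptions.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample lines in combined-log format, as a reverse proxy or load balancer
# in front of an OpenSearch/Elasticsearch domain might emit them (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /_cat/indices?v HTTP/1.1" 200 1843
203.0.113.7 - - [12/Mar/2024:10:01:09 +0000] "GET /_all/_search?q=email HTTP/1.1" 200 92311
10.0.3.14 - svc-indexer [12/Mar/2024:10:02:00 +0000] "POST /orders/_doc HTTP/1.1" 201 118
198.51.100.5 - - [12/Mar/2024:10:03:30 +0000] "GET /_all/_search?q=email HTTP/1.1" 401 0
10.0.3.14 - svc-reports [12/Mar/2024:10:04:11 +0000] "GET /orders/_search?q=status:paid HTTP/1.1" 200 4410
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)
# Read-side endpoints that enumerate indices or search documents.
ENUM_RE = re.compile(r'^/_cat/(?:indices|aliases|shards)$')
SEARCH_RE = re.compile(r'^/(?:(?P<index>[^/]+)/)?_search$')

def classify(path: str) -> Optional[str]:
    """Label a request path as index enumeration, cluster-wide search, per-index search, or None."""
    if ENUM_RE.match(path):
        return "index-enumeration"
    m = SEARCH_RE.match(path)
    if not m:
        return None
    index = m.group("index")
    # No index, _all, or a wildcard means every index in the cluster is searched.
    return "bulk-search" if index in (None, "_all", "*") else "index-search"

def find_unauthenticated_reads(log_text: str) -> list:
    """Return successful (2xx) enumeration/search requests that carried no authenticated user."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guess at them
        parts = urlsplit(m["target"])
        label = classify(parts.path)
        anonymous = m["user"] == "-"
        succeeded = m["status"].startswith("2")
        if label and anonymous and succeeded:
            findings.append({"ip": m["ip"], "path": parts.path, "query": parts.query, "label": label})
    return findings
```

A 401 on the same endpoint (line four of the sample) is the expected, healthy outcome and is deliberately not flagged; only anonymous 2xx hits indicate exposure.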
After the fact I found this Medium article that has a ton of great info: https://systemweakness.com/elasticsearch-a-easy-win-for-bug-bounty-hunters-how-to-find-and-report-ddd900395bcb