During a recent engagement, we came across an old outdated instance of the
Kibana software. It was affected by two severe public vulnerabilities (CVE-2018-17246 and CVE-2019-7609).
However, in the context, none of them was readily exploitable. In this article,
we describe how we managed to takeover the software all the same, with a new
Don't expect any 0-dayz dropping in the following, only a new way to exploit two already known issues.