Ansible
Ansible is an infrastructure configuration engine that enables IT personnel to dynamically and automatically configure IT infrastructure and computing resources. It works through a “push” model where the Ansible controller connects to registered “nodes” and runs “modules” on them.
We can find the host inventory on the controller at /etc/ansible/hosts.
- Enumerating Ansible
Run the ansible command (once we have acces to a machine which runs it).
Check the existence of Ansible configuration files: ls /etc/ansible
Check the presence of “ansible” related usernames: grep ansible /etc/passwd
Detect Ansible-related log messages in the system’s syslog file: cat /var/log/syslog
Now that we know Ansible is installed on the target, let’s explore a few different attack vectors.
- Ad-hoc Commands
Ad-hoc commands are simple shell commands to be run on all, or a subset, of machines in the Ansible inventory. Typically, ad-hoc commands would be for one-off situations where we would want to run a command on multiple servers.
To run whoami command in all members of a group named "victims" (Check groups in ansible configuration files):
ansible victims -a "whoami"
If we want to run a command as root or a different user, we can use the --become parameter:
ansible victims -a "whoami" --become
- Ansible Playbooks
Playbooks allow sets of tasks to be scripted so they can be run routinely at points in time. This is useful for combining various setup tasks, such as adding user accounts and settings to a new server or updating large numbers of machines at once.
Playbooks are written using the YAML markup language.
If stored playbooks on the controller are in a world-readable location or we have access to the folder they’re stored in, we can search for hardcoded credentials, commonly located at /opt/playbooks/writefile.yaml.
If we find the !vault keyword, the value is vault-encrypted. As an attacker, we can copy the section of the encrypted payload above starting with “$ANSIBLE_VAULT” and attempt to crack it offline.
First download the .yaml file, then:
cat webserver.yaml | grep "ANSIBLE_VAULT" -A 5 | tr -d " " > vault-hash.txt
ansible2john vault-hash.txt > johned-vault-hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt johned-vault-hash.txt
Then, put the original hashed vault on your clipboard:
cat vault-hash.txt | xclip -selection c
Back on our controller, we can copy the original encrypted vault string into a text file and pipe it to ansible-vault decrypt. We’re prompted for our vault password (obtained with john) and then vault will provide us with the original, unencrypted password stored in the playbook for the target user.
echo "[CRTL+SHIFT+V]" > pw.txt
cat pw.txt | ansible-vault decrypt
The user name displayed may be an user in the web portal, a user in a related machine (see ansible hosts, etc/hosts, ssh/known_hosts, .bash_history, etc) or it may be the password for a related user.
- Weak Permissions on Ansible Playbooks
Another option we have at our disposal for exploiting Ansible environments is to take advantage of playbooks that we have write access to.
We can modify the file by adding few tasks to it:
First we add before the tasks value:
Then, in tasks we add (The last task copies our public key):
If we want to run shell commands directly in the target machine we could add:
- Sensitive Data Leakage via Ansible Modules
Example:
cat mysqlbackup.yml
cat /var/log/syslog
Last updated