Ansible Playbook Privilege Escalation
Ansible Playbooks are lists of tasks that automatically execute against hosts.
PrivEsc with Tasks
First off, check the content of playbook in /opt/ansible/playbooks
.
For instance, a file named “httpd.yaml”.
Next, check the content of configure files in /opt/ansible/roles/geerlingguy.apache/tasks
.
And add the exploitable file in this.
For example, a file named “shell.yml”
.
Create a exploit for reverse shell.
Then open a listener in local machine.
At the end, execute “ansible”
PrivEsc with Automation Task
If the target system runs automation tasks with Ansible Playbook as root and we have write permission of task files (tasks/
), we can inject arbitrary commands in yaml file.
For example, create a new file /opt/ansible/tasks/evil.yaml
.
After a while, we can escalate the root privilege by executing the following command.
Last updated