Skip to content

Commit

Permalink
Add rancher installation docs
Browse files Browse the repository at this point in the history
  • Loading branch information
smcintyre-r7 committed Apr 19, 2024
1 parent 244c901 commit d93b97d
Show file tree
Hide file tree
Showing 2 changed files with 39 additions and 4 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,42 @@ version of those sensitive data.

### Install

https://github.com/fe-ax/tf-cve-2021-36782
* Clone the repository from: https://github.com/fe-ax/tf-cve-2021-36782
* Create a Digital Ocean API Token
* Log into Digital Ocean and navigate to: API > Tokens
* Select "Generate New Token"
* Enter a token name and then select either Full Access or Custom Scopes
* If selecting Custom Scopes, use the values provided below
* Back in the `tf-cve-2021-36782`, copy the `example.tfvars` file to `yourown.tfvars`
* Edit `yourown.tfvars` and add the newly generated DO API token as `do_token`
* Optionally set the region for the clusters to one closer to you (e.g. `nyc3`)
* Run `terraform init`
* Run `terraform apply -var-file yourown.tfvars`, this can take about 20 minutes to run
* Take the hostname from the `rancher_admin_url` output from terraform and use that as the `RHOST` value for the module
* Take the password from the `rancher_password` file and use that with the username "admin" for the module

#### Digital Ocean API Token Custom Scopes
It's possible that there are unnecessary privileges contained within the following settings, however it does permit the
test environment to start without a full access token.

* Fully Scoped Access:
* 1click (2): create, read
* account (1): read
* actions (1): read
* billing (1): read
* kubernetes (5): create, read, update, delete, access_cluster
* load_balancer (4): create, read, update, delete
* monitoring (4): create, read, update, delete
* project (4): create, read, update, delete
* regions (1): read
* registry (4): create, read, update, delete
* sizes (1): read
* Create Access:
* app / droplet / firewall / ssh_key
* Read Access:
* app / block_storage / block_storage_action / block_storage_snapshot / cdn / certificate / database / domain / droplet / firewall / function / image / reserved_ip / snapshot / ssh_key / tag / uptime / vpc
* Update Access:
* ssh_key

## Verification Steps

Expand Down Expand Up @@ -80,4 +115,4 @@ msf6 auxiliary(gather/rancher_authenticated_api_cred_exposure) > run
[*] Auxiliary module execution completed
```

The [Cluster.Status.ServiceAccountToken](https://jwt.io/#debugger-io?token=eyJhbGciOiJSUzI1NiIsImtpZCI6IndsUHhqR1pxX1dSbkFwVG92SFZ1RWV5WDNjbktDTmhZRVUtOFhWY2gyQ0kifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJjYXR0bGUtc3lzdGVtIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImtvbnRhaW5lci1lbmdpbmUtdG9rZW4taG52eG4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoia29udGFpbmVyLWVuZ2luZSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjgyOWZiN2FiLTA0NzItNDA1ZC1iOWI4LTRmNjhjYmZhNDAyMyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpjYXR0bGUtc3lzdGVtOmtvbnRhaW5lci1lbmdpbmUifQ.URiTKnslommru1NDTq-ClcSc9DBsQwr4_eqSCfksoIeGACwYKK3kPCxe0aVixOkWK9saFTcR46bEz7Of4BfMjUShBl89zSmaGHmlNvYd2sLssWMXbcQInC4Y7Ckti49VbBFoU5EWe-LBSiNrhZcNL6NTn00PgMlIT7OFiSugg8ar7k6Q1Suak0pW_ea1Z56bHGWD-WJM8GsYxohXX7HwYh8cyfOSd_jH6HTZ-p6qsZcWAHnREuzNwcdXqycDVxTA48XEZlfLOJDgvbyhNPssedf3os1rcWTQ5vh_NzUjyqpb8PzQOWm427XjMzBQxwSJVyu1a2TYlNXsLX9qCARjng) is actually a JWT token as seen in the link.
The [Cluster.Status.ServiceAccountToken](https://jwt.io/#debugger-io?token=eyJhbGciOiJSUzI1NiIsImtpZCI6IndsUHhqR1pxX1dSbkFwVG92SFZ1RWV5WDNjbktDTmhZRVUtOFhWY2gyQ0kifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJjYXR0bGUtc3lzdGVtIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImtvbnRhaW5lci1lbmdpbmUtdG9rZW4taG52eG4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoia29udGFpbmVyLWVuZ2luZSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjgyOWZiN2FiLTA0NzItNDA1ZC1iOWI4LTRmNjhjYmZhNDAyMyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpjYXR0bGUtc3lzdGVtOmtvbnRhaW5lci1lbmdpbmUifQ.URiTKnslommru1NDTq-ClcSc9DBsQwr4_eqSCfksoIeGACwYKK3kPCxe0aVixOkWK9saFTcR46bEz7Of4BfMjUShBl89zSmaGHmlNvYd2sLssWMXbcQInC4Y7Ckti49VbBFoU5EWe-LBSiNrhZcNL6NTn00PgMlIT7OFiSugg8ar7k6Q1Suak0pW_ea1Z56bHGWD-WJM8GsYxohXX7HwYh8cyfOSd_jH6HTZ-p6qsZcWAHnREuzNwcdXqycDVxTA48XEZlfLOJDgvbyhNPssedf3os1rcWTQ5vh_NzUjyqpb8PzQOWm427XjMzBQxwSJVyu1a2TYlNXsLX9qCARjng) is actually a JWT token as seen in the link.
Original file line number Diff line number Diff line change
Expand Up @@ -113,15 +113,15 @@ def login
end

def check
return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service, or doesnt seem to be a rancher website") unless rancher?
return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service, or does not seem to be a rancher website") unless rancher?

Exploit::CheckCode::Detected('Seems to be rancher, but unable to determine version')
end

def run
vprint_status('Attempting login')
login
vprint_good('login successful, querying APIs')
vprint_good('Login successful, querying APIs')
[
'/v1/management.cattle.io.catalogs',
'/v1/management.cattle.io.clusters',
Expand Down

0 comments on commit d93b97d

Please sign in to comment.