diff --git a/documentation/modules/auxiliary/gather/rancher_authenticated_api_cred_exposure.md b/documentation/modules/auxiliary/gather/rancher_authenticated_api_cred_exposure.md index d76e0941740d..680e97cb1e58 100644 --- a/documentation/modules/auxiliary/gather/rancher_authenticated_api_cred_exposure.md +++ b/documentation/modules/auxiliary/gather/rancher_authenticated_api_cred_exposure.md 
@@ -10,7 +10,42 @@ version of those sensitive data. ### Install -https://github.com/fe-ax/tf-cve-2021-36782 +* Clone the repository from: https://github.com/fe-ax/tf-cve-2021-36782 +* Create a Digital Ocean API Token + * Log into Digital Ocean and navigate to: API > Tokens + * Select "Generate New Token" + * Enter a token name and then select either Full Access or Custom Scopes + * If selecting Custom Scopes, use the values provided below +* Back in the `tf-cve-2021-36782`, copy the `example.tfvars` file to `yourown.tfvars` +* Edit `yourown.tfvars` and add the newly generated DO API token as `do_token` + * Optionally set the region for the clusters to one closer to you (e.g. `nyc3`) +* Run `terraform init` +* Run `terraform apply -var-file yourown.tfvars`, this can take about 20 minutes to run +* Take the hostname from the `rancher_admin_url` output from terraform and use that as the `RHOST` value for the module +* Take the password from the `rancher_password` file and use that with the username "admin" for the module + +#### Digital Ocean API Token Custom Scopes +It's possible that there are unnecessary privileges contained within the following settings, however it does permit the +test environment to start without a full access token. 
+ +* Fully Scoped Access: + * 1click (2): create, read + * account (1): read + * actions (1): read + * billing (1): read + * kubernetes (5): create, read, update, delete, access_cluster + * load_balancer (4): create, read, update, delete + * monitoring (4): create, read, update, delete + * project (4): create, read, update, delete + * regions (1): read + * registry (4): create, read, update, delete + * sizes (1): read +* Create Access: + * app / droplet / firewall / ssh_key +* Read Access: + * app / block_storage / block_storage_action / block_storage_snapshot / cdn / certificate / database / domain / droplet / firewall / function / image / reserved_ip / snapshot / ssh_key / tag / uptime / vpc +* Update Access: + * ssh_key ## Verification Steps 
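Review bot: in the install steps of this hunk, "Back in the `tf-cve-2021-36782`, copy the `example.tfvars` file to `yourown.tfvars`" is missing its noun (the cloned repository directory), and the option name "use that as the `RHOST` value" should be checked against the module's verification steps, since Metasploit HTTP client modules take `RHOSTS`. One more line after the `terraform apply` step would also help: `yourown.tfvars` now holds a live DigitalOcean API token, so keep it out of version control, and run `terraform destroy -var-file yourown.tfvars` when testing is done, because the apply stands up billable Kubernetes clusters. The custom-scope list and its caveat that it may still over-grant are fine as written.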
@@ -80,4 +115,4 @@ msf6 auxiliary(gather/rancher_authenticated_api_cred_exposure) > run [*] Auxiliary module execution completed ``` -The [Cluster.Status.ServiceAccountToken](https://jwt.io/#debugger-io?token=eyJhbGciOiJSUzI1NiIsImtpZCI6IndsUHhqR1pxX1dSbkFwVG92SFZ1RWV5WDNjbktDTmhZRVUtOFhWY2gyQ0kifQ.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.URiTKnslommru1NDTq-ClcSc9DBsQwr4_eqSCfksoIeGACwYKK3kPCxe0aVixOkWK9saFTcR46bEz7Of4BfMjUShBl89zSmaGHmlNvYd2sLssWMXbcQInC4Y7Ckti49VbBFoU5EWe-LBSiNrhZcNL6NTn00PgMlIT7OFiSugg8ar7k6Q1Suak0pW_ea1Z56bHGWD-WJM8GsYxohXX7HwYh8cyfOSd_jH6HTZ-p6qsZcWAHnREuzNwcdXqycDVxTA48XEZlfLOJDgvbyhNPssedf3os1rcWTQ5vh_NzUjyqpb8PzQOWm427XjMzBQxwSJVyu1a2TYlNXsLX9qCARjng) is actually a JWT token as seen in the link. \ No newline at end of file +The [Cluster.Status.ServiceAccountToken](https://jwt.io/#debugger-io?token=eyJhbGciOiJSUzI1NiIsImtpZCI6IndsUHhqR1pxX1dSbkFwVG92SFZ1RWV5WDNjbktDTmhZRVUtOFhWY2gyQ0kifQ.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.URiTKnslommru1NDTq-ClcSc9DBsQwr4_eqSCfksoIeGACwYKK3kPCxe0aVixOkWK9saFTcR46bEz7Of4BfMjUShBl89zSmaGHmlNvYd2sLssWMXbcQInC4Y7Ckti49VbBFoU5EWe-LBSiNrhZcNL6NTn00PgMlIT7OFiSugg8ar7k6Q1Suak0pW_ea1Z56bHGWD-WJM8GsYxohXX7HwYh8cyfOSd_jH6HTZ-p6qsZcWAHnREuzNwcdXqycDVxTA48XEZlfLOJDgvbyhNPssedf3os1rcWTQ5vh_NzUjyqpb8PzQOWm427XjMzBQxwSJVyu1a2TYlNXsLX9qCARjng) is actually a JWT token as seen in the link. diff --git a/modules/auxiliary/gather/rancher_authenticated_api_cred_exposure.rb b/modules/auxiliary/gather/rancher_authenticated_api_cred_exposure.rb index a016a0c26ed6..79f11dfb4e79 100644 --- a/modules/auxiliary/gather/rancher_authenticated_api_cred_exposure.rb +++ b/modules/auxiliary/gather/rancher_authenticated_api_cred_exposure.rb 
@@ -113,7 +113,7 @@ def login end def check - return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service, or doesnt seem to be a rancher website") unless rancher? + return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service, or does not seem to be a rancher website") unless rancher? Exploit::CheckCode::Detected('Seems to be rancher, but unable to determine version') end @@ -121,7 +121,7 @@ def check def run vprint_status('Attempting login') login - vprint_good('login successful, querying APIs') + vprint_good('Login successful, querying APIs') [ '/v1/management.cattle.io.catalogs', '/v1/management.cattle.io.clusters',
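Review bot: the `@@ -80,4 +115,4 @@` hunk only adds the missing trailing newline, but since that line is rewritten anyway, drop the redundant "JWT token" (JWT already expands to JSON Web Token) and say what the value is: a bearer credential for the cluster, e.g. "is a JWT, as the jwt.io link shows; the token here came from a disposable test cluster that has since been destroyed", if that is the case, so nobody reading the docs pastes a live service-account token into a public debugger.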
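Review bot: in the `check` hunk, while fixing "doesnt" to "does not", capitalize the product name in both messages for consistency: "does not seem to be a Rancher website" and "Seems to be Rancher, but unable to determine version". The typo fix itself is correct and the `Unknown`/`Detected` return values are unchanged; the `run` hunk's "Login successful" capitalization now matches the preceding "Attempting login" status line.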