hashtopolis
[BUG]: Task assignment doesn't check agent group, causing "Not allowed to work on this task!" infinite loop
Version Information
0.14.6
Hashcat
No response
Description
Removing an agent from the Default group causes it to infinite loop:
Got task with id: XXX
Getting of chunk failed: {'action': 'getChunk', 'response': 'ERROR', 'message': 'Not allowed to work on this task!'}
If the Default group is required, then it shouldn't be exposed to the user, or at the very least you shouldn't be able to remove agents from it.
For context: My agents register using a persistent voucher, so I have to assign them to a group manually.
Being able to remove agents from the Default group would let me know when a new agent has registered and needs to be assigned to a group.
So do I understand correctly that after you remove it from the default group, the agent does not stop requesting the same chunk again and receiving the error? And instead the agent should go back to request a new task which will then be from the new group you assigned it to, correct?
Based on the server UI, my understanding is that group permissions act on files, not tasks. So an agent can work on a given task if, for each of the task's files, the agent is a member of the file's associated group.
But I have a task that uses no files at all. So an agent in any group (as well as no group at all!) should be able to work on it.
So do I understand correctly that after you remove it from the default group, the agent does not stop requesting the same chunk again and receiving the error?
Correct, the agent will not switch tasks, even if there is a higher priority task available. Or if the agent is working on a task requiring a file that is associated with a group, and you remove the agent from that group, the agent will still be stuck on the task (instead, it should switch to another task that doesn't require the group).
And instead the agent should go back to request a new task which will then be from the new group you assigned it to, correct?
Not exactly. The agent was working on a task with no files, which means any agent in any group (or no group at all) should be able to work on the task. But it still enters the infinite error loop when removed from the Default group.
tl;dr if you remove an agent from the Default group, it cannot work on any tasks at all.
A task still requires an agent to be allowed to access the group which the hashlist is assigned to (there you select an AccessGroup on creation). If the agent does not belong to that group, it cannot pick up any task working on this hashlist.
A task still requires an agent to be allowed to access the group which the hashlist is assigned to (there you select an AccessGroup on creation). If the agent does not belong to that group, it cannot pick up any task working on this hashlist.
Right...I forgot that hashlists also have groups.
I just tested by making a new group, then creating a hashlist and task for it. The task only used the hashlist and no files (wordlists or rules).
The agent started off in the Default Group and was working on a task. I removed the agent from the Default Group into the new group, then restarted the agent.
The agent stayed on its assigned task in an infinite loop, even though the new task had a higher priority.
In the infinite loop, this part of the log output:
Got task with id: XXX
Suggests that the server needs to check if an agent can work on a task (i.e. if the agent is a member of the task's hashlist's group) before the task is assigned to the agent. And it also needs to check if the agent is a member of the task's files' group, too.
Currently, these checks aren't performed, so the agent can get assigned to a task and then error when getting the chunk. And because the agent will never be assigned to another task, it enters an infinite loop.
The easiest test is:
- Start a new agent
- Stop the agent
- Move the agent out of the Default Group into a new test group (which has no tasks)
- Start the agent -- it should say there is no work, but it will be assigned to some task that it doesn't have access to