Saltstack

an open-source infrastructure automation and configuration management tool. Pull based model with agents (minions)

4505/tcp - ZeroMQ Sub channel

4506/tcp - ZeroMQ Req channel, the main channel to communicate with salt-master

8000/tcp (optional) - salt-master REST API. Almost all endpoints require eauth (e.g. PAM) authorization

Skylight Cyber | A-Salt: attacking SaltStackSkylightCyber

Check unauth api

curl http://host:8000/minions

ZeroMQ sploit

PoC exploit for CVE-2020-11651 and CVE-2020-11652

GitHub - jasperla/CVE-2020-11651-poc: PoC exploit of CVE-2020-11651 and CVE-2020-11652GitHub

another one

GitHub - appcheck-ng/salt-rce-scanner-CVE-2020-11651-CVE-2020-11652: Scanning tool to test for SaltStack vulnerabilities CVE-2020-11651 & CVE-2020-11652.GitHub

Chaining CVE-2021-25281 and CVE-2021-25282

Goals:

ssh key
cron job
register rogue minion

GitHub - Immersive-Labs-Sec/CVE-2021-25281: Chaining CVE-2021-25281 and CVE-2021-25282 to exploit a SaltStackGitHub

Register minion

compose

services:
  minion:
    image: "saltstack/salt:latest"
    command: salt-minion -l info
    # depends_on:
    #   - master
    volumes:
      - ./minion:/etc/salt/minion

./minion

master: master     # master ip
id: testtest       # uniq minon id (it could be random)
log_level: info    # info/debug

PreviousLINUX NextConsul

Last updated 1 month ago

hashtagCheck unauth api

hashtagZeroMQ sploit

hashtagPoC exploit for CVE-2020-11651 and CVE-2020-11652

hashtagChaining CVE-2021-25281 and CVE-2021-25282

hashtagRegister minion

Check unauth api

ZeroMQ sploit

PoC exploit for CVE-2020-11651 and CVE-2020-11652

Chaining CVE-2021-25281 and CVE-2021-25282

Register minion