SaltStack is an IT orchestration platform, similar to Puppet or Ansible. This blog post introduces a set of common misconfigurations we've encountered in the wild, as well as a novel template injection technique that can achieve remote code execution on a salt-master (or master-of-masters) server. With a bit of luck, you can go from a basic presence in a network to the keys to the kingdom, and potentially neighbouring kingdoms as well. This post is for attackers, but I've included a cheatsheet summary for defenders too.

If this is your first time reading about Salt (aka SaltStack), it is a relatively new entrant to the IT orchestration field, alongside the likes of Ansible and Puppet, and because of that relative youth there is not very much written up on it in the security space. This post was written with the aim of helping anyone on a pentest/red team who finds themselves in a network running Salt, as well as those tasked with securing Salt. With that in mind, here is a basic primer.

Salt at its core is for automated infrastructure management, focused on applying and maintaining states on devices. If the active state drifts from the configured state, Salt tries to fix it by reapplying whatever configuration the human IT administrator defined. This could be as simple as pushing up-to-date config files or as complex as triggering a build pipeline to ultimately bring up fresh containers across a fleet. It can be made to do basically anything by deploying custom scripts.

It depends on a software agent being installed and enrolled on each device to be managed. In Salt-speak these agents are 'minions', and they are slaved to one or more central 'master' controllers. The master should be your target because it is a backdoor-as-a-feature to every minion under it: anything the administrator can push from the master, an attacker on the master can push too. The master is almost certainly going to be a *nix box.

Minions are pretty easy to spot once you are on a host, by checking any of the following:

- `systemctl status salt-minion`
- the minion's `/etc/salt/minion` and `/etc/salt/minion.d/*.conf` files (the `master:` key names the master or masters it is enrolled with)
- the minion's inbound/outbound connections on TCP/4505 and TCP/4506, or
- confirming that a suspected master has TCP/4505 and TCP/4506 open.

Reminder: in large networks, different minions may be enrolled to different masters. With Salt you are entering a world of Python and YAML, so everything is a local file and can be read and edited from disk.

Most of this research came out of a recent engagement for a company (PowerCorp) that makes niche software products for power grid site engineers/operators. These products are sold to various businesses involved in the electricity generation, transmission and storage lifecycle and, as one might imagine for such niche software, were heavily customised for every customer. Most of PowerCorp's customers also had some form of customised on-prem infrastructure to support the whole thing (data syncs for field devices, analytics, office connectivity, VPNs). This stuff was all designed to operate within the customer's internal ecosystem and should never be shared between customers (competitors). I was given one of PowerCorp's standard-build field laptops (e.g. for an engineer travelling around) and tasked with getting up to no good.
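The minion-spotting checks above, as an added example that is not part of the original post: two small parsers that pull the enrolled master(s) out of minion config text and the Salt peers out of `ss -tn` output, plus a wrapper that runs them live on the current host. It assumes the stock Salt paths (`/etc/salt/minion`, `/etc/salt/minion.d/*.conf`) and the default ZeroMQ ports, TCP/4505 (publisher) and TCP/4506 (request server); the hostnames and addresses in the comments are made up.

```shell
#!/bin/sh
# Added example (not from the original post): triage a host for a Salt minion
# and find out which master(s) it reports to. Assumes default Salt paths and
# the default ports 4505 (publish) and 4506 (request server).

# salt_masters: read minion config text on stdin and print each configured
# master, one per line. Handles the single-value form
#   master: salt.corp.example
# and the YAML list form used for multi-master setups:
#   master:
#     - salt1.corp.example
#     - salt2.corp.example
salt_masters() {
  awk '
    /^[[:space:]]*#/ { next }                           # skip comment lines
    /^master:[[:space:]]*$/ { inlist = 1; next }        # bare "master:" starts a list
    /^master:/ { sub(/^master:[[:space:]]*/, ""); print; inlist = 0; next }
    inlist && /^[[:space:]]*-[[:space:]]*/ {            # "  - host" list entries
      sub(/^[[:space:]]*-[[:space:]]*/, ""); print; next
    }
    /^[^[:space:]]/ { inlist = 0 }                      # any other top-level key ends the list
  '
}

# salt_peers: read `ss -tn` (or `netstat -tn`) output on stdin and print the
# remote address of every established connection to port 4505 or 4506.
# Column 1 is the state, column 5 is "Peer Address:Port" in ss output.
salt_peers() {
  awk '$1 == "ESTAB" && $5 ~ /:450[56]$/ { print $5 }'
}

# salt_minion_triage: run the three checks from the post on the local host.
# Prints nothing for a check that finds nothing; ss may need root to resolve
# process names, but the port columns used here are visible unprivileged.
salt_minion_triage() {
  if systemctl is-active --quiet salt-minion 2>/dev/null; then
    echo "service: salt-minion is active"
  fi
  cat /etc/salt/minion /etc/salt/minion.d/*.conf 2>/dev/null \
    | salt_masters | sed 's/^/master: /'
  ss -tn 2>/dev/null | salt_peers | sed 's/^/peer:   /'
}
```

Run `salt_minion_triage` on a suspect host; a `peer:` line ending in `:4506` that does not match any `master:` line is worth a second look, since it means the minion is talking to a master you have not yet found in its config (for example one set via a DNS alias or a systemd drop-in). To check a suspected master from the outside, a plain port scan for TCP/4505 and TCP/4506 is enough.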