OSEP Notes

Ansible

Ansiblebook

Node hosts: /etc/ansible/hosts

Playbook

Execute commands on node servers

Retrieve credentials of node servers from playbook

python3 /usr/share/john/ansible2john.py web.yaml

hashcat hash.txt --force --hash-type=16900 dict/rockyou.txt

cat pw.txt | ansible-vault decrypt

Sensitive data

A playbook may contain a command that embeds a plaintext credential, e.g. mysql.yml

/var/log/syslog
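
Added example, not part of the original notes: a small audit that flags shell/command/raw tasks whose command line embeds a secret and reports whether the task sets no_log. Ansible modules log their invocation arguments to syslog on the managed node unless no_log is set, which is how such credentials end up in /var/log/syslog. The sample playbook, the regex heuristics and the function name audit_playbook are constructed for illustration.

```python
import re

# Constructed sample playbook (not from the original notes).
SAMPLE_PLAYBOOK = """\
- name: Backup databases
  hosts: dbservers
  tasks:
    - name: Dump database
      shell: mysqldump -u backup -pExamplePass123 appdb > /tmp/appdb.sql
    - name: Rotate API token
      command: /opt/app/rotate --token=abcd1234
      no_log: true
    - name: Restart service
      command: systemctl restart app
"""

# Heuristic patterns for secrets on a command line (assumed, not exhaustive).
SECRET_PATTERNS = [
    re.compile(r"(?i)--?(?:password|passwd|pwd|token|secret)[= ]\S+"),
    re.compile(r"\bmysql(?:dump)?\b.*\s-p\S+"),
]
TASK_START = re.compile(r"^(\s*)- name:\s*(.*)$")
MODULE_LINE = re.compile(r"^\s*(?:ansible\.builtin\.)?(shell|command|raw):\s*(.+)$")
NO_LOG = re.compile(r"^\s*no_log:\s*(true|yes)\s*$", re.I)


def audit_playbook(text):
    """Return (line, task name, no_log set) for tasks that embed a secret."""
    tasks, current = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = TASK_START.match(line)
        if m:
            current = {"name": m.group(2), "line": lineno, "cmd": None, "no_log": False}
            tasks.append(current)
            continue
        if current is None:
            continue
        m = MODULE_LINE.match(line)
        if m:
            current["cmd"] = m.group(2)
        elif NO_LOG.match(line):
            current["no_log"] = True
    findings = []
    for t in tasks:
        if t["cmd"] and any(p.search(t["cmd"]) for p in SECRET_PATTERNS):
            findings.append((t["line"], t["name"], t["no_log"]))
    return findings
```

A finding with no_log set is still a secret stored in the playbook file; moving it into an ansible-vault encrypted variable and keeping no_log on the task addresses both the file and the log exposure.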

Jfrog

Binary Repository Manager

Port 8082

ps aux | grep artifactory
  • Check existing files and user interactions like creation, download, etc.

  • Deliver malicious file (with user interaction)

  • Database backup contains credential: /opt/jfrog/artifactory/var/backup/access

  • Compromise database


Last updated 1 year ago