To get a feel for where Nomad fits in the HashiCorp ecosystem, take a look at the following graphic:
I'd like to thank Will Butler for letting me write this up after watching him pwn it.
You can get a dev environment up and running using the tutorial here:
The walkthrough has you run it in dev mode, which won't bind to 0.0.0.0, so you'll need the following server and client config files to get an appropriate environment up and running after you vagrant up.
If you get everything up and running correctly, you should be able to connect to the UI on port 4646 and see the example job:
$ nomad job run example.nomad
==> Monitoring evaluation "ac9b4b08"
Evaluation triggered by job "example"
Evaluation within deployment: "8a7dfe0f"
Allocation "57e65abe" created: node "a15034e5", group "cache"
Evaluation status changed: "pending" -> "complete"
==> Evaluation "ac9b4b08" finished with status "complete"
[Screenshot: jobs in the Nomad UI]
[Screenshot: servers in the Nomad UI]
[Screenshot: clients in the Nomad UI]
Time to leverage the misconfiguration. Nomad ships with a raw_exec driver that is disabled by default. The raw_exec driver lets you run a command outside of any isolation on the Nomad client host, as whatever user the Nomad client agent runs as (normally root). From the Nomad docs:
"The raw_exec driver can run on all supported operating systems. For security reasons, it is disabled by default. To enable raw exec, the Nomad client configuration must explicitly enable the raw_exec driver in the client's options:"
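The client options the docs quote refers to are not reproduced on this page, and neither are the server and client files mentioned earlier for the Vagrant lab, so here is an added example (mine, not the post's gist and not HashiCorp's docs) of a provisioning script that writes both agent configs. The data_dir, the server address (192.168.56.10) and the file paths are assumptions. The client config uses the current plugin "raw_exec" stanza; the check function also recognizes the older client.options key driver.raw_exec.enable = "1", which still works.

```shell
#!/bin/sh
# Added example: write a Nomad server config and a client config that
# explicitly enables raw_exec, for a two-VM Vagrant lab. Both agents bind
# to 0.0.0.0 so the UI/API on :4646 is reachable from the host.
# Assumptions: data_dir /opt/nomad/data, server at 192.168.56.10,
# configs under /etc/nomad.d. This is not the post's own gist.
set -eu

# Server agent: single node, so bootstrap_expect is 1.
# $1 = output path
write_server_config() {
    cat > "$1" <<'EOF'
data_dir  = "/opt/nomad/data"
bind_addr = "0.0.0.0"

server {
  enabled          = true
  bootstrap_expect = 1
}
EOF
}

# Client agent: joins the server over RPC (port 4647) and turns raw_exec on.
# $1 = output path, $2 = server address
write_client_config() {
    cat > "$1" <<EOF
data_dir  = "/opt/nomad/data"
bind_addr = "0.0.0.0"

client {
  enabled = true
  servers = ["${2}:4647"]
}

# This is the stanza the docs quote refers to. The legacy form is
#   client { options = { "driver.raw_exec.enable" = "1" } }
plugin "raw_exec" {
  config {
    enabled = true
  }
}
EOF
}

# Return 0 if a config file enables raw_exec (either form), 1 otherwise.
# Useful for auditing client configs before they ever reach a cluster.
# $1 = config path
config_enables_raw_exec() {
    if grep -q 'driver\.raw_exec\.enable" *= *"1"' "$1"; then
        return 0
    fi
    # Only look inside the plugin "raw_exec" { ... } block, so the
    # client { enabled = true } line does not produce a false positive.
    sed -n '/plugin "raw_exec"/,/^}/p' "$1" | grep -q 'enabled *= *true'
}

# Provisioning entry point, only run when invoked with "server" or "client".
case "${1:-}" in
    server)
        write_server_config /etc/nomad.d/server.hcl
        nomad agent -config /etc/nomad.d/server.hcl
        ;;
    client)
        write_client_config /etc/nomad.d/client.hcl "${2:-192.168.56.10}"
        nomad agent -config /etc/nomad.d/client.hcl
        ;;
esac
```

Keep the lab on a host-only network: with bind_addr = "0.0.0.0" and no ACLs, anyone who can reach port 4646 can submit jobs, which is exactly the situation the rest of the post exploits.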
How can you tell whether the raw_exec driver is enabled on the clients?
You can check in the UI:
or by hitting the API endpoint:
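The API check the post shows as a screenshot, as an added example (mine, not the post's own commands): list the nodes with GET /v1/nodes, fetch each with GET /v1/node/<id>, and look at the node's Attributes (driver.raw_exec is reported as "1" on older clients and "true" on newer ones) and, failing that, at Drivers.raw_exec.Detected. The two sample responses are constructed and abbreviated; the live walk only runs when the script is called with --live and assumes NOMAD_ADDR or http://127.0.0.1:4646.

```shell
#!/bin/sh
# Added example: find Nomad clients with raw_exec enabled through the HTTP
# API. jq-free on purpose so it runs from any foothold. Not the post's code.
set -eu

NOMAD_ADDR="${NOMAD_ADDR:-http://127.0.0.1:4646}"   # assumption

# Constructed, abbreviated /v1/node/<id> responses for offline use.
SAMPLE_ENABLED='{"ID":"11111111-2222-3333-4444-555555555555","Attributes":{"driver.raw_exec":"1","kernel.name":"linux"},"Drivers":{"raw_exec":{"Attributes":{"driver.raw_exec":"1"},"Detected":true,"Healthy":true}}}'
SAMPLE_DISABLED='{"ID":"66666666-7777-8888-9999-000000000000","Attributes":{"kernel.name":"linux"},"Drivers":{"raw_exec":{"Attributes":null,"Detected":false,"Healthy":false,"HealthDescription":"Disabled"},"exec":{"Detected":true,"Healthy":true}}}'

# Print one node ID per line from a /v1/nodes response on stdin.
node_ids() {
    tr -d '\n\t ' | grep -o '"ID":"[^"]*"' | cut -d'"' -f4
}

# Read a /v1/node/<id> response on stdin; return 0 if raw_exec is enabled.
raw_exec_enabled() {
    doc=$(tr -d '\n\t ')                      # compact the JSON
    # Older clients set the node attribute to "1", newer ones to "true".
    case "$doc" in
        *'"driver.raw_exec":"1"'*|*'"driver.raw_exec":"true"'*) return 0 ;;
    esac
    # Newer clients also expose a Drivers map. The first "Detected" after
    # the raw_exec key belongs to its DriverInfo (its nested Attributes
    # map holds only strings), so later drivers cannot cause a false hit.
    key='"raw_exec":{'
    rest=${doc#*"$key"}
    [ "$rest" != "$doc" ] || return 1        # no raw_exec entry at all
    det='"Detected":'
    first=${rest#*"$det"}
    case "$first" in
        true*) return 0 ;;
    esac
    return 1
}

# Walk every node the server knows about and report raw_exec status.
# If ACLs are on, add: -H "X-Nomad-Token: $NOMAD_TOKEN" to both curls.
check_cluster() {
    for id in $(curl -s "$NOMAD_ADDR/v1/nodes" | node_ids); do
        if curl -s "$NOMAD_ADDR/v1/node/$id" | raw_exec_enabled; then
            echo "$id raw_exec ENABLED"
        else
            echo "$id raw_exec disabled"
        fi
    done
}

if [ "${1:-}" = "--live" ]; then
    check_cluster
fi
```

The same information is shown by nomad node status -verbose <node-id> under Attributes and Drivers. A cluster where these calls succeed without a token is the misconfiguration under discussion: no ACLs, reachable API, and a client that will run anything you hand it.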
Let's exploit this thing.
We need to create a job HCL file with our commands. Here is a gist with a simple one:
[Screenshot: starting the job]
[Screenshot: results of our job]
[Screenshot: the job in the UI]
[Screenshot: stopping the job]
[Screenshot: forcing a garbage collection]
[Screenshot: validating that the job was deleted]
OK, let's get a reverse shell. I used the following HCL file:
[Screenshot: reverse shell job]
[Screenshot: shell from Nomad]
Info on locking Nomad down via ACLs (ACLs control who may submit jobs; if nothing needs raw_exec, also leave the driver disabled on the clients, because on an unrestricted cluster anyone who can submit a job gets code execution as the Nomad client user):