CVE-2021-25281 (SaltStack) – Offensive

Question

Need tips to get going with this, information on the exploit is sparse.

I have the port, just need some help creating the correct command line. Not much out there on the internet on this.

I have tried variations on commands like this:

python3 poc.py http://10.102.178.147:8000 state whoami

python3 poc.py http://10.102.178.147:8000 ssh id_rsa.pub

(after generating the keys with "ssh-keygen -t rsa")

gusc · Answer

nmap 10.102.145.94curl -k&nbsp;https://10.102.145.94:8000{"return": "Welcome", "clients": ["local", "local_async", "local_batch", "local_subset", "runner", "runner_async", "ssh", "wheel", "wheel_async"]}ssh-keygen -t rsa -f ~/Desktop/public_key

arthurdent · Answer

Thanks!

arthurdent · Answer

I'm in the same boat. I've added print statements to the script, and found that no matter what I send, I'm getting a 503 response code back. However, I can connect to the port with curl or a browser, and it does respond with a list of actions, including the one that should be able to be exploited. I haven't figured out what to send in the script to make it work.&nbsp;

Forum Discussion

CVE-2021-25281 (SaltStack) – Offensive

3 Replies

Featured Places

Help

Related Content

CVE-2021-25281 (SaltStack) – Offensive

CVE-2020-11651 (SaltStack RCE) – Defensive

Offensive PowerShell: Demonstrate Your Skills

CVE-2021-22205 (GitLab) – Offensive

Practical Malware Analysis: Demonstrate Your Skills Malware (Offensive)

Recent Discussions

IoT & Embedded Devices: Certificate Underpinning

Trick or Treat on Specter Street: Morphy's Mansion Challenge

Trick or Treat on Specter Street: Morphy’s Mansion

Credential Access: Password Hashing Algorithms

Trick or Treat on Specter Street: Ghost of the SOC