
Sleighing Threats, One Layer at a Time

Challenge Information

  • Advent of Cyber Day 12
  • THM link here

Explanation

Today’s challenge is built around a Jenkins web application. We were given SSH credentials for the user admin to start with.

Question 1: What is the default port for Jenkins?

To answer this, we could scan the host with nmap from the attack box, or SSH in and list the listening sockets with ss (the -n flag prints numeric ports instead of service names).

admin@jenkins:~$ ss -tulp
Netid     State      Recv-Q     Send-Q              Local Address:Port             Peer Address:Port    Process     
udp       UNCONN     0          0                   127.0.0.53%lo:domain                0.0.0.0:*                   
udp       UNCONN     0          0              10.10.119.232%eth0:bootpc                0.0.0.0:*                   
tcp       LISTEN     0          128                       0.0.0.0:ssh                   0.0.0.0:*                   
tcp       LISTEN     0          4096                127.0.0.53%lo:domain                0.0.0.0:*                   
tcp       LISTEN     0          128                          [::]:ssh                      [::]:*                   
tcp       LISTEN     0          50                              *:http-alt                    *:*                   
admin@jenkins:~$ ss -tulpn
Netid     State      Recv-Q     Send-Q               Local Address:Port           Peer Address:Port     Process     
udp       UNCONN     0          0                    127.0.0.53%lo:53                  0.0.0.0:*                    
udp       UNCONN     0          0               10.10.119.232%eth0:68                  0.0.0.0:*                    
tcp       LISTEN     0          128                        0.0.0.0:22                  0.0.0.0:*                    
tcp       LISTEN     0          4096                 127.0.0.53%lo:53                  0.0.0.0:*                    
tcp       LISTEN     0          128                           [::]:22                     [::]:*                    
tcp       LISTEN     0          50                               *:8080                      *:*                    

Listing the open ports over SSH shows a listener on 8080 (ss resolves it to the service name http-alt until -n is added), which is the default port Jenkins listens on. The Process column is empty for that socket because ss only names the owning process for sockets the current user owns, or when run as root.

Question 2: What is the password of the user tracy?

To get tracy’s password, we can search the usual places for credentials, since we already have a shell on the box: scripts, config files and scheduled backup jobs. The backup script under /opt/scripts contains the password in clear text and passes it to sshpass.

admin@jenkins:~$ cat /opt/scripts/backup.sh 
#!/bin/sh

mkdir /var/lib/jenkins/backup
mkdir /var/lib/jenkins/backup/jobs /var/lib/jenkins/backup/nodes /var/lib/jenkins/backup/plugins /var/lib/jenkins/backup/secrets /var/lib/jenkins/backup/users

cp /var/lib/jenkins/*.xml /var/lib/jenkins/backup/
cp -r /var/lib/jenkins/jobs/ /var/lib/jenkins/backup/jobs/
cp -r /var/lib/jenkins/nodes/ /var/lib/jenkins/backup/nodes/
cp /var/lib/jenkins/plugins/*.jpi /var/lib/jenkins/backup/plugins/
cp /var/lib/jenkins/secrets/* /var/lib/jenkins/backup/secrets/
cp -r /var/lib/jenkins/users/* /var/lib/jenkins/backup/users/

tar czvf /var/lib/jenkins/backup.tar.gz /var/lib/jenkins/backup/
/bin/sleep 5

username="tracy"
password="13_1n_33"
Ip="localhost"
sshpass -p "$password" scp /var/lib/jenkins/backup.tar.gz $username@$Ip:/home/tracy/backups
/bin/sleep 10

rm -rf /var/lib/jenkins/backup/
rm -rf /var/lib/jenkins/backup.tar.gz
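The backup script above stores tracy’s password in clear text and hands it to sshpass, which is exactly the kind of thing any local user can find with a quick search. As an added example, not part of the original post or the challenge material, here is a small POSIX shell audit that finds such lines and reports which of the hits are world-readable. The regular expression is an assumed heuristic rather than an exhaustive secret detector, and the sample files written by demo() are constructed.

```shell
#!/bin/sh
# Added example, not part of the challenge or the TryHackMe material: a
# small audit helper that hunts for cleartext credentials in scripts and
# config files, the way the hard-coded "tracy" password in
# /opt/scripts/backup.sh is found, and reports which of the matching files
# are readable by every local user. Paths in demo() are constructed.

# Print file:line:content for each line that looks like a cleartext
# credential: shell/INI/YAML assignments (password=..., secret: ...),
# sshpass -p, and user:pass@host URLs. Binary files are skipped (-I).
find_cleartext_creds() {  # $@ = files or directories to scan
    pattern='(password|passwd|secret|token)[[:space:]]*[=:]|sshpass[[:space:]]+-p|://[^/[:space:]]+:[^@/[:space:]]+@'
    grep -rHIinE "$pattern" "$@" 2>/dev/null
}

# Number of matching lines, for a cron job or CI gate to assert on.
count_cleartext_creds() {
    find_cleartext_creds "$@" | wc -l | tr -d ' '
}

# Matching files whose "others read" bit (mode o+r) is set: any local user,
# such as admin in the challenge, can read those without extra privileges.
world_readable_hits() {
    find_cleartext_creds "$@" | cut -d: -f1 | sort -u | while read -r f; do
        # -perm -004: the others-read permission bit is set on the file
        if [ -n "$(find "$f" -prune -type f -perm -004 2>/dev/null)" ]; then
            echo "$f"
        fi
    done
}

# Demo on constructed files in a temporary directory, mirroring the backup
# script above plus a config file with a credential embedded in a URL.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/backup.sh" <<'EOF'
#!/bin/sh
username="tracy"
password="13_1n_33"
sshpass -p "$password" scp /var/lib/jenkins/backup.tar.gz $username@localhost:/home/tracy/backups
EOF
    printf 'url=https://svc:hunter2@repo.example/job\n' > "$tmp/deploy.conf"
    printf '#!/bin/sh\necho "nothing secret here"\n' > "$tmp/clean.sh"
    chmod 644 "$tmp/backup.sh" "$tmp/deploy.conf"
    chmod 600 "$tmp/clean.sh"
    find_cleartext_creds "$tmp"
    echo "matches: $(count_cleartext_creds "$tmp")"
    echo "world-readable files with matches:"
    world_readable_hits "$tmp"
    rm -rf "$tmp"
}

demo
```

Source the file and call find_cleartext_creds /opt/scripts /etc /var/lib/jenkins to run it against a real box; the fix for a hit like backup.sh is to replace the password with an SSH key restricted to that one scp destination and to make the script readable only by the account that runs it.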

Question 3: What’s the root flag?

To get the root flag, switch to user tracy with the recovered password and use sudo, since tracy is allowed to run any command as root. sudo -l confirms it: (ALL : ALL) ALL lets tracy run anything as any user, so the leaked password is as good as root. You could also get the flag directly as user admin, since that user also has root privileges.

admin@jenkins:~$ su tracy
Password: 
tracy@jenkins:/home/admin$ sudo -l
[sudo] password for tracy: 
Matching Defaults entries for tracy on jenkins:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User tracy may run the following commands on jenkins:
    (ALL : ALL) ALL
tracy@jenkins:/home/admin$ sudo cat /root/flag.txt
ezRo0tW1thoutDiD

Question 4: What’s the SSH flag?

To get the SSH flag, read the SSH daemon configuration file, /etc/ssh/sshd_config; the flag sits in a comment line inside it.

cat /etc/ssh/sshd_config
...
#Ne3d2SecureTh1sSecureSh31l

Question 5: What’s the Jenkins flag?

This question is similar to the previous one: look through the Jenkins configuration backup, /var/lib/jenkins/config.xml.bak, for the flag. It is in an XML comment, right between the commented-out authorizationStrategy and securityRealm blocks. Note what that backup describes: with both blocks commented out, the file configures a Jenkins instance with no authentication realm and no authorization strategy, which is the "full trust" the flag text warns about.

tracy@jenkins:~$ cat /var/lib/jenkins/config.xml.bak 
<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <disabledAdministrativeMonitors>
    <string>jenkins.diagnostics.ControllerExecutorsNoAgents</string>
  </disabledAdministrativeMonitors>
  <version>2.414.1</version>
  <numExecutors>2</numExecutors>
  <mode>NORMAL</mode>
  <useSecurity>true</useSecurity>
  <!--authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy-->
  <!--FullTrust_has_n0_Place1nS3cur1ty-->
  <!--securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm-->
  <disableRememberMe>false</disableRememberMe>
  <projectNamingStrategy class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/>
  <workspaceDir>${JENKINS_HOME}/workspace/${ITEM_FULL_NAME}</workspaceDir>
  <buildsDir>${ITEM_ROOTDIR}/builds</buildsDir>
  <jdks/>
  <viewsTabBar class="hudson.views.DefaultViewsTabBar"/>
  <myViewsTabBar class="hudson.views.DefaultMyViewsTabBar"/>
  <clouds/>
  <scmCheckoutRetryCount>0</scmCheckoutRetryCount>
  <views>
    <hudson.model.AllView>
      <owner class="hudson" reference="../../.."/>
      <name>all</name>
      <filterExecutors>false</filterExecutors>
      <filterQueue>false</filterQueue>
      <properties class="hudson.model.View$PropertyList"/>
    </hudson.model.AllView>
  </views>
  <primaryView>all</primaryView>
  <slaveAgentPort>-1</slaveAgentPort>
  <label></label>
  <crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer">
    <excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>
  </crumbIssuer>
  <nodeProperties/>
  <globalNodeProperties/>
  <nodeRenameMigrationNeeded>false</nodeRenameMigrationNeeded>
</hudson>
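Questions 4 and 5 both come down to reading a configuration layer for the setting that was left weak. As an added example that is not part of the original post or the challenge, the shell script below audits those two layers, an sshd_config and a Jenkins config.xml, treating commented-out XML blocks as absent, which is how the config.xml.bak above should be read. The keywords it checks, the sshd defaults it assumes when a keyword is missing, and the sample files written by demo() are my own choices and constructed inputs, not anything taken from the challenge.

```shell
#!/bin/sh
# Added example, not part of the challenge or the TryHackMe material: a
# read-only audit of the two configuration layers reviewed above,
# /etc/ssh/sshd_config (Question 4) and the Jenkins config.xml (Question 5).
# Each audit function prints one line per weak setting; empty output means
# the file passed. File names and contents in demo() are constructed.

# Effective value of an sshd_config keyword. Like sshd, take the first
# uncommented occurrence; keywords are case-insensitive. Match blocks and
# Include directives are not followed, so only this file's global section counts.
sshd_setting() {  # $1=config file  $2=keyword
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

audit_sshd() {  # $1=path to an sshd_config
    # Defaults that apply when the keyword is absent (OpenSSH 7.0 and later).
    v=$(sshd_setting "$1" PermitRootLogin);        v=${v:-prohibit-password}
    [ "$v" = no ] || echo "sshd: PermitRootLogin is '$v' (want no)"
    v=$(sshd_setting "$1" PasswordAuthentication); v=${v:-yes}
    [ "$v" = no ] || echo "sshd: PasswordAuthentication is '$v' (want no, use keys)"
    v=$(sshd_setting "$1" PermitEmptyPasswords);   v=${v:-no}
    [ "$v" = no ] || echo "sshd: PermitEmptyPasswords is '$v' (want no)"
}

# Drop XML comments so a security block that was commented out, as in the
# config.xml.bak above, counts as absent rather than as configured. Text
# sharing a line with a multi-line comment marker is dropped as well.
strip_xml_comments() {  # $1=xml file
    sed 's/<!--.*-->//g' "$1" | awk '/<!--/ { skip = 1 } !skip { print } /-->/ { skip = 0 }'
}

audit_jenkins() {  # $1=path to a Jenkins config.xml
    cfg=$(strip_xml_comments "$1")
    printf '%s\n' "$cfg" | grep -q '<useSecurity>true</useSecurity>' \
        || echo "jenkins: useSecurity is not true (security disabled)"
    printf '%s\n' "$cfg" | grep -q '<securityRealm ' \
        || echo "jenkins: no securityRealm (no authentication configured)"
    printf '%s\n' "$cfg" | grep -q '<authorizationStrategy ' \
        || echo "jenkins: no authorizationStrategy (everyone gets full control)"
    # denyAnonymousReadAccess is a setting of FullControlOnceLoggedIn only.
    if printf '%s\n' "$cfg" | grep -q 'FullControlOnceLoggedInAuthorizationStrategy'; then
        printf '%s\n' "$cfg" | grep -q '<denyAnonymousReadAccess>true' \
            || echo "jenkins: anonymous users have read access"
    fi
    printf '%s\n' "$cfg" | grep -q '<crumbIssuer ' \
        || echo "jenkins: no crumbIssuer (CSRF protection off)"
    printf '%s\n' "$cfg" | grep -q '<slaveAgentPort>-1</slaveAgentPort>' \
        || echo "jenkins: inbound agent TCP port enabled (set -1 if unused)"
}

# Total findings over any mix of files, picked by file name; prints the count.
finding_count() {
    for f in "$@"; do
        case "$f" in
            *sshd_config*) audit_sshd "$f" ;;
            *config.xml*)  audit_jenkins "$f" ;;
        esac
    done | wc -l | tr -d ' '
}

# Demo on constructed files mirroring the weak state seen in the challenge:
# password logins allowed over SSH, and a Jenkins config whose security
# realm and authorization strategy are commented out.
demo() {
    d=$(mktemp -d)
    printf '#PermitRootLogin prohibit-password\nPasswordAuthentication yes\n' > "$d/sshd_config"
    cat > "$d/config.xml" <<'EOF'
<hudson>
  <useSecurity>true</useSecurity>
  <!--authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy-->
  <!--securityRealm class="hudson.security.HudsonPrivateSecurityRealm"/-->
  <slaveAgentPort>-1</slaveAgentPort>
  <crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer"/>
</hudson>
EOF
    audit_sshd "$d/sshd_config"
    audit_jenkins "$d/config.xml"
    echo "total findings: $(finding_count "$d/sshd_config" "$d/config.xml")"
    rm -rf "$d"
}

demo
```

On the box itself, source the file and run audit_sshd /etc/ssh/sshd_config and audit_jenkins /var/lib/jenkins/config.xml; a clean result means root login and password authentication are off over SSH, and Jenkins has a security realm, an authorization strategy that denies anonymous reads, and CSRF crumbs enabled.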

Things I learned from the challenge

  • Default config file
  • Best practice for a zero-trust policy
This post is licensed under CC BY 4.0 by the author.