🧛
Acaard
  • WHOAMI
  • writeups
    • HTB Boxes
      • Headless (Easy)
      • Codify (Easy)
      • Builder (Medium)
      • Usage (Easy)
      • Sightless (Easy)
      • Cicada (Easy)
      • Yummy (Hard)
    • TuxCTFv2
      • Vampires Checker (Reverse)
      • wannaGOwithme (Reverse)
      • TuxHouse (Machine)
      • The Lair (web)
      • Die Todten (OSINT)
  • 💻Random but useful
    • Tmux
    • CPTS Review
Powered by GitBook
On this page
  • Enumeration
  • Exploitation
  • Privilege Escalation
  1. writeups
  2. HTB Boxes

Builder (Medium)

Medium difficulty Linux box.....

PreviousCodify (Easy)NextUsage (Easy)

Last updated 11 months ago

Enumeration

Let's start by enumeration the machine with nmap. Nmap scan result:

Nmap scan report for 10.10.11.10
Host is up (0.074s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
8080/tcp open  http    Jetty 10.0.18
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.65 seconds

Two normal ports, SSH and HTTP, let's check the website:

And we see Jenkins!! Now seeing the 2.441 version, and as expected this box covers the latest Jenkins arbitrary file leak vulnerability.

After looking and reading in the security advisory from Jenkins about the vulnerability, let's first start by downloading the Jenkis CLI to interact with the system.

We can use the CLI (jar file) using:

java -jar "jar file"

After messing with it a bit and understanding how to get the available commands, we see we can do "connect-node", and as stated in the vulnerability description, the "@" sign, if followed by file name, will substitute the actual content of the file.

Exploitation

So for example let's try to put "/etc/passwd", using this command:

java -jar jenkins-cli.jar -s 10.10.11.10:8080 connect-node '@/etc/passwd'

We see this:

Doing that, we can start reading a bit about the system, but to utilize this further more, we need to know Jenkins store files, and what files can be more interesting to us.

Now Let's check where the home directory is, using environment variables:

Now seeing it, let's see what users there is, from "/var/jenkins_home/users/users.xml":

we see Jennifer with the ID, having that we can access some files to see the password, going to:

/var/jenkins_home/users/jennifer_12108429903186576833/config.xml.

Reading that file we will get a file hash, so now let's crack it and get the password:

Let's login!!

Now logging to the website, going to the script console we can execute commands, so let's get a shell on the box.

Getting a shell on the box, now let's start enumerating.

Privilege Escalation

Now going into the home directory again, we see the "credentials.xml" file, it has some private keys for users, including the "root".

but its encrypted, we need to find a way to decrypt it, keep in mind, it's done using the secret key in that directory, so for ease of use, we had to leak the Jennifer user password to login, and then just decrypt this key easily from the script console:

Now After doing that, we will get the root private key, let's save it and login as root!

That's it for the box!

Happy hacking :)

🧛
Jenkins website
Downloading the Jenkins-CLI jar
Reading /etc/passwd
Reading environment variable
Seeing users.xml
Cracking the password
Using the script console to get a shell
Decrypting the key
Getting root flag