Build is an easy-to-medium box from Vulnlab, with some interesting, fun stuff inside.
From the scan we can see a few interesting ports: 22, 512, 513, 873 and 3000.
Port 22 is running SSH, which I have no creds to log in with, so we can proceed with the other ports.
After some googling on port 873 (rsync), I ended up on HackTricks with some useful information.
From HackTricks I learned that I can ask the server to list its files by connecting with netcat.
From here I was able to see the backups directory, so we can try to retrieve these backups onto our local machine as follows.
With that I was able to extract the backups directory onto my local machine.
Reading through this backup, I saw some encrypted Jenkins credentials. To decrypt them we need the file that holds the secret (config.xml or credentials.xml) together with master.key and hudson.util.Secret.
After some googling on how to decrypt Jenkins credentials, I found this script, which worked for me.
After running the tool we get the username and password.
Now that we have creds we need to find where they work, because they don't work on SSH.
From the scan we saw port 3000, which is running Gitea.
When you click Explore you will find a public repo that contains only a little source code, but it is meaningful, and it shows the username we saw earlier.
From the source code we see that it's a simple Jenkinsfile that runs an sh
command, so if we are able to edit this Jenkinsfile and make it run our own bash command, it should be possible to get a shell from here.
From here we can use the creds we got earlier to log in as buildadm
and try to edit the file.
After about 3-4 seconds you will get a callback on your local machine with a shell.
Now we have a shell, but we're inside a Docker container.
We see a few users but nothing very useful for now; from here we need to find a way to escape the container.
After moving around the container, I found that some commands are available, but ip, ifconfig and netstat
are not, so we need another way to check the network interfaces.
In the home directory there is a useful hidden file, .rhosts;
let's check the contents of this file.
Thinking outside the box, I realised that there is an internal network; maybe I need to break out of this network and move to another one.
From here I figured there might be a hint of it somewhere, either an IP address or anything else. After a bit of working with Gitea webhooks,
there is a hint of the network address.
From here you can use any tool of your choice, but I will use chisel; Ligolo is a little bit weird for me.
Upload chisel to both the local machine and the container, make it executable, and forward the network to our local machine.
Before we start accessing the network we first need to edit the proxychains config file as follows.
If we test the connection we can see that we're now good to go. Let's start the scanning afresh.
From the scan we got a few interesting ports, mhmmm: 22, 3306 and 8081.
From here we can try to connect to MySQL and see if we can get any useful info or access to the databases.
In the powerdnsadmin database, the user table holds a username and a Blowfish hash; record it somewhere because you will need it later.
After cracking the hash
Back to the tables (history and record), which give us some very useful info.
From the records table we can also get the same info we got from history.
From here we're good to go, but the most interesting DNS name was pdns.build.vl, mhmmm.
From the record: pdns.build.vl: 172.18.0.6
We can try to see if we can access the pdns service with curl.
Reading the source code above, we can see that we got a login page, but sadly we cannot access it in a browser the normal way; we need something like FoxyProxy or curl. Doing this with curl is a little awkward, so let's just use FoxyProxy in our browser.
Now we're good to go, with our internal-network target in the browser.
From here we can try to log in with the creds we just got from the database in the internal network.
Privilege escalation was a little interesting; here are the steps to reproduce it. Anyway, it was fun.
From the zone records
we can see that we have some interesting domains, as we saw in the DB.
Now that we already know what port 513 (rlogin)
is, we need to find a way to log in through this port remotely.
Now we can try to access this port from our machine.
After trying to access it, I found that the creds I had are not working here.
What we're missing is that we need to forward this service to our local machine by adding our IP address, as seen below.
Now I tried the same process again.
And finally we get our root flag.
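The .rhosts trust that made the rlogin step above possible is worth auditing from the defender's side: any entry that trusts a hostname is only as strong as the DNS that resolves it, which is exactly the weakness exploited here. The following is an added example (not from the box or the author) that parses a constructed .rhosts file and flags the risky entry types; the sample hostnames and IPs are made up.

```python
import ipaddress

# Constructed sample .rhosts content (not from the box); one trust entry per line.
SAMPLE_RHOSTS = """\
# hosts allowed to rlogin into this account without a password
intranet.example.internal
10.10.10.5 deploy
+ +
-badhost.example.internal
+@trusted
"""

def parse_rhosts(text):
    """Parse .rhosts lines into (host, user, negated) tuples, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        host, user = parts[0], (parts[1] if len(parts) > 1 else None)
        negated = host.startswith("-")  # a leading '-' denies rather than grants
        if negated:
            host = host[1:]
        entries.append((host, user, negated))
    return entries

def audit_rhosts(text):
    """Return (entry, finding) pairs for every entry that grants risky trust."""
    findings = []
    for host, user, negated in parse_rhosts(text):
        entry = host if user is None else f"{host} {user}"
        if negated:
            continue  # explicit denials grant nothing
        if host == "+":
            findings.append((entry, "wildcard host: any host is trusted"))
        elif user == "+":
            findings.append((entry, "wildcard user: any remote account is trusted"))
        elif host.startswith("+@") or (user or "").startswith("+@"):
            findings.append((entry, "netgroup trust: scope depends on NIS/netgroup data"))
        else:
            try:
                ipaddress.ip_address(host)  # literal address: no DNS lookup involved
            except ValueError:
                findings.append((entry, "hostname trust: resolved via DNS, so a writable zone grants access"))
    return findings

if __name__ == "__main__":
    for entry, finding in audit_rhosts(SAMPLE_RHOSTS):
        print(f"{entry!r}: {finding}")
```

In the box, the trusted name lived in a PowerDNS zone that the recovered database creds could edit, which is the "hostname trust" finding in practice.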