Build is an easy-medium box from Vulnlab, with some interesting, fun stuff inside.

SCANNING

ENUMERATION

From the scan we can see a few interesting ports, such as 22, 512, 513, 873 and 3000.

port 22

Port 22 is running SSH, but I have no creds to log in with, so we can proceed with the other ports.

port 873

After some googling on port 873, I ended up on HackTricks, which had some cool information.

After reading hacktricks, I found that I can ask the server to list files by connecting with netcat

From here I was able to see the backups directory. Now we can try to retrieve these backups to our local machine as follows.

❯ rsync -av rsync://10.10.72.183:873/backups ./backup_rsync

With that, I was able to pull the backups directory to my local machine.
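
The listing and download above work because the rsync module accepts anonymous clients. As an added example (not part of the original write-up), this sketch audits an rsyncd.conf for modules in that state; the sample config, module names and paths are constructed assumptions, not the target's real configuration.

```python
# Added example: flag rsync daemon modules that can be listed or read anonymously.
# SAMPLE_CONF is constructed for illustration; it is not the target's real config.
SAMPLE_CONF = """\
uid = nobody
hosts allow = 10.0.0.0/8
[backups]
    path = /srv/backups
    read only = yes
[archive]
    path = /srv/archive
    auth users = backupsvc
    secrets file = /etc/rsyncd.secrets
    list = no
"""

FALSE_VALUES = {"no", "false", "0"}

def parse_rsyncd(text):
    """Split rsyncd.conf text into (global params, {module: params})."""
    global_params, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            target = global_params if current is None else current
            target[key.lower()] = value
    return global_params, modules

def audit_modules(text):
    """Return {module: [findings]} using global values as per-module defaults."""
    global_params, modules = parse_rsyncd(text)
    report = {}
    for name, params in modules.items():
        effective = {**global_params, **params}
        findings = []
        if not effective.get("auth users"):
            findings.append("anonymous access: no 'auth users'")
        if not effective.get("hosts allow"):
            findings.append("no 'hosts allow' restriction")
        if effective.get("list", "yes").lower() not in FALSE_VALUES:
            findings.append("module name is listable")
        if findings:
            report[name] = findings
    return report
```

Calling `audit_modules(SAMPLE_CONF)` reports only the `backups` module, which has no `auth users` and is listable by default.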

After reading through this backup carefully, I saw that there is an encoded Jenkins password. In order to extract these creds we need something like config.xml or credentials.xml, master.key and hudson.util.Secret.

After some googling on how to decrypt Jenkins credentials, I found this script, which worked for me.

After running the tool we get the username and password.

username:buildadm
password: G....!

Now that we have creds, we need to find where they work, because they don't work on SSH.

port 3000

From scanning we saw port 3000, which is running Gitea.

When you click Explore you will find a public repo which contains only a little source code, but with great meaning, and a username we saw earlier.

From the source code we see that it's a simple script that tries to run the sh command, so if we're able to edit this Jenkins file and make it run our bash command, it's possible to get a shell from here.

EXPLOITATION

From here we can use the creds we got earlier to login as buildadm and try to edit the file.

After a short while, like 3-4 seconds, you will get a call-back on your local machine with a shell.

PIVOTING

Now we've got a shell, but we're inside a Docker container.

We got a few users, but they are not very useful right now. From here we need to find a way to escape Docker.

Docker escape

After moving around the Docker container, I found that we have only a few commands; commands such as ip, ifconfig and netstat were not available, so we need to find another way to check the network interfaces.

In the home directory there is a useful hidden file, .rhosts. Checking the content of this file:

admin.build.vl +
intern.build.vl +
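
Each of these entries names a trusted host followed by `+`, which lets any user on that host log in as the file's owner without a password. As an added example (not part of the original write-up), this sketch audits `.rhosts` content for entries that widen trust; the first two sample lines are the entries shown above and the remaining ones are constructed.

```python
# Added example: audit .rhosts trust entries for over-broad grants.
import ipaddress

# First two lines are the entries shown above; the rest are constructed.
SAMPLE_RHOSTS = """\
admin.build.vl +
intern.build.vl +
192.0.2.15 deploy
+ +
-untrusted.example.org
"""

def is_ip(value):
    """True when the host field is a literal IP address rather than a name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def audit_rhosts(text):
    """Return [(line_no, entry, [findings])] for entries that widen trust."""
    results = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith(("#", "-")):
            continue  # blank, comment, or deny entry: grants nothing
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if user and user.startswith("-"):
            continue  # explicit deny for that remote user
        findings = []
        if host == "+":
            findings.append("any host is trusted")
        elif not is_ip(host):
            findings.append("hostname trust depends on DNS integrity")
        if user == "+":
            findings.append("any remote user may log in as the file owner")
        if findings:
            results.append((line_no, " ".join(fields), findings))
    return results
```

Hostname entries are flagged separately because the r-services daemon resolves the connecting address to a name before matching, so whoever controls those DNS records controls the trust decision.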

Thinking outside the box, I realized that there is an internal network; maybe I need to escape this network and move to another network.

back on gitea

From here I figured there might be a hint about this somewhere, either an IP address or anything else. After working a little with webhooks in Gitea, there is a hint of the network address.

port forwarding

From here you can use any tool of your choice, but I will use chisel; ligolo is a little bit weird for me.

Upload chisel to both the local machine and the Docker container, make it executable, and forward the network to our local machine.

Before we start accessing the network, we first need to edit the proxychains config file as follows.

And if we test the connection we can see that we're now good to go. Let's start the scanning afresh.

SCANNING INTERNAL NETWORK

Nmap scan report for 172.18.0.1
Host is up, received conn-refused (0.49s latency).
Scanned at 2024-08-30 08:42:13 EDT for 619s
Not shown: 991 closed tcp ports (conn-refused)
PORT     STATE SERVICE         REASON
22/tcp   open  ssh             syn-ack
53/tcp   open  domain          syn-ack
512/tcp  open  exec            syn-ack
513/tcp  open  login           syn-ack
514/tcp  open  shell           syn-ack
873/tcp  open  rsync           syn-ack
3000/tcp open  ppp             syn-ack
3306/tcp open  mysql           syn-ack
8081/tcp open  blackice-icecap syn-ack

ENUMERATION

From the scan we got a few interesting ports, mhmmm: 22, 3306, 8081.

port 3306

From here we can try to connect to mysql and see if we can get any cool info maybe or access to the databases.

ENUMERATING DBS

In the database (powerdnsadmin), the user table contains a username and an encoded Blowfish hash. Record it somewhere because you will need it later.

After cracking the hash

username:admin
password: <Redacted>

Back again in the tables (history and record), which give us some very useful info.

From table (records), we can also get the same info we got from history.

db.build.vl:          172.18.0.4
gitea.build.vl:       172.18.0.2
intern.build.vl:      172.18.0.1
jenkins.build.vl:     172.18.0.3
pdns-worker.build.vl: 172.18.0.5
pdns.build.vl:        172.18.0.6

From here we're good to go, but the most interesting DNS name was pdns.build.vl mhmmm.

FOOTHOLDING

Since pdns.build.vl is at 172.18.0.6, we can use curl to see whether we can access the pdns service.

After reading the source code above we can see that we got a login page, but sadly we cannot access it in a browser the normal way; we need something like FoxyProxy or curl. Doing this with curl is a little awkward, so let's just use FoxyProxy in our browser.

Now we're good to go, with the target on the internal network reachable from our browser.

From here we can try to login with the creds we just got from the databases in the internal network.

PRIVILEGE ESCALATION

Privilege escalation was a little bit interesting, and fun too. Here are the steps to reproduce it.

From the Zone Record we can see that we have some interesting domains as we saw in the db.

port 513

512/tcp  open     exec            syn-ack     netkit-rsh rexecd
513/tcp  open     login?          syn-ack
514/tcp  open     shell           syn-ack     Netkit rshd

The Remote Shell Protocol (RSH) is a remote execution client similar to REXEC that enables you to execute a command on a remote host and receive the results on your local host.

Now that we know what port 513 is, we need to find a way to log in through this port remotely.

Now we can try to access this port from our machine

❯ rsh -l root 10.10.101.231

After trying to access this, I found that the creds I had are not working here.

What we're missing is that we need to forward this service to our local machine by adding our IP address, as seen below.

Now i tried again the same process.

And finally we get our root flag
