Try   HackMD

Build is a eazy-medium box from vulnlab, with some interesting fun stuffs inside here.

Screenshot from 2024-08-30 07-24-47

SCANNING

Screenshot from 2024-08-30 07-27-17

ENUMERATION

From scanning we can see we have some few interesting ports, such as 22,512,513,873,300

port 22

Port 22 is running ssh which I have no creds to login on with ssh, So we can process with the other port

port 873

After some google with port 873, ended up with hacktricks with some cool information.

Screenshot from 2024-08-30 07-36-21

After reading hacktricks, I found that I can ask the server to list files by connecting with netcat

Screenshot from 2024-08-30 07-39-51

Screenshot from 2024-08-30 07-41-32

From here I was able to see the backups directory, now we can try to retrieve this backups into our local machine a follows.

❯ rsync -av rsync://10.10.72.183:873/backups ./backup_rsync

From here now I was able now to extract the backups directory into my local machine.

Screenshot from 2024-08-30 07-45-15

Screenshot from 2024-08-30 07-46-40

After reading this backup well i saw that there is some encoded jenkins password, and in order to extract this creds we need something like config.xml or credentials.xml, master.key and hudson.util.Secret.

After some google on how to decrypt jenkins credentials found this script which worked for me.

Screenshot from 2024-08-30 07-51-19

After running the tool we get the username and password.

Screenshot from 2024-08-30 07-53-04

username:buildadm
password: G....!

Now we got creds then we need to find where this creds work because this creds doesnt work on ssh.

port 3000

From scanning we saw port 3000 which is running gitea

Firefox_Screenshot_2024-08-30T12-03-32.636Z

When you click explore you will find that there is a public repo which contains few source code but with great meaning and a username as we saw earlier.

Screenshot from 2024-08-30 08-06-35

From the source code we see that its a simple script that tries to run the sh command, so if were able to edit this jenkins file and make it run our bash command its possible to get a shell from here.

EXPLOITATION

From here we can use the creds we got earlier to login as buildadm and try to edit the file.

Firefox_Screenshot_2024-08-30T12-12-39.145Z

After a while like 3-4 seconds you will get a call-back on ur local machine with a shell.

Screenshot from 2024-08-30 08-13-52

PIVOTING

Now we got a shell, but were inside a docker

Screenshot from 2024-08-30 08-17-13

We got few users but not very useful now from here we need to find a way to escape docker.

Docker escape

After moving around the docker container here and there, found that we have some few command but command such as ip, ifconfig and netstat were not available so we need to find a way to use check the network interface.

In the home directory there is a usefull file but is hidden rhosts,checking the content of this file.

Screenshot from 2024-08-30 08-20-11

admin.build.vl +
intern.build.vl +

Thinking out of box i realized that there is an internal network, maybe i need to escape this network and move to another network.

back-on gitea

From here i knew maybe there is a hint of this either an ip address or anything.After a little bit working with gitea on webhooks there is hint of the network address.

Screenshot from 2024-08-30 08-25-03

port forwading

From here You can use any tool of your choise but i will use chisel, ligoro is a little bit weird for me.

Upload chisel on both local machine and on the docker machine and make it executable and forward the network into our local machine.

Screenshot from 2024-08-30 08-35-02

Now before we start accessing the network we need first to edit the proxychains config file as follows

Screenshot from 2024-08-30 08-38-50

And if we test the connection we can see that now were good to go. Lets start afresh the scanning.

Screenshot from 2024-08-30 08-40-44

SCANNING INTERNAL NETWORK

Screenshot from 2024-08-30 08-43-31

Nmap scan report for 172.18.0.1
Host is up, received conn-refused (0.49s latency).
Scanned at 2024-08-30 08:42:13 EDT for 619s
Not shown: 991 closed tcp ports (conn-refused)
PORT     STATE SERVICE         REASON
22/tcp   open  ssh             syn-ack
53/tcp   open  domain          syn-ack
512/tcp  open  exec            syn-ack
513/tcp  open  login           syn-ack
514/tcp  open  shell           syn-ack
873/tcp  open  rsync           syn-ack
3000/tcp open  ppp             syn-ack
3306/tcp open  mysql           syn-ack
8081/tcp open  blackice-icecap syn-ack

ENUMERATION

From the scanning we got some few interesting ports mhmmm,22,3306,8081

port 3306

From here we can try to connect to mysql and see if we can get any cool info maybe or access to the databases.

Screenshot from 2024-08-30 08-47-59

ENUMERATING DBS

From the database(powerdnsadmin), From table user there is a username and a encoded browfish hash, record it somewhere because you will need it in the future somewhere.

Screenshot from 2024-08-30 08-50-38

After cracking the hash

username:admin
password: <Redacted>

Back again on the tables(history and record), gives us some info which are very usefull.

Screenshot from 2024-08-30 08-54-03

From table (records), we can also get the same info we got from history.

Screenshot from 2024-08-30 08-55-54

db.build.vl:          172.18.0.4
gitea.build.vl:       172.18.0.2
intern.build.vl:      172.18.0.1
jenkins.build.vl:     172.18.0.3
pdns-worker.build.vl: 172.18.0.5
pdns.build.vl:        172.18.0.6

From here were good to go, but the most interesting dns was pdns.build.vl mhmmm.

FOOTHOLDING

From pdf pdns.build.vl: 172.18.0.6 we can try to see if we can access the pdns service, with curl.

Screenshot from 2024-08-30 09-00-52

After reading the source code above we can see that we got a login page but sad enough we cannot access in a browser in just a normal way, we need something like foxyproxy or curl, But doing this with a curl is a little bit weird so lets just use foxyProxy on our browser.

Screenshot from 2024-08-30 09-07-24

Screenshot from 2024-08-30 09-08-37

Now here were good to go with our internal network with our target on the browser.

Screenshot from 2024-08-30 09-09-30

From here we can try to login with the creds we just got from the databases in the internal network.

Screenshot from 2024-08-30 09-12-50

PRIVILEGE ESCALATION

Privilege escalation was little bit interesting, steps to reproduce privilege escalation anyway it was fun here.

Screenshot from 2024-08-30 09-16-27

From the Zone Record we can see that we have some interesting domains as we saw in the db.

port 513

512/tcp  open     exec            syn-ack     netkit-rsh rexecd
513/tcp  open     login?          syn-ack
514/tcp  open     shell           syn-ack     Netkit rshd

The Remote Shell Protocol (RSH) is a remote execution client similar to REXEC that enables you to execute a command on a remote host and receive the results on your local host.

After we have already know what this port513 is now we need to find a way to login with this port remotely.

Firefox_Screenshot_2024-08-30T13-21-27.031Z

Now we can try to access this port from our machine

❯ rsh -l root 10.10.101.231

After trying to access this i found that the creds i had are not working here.

Screenshot from 2024-08-30 09-28-16

What were missing is that we need to forward this service into our local machine by adding our ip address as seen below.

Screenshot from 2024-08-30 09-29-42

Now i tried again the same process.

Screenshot from 2024-08-30 09-35-55

And finally we get our root flag

Screenshot from 2024-08-30 09-49-34

Last changed by 
alienX
security analyst ,penetration tester,red teamer, CTF player
0
336

Read more

PUBLIC-KEY CRYPTOGRAPHY

These challenges first introduce us to the many footguns of RSA, and soon see you performing attacks which real software has been vulnerable to. Next, we will look at Diffie-Hellman key exchange and explore how the core problem behind it, and later on we will see how we can use the power of programming language to solve attacks such as Man-In-The-Middle attacks by intercepting and crack the secret messages

Mar 28, 2025
OVERVIEW

Hellow forks its alienkeric again from this side before the 2024 ended I had some goals to accomplish which were one ex

Jan 14, 2025
SEA-WRITEUP

Hello forks, lets wanted to share with season-6 machine from hackthebox,

Dec 21, 2024
MANAGE

From nmap scanning we can see that our target has 3 open ports i.e

Oct 16, 2024
Read more from alienX
Published on HackMD