Build is an easy-medium box from vulnlab, with some interesting and fun stuff inside.

# SCANNING

# ENUMERATION
From the scan we can see that we have a few interesting ports, such as 22, 512, 513, 873 and 3000.
## port 22
Port 22 is running SSH, but I have no creds to log in with, so we can proceed with the other ports.
## port 873
After some googling about port 873, I ended up on HackTricks, which had some useful information.

After reading HackTricks, I found that I can ask the rsync server to list its shared files by connecting with netcat.


From here I could see the backups directory, so now we can try to retrieve it to our local machine as follows.
```
❯ rsync -av rsync://10.10.72.183:873/backups ./backup_rsync
```
This pulled the backups directory down to my local machine.


After reading through the backup carefully I saw that there is an encrypted Jenkins password, and in order to recover these creds we need config.xml or credentials.xml together with master.key and hudson.util.Secret.
After some googling on how to decrypt Jenkins credentials I found this script, which worked for me.

After running the tool we get the username and password.

```
username:buildadm
password: G....!
```
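The combination of files named above is exactly what a defender should be looking for in an rsync-exposed backup. As an added example (not part of the original writeup, and not the decryption script the author used), here is a small audit script that walks a backup tree, reports whether the Jenkins key material (`master.key`, `hudson.util.Secret`) and a credentials store (`credentials.xml`) are all present, counts encrypted `{...}` values in the credentials file, and notes whether the key files are world-readable. The sample backup tree it builds is constructed in a temp directory; the regex for encrypted values is an approximation of Jenkins' `{base64}` secret format.

```python
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Files that, together, let anyone holding the backup recover stored Jenkins credentials.
KEY_MATERIAL = {"master.key", "hudson.util.Secret"}
CREDENTIAL_STORES = {"credentials.xml"}

# Approximation of a Jenkins encrypted secret as stored in XML: "{<base64>}".
ENCRYPTED_VALUE_RE = re.compile(r"\{[A-Za-z0-9+/=]{20,}\}")


def build_sample_backup() -> str:
    """Create a constructed backup tree shaped like a Jenkins home (sample data, not the box's real files)."""
    root = Path(tempfile.mkdtemp(prefix="jenkins_backup_"))
    secrets = root / "secrets"
    secrets.mkdir()
    # Constructed credentials.xml with one encrypted-looking value.
    (root / "credentials.xml").write_text(
        "<password>{AQAAABAAAAAwc29tZS1jb25zdHJ1Y3RlZC1zYW1wbGU=}</password>\n"
    )
    (secrets / "master.key").write_text("deadbeef" * 8 + "\n")
    (secrets / "hudson.util.Secret").write_bytes(b"\x00" * 32)
    for p in secrets.iterdir():
        p.chmod(0o644)  # world-readable, as files copied into a backup often end up
    return str(root)


def scan_backup(root: str) -> Dict[str, object]:
    """Report Jenkins secret files found under root and whether credentials are recoverable from it."""
    files: List[Tuple[str, str, bool]] = []  # (name, relative path, world_readable)
    seen = set()
    encrypted_values = 0
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name not in KEY_MATERIAL and name not in CREDENTIAL_STORES:
                continue
            path = Path(dirpath) / name
            world_readable = bool(path.stat().st_mode & stat.S_IROTH)
            files.append((name, str(path.relative_to(root)), world_readable))
            seen.add(name)
            if name in CREDENTIAL_STORES:
                encrypted_values += len(ENCRYPTED_VALUE_RE.findall(path.read_text(errors="ignore")))
    # Recoverable means the whole key chain plus a credential store left together in one place.
    recoverable = KEY_MATERIAL <= seen and bool(CREDENTIAL_STORES & seen)
    return {"files": files, "encrypted_values": encrypted_values, "recoverable": recoverable}


if __name__ == "__main__":
    result = scan_backup(build_sample_backup())
    for name, rel, readable in result["files"]:
        print(f"{rel}: {'world-readable' if readable else 'restricted'}")
    print(f"encrypted values in credential stores: {result['encrypted_values']}")
    if result["recoverable"]:
        print("stored Jenkins credentials are recoverable from this backup: rotate them and restrict the rsync module")
```

The point of the check is the `recoverable` flag: a backup that contains the key material but no credential store (or vice versa) is far less dangerous than one that ships all three side by side on an unauthenticated rsync module.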
Now that we have creds, we need to find where they work, because they don't work on SSH.
## port 3000
From the scan we saw that port 3000 is running Gitea.

When you click Explore you will find a public repo that contains only a little source code, but it is very meaningful, along with the username we saw earlier.

From the source code we see that it is a simple script that runs a `sh` command, so if we are able to edit this Jenkins file and make it run our own bash command, it is possible to get a shell from here.
# EXPLOITATION
From here we can use the creds we got earlier to log in as `buildadm` and try to edit the file.

After a short wait of about 3-4 seconds you will get a callback on your local machine with a shell.

# PIVOTING
Now we have a shell, but we are inside a Docker container.

There are a few users, but nothing very useful right now; from here we need to find a way to escape the container.
## Docker escape
After moving around the container here and there, I found that we have a few commands available, but commands such as `ip`, `ifconfig` and `netstat` were not, so we need another way to check the network interfaces.
In the home directory there is a useful hidden file, `.rhosts`; let's check its contents.

```
admin.build.vl +
intern.build.vl +
```
Thinking outside the box, I realised that there is an internal network; maybe I need to escape this one and move into that network.
## back on gitea
From here I figured there might be a hint about this, an IP address or something. After working a little with Gitea's `webhooks`, there is a hint of the network address.

## port forwarding
From here you can use any tool of your choice, but I will use chisel; ligolo is a little bit weird for me.
Upload chisel to both the local machine and the Docker container, make it executable, and forward the internal network to our local machine.

Now, before we start accessing the network, we first need to edit the proxychains config file as follows.

If we test the connection we can see that we are good to go. Let's start the scanning afresh.

### SCANNING INTERNAL NETWORK

```
Nmap scan report for 172.18.0.1
Host is up, received conn-refused (0.49s latency).
Scanned at 2024-08-30 08:42:13 EDT for 619s
Not shown: 991 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
53/tcp open domain syn-ack
512/tcp open exec syn-ack
513/tcp open login syn-ack
514/tcp open shell syn-ack
873/tcp open rsync syn-ack
3000/tcp open ppp syn-ack
3306/tcp open mysql syn-ack
8081/tcp open blackice-icecap syn-ack
```
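The scan above is worth triaging mechanically rather than by eye: three of those ports (512, 513, 514) are the legacy r-services, which trust hosts instead of credentials, and 873 and 3306 are services that rarely belong on a reachable segment. As an added example (not part of the original writeup), here is a small parser for nmap's normal output that flags such services with a severity and a remediation note. The input is the scan block from this page, embedded as a constructed sample; the severity table is my own assumption about what a defender would want flagged.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the internal-network scan shown in the writeup.
SAMPLE_NMAP = """\
Nmap scan report for 172.18.0.1
Host is up, received conn-refused (0.49s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
53/tcp open domain syn-ack
512/tcp open exec syn-ack
513/tcp open login syn-ack
514/tcp open shell syn-ack
873/tcp open rsync syn-ack
3000/tcp open ppp syn-ack
3306/tcp open mysql syn-ack
8081/tcp open blackice-icecap syn-ack
"""

# Services a defender should flag (assumed severities). The r-services authenticate by
# source host (.rhosts / hosts.equiv) and send everything in cleartext; rsync modules
# are often left anonymous; MySQL should not be reachable from other segments.
RISK_NOTES: Dict[str, Tuple[str, str]] = {
    "exec":  ("high",   "rexec (512/tcp): cleartext credentials; disable and use SSH"),
    "login": ("high",   "rlogin (513/tcp): host-based trust via .rhosts; disable and use SSH"),
    "shell": ("high",   "rsh (514/tcp): host-based trust via .rhosts; disable and use SSH"),
    "rsync": ("medium", "rsync daemon (873/tcp): verify modules require auth and are not listable"),
    "mysql": ("medium", "MySQL (3306/tcp): restrict to the application host only"),
}

HOST_RE = re.compile(r"^Nmap scan report for (?P<host>\S+)")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")


def parse_nmap(text: str) -> List[Dict[str, str]]:
    """Parse nmap normal-output lines into rows of {host, port, proto, state, service}."""
    host = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group("host")
            continue
        m = PORT_RE.match(line)
        if m and host:
            rows.append({"host": host, **m.groupdict()})
    return rows


def flag_risky(rows: List[Dict[str, str]]) -> List[Tuple[str, int, str, str]]:
    """Return (host, port, severity, note) for each open port whose service is in RISK_NOTES."""
    findings = []
    for r in rows:
        if r["state"] != "open":
            continue
        note = RISK_NOTES.get(r["service"])
        if note:
            findings.append((r["host"], int(r["port"]), note[0], note[1]))
    return findings


if __name__ == "__main__":
    for host, port, severity, note in flag_risky(parse_nmap(SAMPLE_NMAP)):
        print(f"[{severity.upper():6}] {host}:{port} {note}")
```

Run against the sample it prints five findings, three of them high; feeding it a real `nmap -oN` file works the same way because the per-port line format is identical.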
### ENUMERATION
From the scan we got a few interesting ports, hmm: 22, 3306, 8081.
#### port 3306
From here we can try to connect to MySQL and see if we can get any useful info or access to the databases.

#### ENUMERATING DBS
In the database (powerdnsadmin), the user table contains a username and a blowfish hash; record it somewhere because you will need it later.

After cracking the hash:
```
username:admin
password: <Redacted>
```
Back on the tables (history and record), they give us some very useful info.

From the records table we can also get the same info we got from history.

```
db.build.vl: 172.18.0.4
gitea.build.vl: 172.18.0.2
intern.build.vl: 172.18.0.1
jenkins.build.vl: 172.18.0.3
pdns-worker.build.vl: 172.18.0.5
pdns.build.vl: 172.18.0.6
```
From here we are good to go, but the most interesting DNS name was pdns.build.vl, hmm.
#### FOOTHOLDING
From the record `pdns.build.vl: 172.18.0.6` we can try to see if we can access the pdns service with curl.

After reading the source code above we can see that we have a login page, but sadly we cannot access it in a browser the normal way; we need something like FoxyProxy or curl. Doing this with curl is a bit awkward, so let's just use FoxyProxy in the browser.


Now we are good to go, with our internal-network target reachable in the browser.

From here we can try to log in with the creds we just got from the database in the internal network.

# PRIVILEGE ESCALATION
Privilege escalation was a little bit interesting; anyway, here are the steps to reproduce it, and it was fun.

From the `Zone Record` page we can see some interesting domains, as we saw in the DB.
## port 513
```
512/tcp open exec syn-ack netkit-rsh rexecd
513/tcp open login? syn-ack
514/tcp open shell syn-ack Netkit rshd
```
```
The Remote Shell Protocol (RSH) is a remote execution client similar to REXEC that enables you to execute a command on a remote host and receive the results on your local host.
```
Now that we know what port `513` is, we need to find a way to log in over it remotely.

Now we can try to access this port from our machine:
```
❯ rsh -l root 10.10.101.231
```
After trying this I found that the creds I had do not work here.

What we were missing is that we need to forward this service to our local machine by adding our IP address, as seen below.

Now I tried the same process again.

And finally we get our root flag.
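Both the `.rhosts` contents found in the container earlier and the final step of adding an IP address to that file come down to the same weakness: rsh/rlogin trust whatever host and user the file names, with no password. As an added example (not part of the original writeup), here is a small `.rhosts` auditor a defender could run over user home directories. It parses the `host [user]` format, flags `+` wildcards and entries that trust a bare IP address, and leaves `-host` deny entries alone. The sample file is constructed: the first two entries are the ones seen on the box, the rest are made up to show a safe entry, an IP-based entry and the worst-case `+ +`.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample .rhosts: two lines from the container plus made-up lines for contrast.
SAMPLE_RHOSTS = """\
# trusted hosts for this account (constructed sample)
admin.build.vl +
intern.build.vl +
backup.build.vl backup
10.10.14.5 root
+ +
"""


@dataclass
class RhostsEntry:
    lineno: int
    host: str
    user: Optional[str]  # None means "same username as the local account"


def parse_rhosts(text: str) -> List[RhostsEntry]:
    """Parse .rhosts lines of the form 'host [user]', skipping blanks and # comments."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append(RhostsEntry(n, parts[0], parts[1] if len(parts) > 1 else None))
    return entries


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_rhosts(entries: List[RhostsEntry]) -> List[Tuple[int, str, str]]:
    """Return (lineno, severity, reason) for entries that grant passwordless access too broadly."""
    findings = []
    for e in entries:
        if e.host.startswith("-"):
            continue  # explicit deny entry, nothing to flag
        if e.host == "+" and e.user == "+":
            findings.append((e.lineno, "critical", "any user from any host may log in without a password"))
        elif e.host == "+":
            findings.append((e.lineno, "high", f"user '{e.user}' is trusted from any host"))
        elif e.user == "+":
            findings.append((e.lineno, "high", f"any user on {e.host} may log in as this account"))
        elif _is_ip(e.host):
            # Host-based trust is only as good as the network: an IP literal is trivially
            # claimable by anyone who can route to the rshd, exactly what the writeup exploits.
            findings.append((e.lineno, "medium", f"trust granted to bare IP {e.host}; prefer removing rsh entirely"))
    return findings


if __name__ == "__main__":
    for lineno, severity, reason in audit_rhosts(parse_rhosts(SAMPLE_RHOSTS)):
        print(f"line {lineno} [{severity}]: {reason}")
```

In practice the remediation is not a tighter `.rhosts` but removing `rshd`/`rlogind` (ports 512-514) altogether, as the scan triage earlier suggests; the auditor is mainly useful for finding which accounts are still exposed before the services are switched off.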
