In this post, I would like to share a walkthrough of the Builder machine from Hack The Box.


This machine is rated as medium difficulty on Hack The Box.

What will you gain from the Builder machine?


For the user flag, you will need to exploit a recent Jenkins vulnerability, CVE-2024-23897. This walkthrough focuses on its partial file read capability and the resulting risk of remote code execution. The demonstration below shows how the vulnerability is exploited, covers techniques to improve file access, identifies the password hash of the admin user, and then cracks it to gain access to Jenkins.


As for the root flag, you need to locate an SSH key stored in the Jenkins application; I will present three ways to retrieve it. First, I will extract an encrypted version from the administrative panel. Second, I will use it to establish an SSH connection to the host and locate a copy there. Lastly, I will make the pipeline disclose the key, allowing its recovery.

For those who want to learn or improve their cybersecurity skills, especially red teaming and blue teaming, you can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me.

The Academy link can be found at https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259

Information Gathering on Builder Machine


Once we have started the VPN connection, which requires a download from Hack The Box, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

┌─[darknite@parrot]─[~/Documents/htb/Builder]
└──╼ $ nmap -sC -sV 10.10.11.10 -oA inital
# Nmap 7.93 scan initiated Tue Feb 13 01:10:38 2024 as: nmap -sC -sV -oA inital 10.10.11.10
Nmap scan report for 10.10.11.10
Host is up (0.017s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3eea454bc5d16d6fe2d4d13b0a3da94f (ECDSA)
|_  256 64cc75de4ae6a5b473eb3f1bcfb4e394 (ED25519)
8080/tcp open  http    Jetty 10.0.18
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: Dashboard [Jenkins]
|_http-server-header: Jetty(10.0.18)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 13 01:10:47 2024 -- 1 IP address (1 host up) scanned in 9.08 seconds
┌─[darknite@parrot]─[~/Documents/htb/Builder]
└──╼ $

Let’s access the web interface.


It looks like it’s a Jenkins 2.441 application.


Let’s do some research on Jenkins vulnerabilities that we can take advantage of.

CVE-2024-23897 vulnerability


The page shown above appears when we click on the Jenkins Security Advisory of 2024-01-24.
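As an added check (not code from the original post), the following Python helper decides whether a Jenkins version string such as the 2.441 seen on this machine falls inside the range the advisory lists as affected. It assumes the fixed releases are weekly 2.442 and LTS 2.426.3, and that the version is read from the X-Jenkins response header.

```python
from typing import Optional

# Fixed releases for CVE-2024-23897 according to the Jenkins security advisory
# of 2024-01-24: weekly 2.442 and LTS 2.426.3. Jenkins weekly versions have two
# numeric components (2.441); LTS versions have three (2.426.2).
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)


def parse_jenkins_version(version: str) -> tuple:
    """Turn '2.426.2' into (2, 426, 2) so versions compare numerically, not lexically."""
    parts = version.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Jenkins version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected_cve_2024_23897(version: str) -> bool:
    """True when the version precedes the fixed release of its own line (weekly or LTS)."""
    parsed = parse_jenkins_version(version)
    fixed = FIXED_WEEKLY if len(parsed) == 2 else FIXED_LTS
    return parsed < fixed


def version_from_headers(headers: dict) -> Optional[str]:
    """Jenkins reports its version in the X-Jenkins response header (case-insensitive name)."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    return None


def assess(headers: dict) -> str:
    """Summarise a host's exposure from its HTTP response headers."""
    version = version_from_headers(headers)
    if version is None:
        return "not jenkins (no X-Jenkins header)"
    state = "affected" if is_affected_cve_2024_23897(version) else "not affected"
    return f"jenkins {version}: {state} by CVE-2024-23897"


if __name__ == "__main__":
    # Constructed headers mirroring what this machine returned (Jetty 10.0.18, Jenkins 2.441).
    sample = {"Server": "Jetty(10.0.18)", "X-Jenkins": "2.441"}
    print(assess(sample))
```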


I also found some GitHub posts that provide Python scripts for exploiting the file read vulnerability in the Jenkins application.


Therefore, let’s execute the Python script so that we can read files stored on the machine.


Boom! We have successfully read the file /etc/passwd. However, we cannot proceed further with those scripts.


After being stuck for a while, I decided to re-read the Security Advisory in case it contains valuable information that we can use at a later stage.


As a result, we found a jar file that we could download to our machine.

Execute the jenkins-cli.jar that we downloaded earlier


Before proceeding further, we need to verify whether the jar file can be executed properly.


We execute the jar file with the server URL, which gives us a lot of commands that we can use further on the Builder machine.


Firstly, we need to look into /proc/self/environ, which gives us a lot of information, including the location of the reference file.


Sadly, we cannot obtain anything when we try to read from the directory that we found earlier.


My bad! We are required to read the users.xml file, but we still cannot retrieve anything with that command.


After troubleshooting for a while, I noticed that Jenkins is very case sensitive. I also noticed a potential user of the machine, jennifer_12108439903186576833, saved as a string in the XML file.

Analyzing the XML file


We should also look at the config.xml file stored in the user directory, which contains a passwordHash that we can crack to proceed further.


Sadly, we cannot crack the hash using CrackStation.


Therefore, let’s use a few tools to crack the hash, hoping we can obtain a password to log in with.


We can use John the Ripper to crack the hash.


Another option is hashcat; we retrieve the same password either way.
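The directory-name lookup and hash extraction described above, as an added Python example that is not part of the original post: the two XML documents are constructed samples in the layout Jenkins uses for users.xml and a user's config.xml, the hash value is made up, and the /var/jenkins_home path is taken from the post.

```python
import re
import xml.etree.ElementTree as ET

JENKINS_HOME = "/var/jenkins_home"  # assumed from the post; adjust for other installs

# Constructed sample of users.xml: Jenkins maps each login id to an on-disk directory
# whose name carries a numeric suffix, so guessing users/jennifer/config.xml fails.
USERS_XML = """<hudson.model.UserIdMapper>
  <idToDirectoryNameMap class="concurrent-hash-map">
    <entry>
      <string>jennifer</string>
      <string>jennifer_12108439903186576833</string>
    </entry>
  </idToDirectoryNameMap>
</hudson.model.UserIdMapper>"""

# Constructed sample of a user's config.xml; the hash value is made up, not a real hash.
USER_CONFIG_XML = """<user>
  <properties>
    <hudson.security.HudsonPrivateSecurityRealm_-Details>
      <passwordHash>#jbcrypt:$2a$10$AbCdEfGhIjKlMnOpQrStUuVwXyZ0123456789AbCdEfGhIjKlMnOp</passwordHash>
    </hudson.security.HudsonPrivateSecurityRealm_-Details>
  </properties>
</user>"""

BCRYPT_RE = re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")  # $2a$cost$22-char salt + 31-char hash

def user_directories(users_xml: str) -> dict:
    """Return {login id: directory name}; the directory name is case sensitive on disk."""
    mapping = {}
    for entry in ET.fromstring(users_xml).findall("./idToDirectoryNameMap/entry"):
        strings = [s.text for s in entry.findall("string")]
        if len(strings) == 2:
            mapping[strings[0]] = strings[1]
    return mapping

def user_config_path(users_xml: str, user_id: str) -> str:
    """Exact path of the user's config.xml, the file that holds the password hash."""
    return f"{JENKINS_HOME}/users/{user_directories(users_xml)[user_id]}/config.xml"

def crackable_hash(config_xml: str) -> str:
    """Pull passwordHash from config.xml and strip Jenkins' '#jbcrypt:' prefix.
    The remainder is plain bcrypt, the format John and hashcat (mode 3200) expect."""
    node = ET.fromstring(config_xml).find(".//passwordHash")
    text = (node.text or "").strip() if node is not None else ""
    if not text.startswith("#jbcrypt:"):
        raise ValueError("no Jenkins bcrypt passwordHash in config.xml")
    digest = text[len("#jbcrypt:"):]
    if not BCRYPT_RE.match(digest):
        raise ValueError("not a well-formed bcrypt hash")
    return digest
```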

Exploring the Jenkins application


Let’s access the Jenkins dashboard using the credentials that we found earlier.


Normally, I would execute the command injection from the Script Console, which is located inside “Manage Jenkins”.


Let’s start with our listeners.


We should be able to retrieve the reverse shell connection this way, but sadly it doesn’t work as planned.


Alternatively, we can save the bash command on our attacker machine and start our Python server.


Let’s ensure that we can retrieve the file by running the curl command against our machine.


At last, it worked, which I was not expecting at all.


As a result, we should put our bash reverse shell into a bash file on our machine.


Let’s call the bash file and try to download it onto the victim machine.


It looks like it works as planned.

Therefore, let’s execute the bash file as shown in the screenshot above.

Finally, we obtain the reverse shell connection.

We note that we are inside a Docker environment.

To obtain a proper shell, we cannot use the Python script because Python is not installed on the machine.

However, the script command is installed on the machine.

At last, we obtain a proper shell after executing the command above.

We can read the user flag by typing the “cat user.txt” command.

Escalating to Root Privileges on the Builder machine


We find the private key saved in the credentials.xml file, which is located inside the /var/jenkins_home/ directory.

We are required to enter the syntax above to get the public key.


Sadly, it doesn’t work as planned.

After trying to find a way to make it work, I noticed there was a “(” missing in the syntax, so I added the missing piece and clicked the Run button again.


At last, we obtain the SSH public key.

Finally, we have successfully accessed the machine via SSH using the public key.

We can read the root flag by typing the “cat root.txt” command.