In this post, I would like to share a walkthrough of the Builder machine from Hack The Box.
This machine is rated medium on Hack The Box.

What will you gain from the Builder machine?
For the user flag, you will need to exploit a recent Jenkins vulnerability, CVE-2024-23897, focusing on its partial file read capability and the subsequent risk of remote code execution. The demonstration below walks through exploiting this vulnerability, covers techniques to optimise file access, identifies the password hash of the admin user, and cracks it to gain access to Jenkins.
For the root flag, you need to locate an SSH key stored in the Jenkins application; I will present three methods for retrieving it. First, I extract an encrypted copy from the administrative panel. Second, I use it to establish an SSH connection to the host and locate a duplicate. Lastly, I modify the pipeline so that it inadvertently discloses the key, which allows it to be recovered.
For those who want to learn or improve their cyber security skills, especially red teaming and blue teaming, you can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me.
The Academy link can be found at https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259
Information Gathering on Builder Machine
Once we have started the VPN connection (the configuration file is downloaded from Hack The Box), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
┌─[darknite@parrot]─[~/Documents/htb/Builder]
└──╼ $ nmap -sC -sV 10.10.11.10 -oA inital
# Nmap 7.93 scan initiated Tue Feb 13 01:10:38 2024 as: nmap -sC -sV -oA inital 10.10.11.10
Nmap scan report for 10.10.11.10
Host is up (0.017s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3eea454bc5d16d6fe2d4d13b0a3da94f (ECDSA)
|_ 256 64cc75de4ae6a5b473eb3f1bcfb4e394 (ED25519)
8080/tcp open http Jetty 10.0.18
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Dashboard [Jenkins]
|_http-server-header: Jetty(10.0.18)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 13 01:10:47 2024 -- 1 IP address (1 host up) scanned in 9.08 seconds
┌─[darknite@parrot]─[~/Documents/htb/Builder]
└──╼ $
Let’s access the web interface.


It looks like it’s a Jenkins 2.441 application.

Let’s do some research on the Jenkins vulnerability that we can take advantage of.
CVE-2024-23897 vulnerability

The page shown above appears when we click on the Jenkins Security Advisory 2024-01-24.


I also found some GitHub repositories that provide Python scripts exploiting the file read vulnerability in the Jenkins application.

Therefore, let’s execute the Python script so that we can read a file stored on the machine.

Boom! We have successfully read the file /etc/passwd. However, we cannot proceed any further with those scripts.

After being stuck for a while, I decided to re-read the Security Advisory in case it contained valuable information that we could use at a later stage.

As a result, we found a jar file that we could download to our machine.
Executing the jenkins-cli.jar that we downloaded earlier

Before proceeding further, we need to verify whether the jar file can be executed properly.

We execute the jar file with the server URL, which lists a lot of commands that we can use against the Builder machine.

Firstly, we need to look into /proc/self/environ, which gives us a lot of information, including the location of the referenced file.

Sadly, we cannot obtain anything when we try to read the directory that we found earlier.

My bad! We need to read the users.xml file, but we still cannot retrieve anything with that command.

After troubleshooting for a while, I noticed that Jenkins is very sensitive to uppercase and lowercase in the path. I also noticed a potential user for the machine, jennifer_12108439903186576833, saved as a string in the XML file.
Analyzing the XML file

We should also look at the config.xml file stored in the user directory, which contains the passwordHash that we can crack to proceed further.
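As an added example (not code from the original post), the following Python script audits a Jenkins user config.xml the way a defender would: it pulls the passwordHash value, recognises the #jbcrypt: bcrypt format Jenkins' built-in user database writes, and flags a low work factor, since anyone who can read the file can run an offline guess against it. The sample XML and the hash value are constructed placeholders, and the default cost of 10 is an assumption of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a Jenkins user config.xml; the hash is a placeholder
# value, not taken from the Builder machine.
SAMPLE_USER_CONFIG = """<user>
  <fullName>jennifer</fullName>
  <properties>
    <hudson.security.HudsonPrivateSecurityRealm_-Details>
      <passwordHash>#jbcrypt:$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy</passwordHash>
    </hudson.security.HudsonPrivateSecurityRealm_-Details>
  </properties>
</user>
"""

# Jenkins prefixes bcrypt hashes with "#jbcrypt:"; the bcrypt body is
# $<variant>$<cost>$<22-char salt><31-char digest>.
JBCRYPT_RE = re.compile(r"^#jbcrypt:\$(2[abxy])\$(\d{2})\$[./A-Za-z0-9]{53}$")

def extract_password_hash(xml_text):
    """Return the <passwordHash> text from a user config.xml, or None."""
    root = ET.fromstring(xml_text)
    node = root.find(".//passwordHash")
    return node.text.strip() if node is not None and node.text else None

def parse_jbcrypt(value):
    """Classify a Jenkins passwordHash value without touching the digest."""
    m = JBCRYPT_RE.match(value)
    if not m:
        return {"scheme": "unknown", "cost": None}
    return {"scheme": "bcrypt-" + m.group(1), "cost": int(m.group(2))}

def audit_user_config(xml_text, min_cost=12):
    """Report the stored scheme and whether the work factor meets min_cost.

    A cost of 10 is assumed to be the Jenkins default; a low cost plus a
    guessable password is what makes offline cracking of a leaked hash cheap.
    """
    root = ET.fromstring(xml_text)
    name = root.findtext("fullName", default="?")
    value = extract_password_hash(xml_text)
    if value is None:
        return {"user": name, "scheme": None, "cost": None, "weak": False}
    info = parse_jbcrypt(value)
    weak = info["cost"] is None or info["cost"] < min_cost
    return {"user": name, "scheme": info["scheme"], "cost": info["cost"], "weak": weak}

if __name__ == "__main__":
    print(audit_user_config(SAMPLE_USER_CONFIG))
```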

Sadly, we cannot crack the hash using CrackStation.

Therefore, let’s use a few tools to crack the hash, hoping to obtain a password we can use to log in.

We can use John the Ripper to crack the hashes.


Another option is hashcat; we retrieve the same password either way.
Exploring the Jenkins application

Let’s access the Jenkins dashboard by using the credentials that we found earlier.

Normally, I would execute command injection through the Script Console, which is located inside “Manage Jenkins”.

Let’s start our listener.

We should be able to receive the reverse shell connection this way, but sadly it doesn’t work as planned.

Alternatively, we can save the bash command on our attacker machine and start a Python HTTP server.

Let’s ensure that the victim can retrieve files from us by running a curl command against our machine.

At last, it worked, which I was not expecting at all.

As a result, we should put our bash reverse shell into a bash file on our machine.

Let’s call the bash file and try to download it onto the victim machine.

It looks like it worked as planned.

Therefore, let’s execute the bash file as shown in the screenshot above.

Finally, we managed to obtain the reverse shell connection.

We notice that we are inside a Docker container.

To obtain a proper shell, we cannot use the usual Python trick because Python is not installed on the machine.

However, the script binary is installed on the machine.

At last, we should obtain the proper shell after executing the command above.

We can read the user flag by typing the “cat user.txt” command
Escalate to Root Privileges Access on the Builder machine

We found the private key saved in the credentials.xml file, which is located inside the /var/jenkins_home/ directory.
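As an added example, not part of the walkthrough, this Python script inventories a Jenkins credentials.xml and reports which credentials keep private keys or passwords inside the file itself; the {...} values are only encrypted with the instance's own secret, so anyone with Script Console access or a copy of JENKINS_HOME can recover them, which is exactly what the rest of this section demonstrates. The XML fragment, ids, username and blob are constructed placeholders, and the element names assume the layout written by the credentials and ssh-credentials plugins.

```python
import xml.etree.ElementTree as ET

# Constructed credentials.xml fragment (placeholder ids and blob, nothing
# from the Builder machine) in the layout of the credentials plugins.
SAMPLE_CREDENTIALS_XML = """<com.cloudbees.plugins.credentials.SystemCredentialsProvider>
  <domainCredentialsMap><entry>
    <com.cloudbees.plugins.credentials.domains.Domain/>
    <java.util.concurrent.CopyOnWriteArrayList>
      <com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey>
        <scope>GLOBAL</scope><id>deploy-key</id><username>deployer</username>
        <privateKeySource><privateKey>{PLACEHOLDER_ENCRYPTED_BLOB==}</privateKey></privateKeySource>
      </com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey>
      <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
        <scope>GLOBAL</scope><id>registry-login</id><username>ci</username>
        <password>{PLACEHOLDER_ENCRYPTED_BLOB==}</password>
      </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
    </java.util.concurrent.CopyOnWriteArrayList>
  </entry></domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>
"""

# Element names under which the credentials plugins store secret material.
SECRET_TAGS = {"privateKey", "password", "passphrase", "secret"}

def inventory_credentials(xml_text):
    """List every credential (an element with a direct <id> child) and the
    secret-bearing fields beneath it, noting whether each value is wrapped in
    {...}, i.e. encrypted with the instance's hudson.util.Secret key. Nothing
    is decrypted; the point is to know what an admin-level compromise exposes."""
    root = ET.fromstring(xml_text)
    findings = []
    for cred in root.iter():
        cred_id = cred.findtext("id")
        if cred_id is None:
            continue
        secret_fields = []
        for node in cred.iter():
            if node.tag in SECRET_TAGS and node.text:
                text = node.text.strip()
                secret_fields.append((node.tag, text.startswith("{") and text.endswith("}")))
        findings.append({"type": cred.tag.rsplit(".", 1)[-1], "id": cred_id,
                         "scope": cred.findtext("scope", default="?"),
                         "username": cred.findtext("username"),
                         "secret_fields": secret_fields})
    return findings

def ssh_keys_at_rest(xml_text):
    """Ids of credentials whose SSH private key lives inside credentials.xml."""
    return [f["id"] for f in inventory_credentials(xml_text)
            if any(tag == "privateKey" for tag, _ in f["secret_fields"])]
```

Keys reported by ssh_keys_at_rest are the ones to rotate after an admin-level compromise like the one in this walkthrough.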

We need to enter the syntax shown above to obtain the public key.

Sadly, it doesn’t work as planned

After trying to find a way to make it work, I noticed that a “(” was missing from the syntax, so I added the missing piece and clicked the Run button again.

At last, we managed to obtain the SSH public key.


Finally, we have successfully accessed the machine via SSH using the public key.

We can read the root flag by typing the “cat root.txt” command