In this post, I would like to share a walkthrough of the Builder Machine from Hack the Box

This room will be considered a medium machine on Hack the Box

What will you gain from the Builder machine?

For the user flag, you will need to exploit a recent Jenkins vulnerability, namely CVE-2024-23897, this exploration focuses on its capacity for partial file reading and the subsequent risk of remote code execution. The forthcoming demonstration will elucidate the exploitation of this vulnerability, delve into techniques to optimize file access, identify the password hash associated with the admin user, and subsequently employ cracking methods to attain access to Jenkins.

As for the root flag, you need to locate a stored SSH key with the Jenkins application and present three methodologies for its retrieval. Initially, I will extract an encrypted version from the administrative panel. Secondly, I will utilize it to establish an SSH connection to the host and locate a duplicate. Lastly, I will orchestrate the pipeline to inadvertently disclose the key, facilitating its recovery.

For those who want to learn or improve CyberSecurity skills especially Red Teaming and Blue Team, You can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me

Academy link can be found https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259

Information Gathering on Builder Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

┌─[darknite@parrot]─[~/Documents/htb/Builder]
└──╼ $ nmap -sC -sV 10.10.11.10 -oA inital
# Nmap 7.93 scan initiated Tue Feb 13 01:10:38 2024 as: nmap -sC -sV -oA inital 10.10.11.10
Nmap scan report for 10.10.11.10
Host is up (0.017s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3eea454bc5d16d6fe2d4d13b0a3da94f (ECDSA)
|_  256 64cc75de4ae6a5b473eb3f1bcfb4e394 (ED25519)
8080/tcp open  http    Jetty 10.0.18
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: Dashboard [Jenkins]
|_http-server-header: Jetty(10.0.18)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 13 01:10:47 2024 -- 1 IP address (1 host up) scanned in 9.08 seconds
┌─[darknite@parrot]─[~/Documents/htb/Builder]
└──╼ $

Let’s access the website interface

It looks like it’s a Jenkins 2.441 application

Let’s do some research on the Jenkins vulnerability that we can take advantage of.

CVE-2024-23897 vulnerability

The page shown above appears when we click on the Security Advisory of Jenkins 2024-01-24

I also found some GitHub posts here where they provide some Python scripts whose function is to read file vulnerability for the Jenkins application

Therefore, let’s execute the Python script so that we can read the file that is stored inside the machine.

Boom! We have successfully been able to read the file /etc/passwd. However, we cannot proceed further with those scripts.

After i stuck for a while, i decided to read back the Security Advisory in case there is valuable information that we can use in the latter stage.

As a result, we managed to find a jar file where we could download the actual file into our machine.

Execute the jenkins-cli.jar that we download earlier

Before proceeding further, we need to verify whether the jar file can be executed properly.

We execute the jar file with the server URL which provides a lot of commands that we can use further on the builder machine

Firstly, we need to look into the /proc/self/environ process which it give us a lot of information including the location of the reference file

Sadly, we cannot obtain anything when we try to connect to the directory that we found earlier.

My bad! We are required to obtain files on the users.xml but we still cannot retrieve anything from that command.

After troubleshooting for a while, i noticed that Jenkins is super sensitive to uppercase and lowercase. I also noticed that there’s a potential user for the machine such as jennifer_12108439903186576833 been saved as a string in the XML file

Analyzing the xml file

We also should be looking at the config.xml file that is stored in the user directory which leads to passwordhash which we can crack to proceed further

Sadly, we cannot crack the hashes by using the crackstation

Therefore, let’s use a few tools to crack the hashes while hoping we can obtain a password to access them.

We can use John the Ripper to crack the hashes.

Another tool is by using hashcat where we will retrieve the same password either way.

Exploring the Jenkins application

Let’s access the Jenkins dashboard by using the credentials that we found earlier.

Normally, i will be going to execute the command injection on the Script Console which located inside the “Manage Jenkins”

Let’s start with our listeners.

We should be able to retrieve the reverse shell connection this way but sadly, it doesn’t work as planned

Alternatively, we can try to save the bash command on our attacker machine and we can start our python server.

Let’s ensure that we can retrieve the file by calling the curl command to our machine

At last, it worked as I was not expecting it at all.

As a result, we should be put our bash reverse shell into a bash file on our machine

Let’s call the bash file and try to download it into our victim’s machine

It look like that we managed to ensure it work as planned

Therefore, let’s execute the bash file as shown in the screenshot above.

Finally, we managed to obtain the reverse shell connection

We have noted that we are inside the docker environment

For us to obtain a proper shell, we cannot use the Python script due that Python is not installed on the machine.

However, the script have been installed on the machine

At last, we should obtain the proper shell after executing the command above.

We can read the user flag by typing the “cat user.txt” command

Escalate to Root Privileges Access on the Builder machine

We managed to find the private key that had been saved in the credentials.xml file which located inside the /var/jenkins_home/ directory

We are required to enter the syntax above to get some public key

Sadly, it doesn’t work as planned

After trying to find a way to ensure it works, i noticed there’s some “(“ missing in the syntax so i have to add the missing piece, and let’s click the Run button again.

At last, we managed to obtain the SSH public key.

Finally, we have successfully access the machine via SSH public key

We can read the root flag by typing the “cat root.txt” command