2018 Derbycon CTF - Jenkins

-
Just like last year; the Derbycon CTF was awesome! I had the honor of competing on team illuminopi this year and we got second place.

Sitting next to and working with such highly skilled hackers was so fulfilling and rewarding it is easy to justify the means of getting there, staying awake for way too long, and even getting "iced" with a hot can of poison called Smirnoff.

Hot Poison

My goal for this year was to contribute over 5000 points and writeup at least one challenge where full exploitation was necessary. I met both of these challenges so without further ado, here's how we popped the Jenkins box.

Jenkins -  192.168.253.45

[1] Initial Recon:  nmap revealed 8080 and I browsed to the website.

 
Jenkins Login Page

[2] Create an account 

I followed the "create an account" link and filled out the form as seen below:

Create an Account

After the account was successfully created, the following page loaded:

Successful Account Creation

[3] Manage Jenkins

Under the "Manage Jenkins" menu selection, there is a function called "Script Console." Consoles are always interesting because it usually means that you can interact with the target in some way.

Manage Jenkins Utilities

The Script Console presented a text input box which is simply a web-based Groovy shell into the Jenkins runtime. Groovy can do things like read files, create sub-processes, and execute commands.

The following command was issued to read the /etc/passwd and similarly /home/jenkins/flag.txt files: 

def command = """cat /etc/passwd"""
def proc = command.execute()
proc.waitFor()
println "return code: ${ proc.exitValue()}"
println "stderr: ${proc.err.text}"
println "stdout: ${proc.in.text}"

You had to scroll down a little bit, but the output returned looked like this:

Found Flag in /etc/passwd

At this point, a web_delivery shell could have been launched, or some other payload, but I opted to use the multi/http/jenkins_script_console metasploit module.

[4] Exploiting Jenkins with Metasploit

Jenkins_script_console Module Options

Meterpreter Session

[5] Privesc

From within my meterpreter session, I dropped to a shell and issued the "sudo -l" command which returned the following:

Jenkins User May Use Sudo to Less the Syslog File 

I then used Less to start a shell:

Root Shell Obtained

[6] Pillage!

At this point it was time to try and find all five (5) flags hidden on the box. 

/etc/passwd - KristyAreYouDoingOkayRd3KPP6acM5zjSD9
/home/jenkins.flag - WhyDon'tYouGetAJobwmjz9WPHQTd7paPx
/root/.bash_history - Nevergonnafindmep26nFMWDraFnzHxW
/var/lib/jenkins/users/admin/config.xml - GiveItToMeBabyUh-huhUh-huhHRuttS7g6Hxv3QSr
Fifth flag was not found or otherwise missed. For example; we cracked the ctf user's password but I'm not sure it was tried as the fifth flag. 

If you ever have the chance to attend Derbycon - I highly recommend spending some time at its CTF. Even though "yee-haw" was borked, there was no shortage of claps, high fives, and that oh so nice rush of capturing the flag.

-strupo_

Popular posts from this blog

The Audacity of Some CTFs

-
Image
2021 Update : This is currently the most read post on our blog. Chances are that you are here because you are working on an audio challenge. If you see something looking like a digital signal, be sure to also check out our Radioactive Man write-up. I have stumbled across a few audio files while competing in CTFs over the last few years and I thought covering spectrograms would make a nice and quick blog post. Flags can manifest themselves in many ways when dealing with media files. One of the most common ways I have seen is by hiding them, or clues to find them, in the file's audio spectrogram. According to wikipedia: "a spectrogram is a visual representation of the spectrum of frequencies of sound, or other signals, as they vary with time." Basically, it is a method to visualize sound and signals. I first learned that you can embed hidden messages and images in a spectrogram when a friend showed me an image from an Aphex Twin song some years ago. Equation by
Read more

Code Name: Treehouse of Horror CTF

-
Image
A friend of mine asked me if I wanted to participate, on the sly, in an internal CTF that he put together for his employer. My score wouldn't be shown, and for all intents and purposes I did not compete. I figured I'd give it a code name incase I need to refer to this event. Let's call it the Treehouse of Horror CTF. The Treehouse of Horror CTF! The scoreboard appeared to be similar to the one used at the Defcon 26 IoT CTF, however this one was organized by challenge which made things nice for tracking your own progress versus one huge board of challenges.  I think this is called Jeopardy style. There were some odd moments at times because different challenge groups shared a target, so you had to identify which flag went with which challenge. Really not that big of a deal and I actually really enjoyed the format rather than just a single submit field like at derby or Eversec's CTF as it helped me track my progress with ease. The challenges were: FreePBX Re
Read more

2020 HTH CTF - Cloud Challenges

-
Image
Last weekend, @strupo_ joined team NiSec to participate in the HTH 2020 CTF  and together they got on the podium in third place! 2020 HTH CTF - Final Scoreboard The challenge categories included:  Cloud Crypto Forensics Kali 101  Misc Pwnables Recon Reverse Engineering Steganography Web Recently, strupo_ was fortunate enough to remotely attend  Breaching the Cloud Perimeter w/Beau Bullock . As cloud testing is still very new to him, and this blog tends to focus on introductory concepts and challenges, we thought it would be appropriate to try and tackle all of the cloud challenges in this post. Okay, let's get into it. The Cloud category had three challenges: BucketList (100) OhSnap! (150) Serving Less (250) BucketList Hey guys! I set up an AWS bucket for this year's hth that we can use to store our flags for the ctf. I think I made the bucket private but I'm not very good at this cloud stuff. Send me a message if I need to edit the permissions. Hint: Let's keep a flag
Read more