HackTheBox | Builder Walkthrough

Abdulrhman
4 min read, Feb 27, 2024


Hi!!

Please ignore any grammar errors.

Let’s get started with enumeration.

Enumeration

Nmap Scan

nmap -T4 -v -p- -sCV <target_ip>
nmap scan

We got two open ports: port 22 running SSH and port 8080 running HTTP.

Web

We got Jenkins on HTTP.

Jenkins interface

I noticed it’s running Jenkins 2.441. But first I like to visit the People directory to gather information about users.

Got a user

We got a user called jennifer.

Let’s search for the Jenkins version. I found a CVE that allows reading files on the machine.

I used this GitHub repo: https://github.com/Praison001/CVE-2024-23897-Jenkins-Arbitrary-Read-File-Vulnerability.

Here I tried to read the passwd file, and I was able to read it.

Read /etc/passwd

Here I tried to read the process environment variables to get the Jenkins home directory, but I got nothing.

read /proc/self/environ

Here I got stuck for a while, so I decided to read about managing Jenkins and found it can be managed over SSH and with jenkins-cli.

After reading for a while, I saw it recommends using SSH for security, so I chose jenkins-cli.

jenkins-cli

Let’s download it.

wget http://<target_ip>:8080/jnlpJars/jenkins-cli.jar

After reading for a while about how to use it, I was able to read the process environment file.

read /proc/self/environ

From the file, we learn that the Jenkins home directory is /var/jenkins_home/.

Now we can read sensitive information about users and configurations.

Let’s read the users file.

Read users.xml file

From reading it, we can see there’s a jennifer user whose directory is jennifer_12108439903186576833 inside /var/jenkins_home.

From searching, I found there is a configuration file for each user.

Jennifer config file

At the end of the file there is a hash.

Jennifer hash

So let’s crack it.

Crack Jennifer hash

Here I tried to use SSH to access the system, but it didn’t work. So let’s log back in to Jenkins.

Jennifer Jenkins

We can use Script Console to run scripts on the system.

So let’s try to get a reverse shell.

Running a reverse shell

I was able to get a reverse shell.

Shell
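Both the jenkins-cli file read above and the Script Console shell go through well-known Jenkins endpoints, so a reverse proxy's access log can surface them. The following is an added defender-side example and is not part of the original walkthrough; the log lines are constructed samples, while the endpoint paths (/cli, /jnlpJars/jenkins-cli.jar, /script, /scriptText) are Jenkins' real ones.

```python
import re

# Combined-format access-log lines as a reverse proxy in front of Jenkins
# would write them. Constructed samples, not logs from the box.
SAMPLE_LOG = """\
10.10.14.5 - - [27/Feb/2024:10:01:12 +0000] "GET /asynchPeople/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.5 - - [27/Feb/2024:10:02:40 +0000] "GET /jnlpJars/jenkins-cli.jar HTTP/1.1" 200 3366000 "-" "Wget/1.21"
10.10.14.5 - - [27/Feb/2024:10:03:01 +0000] "POST /cli?remoting=false HTTP/1.1" 200 512 "-" "Java/17.0.2"
10.10.14.5 - - [27/Feb/2024:10:03:02 +0000] "POST /cli?remoting=false HTTP/1.1" 200 512 "-" "Java/17.0.2"
10.10.14.5 - - [27/Feb/2024:10:15:33 +0000] "POST /script HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.168.1.20 - - [27/Feb/2024:10:20:00 +0000] "GET /job/build/lastBuild/console HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Endpoints the walkthrough goes through: the CLI jar download, the CLI HTTP
# transport (the file read on 2.441), and the Script Console.
WATCHED = {
    "/jnlpJars/jenkins-cli.jar": "jenkins-cli.jar downloaded by a client",
    "/cli": "jenkins-cli over HTTP (file read via CVE-2024-23897 on 2.441)",
    "/script": "Script Console (runs Groovy on the controller)",
    "/scriptText": "Script Console (runs Groovy on the controller)",
}

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def flag_events(log_text):
    """Return (ip, timestamp, path, reason) for every hit on a watched endpoint."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue  # skip lines that are not in combined log format
        path = rec["path"].split("?", 1)[0]  # drop ?remoting=false etc.
        if path in WATCHED:
            hits.append((rec["ip"], rec["ts"], path, WATCHED[path]))
    return hits

if __name__ == "__main__":
    for ip, ts, path, reason in flag_events(SAMPLE_LOG):
        print(f"{ts}  {ip:<14} {path:<28} {reason}")
```

On a real deployment, a jar download followed by repeated POSTs to /cli from one address, or any POST to /script, is the sequence worth alerting on; if the CLI is not needed, disabling it removes the first path entirely.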

I noticed that we are inside a Docker environment.

Docker Environment

I also noticed there was no python or python3. So I checked for script, which was installed, and used it to get an interactive shell.

script -q 2>/dev/null

Privilege Escalation

After searching for a while, I found an interesting file in the jenkins_home directory called credentials.xml.

Read credentials.xml

After reading it, I got an SSH private key encrypted by a Jenkins plugin.

Encrypted Private key

I searched on Google for how to decrypt it.

google search

And I got the script to decrypt it from the first repo.

Repo link: https://gist.github.com/hoto/d1c874480888f8711f12db33a20b6e4d

Decrypt the Private key

After running the script in the Jenkins Script Console, I got the SSH private key.

First we have to change its permissions.

chmod 600 priv

I tried to log in as root.

ssh -i priv root@<target_ip>
Root

Conclusion

Always search; Google is your friend :)

This was great fun!

I hope you enjoyed the walkthrough. I’m waiting for your feedback.

Don’t forget to check other walkthroughs.
