TryHackMe — Advent of Cyber 2023: [Day 21] DevSecOps: Yule be Poisoned: A Pipeline of Insecure Code!
Day 21 of TryHackMe’s Advent of Cyber 2023 has been launched.
Link: https://tryhackme.com/room/adventofcyber2023
Learning Objectives
- Understand how a larger CI/CD environment operates.
- Explore indirect poisoned pipeline execution (PPE) and how it can be used to exploit Git.
- Apply CI/CD exploitation knowledge to the larger CI/CD environment.
Answer the questions
Logging into Jenkins, we see that there is a job that has been successfully run several times: gift-wrapper-build
Click gift-wrapper-build > gift-wrapper-pipeline > main > #1 > Console Output to review the first build.
As seen from the screenshot, the build runs on the gift-wrapper-pipeline repository. Let’s investigate the repository.
Log into the GitHub page and we’ll see the gift-wrapper-pipeline repository. The repository only has the Jenkinsfile, which only runs the command whoami.
Let’s try cloning the repository and making some changes to the file.
git clone http://10.10.89.53:3000/McHoneyBell/gift-wrapper-pipeline.git
In the file, change the command from make || true to whoami.
Push the change by running these commands:
git add -A
git commit -m "update Jenkinsfile"
git push
As we see in the screenshot, the repository is write-protected, meaning we don’t have the authorization to make changes to the repository.
Viewing build #2 provides no further useful information. Let’s try building it one more time to see if anything useful shows up.
Voila! We get a different console output. It looks like the build is also fetching the gift-wrapper.git repository and executing the to_pip.sh script from it.
Let’s clone the repository and see if we can make changes to the to_pip.sh file.
Then commit changes to the repository:
git add -A
git commit -m "Make changes to to_pip.sh script"
git push
Looks like we have successfully modified the repository.
Now let’s go back to Jenkins and run the build one more time.
Great. We have obtained the system information along with the secret.key.
What Linux kernel version is the Jenkins node?
Answer: 5.4.0-1029-aws
What value is found from /var/lib/jenkins/secret.key?
Answer: 90e748eafdd2af4746a5ef7941e63272f24f1e33a2882f614ebfa6742e772ba7
Conclusion
And we have successfully exploited the weaknesses of the Jenkins server and the git repositories. I believe this room introduces the basic concept of DevOps and CI/CD.
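A mitigation for the weakness used above, as an added example that is not part of the original write-up or the room: the write-protected pipeline records the reviewed SHA-256 of to_pip.sh and refuses to run the copy fetched from gift-wrapper.git if it differs. The function names and the sample script contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: checksum gate for a script fetched from a second, writable repo.
# run_pinned_script, sha256_of and the sample file contents are hypothetical.

# Print the SHA-256 of a file as lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Run "$1" only if its SHA-256 equals the reviewed digest "$2".
# Returns 2 if the file is missing, 3 (without executing it) if the content drifted.
run_pinned_script() {
    script=$1
    expected=$2
    [ -f "$script" ] || { echo "missing: $script" >&2; return 2; }
    actual=$(sha256_of "$script")
    if [ "$actual" != "$expected" ]; then
        echo "REFUSED $script: sha256 $actual, reviewed $expected" >&2
        return 3
    fi
    sh "$script"
}

# Constructed demo: a reviewed to_pip.sh, then the same file after an unreviewed push.
demo() {
    work=$(mktemp -d)
    printf 'echo "packaging gift-wrapper"\n' > "$work/to_pip.sh"
    # Digest recorded at review time; keep it in the write-protected pipeline repo.
    reviewed=$(sha256_of "$work/to_pip.sh")

    first=0
    run_pinned_script "$work/to_pip.sh" "$reviewed" || first=$?

    # Simulates someone with write access to gift-wrapper.git changing the script.
    printf 'echo "unreviewed change"\n' >> "$work/to_pip.sh"
    second=0
    run_pinned_script "$work/to_pip.sh" "$reviewed" || second=$?

    rm -rf "$work"
    echo "exit codes: reviewed=$first modified=$second"
}

demo
```

The gate only helps if the expected digest lives where contributors to the second repository cannot edit it, which here means the protected gift-wrapper-pipeline repository.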