Huy Phu


TryHackMe — Advent of Cyber 2023: [Day 21] DevSecOps: Yule be Poisoned: A Pipeline of Insecure Code!

Day 21 of TryHackMe’s Advent of Cyber 2023 has been launched.

Link: https://tryhackme.com/room/adventofcyber2023

Learning Objectives

  • Understand how a larger CI/CD environment operates.
  • Explore indirect poisoned pipeline execution (PPE) and how it can be used to exploit Git.
  • Apply CI/CD exploitation knowledge to the larger CI/CD environment.

Answer the questions

After logging into Jenkins, we see that one job has run successfully several times: gift-wrapper-build.

Click gift-wrapper-build > gift-wrapper-pipeline > main > #1 > Console Output to review the first build.

As seen from the screenshot, the build runs on the gift-wrapper-pipeline repository. Let’s investigate the repository.

Log into the GitHub page and we’ll see the gift-wrapper-pipeline repository. The repository only has the Jenkinsfile, which only runs the command whoami.

Let’s try cloning the repository and making some changes to the file.

git clone http://10.10.89.53:3000/McHoneyBell/gift-wrapper-pipeline.git

In the file, change the command from make || true to whoami.

Push the change by running these commands:

git add -A
git commit -m "update Jenkinsfile"
git push

As we see in the screenshot, the repository is write-protected, meaning we don’t have the authorization to make changes to the repository.

Viewing build #2 provides no further useful information. Let’s try building one more time to see if anything useful turns up.

Voila! We get a different console output. It looks like the build is also fetching the gift-wrapper.git repository, which executes the to_pip.sh script.

Let’s clone the repository and see if we can make changes to the to_pip.sh file.

Then commit changes to the repository:

git add -A
git commit -m "Make changes to to_pip.sh script"
git push

Looks like we have successfully modified the repository.

Now let’s go back to Jenkins and run the build one more time.

Great. We have obtained the system information along with the secret.key.

What Linux kernel version is the Jenkins node?

Answer: 5.4.0–1029-aws

What value is found from /var/lib/jenkins/secret.key?

Answer: 90e748eafdd2af4746a5ef7941e63272f24f1e33a2882f614ebfa6742e772ba7
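
The build ran to_pip.sh from a repository with looser write access than the one holding the Jenkinsfile. As an added example (not part of the room or of this post), the guard below runs such a script only when it matches a SHA-256 pin stored in the write-protected pipeline repository; `run_if_pinned`, `pins.sha256` and the directory layout are assumptions, and paths are assumed to contain no spaces.

```shell
#!/usr/bin/env bash
# Added example: run a script from a second repository only if it matches
# a SHA-256 pin kept in the write-protected pipeline repository.
# Manifest format is sha256sum's own: "<hex digest>  <relative path>".

run_if_pinned() {
    # $1 manifest (absolute path), $2 checkout of the fetched repo, $3 script
    local manifest="$1" root="$2" script="$3"
    # The script itself must be listed, or an unpinned file would slip through.
    if ! awk -v s="$script" '$2 == s { found = 1 } END { exit !found }' "$manifest"; then
        echo "BLOCKED: $script has no pin in $manifest" >&2
        return 2
    fi
    # Every pinned file must still hash to the recorded value.
    if ! (cd "$root" && sha256sum -c "$manifest" >/dev/null 2>&1); then
        echo "BLOCKED: pinned content changed, not running $script" >&2
        return 3
    fi
    (cd "$root" && sh "./$script")
}

demo() {
    # Constructed stand-ins for the two repositories in the walkthrough.
    local work
    work=$(mktemp -d)
    mkdir "$work/pipeline" "$work/gift-wrapper"
    printf 'echo packaging\n' > "$work/gift-wrapper/to_pip.sh"
    (cd "$work/gift-wrapper" && sha256sum to_pip.sh) > "$work/pipeline/pins.sha256"

    run_if_pinned "$work/pipeline/pins.sha256" "$work/gift-wrapper" to_pip.sh
    echo "untouched script -> exit $?"

    # Simulate a push to the writable repository that alters the script.
    printf 'echo packaging\necho extra-step\n' > "$work/gift-wrapper/to_pip.sh"
    run_if_pinned "$work/pipeline/pins.sha256" "$work/gift-wrapper" to_pip.sh
    echo "modified script  -> exit $?"
    rm -rf "$work"
}
demo
```

Because the manifest lives beside the Jenkinsfile, changing a pin requires the same write access as changing the pipeline itself.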

Conclusion

And we have successfully exploited the Jenkins server and the Git repositories’ weaknesses. I believe this room introduces the basic concept of DevOps and CI/CD.
