Build (easy)

port scan

PORT     STATE    SERVICE         REASON       VERSION
22/tcp   open     ssh             syn-ack      OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
53/tcp   closed   domain          conn-refused
512/tcp  open     exec            syn-ack      netkit-rsh rexecd
513/tcp  open     login?          syn-ack
514/tcp  open     shell           syn-ack      Netkit rshd
873/tcp  open     rsync           syn-ack      (protocol version 31)
3000/tcp open     ppp?            syn-ack
3306/tcp filtered mysql           no-response
8081/tcp filtered blackice-icecap no-response

services enumeration

gitea server

there is a Jenkinsfile in the repository, which suggests a CI/CD pipeline is wired up to it

Rlogin Abuse

https://book.hacktricks.xyz/network-services-pentesting/pentesting-rlogin

Rsync Discovery

the rsync server exposes a backups folder

download it to our machine

it looks like a Jenkins configuration folder

I will use https://github.com/gquere/pwn_jenkins to decrypt the buildadm credential offline

the offline decryption of buildadm's stored password gives Git1234!

now we are logged into Gitea as buildadm
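The reason a readable backup of a Jenkins home is so damaging is that it bundles the key material (secrets/master.key, secrets/hudson.util.Secret) together with the ciphertexts in credentials.xml, so nothing on the Jenkins server is needed to recover stored passwords. Added example, not from the original writeup or from pwn_jenkins: a small audit script that walks a backup tree and reports whether these ingredients are present together. The directory layout and the XML content are constructed placeholders; the encrypted value is a dummy that only mimics the {base64} format Jenkins uses.

```python
import os
import re
import tempfile
from typing import Dict, List

# Files under a Jenkins home whose exposure lets anyone holding the backup recover
# stored credentials offline. Paths are relative to the backup root.
SECRET_FILES = {
    "secrets/master.key": "key that protects hudson.util.Secret",
    "secrets/hudson.util.Secret": "encrypted master secret for stored credentials",
    "credentials.xml": "credential store (ciphertexts are only as safe as the keys above)",
}

# Jenkins stores encrypted secrets as base64 wrapped in braces, e.g. {AQAAABAAAAAw...}.
ENCRYPTED_VALUE = re.compile(r"\{[A-Za-z0-9+/=]{16,}\}")


def audit_jenkins_backup(root: str) -> Dict[str, object]:
    """Walk a backup tree and report which credential-recovery ingredients it contains."""
    present: List[str] = []
    encrypted_values = 0
    for rel in SECRET_FILES:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            present.append(rel)
            if rel.endswith(".xml"):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    encrypted_values += len(ENCRYPTED_VALUE.findall(fh.read()))
    return {
        "present": present,
        "encrypted_values": encrypted_values,
        # Offline decryption needs all three pieces; finding them together is the critical result.
        "offline_decryptable": all(f in present for f in SECRET_FILES),
    }


def build_sample_backup() -> str:
    """Create a constructed directory that mimics the layout of a Jenkins home backup."""
    root = tempfile.mkdtemp(prefix="jenkins_backup_")
    os.makedirs(os.path.join(root, "secrets"))
    with open(os.path.join(root, "secrets", "master.key"), "w") as fh:
        fh.write("0123456789abcdef" * 8)  # constructed placeholder, not a real key
    with open(os.path.join(root, "secrets", "hudson.util.Secret"), "wb") as fh:
        fh.write(b"\x00" * 32)  # constructed placeholder
    with open(os.path.join(root, "credentials.xml"), "w") as fh:
        fh.write(
            "<com.cloudbees.plugins.credentials.SystemCredentialsProvider>\n"
            "  <username>buildadm</username>\n"
            "  <password>{AQAAABAAAAAwCONSTRUCTEDPLACEHOLDERVALUE000000==}</password>\n"
            "</com.cloudbees.plugins.credentials.SystemCredentialsProvider>\n"
        )
    return root


if __name__ == "__main__":
    report = audit_jenkins_backup(build_sample_backup())
    for rel in report["present"]:
        print(f"found {rel}: {SECRET_FILES[rel]}")
    print(f"encrypted values in credentials.xml: {report['encrypted_values']}")
    print(f"offline decryptable: {report['offline_decryptable']}")
```

Run it against the downloaded rsync module root instead of the constructed directory; a backup that scores offline_decryptable is one that must never sit in an anonymously readable rsync share, and rotating the affected credentials is the only real fix once it has leaked.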

Abuse CI/CD

since we are buildadm, we can modify the Jenkinsfile and push it to the Gitea repo

shell

the shell lands in a Docker environment

as we saw in the scan, there are two filtered ports

PowerDNS

MariaDB with anonymous access

there is a database called powerdnsadmin

we can select from the user table and get the admin hash

admin:winston

Abuse rsh-server

since we found ~/.rhosts on the Docker machine and we have access to the DNS database

the .rhosts file lists admin.build.vl and intern.build.vl, which means that if we come from either of those two hosts we can rlogin into the Docker machine

so, what if 10.10.66.105 has the same .rhosts? Let's try adding a fake DNS record so that "admin.build.vl" resolves to our machine
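The weak link here is that .rhosts trust by hostname is only as strong as the DNS zone that resolves those names: anyone who can write to the PowerDNS database decides who "admin.build.vl" is. Added example, not from the original writeup: a parser that reads an .rhosts file and classifies each entry by how the trust decision is made (wildcard, hostname via DNS, or raw IP), the kind of check a defender would run over hosts that still ship rsh/rlogin. The sample file content is constructed, modelled on the two hostnames mentioned above plus the wildcard and user forms the format allows.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

# Constructed .rhosts content modelled on the entries described in the writeup.
SAMPLE_RHOSTS = """\
# hosts trusted for password-less rlogin/rsh
admin.build.vl
intern.build.vl
10.10.10.5 deploy
+ +
"""

RISK_ORDER = {"critical": 2, "high": 1, "info": 0}


@dataclass
class RhostsEntry:
    host: str
    user: Optional[str]
    risk: str
    reason: str


def classify_entry(host: str, user: Optional[str]) -> Tuple[str, str]:
    """Map one host/user pair to a risk level and the reason behind it."""
    if host == "+":
        return "critical", "wildcard host: any client that can reach the service is trusted"
    if user == "+":
        return "critical", "wildcard user: any remote account on that host may log in"
    try:
        ipaddress.ip_address(host)
        return "high", "IP-based trust: no authentication beyond the source address"
    except ValueError:
        return "high", "hostname-based trust: resolved via DNS, so whoever controls the zone controls access"


def parse_rhosts(text: str) -> List[RhostsEntry]:
    """Parse .rhosts lines (host [user]); '#' starts a comment, blank lines are skipped."""
    entries: List[RhostsEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        host = parts[0]
        user = parts[1] if len(parts) > 1 else None
        risk, reason = classify_entry(host, user)
        entries.append(RhostsEntry(host, user, risk, reason))
    return entries


def summarize(entries: List[RhostsEntry]) -> str:
    """Return the highest risk level present; 'info' when the file trusts nobody."""
    if not entries:
        return "info"
    return max(entries, key=lambda e: RISK_ORDER[e.risk]).risk


if __name__ == "__main__":
    parsed = parse_rhosts(SAMPLE_RHOSTS)
    for entry in parsed:
        print(f"[{entry.risk}] {entry.host} {entry.user or '<any local user>'}: {entry.reason}")
    print(f"overall: {summarize(parsed)}")
```

Every non-wildcard entry still comes out as high, which is the point: there is no configuration of .rhosts that is safe once the DNS zone or the network path is writable by an attacker, so the remediation is to remove rsh/rlogin and the ~/.rhosts files rather than to tune them.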

Done!
