Advent of Cyber 2023 — Day 21 Writeup with Answers by Karthikeyan Nagaraj | TryHackMe Walkthrough
2024-1-14 19:24:30 Author: infosecwriteups.com

TryHackMe — DevSecOps Red [ Yule be Poisoned: A Pipeline of Insecure Code! ] — After fixing the pipeline, further tests show that it’s still vulnerable. The team must identify the threat, prototype an exploit, and resolve the new vulnerability

Karthikeyan Nagaraj

InfoSec Write-ups


  1. Scenario
  2. Learning Objectives
  3. Understanding Concept
  4. Pre-Requisites
  5. Challenge Tasks — Answers
  6. Video PoC — https://youtu.be/ZqJyDf5RcDA

One of the main reasons for acquiring AntarctiCrafts was for their crafty automation in gift-giving, wrapping, and crafting. After securing their automation, they discovered other parts of their CI/CD environment that are used to build and extend their pipeline. An attacker can abuse these build systems to indirectly poison the previously secured pipeline.

  • Understand how a larger CI/CD environment operates.
  • Explore indirect poisoned pipeline execution (PPE) and how it can be used to exploit Git.
  • Apply CI/CD exploitation knowledge to the larger CI/CD environment.

CI/CD Environment

Often, developers or other end-users only see a limited portion of the CI/CD pipeline. Developers interact with Git on a daily basis, so it makes sense that CI/CD is most commonly associated with Git — although it only makes up a quarter of a typical CI/CD pipeline. The diagram below visualises the general segments of a pipeline: development, build, testing, and deployment. While these segments could be expanded and interchanged, all pipelines will follow a similar order.

Automation Platforms

Jenkins, along with many other applications, handles a pipeline’s build segment. These platforms can be remote or local. For example, Travis CI is a remote build platform, whereas Jenkins is a local automation server.

These platforms rely on runners or agents to build a project on a pre-configured VM. One advantage of some automation platforms is that they can automatically create and configure build environments on demand. This allows building and testing in different environments without manual configuration or administration.

Indirect Poisoned Pipeline Execution

Let’s briefly shift our focus back to the development stage. In the previous task, poisoned pipeline execution was introduced, wherein an attacker has direct write access to a repository pipeline. If an attacker doesn’t have direct write access (to a main-protected or branch-protected repository, for example), it’s possible they have write access to other repositories that could indirectly modify the behaviour of the pipeline execution.

If an environment is employing a development pipeline, a configuration file must be defined for the steps the build system must take. If a repository contains all the necessary source and build files, and another repository contains the pipeline files, write permissions could differ between the two, resulting in an indirect PPE vulnerability. In this example, you can assume that the repository containing the source is not write-protected and the repository containing the pipeline is write-protected.

To exploit this vulnerability, an attacker would need to identify a file or other parameter they can arbitrarily change that the pipeline file will use. Makefiles and other build files are usually exploitable because they are used to build the source and can run any arbitrary commands as defined in the makefile. Below is an example of what this might look like in a pipeline file.
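As an added illustration (not the room's own pipeline file), the declarative Jenkinsfile below shows the shape of the build stage the text describes: the pipeline repository is write-protected, but it checks out the unprotected source repository and runs whatever its Makefile contains. The repository URL is the room's placeholder; the commit hash and checksum are assumed placeholders, and the commented-out branch checkout is the weak form while the pinned checkout and checksum stage are one way to close the gap.

```groovy
// Illustrative Jenkinsfile, written for this walkthrough; not the room's file.
// Assumption: this file lives in the write-protected pipeline repo and builds
// the source repo, whose Makefile anyone with write access there can change.
pipeline {
    agent any

    environment {
        // Placeholder from the room; replace with the real source repository
        SRC_REPO = 'http://MACHINE-IP:3000/McHoneyBell/gift-wrapper.git'
        // Assumed placeholders: values a maintainer records after reviewing
        // the source repo's build files
        SRC_COMMIT      = '<reviewed-commit-sha>'
        MAKEFILE_SHA256 = '<sha256-of-reviewed-Makefile>'
    }

    stages {
        stage('Checkout source') {
            steps {
                // Weak form: tracking a branch means the Makefile at the tip of
                // 'main' in the unprotected repo runs under this job's identity,
                // which is the indirect PPE described above.
                // git url: env.SRC_REPO, branch: 'main'

                // Hardened form: pin to a reviewed commit, so a later push to
                // the source repo cannot change what this pipeline executes.
                checkout scmGit(
                    branches: [[name: env.SRC_COMMIT]],
                    userRemoteConfigs: [[url: env.SRC_REPO]]
                )
            }
        }

        stage('Verify build file') {
            steps {
                // Fail before `make` runs if the Makefile differs from the
                // reviewed copy (sha256sum -c exits non-zero on mismatch).
                sh 'echo "${MAKEFILE_SHA256}  Makefile" | sha256sum -c -'
            }
        }

        stage('Build') {
            steps {
                // Every command in the Makefile's default target runs here with
                // the Jenkins node's privileges, which is why it must be trusted.
                sh 'make'
            }
        }
    }
}
```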

  1. Start the TryHackMe VPN or start the AttackBox

1. What Linux kernel version is the Jenkins node?

  1. Open a terminal and clone the repository on the AttackBox, or on your own machine connected to the VPN, using the command
    git clone http://MACHINE-IP:3000/McHoneyBell/gift-wrapper.git
  2. cd into the directory
  3. Type nano Makefile and change the command to uname -a
  4. Press Ctrl+X, then Y, to save the file
  5. Now type the below commands
    git add .
    git commit -m "Message"
    git push
  6. Navigate to http://MACHINE-IP:8080/
  7. Log in with admin:admin
  8. Click gift-wrapper-build → gift-wrapper-pipeline → main
  9. Then click Build on the left side
  10. Then click on the last build and click Console Output on the left side
  11. Now scroll down to see the output of the command that we put in the Makefile

======================================================
Ans: Use your skills and try to find this answer.

If you are unable to do so,

use the video below to find the answer.
=======================================================

2. What value is found from /var/lib/jenkins/secret.key?

Similarly, change the command in the Makefile and find the value.

Ans: 90e748eafdd2af4746a5ef7941e63272f24f1e33a2882f614ebfa6742e772ba7

Source: https://infosecwriteups.com/advent-of-cyber-2023-day-21-writeup-with-answers-by-karthikeyan-nagaraj-tryhackme-walkthrough-2f7984fd2eeb?source=rss----7b722bfd1b8d---4