Hello everyone. In this blog post, we will be rooting the Builder machine from Hack The Box, which is all about Jenkins and a recent CVE affecting Jenkins. Let’s do it!
1) Starting as usual with an nmap scan to see what we are dealing with:
nmap -sC -sV -A -T4 <TARGET_IP>
Nothing crazy here: a web server and an SSH server. Let’s check the web server:
2) As I mentioned earlier, the web server is running Jenkins. On some Jenkins instances you can enumerate users even when unauthenticated, which I did right away:
From here we can see that there is a jennifer user.
2.1) Another scenario is that, still as an unauthenticated user, we can enumerate the Jenkins credentials store, where I found root’s SSH private key! Extremely interesting for later:
2.2) Checking the Jenkins version running, I found out that it is vulnerable to CVE-2024-23897, which allows us to read arbitrary files from the remote server through the Jenkins CLI, due to the way the CLI argument parser handles the @ character!
2.3) To download the Jenkins CLI, simply navigate to http://<BOX_IP>/cli and download the .jar file. To check that it works, we can execute the simple help command:
java -jar jenkins-cli.jar -s http://10.10.11.10:8080/ help
Cool, our Jenkins CLI is working. Let’s test this Jenkins instance for the vulnerability:
2.4) Let’s make use of the @ character:
And we see that Jenkins’ master key has been returned to us, great! We have confirmed that the vulnerability is present:
2.5) There is a script that automates this process, which I will be using: https://github.com/verylazytech/CVE-2024-23897
Confirming that the script works by reading /etc/passwd:
2.6) Okay, but which files do we read to get an initial foothold? Now it’s all about Jenkins. After some research I found out that Jenkins stores its existing users at the path below (since I know there is a user jennifer, let’s check it out):
/var/jenkins_home/users/users.xml
I learned here that every user also has what seems to be a unique ID. After further research I found out that user configurations (including the password hash) are stored here:
/var/jenkins_home/users/<USER_ID>/config.xml
We can use the script from above again to get the password hash:
2.7) Let’s use Hash Identifier to check what type of hash this is:
We can use hashcat for that, and the hash can be cracked with the rockyou.txt wordlist!
2.8) We can now log in to the Jenkins instance as Jennifer:
2.9) Jennifer also has access to the Jenkins Script Console, from where we can run a malicious script to get a reverse shell:
2.10) This way we get local.txt!
3) Now things are about Jenkins again, even for privilege escalation! I remembered the root SSH private key I found earlier; now that we have access to Jenkins itself, it can be abused to SSH to the box as root and execute a reverse shell payload, giving us a shell as root! Let’s do it!
3.1) I created a new Pipeline, which I can then configure to execute a job for me. Here things get interesting, because we can execute the job on behalf of root by using his stored SSH private key! Here is the job script that I used, alongside the reverse shell payload:
3.2) Now run this job and start a listener on the port specified above:
And we got a root shell!
How? Jenkins pipeline job -> job executed -> SSH as root to the box -> as root, execute the bash reverse shell payload -> connection to our listener as root -> GG!
Lessons Learned:
1) This box was all about Jenkins, and I really liked that, as Jenkins is a very popular and fun tool! The first lesson I learned is about the handling of the @ character in the Jenkins CLI, which led to CVE-2024-23897.
2) The second lesson I learned is the locations of sensitive Jenkins files, especially the users file; after getting the user IDs, we can get each user’s configuration file with that user’s password hash!
3) And the third lesson is to always check for stored credentials in Jenkins, especially in the Global domain, as they are available to any Jenkins user! That way we can execute jobs as other users by abusing stored credentials!
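As an added defensive check for lesson 1 (this is my own helper, not part of the writeup or the linked script), here is a small Python triage routine: it reads the X-Jenkins version header that a Jenkins instance returns and reports whether the version predates the CVE-2024-23897 fixes (weekly 2.442, LTS 2.426.3), so an admin can inventory instances that still need patching. The header block below is constructed sample data, not captured from the box.

```python
import re

# CVE-2024-23897 affects Jenkins weekly 2.441 and earlier and LTS 2.426.2
# and earlier; it was fixed in weekly 2.442 and LTS 2.426.3.
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)

_VERSION_RE = re.compile(r"^\d+(?:\.\d+){1,2}$")

def parse_version(text):
    """Turn '2.426.2' into (2, 426, 2); raise ValueError on anything else."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a Jenkins version string: {text!r}")
    return tuple(int(part) for part in text.split("."))

def is_lts(version):
    # LTS releases carry a third component (2.426.2); weeklies have two (2.441).
    return len(version) == 3

def is_vulnerable(version_text):
    version = parse_version(version_text)
    if is_lts(version):
        return version < FIXED_LTS
    return version < FIXED_WEEKLY

def version_from_headers(raw_headers):
    """Pull the X-Jenkins value out of a raw HTTP response header block."""
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "x-jenkins":
            return value.strip()
    return None

def triage(raw_headers):
    version = version_from_headers(raw_headers)
    if version is None:
        return ("unknown", None)
    return ("vulnerable" if is_vulnerable(version) else "patched", version)

# Constructed sample header block (not a capture from the machine).
SAMPLE_HEADERS = """HTTP/1.1 403 Forbidden
X-Jenkins: 2.426.2
Content-Type: text/html;charset=utf-8
"""

if __name__ == "__main__":
    print(triage(SAMPLE_HEADERS))  # ('vulnerable', '2.426.2')
```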