Advent of Cyber 3 (2021): Day 14 Write-up [TryHackMe]

Farhad Anwari, published in DevOps.dev, Aug 24, 2022

Welcome to another write-up of Advent of Cyber 3.

Today we are going to cover Day 14 of this room.

If you haven’t solved Day 13, click here.

[Day 14] Networking Dev(Insecure)Ops

Today’s task covers networking again, and we will learn about DevOps, the CI/CD concept, and how insecure CI/CD can be exploited.

Learning Objectives

  1. Understanding the CI/CD concept
  2. Overview of risks associated with CI/CD
  3. Having a basic understanding of CI/CD exploitation vectors

What is CI/CD?

CI/CD are two terms often used when talking about software development and DevOps. Their definitions are pretty straightforward.
CI: Continuous Integration is the process in which software source code is kept in a central repository (such as GitHub). All changes are stored in this central repository to avoid having different versions of the same code.
CD: Continuous Delivery is the following (sometimes integral) step of the continuous integration model where code is automatically deployed to the test, pre-production, or production environments. CD is sometimes used as an acronym for “Continuous Deployment.” You are right if you feel like the terms above don’t seem to have clear limits. CI, CD, and the other CD are all part of DevOps best practices that aim to make code delivery faster and more reliable.

CI/CD should be considered as a set of practices that are put in place to enable development teams to make changes, test their code, and deploy the application more reliably.
We should think of CI/CD as a continuous process or loop that includes steps of the software development process.

You can read more about DevOps and CI/CD concepts in the Day 14 task.

Let’s get started!

1. How many pages did the dirb scan find with its default wordlist?

To scan the machine, use the following command (replace Machine_IP with your machine’s IP):

dirb http://Machine_IP
Scanning given Machine directories/pages

As a result, we found 4 pages.

Answer: 4 

2. How many scripts do you see in the /home/thegrinch/scripts folder?

First, we have to connect to the machine over SSH at Machine_IP with the following credentials:

  • username: mcskidy
  • password: Passwrod1

Then navigate to the /home/thegrinch/scripts directory.

Four script files in the scripts directory
Answer: 4

3. What are the five characters following $6$G in pepper’s password hash?

First, we have to find an attack vector. Start by checking the permissions of these scripts:

Here we find that loot.sh is accessible by everyone, and we can modify and execute it.

Let’s read the content of loot.sh

Content of loot.sh

Here we can see that this is a /bin/bash script that runs the ls command on /home/thegrinch/loot and stores the output in /var/www/html/ls.html.

We can modify this and use this vulnerability to run our desired script or command.

Since we are looking for the password, start by reading /etc/shadow: change the script so that it runs cat /etc/shadow.

Content of loot.sh script after modification

Now open the webpage by entering Machine_IP in your browser. Since we know from the previous enumeration that the /admin page exists, we can browse to the admin portal.

Content of /etc/shadow in the admin page

Voila! Using this vulnerability, we successfully displayed the content of /etc/shadow.

Answer: ZUP42

4. What is the content of the flag.txt file on the Grinch’s user’s desktop?

Navigate to /home/thegrinch/Desktop to read the flag.txt content.

cat is not able to read the content of the file, since we do not have permission to read this file as the mcskidy user.

Fortunately, we can use the same vulnerability to read this file.

Modifying loot.sh

Now reload the webpage, and you should see the content of the flag.txt.

Content of flag.txt
Answer: DI3H4rdIsTheBestX-masMovie!

Closure

Today’s task taught us about DevOps and CI/CD concepts. We’ve learned what a CI/CD vulnerability is, its vectors, and how it can be exploited to gain sensitive information.
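The weakness in this task is a script that every user can modify while its output ends up under /var/www/html. The following audit is an added example, not part of the original room or write-up: it flags scripts in a job's folder that anyone other than the owner can change. The temporary directory and check.sh are constructed for the demo.

```shell
#!/bin/sh
# Added example: permission audit for scripts that an automated job executes.

# audit_job_scripts DIR
# Prints one finding per line and returns 1 if any script in DIR (or DIR
# itself) can be modified by users other than the owner; returns 0 if clean.
audit_job_scripts() {
    dir=$1
    rc=0

    # Anyone can swap files in a world-writable directory that lacks the
    # sticky bit, even if each script is locked down.
    if [ -n "$(find "$dir" -maxdepth 0 -perm -0002 ! -perm -1000)" ]; then
        echo "DIR_WORLD_WRITABLE $dir"
        rc=1
    fi

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # -L: judge a symlink by the file it points to.
        if [ -n "$(find -L "$f" -maxdepth 0 -perm -0002)" ]; then
            echo "WORLD_WRITABLE $f"
            rc=1
        elif [ -n "$(find -L "$f" -maxdepth 0 -perm -0020)" ]; then
            echo "GROUP_WRITABLE $f"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed demo: a temporary directory standing in for the job's script
# folder, with loot.sh given the "everyone can modify and execute" mode.
make_demo_dir() {
    d=$(mktemp -d)
    printf '#!/bin/bash\nls /tmp\n' > "$d/loot.sh"
    printf '#!/bin/bash\ndate\n'    > "$d/check.sh"
    chmod 777 "$d/loot.sh"
    chmod 755 "$d/check.sh"
    echo "$d"
}

demo=$(make_demo_dir)
audit_job_scripts "$demo" || echo "fix with: chmod go-w <script>"
rm -rf "$demo"
```

Run it against every directory a scheduled or pipeline job executes from, and treat a non-zero exit as a failed check.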

Great job!
You’ve completed Day 14.

I hope you found this write-up easy to follow.
For more write-ups, follow me, and stay tuned.
To check Day 16, click here. (Day 15 is just a quiz to find your cyber career role.)
Thank you for reading.


Farhad Anwari: A Cybersecurity professional and Penetration Tester | Writing: Walk-through about Cybersecurity, TryHackMe, Penetration Testing, Python.