Docker

Jenkins is one of those tools that organizations often spin up quickly and forget to harden. Builder is a medium-difficulty Linux box that demonstrates exactly what happens when that oversight meets a known CVE and a stored credential that wasn’t meant to be found. Machine Info Field Value Name Builder Platform HackTheBox OS Linux Difficulty Medium IP 10.129.230.220 TL;DR Jenkins 2.441 is vulnerable to a Local File Inclusion (CVE-2024-23897). The LFI lets us read arbitrary files from the server, which is enough to enumerate Jenkins users, steal a password hash, crack it, log in as that user, and execute a Groovy reverse shell from the Script Console. The shell lands inside a Docker container. From there, the Jenkins home directory contains an encrypted SSH private key in credentials.xml. We use pwn_jenkins to decrypt it with master.key and hudson.util.Secret, then SSH in as root. ...

Next up: Analytics, an Easy Linux box. Pre-auth RCE on Metabase, Docker escape via environment variable credential leak, and a kernel exploit chain for root. Machine info Name Analytics Platform HackTheBox OS Linux Difficulty Easy TL;DR Metabase 0.46.6 vulnerable to pre-auth RCE (CVE-2023-38646) Initial shell lands inside a Docker container Environment variables leak SSH credentials (metalytics:An4lytics_ds20223#) SSH to the host as metalytics, then kernel exploit CVE-2023-2640 + CVE-2023-32629 (overlayfs) for root Recon RustScan + Nmap 1 rustscan -a 10.129.21.240 -- -sV -sC -Pn -A ...