AoC3 Day 14: Exploiting the CI/CD Pipeline


If you are new to TryHackMe, I recommend checking out their Tutorial room to see how the platform works and how you can access the target machine(s). I also highly recommend using your own “attack box”, be it a Kali, Parrot, or some other pentesting oriented Linux distro (in the form of a VM), as opposed to the browser based solution TryHackMe provides. I’ve found that the browser based VM is a lot slower, though others seem to have no issues with it. The only thing using your own attack VM entails is connecting it to THM’s network through VPN, but this is incredibly easy as TryHackMe will supply you with your own OpenVPN configuration file and is outlined below.

Types of Challenges

The TryHackMe platform has multiple types of challenges, each potentially having its own requirements for accessing and completing it. You can identify the type of challenge by looking at the icon on the right-hand side of the collapsible bar for that particular challenge:


Challenges using the “server rack” icon include the use of a deployable machine, and are the most common. Pressing the “Start Machine” button will launch a virtual machine that you have two ways of accessing: using THM’s “attack box”, found at the top of your browser window:

Or, you can instead opt to use your own virtual machine connected to the THM network, which is done (on Linux) by clicking your user icon, “Access”, and then “Download My Configuration File”.

Clicking “Save File”

And by running the following command in a terminal (I might suggest you move the download to another folder, such as “Documents”):

Once you see “Initialization Sequence Completed”, you’ll know you’ve successfully connected to THM’s network. Keep this terminal window open (you can minimize it, however). Return to it and press “Ctrl” + “C” twice once you are ready to disconnect.

After you’ve chosen between THM’s attack box or your own virtual machine, you’ll need the IP address of the target machine, which is what was deployed earlier with the green “Start Machine” button. That information can be seen in a banner at the top of your browser window, or in more detail at the top of the page:

In many cases you’ll be copying that IP address into your attack box/VM’s browser’s address bar, but in other cases you might be accessing it through SSH, RDP, etc. You’ll notice that you can add time to it if needed, or terminate it if you finish early – opening up more resources for other THM users.

Challenges using the “browser” icon will require interaction with a simulated website that can be accessed by pressing the “View Site” seen after expanding the challenge. These challenges will need to be completed from within your browser, and cannot be accessed through a VPN on your own machine due to the fact that they are not true websites.

Challenges with the “download” icon include files – in many cases packet captures (pcaps) or log files to be parsed through using a specific type of software. Where you would like to do this examining is up to you, but you will not be able to use one of TryHackMe’s machines. For examining something like a .pcap file, you will want to install Wireshark on one of your own computers or VMs.

Challenges without an icon focus on either reading material and answering questions, or will include a link to a publicly accessible website that doesn’t require connection to THM’s network, and therefore can be completed from any computer you choose.


TryHackMe; Advent of Cyber 3; Day 14 Walkthrough

Day 14 concentrates on the Continuous Integration/Continuous Deployment pipeline, and how risks associated with it can be leveraged by an attacker due to a misconfiguration or oversight.

Because we’ll be attempting to exploit a webpage in this challenge, the first thing we will do is visit the target machine’s IP address in our browser. We’re presented with a static page.

To look for other points of entry, we will use the “dirb” CLI tool that was used earlier in the AoC event. We will supply dirb with the “common.txt” wordlist to test for the most common directory names. Waiting a few moments will reveal a positive hit on the “/admin” URL.

Note: Revisiting this terminal window later will reveal the number of pages that dirb found with its default wordlist, but its best to leave it running in the background while you continue on with the rest of the challenge.

Visiting the /admin URL presents a seemingly more dynamic page, but to know for sure we’ll use our browser’s inspector tools (F12) to view the source code. We can see the box and list of files from the webpage is generated using an iframe HTML object, which allows another document to be embedded into the current HTML document.

Using the credentials provided in the challenge, connect to the target machine via SSH.

ssh mcskidy@<target IP>

Navigate to the /home/thegrinch/scripts directory and run “ls -la” to view its contents and their permissions. This will also reveal the number of scripts contained in the folder. Because we’re logged in as “mcskidy”, “loot.sh” appears to be the only file we will be able to view.

Let’s print the contents of loot.sh to the terminal using “cat”, which tells us more about “ls.html” – the document that was being embedded into the /admin webpage using an iframe.

Because we are able to alter loot.sh, we can change what’s being displayed within ls.html. Let’s use a text editor to change the input from “ls /home/thegrinch/loot” to “cat /etc/shadow”. Using Vim, press the “Insert” key to edit the document, and then press “Esc”, “:”, “w”, “q”, and finally, “Enter” to quit and save your changes. Give the target machine a few moments for the changes to the script to propagate to our webpage. Ensure you are doing a full refresh by pressing “Ctrl” + “F5”. This will rev3eal the five characters following $6$G in pepper’s password hash.

Using this same method, we can use the loot.sh script to write the contents of the other scripts stored in /home/thegrinch/scripts that we normally would not have access to, one of these being “check.sh”:

As stated in the challenge, check.sh appears to be checking for the existence of “remindme.txt” in the /home/thegrinch/loot directory, and prints “ELFSareFast” (our “Grinch” user’s password) to /pass.html if found.

We can create this file using the “touch” command:

touch /home/thegrinch/loot/remindme.txt

The “check.sh” script is executable by any user, so we will run it simply by typing the file name and hitting “Enter”. Navigating to <target IP>/pass.html should now have been created and contain the password.

You can continue to use this method in order to print the contents of the flag.txt file on the Grinch user’s Destkop directory to the webpage, but I chose to instead utilize the newly retrieved password for a new SSH session. Type in “exit”, hit “Enter” and initiate a new SSH session, this time logging in as “thegrinch”:

Because the user “thegrinch” is a super user, we can use an elevated “cat” command to retrieve the contents of flag.txt: