TryHackMe: Advent of Cyber 2023 (Day 21) Yule be Poisoned: A Pipeline of Insecure Code!

Samantha
3 min readDec 28, 2023

--

“One of the main reasons for acquiring AntarctiCrafts was for their crafty automation in gift-giving, wrapping, and crafting. After securing their automation, they discovered other parts of their CI/CD environment that are used to build and extend their pipeline. An attacker can abuse these build systems to indirectly poison the previously secured pipeline.”

Q1: What Linux kernel version is the Jenkins node?

I started by logging into Gitea and checking out the two repositories. In the gift-wrapper-pipeline repository there is a Jenkinsfile, which can run shell commands (check out line 13).

However, this can’t be easily modified because the repository is protected (a nice surprise knowing the elves), so we have to try a side route.

Instead, we can modify the Makefile in the other repository.

Clone that repository to create a local copy.

You’ll notice the Makefile just runs the to_pip.sh script, but we can edit it to do other things.

I used nano to modify it with the uname-a command.

I used git add and then checked the status to confirm my modifications.

Then used git commit with my message.

Finally, I pushed my changes.

Now, since we have access to the Jenkins admin panel with the provided credentials, we can initiate a new build immediately from gift-wrapper-build> gift-wrapper-pipeline> main by pressing the green play button.

If you then click on main you can see the last build was successful a short while ago.

Click on the last build link, and then click Console Output on the left.

If you scroll down and read through the output, you will eventually see your command and the response.

Q2: What value is found from /var/lib/jenkins/secret.key?

This entire process can be repeated using a different command to find the next answer.

Rebuild again and then check the output:

--

--

Samantha

CTF writeups to facilitate cyber education and help me earn CPEs