
@RealTryHackMe #AdventOfCyber Series: Challenge 14 – Dev(Insecure)Ops #TisTheSeasonForHacking

Another day, another challenge…

In this post, we’re starting a new series, the Advent of Cyber series, which is hosted by TryHackMe. This is the third year of the Advent of Cyber, where a challenge is released every day leading up to Christmas. In total, there will be 25 challenges. In these challenges, we’re McSkidy, an elf trying to save Christmas.

In our fourteenth challenge, we’re presented with a scenario where the CI/CD server has been compromised, and all updates to the website are terminated. Oh no!

The topic explored in this challenge is Continuous Integration/Continuous Delivery (CI/CD), a process for pushing code in a streamlined, iterative fashion during the development lifecycle. Without this process, code would be pushed manually, which could present a challenge if two developers are working on the same piece of code and check it in at the same time. How would you know which code is the correct one? CI/CD makes this process easy to handle.

There are common CI/CD tools such as Jenkins, GitLab, and Bamboo. While CI/CD is great, it does have its challenges. One such challenge is security misconfiguration, where the server is configured to be too permissive, that is, to allow too much access. Another misconfiguration is where secrets are not stored properly and are available in public view. These misconfigurations will be helpful in our challenge with our CI/CD server.

Can McSkidy use the information learned about security misconfigurations with CI/CD servers to get the web server back on track? Find out below!
