Lab Icon

Snapchat Exposed

Challenge 02 Jul 2025 Pro Exclusive Solution Available

Start the machine, hack the system, and find the hidden flags to complete this challenge and earn points!

1
Flags
5
Points
75%
Success Rate
Start Your Challenge
~1-2 min setup
Dedicated server
Private instance
Industry standard
This solution is for Flags Mode

This walkthrough explains how to hack the lab and capture the flags. For help with Learning Mode questions, use the Request Hint button next to each question.

Challenge

Snapchat Exposed - Complete Solution Walkthrough

Step 1: Network Discovery and Reconnaissance

  1. Begin by performing a comprehensive network scan to discover all services running on the target system:
nmap -Pn -sS -sV -p- <target-ip>
  1. The scan reveals two open ports:
  • Port 80: Running nginx web server
  • Port 8080: Running Jetty (Java-based web server), which is commonly used by Jenkins
  1. Perform more detailed scans on the discovered ports:
nmap -Pn -sS -sV -p 80,8080 --script=http-title,http-headers <target-ip>
  1. Key discovery: Port 8080 is running Jenkins version 2.387.3

Step 2: Web Service Investigation

  1. Examine the nginx service on port 80:
curl -I http://<target-ip>:80
  1. Access the web page to see the challenge description:
curl http://<target-ip>:80
  1. Investigate the Jenkins service on port 8080:
curl -I http://<target-ip>:8080
  1. Critical discovery: Jenkins is accessible without authentication, indicating a security misconfiguration

Step 3: Jenkins Enumeration and Exploitation

  1. Navigate to the Jenkins dashboard in your browser:
http://<target-ip>:8080
  1. Security issue: Jenkins is running without authentication enabled, which is a critical misconfiguration
  2. On the Jenkins dashboard, you'll see a job named "BuildMe"
  3. Click on the BuildMe job and then click Configure to examine the build configuration
  4. Critical discovery: The build script contains cat /flag.txt, which will output the flag when the job is executed

Step 4: Flag Extraction

  1. Since Jenkins is unsecured, you can trigger the build job to execute the shell command:
  • Click on the BuildMe job
  • Click Build Now to trigger a new build
  • Wait for the build to complete (it should finish quickly)
  1. Once the build completes:
  • Click on the build number (e.g., #1) in the build history
  • Click Console Output to view the build logs
  1. Flag found in the console output:
Started by user anonymous
Building in workspace /var/jenkins_home/workspace/BuildMe
[BuildMe] $ /bin/sh -xe /tmp/jenkins1234567890.sh
+ cat /flag.txt
fe35b52a-165b-4067-8aaa-ddef7d068ed4
Finished: SUCCESS
  1. Flag Found: fe35b52a-165b-4067-8aaa-ddef7d068ed4

Alternative Methods

  1. Direct file access (if available):
curl http://<target-ip>:8080/flag.txt
  1. Jenkins Script Console (if you have administrative access):
println new File('/flag.txt').text

Security Implications

  • Unsecured Jenkins: Running Jenkins without authentication is a critical security vulnerability
  • Arbitrary Code Execution: The ability to execute shell commands through build jobs can lead to full system compromise
  • Privilege Escalation: Jenkins typically runs with elevated privileges, making this vulnerability even more dangerous
  • Data Exposure: Sensitive files and system information can be accessed through build scripts

Real-World Impact

This type of misconfiguration is commonly found in real-world environments and has led to numerous security breaches:

  • Code Repository Access: Attackers can clone private repositories and steal intellectual property
  • Credential Theft: Access to environment variables and stored credentials
  • Infrastructure Compromise: Ability to deploy malicious code or access other systems
  • Data Breaches: Access to sensitive data and configuration files

Prevention and Best Practices

Security Recommendations

  • Enable Authentication: Always configure proper authentication for Jenkins
  • Role-Based Access Control: Implement RBAC to limit user permissions
  • Network Segmentation: Isolate Jenkins servers from production networks
  • Regular Auditing: Monitor build logs and job configurations

Monitoring and Detection

  • Monitor for unauthorized access attempts
  • Log all build executions and configuration changes
  • Implement intrusion detection for unusual build patterns
  • Regular security assessments of CI/CD pipelines

Key Learning Points

  • Network Discovery: Always perform comprehensive port scanning to identify all services
  • Service Enumeration: Gather detailed information about discovered services
  • Security Misconfigurations: Unsecured services are common attack vectors
  • CI/CD Security: Automation platforms require careful security configuration
  • Privilege Escalation: Understand how service privileges can be exploited
  • Shell Command Execution: Web interfaces can provide access to system commands
  • DevOps Security: Automation tools require the same security considerations as other systems
  • Real-World Scenarios: This type of misconfiguration is common in production environments

Tools Used

  • nmap - Network reconnaissance and service discovery
  • curl - Web service enumeration
  • Web browser - Jenkins interface access
  • Jenkins Web Interface - Job configuration analysis and execution
  • Build Console - Output analysis and flag extraction

Challenge Summary

This challenge demonstrates a realistic attack scenario involving:

  1. Network reconnaissance to identify Jenkins services
  2. Discovery of security misconfigurations (unsecured Jenkins)
  3. Exploitation of CI/CD automation for command execution
  4. Flag extraction through build job execution
  5. Understanding of real-world DevOps security risks