  • Daily Challenge
  • Released 02 Jul 2025

Snapchat Exposed - Complete Solution Walkthrough

Step 1: Network Discovery and Reconnaissance

  1. Begin by performing a comprehensive network scan to discover all services running on the target system:
      nmap -Pn -sS -sV -p- <target-ip>
  2. The scan reveals two open ports:
      • Port 80: Running nginx web server
      • Port 8080: Running Jetty (Java-based web server), which is commonly used by Jenkins
  3. Perform more detailed scans on the discovered ports:
      nmap -Pn -sS -sV -p 80,8080 --script=http-title,http-headers <target-ip>
  4. Key discovery: Port 8080 is running Jenkins version 2.387.3

Step 2: Web Service Investigation

  1. Examine the nginx service on port 80:
      curl -I http://<target-ip>:80
  2. Access the web page to see the challenge description:
      curl http://<target-ip>:80
  3. Investigate the Jenkins service on port 8080:
      curl -I http://<target-ip>:8080
  4. Critical discovery: Jenkins is accessible without authentication, indicating a security misconfiguration

Step 3: Jenkins Enumeration and Exploitation

  1. Navigate to the Jenkins dashboard in your browser:
      http://<target-ip>:8080
  2. Security issue: Jenkins is running without authentication enabled, which is a critical misconfiguration
  3. On the Jenkins dashboard, you'll see a job named "BuildMe"
  4. Click on the BuildMe job and then click Configure to examine the build configuration
  5. Critical discovery: The build script contains cat /flag.txt, which will output the flag when the job is executed

Step 4: Flag Extraction

  1. Since Jenkins is unsecured, you can trigger the build job to execute the shell command:
      • Click on the BuildMe job
      • Click Build Now to trigger a new build
      • Wait for the build to complete (it should finish quickly)
  2. Once the build completes:
      • Click on the build number (e.g., #1) in the build history
      • Click Console Output to view the build logs
  3. Flag found in the console output:
      Started by user anonymous
      Building in workspace /var/jenkins_home/workspace/BuildMe
      [BuildMe] $ /bin/sh -xe /tmp/jenkins1234567890.sh
      + cat /flag.txt
      fe35b52a-165b-4067-8aaa-ddef7d068ed4
      Finished: SUCCESS
  4. Flag Found: fe35b52a-165b-4067-8aaa-ddef7d068ed4

Alternative Methods

  1. Direct file access (if available):
      curl http://<target-ip>:8080/flag.txt
  2. Jenkins Script Console (if you have administrative access):
      println new File('/flag.txt').text

Security Implications

  • Unsecured Jenkins: Running Jenkins without authentication is a critical security vulnerability
  • Arbitrary Code Execution: The ability to execute shell commands through build jobs can lead to full system compromise
  • Privilege Escalation: Jenkins typically runs with elevated privileges, making this vulnerability even more dangerous
  • Data Exposure: Sensitive files and system information can be accessed through build scripts

Real-World Impact

This type of misconfiguration is commonly found in real-world environments and has led to numerous security breaches:

  • Code Repository Access: Attackers can clone private repositories and steal intellectual property
  • Credential Theft: Access to environment variables and stored credentials
  • Infrastructure Compromise: Ability to deploy malicious code or access other systems
  • Data Breaches: Access to sensitive data and configuration files

Prevention and Best Practices

Security Recommendations

  • Enable Authentication: Always configure proper authentication for Jenkins
  • Role-Based Access Control: Implement RBAC to limit user permissions
  • Network Segmentation: Isolate Jenkins servers from production networks
  • Regular Auditing: Monitor build logs and job configurations
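
The first two recommendations can be checked mechanically against the controller's global config.xml. The following is an added example, not part of the original walkthrough or of Jenkins itself: it audits the security elements Jenkins stores in that file. Both sample documents are constructed, and the function name audit_jenkins_config is hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a controller with security switched off, as in this lab.
UNSECURED = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.SecurityRealm$None"/>
</hudson>"""

# Constructed sample: local user database, no anonymous read, no signup.
HARDENED = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>"""

def _is_true(node, tag):
    return (node.findtext(tag) or "").strip().lower() == "true"

def audit_jenkins_config(xml_text):
    """Return a list of findings for a Jenkins global config.xml."""
    # Strip the XML declaration so its version string never reaches the parser.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text))
    findings = []
    if not _is_true(root, "useSecurity"):
        findings.append("useSecurity is not true: authentication is disabled")
    authz = root.find("authorizationStrategy")
    authz_cls = authz.get("class", "") if authz is not None else ""
    # A missing element is treated the same as the Unsecured strategy.
    if authz is None or authz_cls.endswith("$Unsecured"):
        findings.append("authorization is Unsecured: anonymous has full control")
    elif authz_cls.endswith("FullControlOnceLoggedInAuthorizationStrategy"):
        if not _is_true(authz, "denyAnonymousReadAccess"):
            findings.append("anonymous read access is allowed")
    realm = root.find("securityRealm")
    realm_cls = realm.get("class", "") if realm is not None else ""
    if realm is None or realm_cls.endswith("$None"):
        findings.append("no security realm: nobody can be authenticated")
    elif realm_cls.endswith("HudsonPrivateSecurityRealm"):
        if not _is_true(realm, "disableSignup"):
            findings.append("self-service signup is enabled")
    return findings
```
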

Monitoring and Detection

  • Monitor for unauthorized access attempts
  • Log all build executions and configuration changes
  • Implement intrusion detection for unusual build patterns
  • Regular security assessments of CI/CD pipelines
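
One way to turn build logs into detections, shown as an added example that is not part of the original walkthrough: it triages console output for builds started by the anonymous user and for traced shell commands that touch sensitive paths. PAGE_LOG is the console output shown in Step 4; BENIGN_LOG, the watch-list and the function name triage_console are assumptions made for the example.

```python
import re

# Assumed watch-list of paths a build step should not read; tune per site.
SENSITIVE = re.compile(r"(/flag\.txt|/etc/shadow|\.ssh/|credentials\.xml|/secrets/)")
STARTED = re.compile(r"^Started by user (.+)$")

# Console output from Step 4 of this walkthrough.
PAGE_LOG = """\
Started by user anonymous
Building in workspace /var/jenkins_home/workspace/BuildMe
[BuildMe] $ /bin/sh -xe /tmp/jenkins1234567890.sh
+ cat /flag.txt
fe35b52a-165b-4067-8aaa-ddef7d068ed4
Finished: SUCCESS
"""

# Constructed sample: an authenticated user running an ordinary build.
BENIGN_LOG = """\
Started by user alice
Building in workspace /var/jenkins_home/workspace/nightly
[nightly] $ /bin/sh -xe /tmp/jenkins0000000001.sh
+ make test
Finished: SUCCESS
"""

def triage_console(job, build, text):
    """Return (job, build, kind, detail) alerts for one build's console log."""
    alerts = []
    for line in text.splitlines():
        started = STARTED.match(line)
        if started:
            # An anonymous trigger means the controller accepts unauthenticated builds.
            if started.group(1).strip() == "anonymous":
                alerts.append((job, build, "anonymous-trigger", line))
        # `sh -xe` echoes every command it runs, prefixed with "+ ".
        elif line.startswith("+ ") and SENSITIVE.search(line):
            alerts.append((job, build, "sensitive-read", line[2:]))
    return alerts
```
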

Key Learning Points

  • Network Discovery: Always perform comprehensive port scanning to identify all services
  • Service Enumeration: Gather detailed information about discovered services
  • Security Misconfigurations: Unsecured services are common attack vectors
  • CI/CD Security: Automation platforms require careful security configuration
  • Privilege Escalation: Understand how service privileges can be exploited
  • Shell Command Execution: Web interfaces can provide access to system commands
  • DevOps Security: Automation tools require the same security considerations as other systems
  • Real-World Scenarios: This type of misconfiguration is common in production environments

Tools Used

  • nmap - Network reconnaissance and service discovery
  • curl - Web service enumeration
  • Web browser - Jenkins interface access
  • Jenkins Web Interface - Job configuration analysis and execution
  • Build Console - Output analysis and flag extraction

Challenge Summary

This challenge demonstrates a realistic attack scenario involving:

  1. Network reconnaissance to identify Jenkins services
  2. Discovery of security misconfigurations (unsecured Jenkins)
  3. Exploitation of CI/CD automation for command execution
  4. Flag extraction through build job execution
  5. Understanding of real-world DevOps security risks