The mad-hatter pipeline is configured in a separate repository (Wonderland/mad-hatter-pipeline) from the one that stores the application code (Wonderland/mad-hatter). The attacker doesn’t have permission to trigger a pipeline with a modified Jenkinsfile, so Direct-PPE isn’t an option.
The Jenkinsfile runs the make command while flag3 is loaded into the build environment. Execute an Indirect-PPE attack by modifying the Makefile, which the pipeline executes without review, and exfiltrate the flag.
- Modify the Makefile in the main branch under the Wonderland/mad-hatter repository to print flag3 to the console output of the Jenkins job (or send it to a host you control). The recipe line of a Makefile target must start with a tab:

      # target executed by the pipeline's "make" step; FLAG is the secret in the job environment
      whoami:
      	echo "${FLAG}" | base64

- A pipeline will be triggered automatically. Access the console output of the executed job to get the encoded secret.
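The root cause is a pipeline that binds a secret into the environment of a step that runs repository-controlled code. The following Jenkinsfile fragments are an added illustration, not the challenge's own pipeline: the first reproduces the weak pattern, the second scopes the credential so the make step never sees it. The credential ids (`flag3`, `deploy-token`) and the deploy URL are assumed placeholders.

```groovy
// WEAK: the secret is exported for the whole pipeline, so any target in the
// repository's Makefile (attacker-controlled on an unprotected branch) can read it.
pipeline {
    agent any
    environment {
        FLAG = credentials('flag3')   // assumed credential id
    }
    stages {
        stage('Build') {
            steps {
                sh 'make'             // runs repo code with FLAG in its environment
            }
        }
    }
}

// HARDENED: no secret is in scope while repository-controlled code executes;
// the credential is bound only around an inline command defined in this
// Jenkinsfile, which lives in the access-controlled pipeline repository.
pipeline {
    agent any
    options {
        timestamps()
    }
    stages {
        stage('Build') {
            steps {
                sh 'make'             // untrusted build logic, but nothing secret to leak
            }
        }
        stage('Deploy') {
            when { branch 'main' }    // only a reviewed branch reaches the privileged step
            steps {
                withCredentials([string(credentialsId: 'deploy-token', variable: 'DEPLOY_TOKEN')]) {
                    // Command text is fixed here, not read from the application repo.
                    // Single quotes keep the token out of the Groovy-interpolated
                    // script body; the shell reads it from its environment.
                    sh 'curl --fail -sS -H "Authorization: Bearer $DEPLOY_TOKEN" https://deploy.example.invalid/release'
                }
            }
        }
    }
}
```

Jenkins masks bound credentials in console output only for exact matches, so an encoded or transformed value such as the base64 output above is not masked; the scoping, not the masking, is the control.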