#devsecops-path
Look at those awesome badges, time to unlock them 
Aligns perfectly with your Discord name. 😄
For the Container Vulnerabilities ( https://tryhackme.com/room/containervulnerabilitiesdq ) room, there does not seem to be a machine attached to any task.
I did Container Vulnerabilities before, it got reset and now there is no button to start the machine
Ah yes, should be: https://tryhackme.com/room/containervulnerabilitiesDG
We'll change the link. Thank you for reporting.
Gave +1 Rep to @acoustic path (current: #169 - 36)
On it!
that is the correct link, thanks
Gave +1 Rep to @young yew (current: #16 - 431)
Fast pace, high agility, and as flexible as an Elastic AWS IP. 😄
I love the little SDLC droid game
cool idea for sure haha
I'm sure it won't be a high score but I ended up with $4,864,103.33
I think @fleet briar got the record when the room first released
I remember that room, I got a hint from the room creator, got a record, then it got broken a few minutes later!! Many figured out the key to the bank
Same here
It's fixed now, refresh the path page to see the correct room link
Okay, I just logged out. I am going to retry.
I just completed the DevOps Learning Path but was not issued any badges. Have you received your badges?
If it's for rooms you've already done, you might need to reset your progress and put the answers in again
(copy and paste)
No need to reset progress, I got all badges
Well a user didn't.
And that's how you fix it.
There are 5 rooms that have badges
I completed all of the rooms...
For example, I've done the first room but I don't have the badge.
I'll need to reset progress and re-do it to obtain the badge
oh
You're correct, I was thinking about something else; yes, you need to reset
Okay
Isn't Container Vulnerabilities (the one you fixed the link for above) supposed to have a badge? (On the room it's not showing) https://tryhackme.com/room/containervulnerabilitiesDG
Hey, feel free to DM me if you still don't get the badge.
It worked. I just have to reset the rooms previously completed.
Thank you @atomic pine
Gave +1 Rep to @atomic pine (current: #51 - 138)
Thank you @fleet briar
Diplodocker badge on wrong room (not the correct one)
Good spot, should be fixed shortly. 🙂
Now starting the room for module one, I love the artwork
Thinking of trying to use Obsidian canvas for the whole learning path or a complete module, seeing how the whole-picture approach works in this as opposed to just the room-standard model I use.
Well, I think I figured out how to break the SDLC factory game, I hope the company is happy w/ my return on investment...
Well done. Capital gains tax is 10%, so you owe us 1,701,031,670.33 😉
Well uhh, I did it again and doubled the previous, so I'll get my accountant on those taxes right away!
Double that and you can buy Twitter. 😄
3rd time's the charm and I'm moving on, I promise haha, I'm sure someone will top this soon enough though
I seemed to be lost again. Which room is the Diplodocker badge attached to?
They still did not fix it yet, it's supposed to be on https://tryhackme.com/room/containervulnerabilitiesDG
and it shows on the wrong room https://tryhackme.com/room/containervulnerabilitiesdq
There must be two active versions.
Well I guess they will sort this out tomorrow.
It's fixed now
Thank you.
Gave +1 Rep to @marble dune (current: #2011 - 1)
🎉 diplodocker badge was essential 🙂
right up my alley this path
saying DevSecOps is cool to say, another factor
Really enjoyed the Star Wars theme for the Secure Software Deployment part
This factory game is so addictive

I legit make a startup
Oh my goodness, well I knew this day would come lmao it is way more fun than I expected it to be honestly
Yea
This is a reply from the reddit regarding when they complete the DevSecOps path
So far I am enjoying it.
Did Anyone else struggle with cloning the uscss-nostromo repo within the source code security room?
If I paste the ssh url, the hostname can't be resolved:
Anyone got answer to this question ?
Room: https://tryhackme.com/room/sourcecodesecurity
Task 4: Where do Cloud-Based VCS store code?
Yes. Just use the browser URL with the IP address. Mine was https://10-10-xx-xxx.p.thmlabs.com/gitlab-instance-dc881f3b/uscss-nostromo.git
That one got me as well. Try the plural of repository
Doh! The hint is very poor, asking me to search online.
The instructions for task 7 have an inconsistency. At one place it says GITLAB_USERNAME, then later it says NOSTROMO_USERNAME. The pipeline didn't run either.
Thank you, but I tried various variations in the past hour and can't make it work. 😦
Am I thinking right?
git clone <mail specified within pubkey>:<URL with IP>/gitlab-instance-dc881f3b/uscss-nostromo.git
Gave +1 Rep to @fading juniper (current: #2015 - 1)
just git clone https://10-10-xx-xxx.p.thmlabs.com/gitlab-instance-dc881f3b/uscss-nostromo.git
I think the ssh step is not even needed. Use the username and password TryHackMe/TryHackMe!
ty, I'll use it as a workaround then.:)
Hi guys, I've just started the new training path, looks cool
In the SSDLC room this section is mentioned:
"Invest in security training for engineers as well as appropriate tools. Ensure people are aware of new processes and the tools that will come with them to operationalise them, and invest in training early, ideally before establishing / onboarding the tool."
Since they have a recommendation for tooling here, I wonder if there is a recommendation for what sort of security training is available.
There is training for secure coding available. One I know is Secure Code Warrior. You can also cobble together your own course from open, free online resources.
Hello! About the Source code security room, how do you validate Task n°7? I've tried to use the same flag as Task n°8 with no success, and I have no idea where there could be another flag. Thanks in advance!
Same here. Not sure if I'm missing something but cannot find the 'hidden flag'
Hi again! I'm having an issue with the CI/CD and Build Security room. When I follow Task 9 and try to merge with the DEV branch, the pipeline fails, and no jobs are launched:
I've checked the GitLab file in that branch, and there seems to be an indentation problem:
EDIT: fixed
How do I pass this "production of the droids" game?
Hi! Personally, I assumed that the number of sprints is for the entire year, so you can start with cranking that parameter up!
Is the Source Code Security room not working? The cloning via ssh seems not to work in task 7. And it says there that you should replace username and password with environment variables first and then later that we had used an environment variable for the API URL, too. The whole task 7 is rather confusing.
Use the url address instead
Yes, I have already cloned via http, but thanks anyway
Gave +1 Rep to @sacred atlas (current: #2022 - 1)
Is the hidden flag for task 7 in Source Code Security even there? EDIT: Found it
If you have not found it yet: In The USCSS-Nostromo project go to Repository -> Graph. There it is on the right, the 4th from the top
Wow, I never would've looked there! Thanks!
Gave +1 Rep to @frosty iris (current: #2022 - 1)
Hello, I am stuck when creating a branch using git clone / git checkout -b. All OK to copy the URL and git clone. But when using git checkout -b I receive the message: not a git repository. Any help, please? SOLVED
Small typo (ARD instead of ADR) in the SDLC room (task 3):
A document called an Architecture Design Review (ARD) is typically created by engineers
hey. 2nd q should be with flag -d
Refresh your page, there are times where if your answer is 95% correct it will accept it
TADA you just hit the answer tolerance
It's already available
Task 7 https://tryhackme.com/room/containervulnerabilitiesDG
Thanks for the awesome content. I really enjoyed it. It's probably the best learning path right now and very interactive. Good luck everyone!
Thanks so much for your feedback!
Gave +1 Rep to @jagged yew (current: #2023 - 1)
I forgot the password for my username after ssh into mother and can't authenticate. Is there a way to reset the password?
No, but don't worry, you can just create another account, it will work the same! (Source: that's what I did when I was in your situation)
So the name doesn't need to match my real profile name?
Nope!
Is the Jenkins server running? I am stuck in Task 6 as Jenkins is not calling my Python web server after submitting the merge. If I browse to jenkins.tryhackme.loc all I get is the default Apache page.
Anyone had issues with CI/CD and Build Security room task 6? I'm currently trying to get a reverse shell, but nothing comes back, the server downloads my shell but that's about it...
Got it fixed with the proper shell command
I just finished this task and moved on to task 7. Having issues with getting a Meterpreter connection
[-] Meterpreter session 1 is not valid and will be closed
[*] 10.200.13.160 - Meterpreter session 1 closed.
Well instead of using my VM I tried on the attack box and it works fine not sure why my VM is having issues
In the first lab in CI/CD and Build Security I did the sudo echo and updated /etc/hosts and still no GitLab page is coming? Can anyone help please? Stuck here
Did you install the network vpn from the access page?
ok do I have to do that or not just from attack box?
Nope, you didn't need it on the AttackBox, but have you specified the correct IP address? (I made this room this morning)
when you do an 'ip a' do you see the interface "cicd" ?
Having the same issue here. I'm using the AttackBox, plugged in the respective IPs for gitlab.tryhackme.loc and jenkins.tryhackme.loc using the command provided, I have pinged the IPs as well and all packets were received, but the http://gitlab.tryhackme.loc webpage isn't going through.
Can anyone help with this please. Thank you
I think the servers got blown up by somebody. You’ll need to vote to reset it.
I terminated my own AttackBox and started a new one. Seemed to work, so never mind what I said.
Still not working for me
@carmine axle were you able to figure out the sudo echo issue with the gitlab page
Not able to connect to the cicidbuildsecurity network
```
2024-04-14 12:09:47 --cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add '--data-ciphers-fallback BF-CBC' to your configuration and/or add BF-CBC to --data-ciphers.
2024-04-14 12:09:47 OpenVPN 2.5.9 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 29 2023
2024-04-14 12:09:47 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2024-04-14 12:09:47 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2024-04-14 12:09:47 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2024-04-14 12:09:47 TCP/UDP: Preserving recently used remote address: [AF_INET]52.208.87.208:1194
2024-04-14 12:09:47 Socket Buffers: R=[131072->131072] S=[16384->16384]
2024-04-14 12:09:47 Attempting to establish TCP connection with [AF_INET]52.208.87.208:1194 [nonblock]
2024-04-14 12:09:47 TCP: connect to [AF_INET]52.208.87.208:1194 failed: Connection refused
2024-04-14 12:09:47 SIGUSR1[connection failed(soft),init_instance] received, process restarting
2024-04-14 12:09:47 Restart pause, 5 second(s)
c^C2024-04-14 12:09:49 SIGINT[hard,init_instance] received, process exiting
```
Any idea what might be the issue?
@jagged yew please interact with the community more before self-promotion please.
~~I have a problem with task 6, how can you get the reverse shell?~~ Got it, wrong call-back IP smh
Hello, I need some help with Security of the Pipeline in the CI/CD and Build Security room. It doesn't go to http://tryhackme.loc on the AttackBox
did you add the ip to /etc/hosts?
Any ideas how to get the reverse shell on task 9 of CI/CD & Build Security? ~~Not sure how to compromise the runner, not sure how to move to Dev and Prod.~~ The instructions need a rewrite, but got it: compromise the build agent
Authenticate to mother and follow the process to claim flag 1. The steps then tell me to access the jagent host and navigate to a directory.
How do I access the jagent host? I don’t see any reference to it anywhere
@opaque furnace Hello, I have a question about the room called container vulnerabilities.
Can we meet on a voice channel when you have time?
and thanks to your efforts in Container Vulnerabilities room
Post your question here - it's likely that someone will be able to help
I posted it before twice some weeks ago and cmnatic was the only one who could explain; it was a part of a long debate
@tepid pilot and ty for being interested
It is about namespaces and some container stuff, we can join VC if you want. It's kinda not a specific question
Gave +1 Rep to @tepid pilot (current: #623 - 6)
Please help... I am doing CI/CD and Build Security, on Task 9 my runner is stuck and cannot be run
Can someone upvote to reset the machine?
which subnet???
Is it affected if my connection goes down?
???
I lost my connection when doing that room, and I don't know what makes the job stuck and say no runner is available
and I checked on Environments, it has moved to the Stopped tab
It's not on the Available tab 😅
Wow ... it's Resetting .. Started now
Hi guys, in the Container Hardening room, this was mentioned
I guess there is a small misunderstanding here, no one can have a valid certificate (one that we trust) because we run our "own CA server" and it is the only entity that has the valid certificates of both client and server, which means someone should already have hacked the CA system to make his certificate valid and authenticate himself to the server
@tall pilot right?
Hello everyone, is there any leaderboard for the 'SDLC Factory Game'? I got a score which I guess could be, like maybe a 5% chance, in the leaderboards.
There are no URLs in that message.
Hello there, it’s been roughly 2 hours that I've been trying to figure out what the Source Code Security Task 7 USCSS Nostromo’s hidden flag is
I already found the hidden flag for Task 8
Some hints?
Thanks 🙏🏾🙏🏾🙏🏾
Gave +1 Rep to @frosty iris (current: #1388 - 2)
Hello guys, I connected to mother via ssh. When I select Register I receive “This user already exists”, but if I select Authentication and I use my password for THM I receive “Incorrect username or password provided”. I never changed it for THM. Which one should I use? I started this room last week but I got stuck. I'll try again this week. Thanks
The password in a room's machine would not be your THM password.
Try creating a user test with password test
CI/CD & Build Security Room: Task 6
Subnet 10.200.0.x
I'm not seeing the Jenkins agent make a request on my little http server. Is there any way to confirm that that webhook is going through? I'm not sure if I'm missing something or if the network is borked, but I've seen the net reset at least once in the last day and I'm still having the same issue. I don't imagine I need to set up a runner for the GitLab CI because that's not the target eh? Tried it anyway to no avail. halp pls
Okay figured that problem out, I was using the wrong IP lul. For you other kids like me, make sure to use the cicd ip (mentioned at the beginning of the room) not the attackBox ip.
Now I'm stuck at convincing MUTHUR that I got in, I don't really understand what needs to happen to get that part done?
This is going to follow me into my nightmares "This host cannot be used to verify the flag that you are selecting or your hostname is incorrect, hence the check cannot be performed. Please provide a different host to perform this check"

I knew where I was and everything
For other dummies, the host name muthur asks for is not an ip.
I'm on task 6 of the CI/CD and Build Security room and my situation appears to be that the git runner agent isn't running on the host to execute the malicious code as the scenario explains is supposed to happen. It looks like a lot of other folks have had the same problem per the comments above. Reading other comments, I've used the CICD IP as instructed and I've tested the http server & nc listener via a separate shell... that part works. Besides, if I was using the wrong IP or something the merge should still process in GitLab, I just wouldn't get the reverse shell, but in GitLab it even says the merge is "stuck" because there is no runner agent. Aside from the range being problematic and having to occasionally reset, this seems to be one issue that won't resolve itself after a couple of days of trying. Any other suggestions or solutions, or is this particular room just buggy and it's a situation where some of us are lucky and get a range that works and some aren't so lucky?
It’s been a good minute since I’ve done it now, but I think I recall the instructions being a little vague on the actual target for the merge - I think you need to target a different branch than the one you think
Sorry that’s all I can remember
thank you
Gave +1 Rep to @bronze gorge (current: #2182 - 1)
unfortunately you must have been recalling a different one, that advice doesn't apply to this task, I checked everything, the other projects within the Gitlab server, etc. Thanks for trying though.
Gave +1 Rep to @bronze gorge (current: #1451 - 2)
task 6 issues: I cannot get gitlab to call the webserver. I am using the cicd ip address (using vpn not attackbox). I confirmed the webserver/shell script/nc listener are working by navigating to the CICDIPADDRESS/shell.sh in a browser and getting a shell to my own machine. I have a gitlab runner configured for the forked project. I am not sure what I am missing.
I tried the attackbox and it isn't connecting to the same network. there is no cicd interface when checking the ip 🥺
Kali box also does not connect to the network. Guess I'm skipping this room.
Which room?
CI/CD and Build Security
Ah the network.
ze network indeed
Hi, does anyone know how to sign a Docker container?
I'm facing the same issue. Did you make any progress in the meantime?
Nope, the attackbox/kali machine are not on the same network. VPN from my personal machine does not work either.
Is this a room problem? or a me problem?
Check that it's not a network room - what's the IP you're getting on the task-page?
It is a network, and I had connected to it via openvpn. When that wasn't working I tried the hackbox and kali box.
With networks, you'll need a network-specific VPN file (To use your own machine/VM)
Yah, I downloaded and used it
Hello, I'm in the CI/CD and build security room and I can't do task 2 of initializing the network. The message says that it “failed start to network.”
I've been trying to do the CI/CD room all day too and many parts seem broken. Task 6: the repo doesn't have a runner attached to it, so you can make your own runner to complete the build, but then that won't spawn the shell on the target machine
And task 8 dev is restricted like main
Also resets don't fully reset the network and mother still remembers the same registration
So tasks 6, 9 and 10 don't seem completable right now
At least not for me. But the network is working again at least (from the AttackBox)
I think the Room is broken. 😦
#ci-cd-and-build-security maybe this is the channel for that?
Aye maybe, didn't see that one but it's obv part of this path. In any case I'll just vibe until it's fized
Fixed*
Yeah. networks all have their own dedicated channel.
Hi, just getting started on the DevSecOps path, hoping for the 🫡 best
It has been updated with a patch, should be fixed now:)
Hi, the room is still broken for me.
Yesterday it was OK. Went back to it today and it is broken. Already reset the network.
Both with external VM or with AttackBox, the machines are not accessible (ping fails, and browser access to the GitLab link times out), even after the setup is all done.
Any idea? Or anyone with same problem?
Hey, thanks for reaching out. I replied on the CI/CD and build security channel ☺️
Gave +1 Rep to @pulsar mist (current: #2315 - 1)
You need to use cicd IP not the attackbox IP. you can get the cicd IP by doing ifconfig
Can anyone tell me if one can get a job as a DevOps engineer remotely as a fresher?
Suggest posting this in #cyber-and-careers instead to get more feedback.
In Source Code Security task 7 there's a question "What is the hidden flag?", Could someone help what it means?
The task says to "Continue to the next task to retrieve the final flag! "
I completed the next task, but that flag only works for the next task.
Okay... I found a user that had a username that resembled a "flag". And it worked. That was weird.
I am trying the "CI/CD and Build Security" room (https://tryhackme.com/r/room/cicdandbuildsecurity) but I can't start the network. Error message: "Uh-no! Failed to start the network".
I see in the Chrome DevTools console that the server returns 403 Forbidden when I push the button. Starting single subscriber VMs seems to work. But not this network.
I also see this in the response. {"status":"error","message":"User is not in network"}
But I can ping 10.10.10.10 in the THM network and it is also works fine to view the web page at that address.
Hi everyone. I was doing https://tryhackme.com/r/room/introtok8s Task #8. It seems like when I run kubectl apply -f nginx-deployment.yaml the container is stuck at ContainerCreating status. kubectl describe pod returns following error " Warning FailedMount 119s (x14 over 14m) kubelet MountVolume.SetUp failed for volume "webapp-volume" : configmap "webapp-config" not found ". If someone has faced this issue before, please help
Hello, could someone let me know if in the room "cicdandbuildsecurity" it is possible to reset our THM user login on 'mother'?
Kinda misclicked when copying the password and only noticed now that I need to continue the room. Also, was dumb enough to close the terminal
https://tryhackme.com/room/containervulnerabilitiesDG
This room is lacking details. First of all, please mention when I ssh into the host, where am I? In a container? Or do I need to create a container to exec into it? So vague. Task 2 is also very vague.
Hi, why does Hackfinity Battle Task 36 decrypt data show "An error occurred (AccessDeniedException) when calling the Decrypt operation: xxxx is not authorized to perform: kms:Decrypt on resource: xxxx because no identity-based policy allows the kms:Decrypt action"?
No hints are allowed for #1347217239492919346
is this diagram correct for stateful sets? looks like the author means that replicas are writing to the database. then what is the replication for then? I think the arrows for replicas should be going the other way, since the replica pods can read but not write.
Have you guys been enjoying this path? Pros or Cons? TY
following this thread
Yeah, I enjoyed it. There're no pros and cons, it depends whether you want to pursue this career path or not 🙂
awesome, it worked!!! thanks
Gave +1 Rep to @dense willow (current: #1 - 4492)
Hello all, I'm currently looking at task 3 on https://tryhackme.com/room/containervulnerabilitiesDG. I don't really understand the cgroup things, how the exploit "executes", and how the cat /home/cmnatic/flag.txt > $host_path/flag.txt will "magically" execute on the host
also, bonus question 🤓 : I don't get the difference between a kernel cgroup and a kernel namespace
Hey team,
Introduction to DevSecOps > Task 3 > Infrastructure As Code
I think it should be "which helps in consistent resource creation and management." instead of "which helps inconsistent resource creation and management."
You are right, fixed, thx 🙂
Gave +1 Rep to @hasty moss (current: #2873 - 1)
Hey Team,
Introduction to DevSecOps > Task 4 > Why are we shifting left
"With DevOps, security gets to be introduced early in the development cycle and this minimizes risks massively."
Here "DevOps" might need to be replaced with "DevSecOps" 😅
Hello ! Is there a leaderboard for the SDLC Factory game ?
.
hi guys im new here i need hackers and spammer friends sendme a PM
Hi guys, I am new here, I follow the path but in "Securing the Build Environment" I don't know what happened; when I found the sensitive data and ran ssh it just says the key verification failed
could you give me a hint!?
hi melmolss
Task 4 on the CI/CD and Build Security network doesn't seem to work, it's forever pending.
Is there any chance it could get fixed?
There also seem to be other issues in the other tasks, and I have spent quite a lot of time trying to figure it all out, but I am merely a beginner mannnnnn
I will have to move on from the room to do the other rooms and things until it's fixed
I have learnt a lot from it still, however, and I appreciate the efforts you guys put into it
Hi @untold rose ! Thank you so much for the feedback! I will look into it now. Thank you for your patience and the kind words
Gave +1 Rep to @untold rose (current: #3100 - 1)
thank you so much melmols, it is an honour.
let me know of any updates to the room, iam excited to give it another crack
Gave +1 Rep to @tender kite (current: #517 - 13)
CI/CD and Build Security
Do I have to register a new GitLab account for this room? Can I not use my existing account because when I try to log in with it, it says the credentials are invalid? They definitely work though as I have logged out and back in again on the usual gitlab site that is not in the network 🤔
Finally realised after coming back to it, I can use the details provided when setting up via SSH
CI/CD and Build Security | Task 4
After completing the build process and navigating to http[://]127.0.0.1:8081/, the web application does not load.
I just get the error in the image.
-# I have enabled local network permissions for Firefox.
Hello community,
I'm new here, so please correct me if I'm posting in the wrong channel or misunderstanding something.
I'm currently working on the "CI/CD and Build Security" room from the "DevSecOps > Security of the Pipeline > CI/CD and Build Security" learning path.
Specifically, I'm stuck on the "Securing the Build Process" task.
The task requires making a Jenkins worker connect to the attack box machine by retrieving a reverse shell script for it first.
To achieve this, I followed the task: created a script shell.sh, started a Python HTTP server with python3 -m http.server 8080 and then ran nc -lvp 8081 in another tab.
After updating the pipeline and creating a merge request (MR) from my fork to the original project, the attack box machine never receives any connections.
After several hours of investigation (in different days), I checked the Jenkins logs for the worker execution related to my MR where I found "Connection timeout" error after curl tried to connect to my attack box.
Interestingly, I did notice unrelated connections to port 8080 from what appear to be external IPs (not 10.10.*.*), likely from bots performing random scans — these occur before or after my pipeline fails.
I've tried:
- different attack boxes (both Standard and web-based Kali Linux)
- disabled the firewall with `iptables -F`
- retried the task on different days with freshly reset environments
The result is always the same.
Might it happen because Jenkins and GitLab are on the 10.200.60.* network, while the attack boxes are on 10.10.*.*?
Could someone, please, help me understand whether I'm missing something in the assignment, or if this might be an environment-related issue?
Thank you in advance for your help!
Hello everyone.
I have a problem with CI/CD and build security lab.
In the devsecops path
Can anyone give some help plz ?
The problem is when I configure the pipeline build runner.
There is an error: Job failed: prepare environment: exit status 1
I have the exact same problem.
Earlier when I try to install the dependencies, I get a failure when trying to "sudo apt install php7.2-cli".
```
This may mean that the package is missing, has been obsoleted, or
is only available from another source
E: Package 'php7.2-cli' has no installation candidate
```
Everything else seemed to work fine, I was able to register with Mother (MU-TH-UR 6000) and get credentials.
I was able to create an account on GitLab, Fork the Main, successfully add the attack box as a Runner, and update ReadMe.md to trigger the test of the build process.
But my Tests Fail.
I think it is because my Runner (the AttackBox) was not able to install 'php7.2-cli'.
Any ideas on how to fix this?
FIXED: this was the post that helped: #room-help message
```
on ip-10-201-69-207 sd6PvzNe_, system ID: s_e6273792a6a3
Preparing the "shell" executor
Using Shell (bash) executor...
Preparing environment
Running on ip-10-201-69-207...
ERROR: Job failed: prepare environment: exit status 1. Check https://docs.gitlab.com/runner/shells/#shell-profile-loading for more information
```
I found my fix...
#room-help message
This post here was the most help in resolving the problem.
#room-help message
big thanks to @median oak for his awesome assist.
Yeah this is the error. 😅
In the CI/CD Building & Security room, I couldn't receive the HTTP request that I mentioned in the Jenkinsfile.
Is there anyone who had the same issue?
I’m having the same issue. Were you able to fix it?
Did you fix it bro? Should I change the command line or what?
Unfortunately, no. I skipped the room for now.
Try to use the ip in the CI/CD network if you search with "ip a" for it, and use this ip address for the attacker ip in the shell.sh and the Jenkins file.
Thank you for the reply. But I'm afraid I didn't get it.
I used the AttackBox IP from the ip a command. They were exactly my attack boxes' IP addresses (from the last couple of attempts).
That is why I got stuck at that step.
After the failures I just skipped the task and moved to another in the same room.
In one of the tasks there was a Jenkins instance with credentials, so during my last attempts I checked the logs in the Jenkins job after I changed the Jenkinsfile.
That's how I found out it tried to download my shell.sh file via a curl command using my IP address at that moment. However, it failed with "Connection timeout" after a while.
Sorry for my explanation skill, it is not in a good shape.
Anyway, I've skipped the room and will return to it later.
Gave +1 Rep to @knotty hound (current: #3255 - 1)
Same issue. Not sure what is the cause. Investigating.
P.S. Found the root cause in my case on Jenkins:
```
stdout:
stderr: remote: HTTP Basic: Access denied. The provided password or token is incorrect or your account has 2FA enabled and you must use a personal access token instead of a password. See http://gitlab.tryhackme.loc/help/topics/git/troubleshooting_git#error-on-git-fetch-http-basic-access-denied
fatal: Authentication failed for 'http://gitlab.tryhackme.loc/larry/Merge-Test.git/'
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:2842)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:2185)
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$1.execute(CliGitAPIImpl.java:635)
at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:997)
... 8 more
ERROR: Error fetching remote repo 'origin'
ERROR: Maximum checkout retry attempts reached, aborting
Finished: FAILURE
```
Checking possible fix.
Well, it seems it is failing to accept the password, or actually the token is misconfigured. I tried to create a new access token and apply it on the Jenkins end but it didn't work. So I am thinking that maybe SSH instead of HTTP will work. Meanwhile I just initiated a reset for the network; maybe after the second time everything will be configured as it should. If the issue is still present afterwards, I will try SSH over HTTP.
I have found that sometimes Jenkins uses another user's credentials and repository URL for cloning a codebase.
Since the same network is used by many people, the settings are overwritten for all.
For instance, a couple of days ago I tried this room one more time. And when I sent an MR to the "Merge Request" git repository, the wrong attack box IP appeared in the Jenkins logs.
It is strange, since the console output showed my GitLab login but it copied the wrong git repository from another user.
The culprit was that Jenkins used another user's credentials to connect to GitLab and a statically set repository URL from that user.
Therefore I just changed the credentials and URL for the Jenkins agent to my own and it worked, but the "connection timeout" error is still present.
If you're stuck on Task 6 (if I'm not mistaken) with the merge repository, maybe check the agent in Jenkins. Just click on the "configuration" menu and review it.
However, a reset of the network is a better plan, I think.
I have tried network reset issue still persists. I also tried to configure SSH over http and it seems that issue with known hosts appeared as it cannot recognise gitlab as a known host. However will check with that agent maybe could check it.
Anyone else here had/having that problem with the On-Premises IaC room?
I'm stuck at task 7 https://tryhackme.com/room/onpremisesiac for some days now -- is this machine broken?
`vagrant up` isn't working, for example (on the other hand, in the available walkthroughs it isn't even used), and when I try to relay the app IP through SSH I get: "channel 2: open failed: connect failed: Connection refused". In the end I am not able to access the app's web page no matter what.
Question for the DevOps path:
Does the path teach me to build a Kubernetes cluster, since it has a Kubernetes security part, or do I need to learn k8s by myself first?
hi guys
Hello everyone, I need help in the room "CI/CD and Build Security", Task 6: https://tryhackme.com/room/cicdandbuildsecurity
It is about getting an RCE in a Jenkins agent. I followed the process as described and checked everything multiple times, but it still doesn't spawn the shell, and when I check the pipeline execution I find this:
I am starting to think it is a problem in the room, but if anyone has any idea I'm listening.
After checking Jenkins I might have found why the jobs are failing, but I think it will be up to the THM staff to fix it:
In the pipeline that works, this is the log:
And this is from the run that doesn't work:
So the error is in authenticating through Jenkins to the origin repo.
I'm on the same task right now
How do you even access the Jenkins logs? All I'm getting is the Apache2 Default Page
Through this link:
http://jenkins.tryhackme.loc:8080/
The credentials are jenkins:jenkins
You need to go to port 8080, I believe.
Ah cool, thank you!
you're welcome
I'll report back if I get it working for me
yes please, thanks !
Hm, given that Jenkins just needs read access to the repo, maybe you can create your own access token
and add it to jenkins
Have not been successful so far, but maybe that might work.
The thing is the repo isn't ours, it is the origin repo (ash's repo).
So basically it is up to the staff of THM to set up the auth between the Jenkins machines and the repo.
Or at least this is what I believe is the problem.
I got it working
You need to overwrite the Jenkins credential with an access token you create yourself.
Read access to the repo is enough, you don't need to be the owner.
It's just hidden as fuck lol
Update that one with your own token.
Sorry for the late reply, I just hopped back on TryHackMe.
I just tried it and yeah! It works!!
I don't understand how our personal token gives it access, but I'm really glad it works.
Thank you!! @cold terrace
Jenkins just needs to be able to read the repository,
and because we can read it, it's enough to create a token with our permissions
and to give it to Jenkins.
Neither we nor Jenkins need to be the owner of the repo :)
Aha, I see. I thought it needed to have owner access to the repo. Thank you for the explanation!
@cold terrace thank you for these pointers! I was able to complete the lab 6.
After creating a Personal Access Token (PAT) in GitLab under "User Settings" with the "read_api" scope and plugging it in under jenkins/credentials as you pointed out.
The 2nd mistake I was making was in the 'Jenkinsfile' and 'shell.sh': for the 'attacker ip' I was putting 10.66.x.x. It should've been the 'cicd' interface IP address, 10.150.x.x/24.
A good test to see which IP can reach GitLab is "ping -I cicd gitlab.tryhackme.loc". No other interface could reach those, so that was a noob mistake.
Gave +1 Rep to @cold terrace (current: #3515 - 1)
Hey, which skill level is required? What's the goal of your team?
I'm new to all this but I'm up to gain experience.
@last sapphire it is open for all, even beginners are welcome.
Thanks for all the advice here for repairing Task 6, Securing the Build Process.
Can anyone help me? I'm having difficulty getting http://gitlab.tryhackme.loc to work. I followed the steps and added the IPs of GitLab and Jenkins to /etc/hosts but I am getting a server timeout error.
Do you have the cicd interface up and running? I had the exact same problem, and after a few tries restarting the AttackBox I got the interface up and running.
nope
did you restart the entire lab over and over again until it worked?
I can't get this lab to work: task 3, setting up the lab.
Yes 😤
If you're using the VPN, it's a different vpn config file
This is how it looked for me this morning:
```
root@ip-10-82-102-202:~# nmcli device status
DEVICE       TYPE      STATE      CONNECTION
docker0      bridge    unmanaged  --
ens5         ethernet  unmanaged  --
veth07af59e  ethernet  unmanaged  --
veth570563d  ethernet  unmanaged  --
lo           loopback  unmanaged  --
```
The VPN interface is missing and I can connect to neither GitLab nor Jenkins.
Anyone else having issues on the Intro to K8s room? Ran `kubectl apply -f nginx-service.yaml` and `kubectl apply -f nginx-deployment.yaml`, then `kubectl get pods -A` every so often, and it's been sitting in status ContainerCreating for the last 45m.
Ah, the mount location /usr/share/nginx doesn't exist as specified in the nginx-deployment.yaml. Kind of makes the rest of the room not possible to do.
Same, currently right now it's telling me this:
sudo: unable to resolve host ip-10-65-119-80: Name or service not known
Does anyone know how to reset the password on MU-TH-UR 6000? I started the CI/CD and Build Security room last year some time, got in a muddle with Jenkins (I may have missed a step somewhere), so I have decided to give it another go. It's the last room I need to complete to finish the DevSecOps path. I started everything up just now, and have got as far as logging into MU-TH-UR. I expected to have to reregister, but it says my name is already in use. OK, that's fine, I still have the password from before. But that's not working. It just keeps repeating "Incorrect username or password provided, please try again". Echo is proving to be no help, and the chatbot on the THM website doesn't seem to have any suitable options. So I'm a bit stuck until I can fix this. Hopefully, somebody can point me in the right direction. Thanks.
Just register a new account and you should be good.
Thanks. I'm going to try that over the weekend.
Registering the new account worked fine for getting into MU-TH-UR. Thanks.
Gave +1 Rep to @full knot (current: #3708 - 1)
With my new MU-TH-UR account working, I started the room over again, and have wound up stuck in Task 6 exactly as I was last year when I had to walk away from the room in frustration. Essentially, the Merge Request doesn't work. The Jenkins pipeline never seems to run, so there is no connection back to the web server, and the shell script isn't collected, and the connection to the nc listener never happens. What is so frustrating, is that I have found three YouTube videos that show it should work. I cannot for the life of me figure out the problem. (Video links for reference - https://www.youtube.com/watch?v=llft0QFVPPw, https://www.youtube.com/watch?v=Yz8MclV03MA, https://www.youtube.com/watch?v=VaZUvZtqAiI) The error message made mention of no available runners to service the 'Merge Test' pipeline, but this seems weird because this should be running on the 'JAgent' box, not my github-runner on the Attack Box. (I did add another runner to the Merge Test fork, but it made no difference.) Sorry, no screenshot as the attack box died while I was typing this message, which just says it all with how this is going after spending 3hrs on it today, and making absolutely zero progress 😢
Hey Everyone! A little help in the CI/CD and Build Security room please!
I started off with using my own machine with OpenVPN
- Registered with MOTHER
- Created an account on GitLab from the tryhackme.loc link
Then I got to know that I have to run a web server on it, so I switched to the AttackBox.
Now with the AttackBox:
- The credentials I used when I logged in through my machine were not valid. So I created a new account on the tryhackme.loc GitLab in the AttackBox
- I created that gitlab-runner account and the runner was active, both in the processes and in the GitLab status.
- The "build" stage keeps on failing, I don't know why. I followed the exact same steps as mentioned. Downloaded php-cli as well, and set "shell" as the executor as mentioned.
But it keeps on failing.
The only thing that I didn't do with the AttackBox is the MOTHER authentication.
So, can anyone help me understand why the build stage keeps on failing?
According to ChatGPT and the logs, there's a problem with my environment (AttackBox environment), but I performed every step for the fix and it's still failing.
@tardy pollen @dense willow sorry to bother y'all, but can any of you please help? 😅
That room may be broken by this point since many users are reporting issues but unfortunately there's nothing that we as mods can do about it 🙁
Ohh, yeah, maybe.
Thanks :))
I did this bit at the weekend and it worked OK. I don't recall having to install anything extra, but I did have to fix the runner per the instructions here - https://docs.gitlab.com/runner/shells/#shell-profile-loading. It involves commenting out some lines.
Yeah, I think they mentioned it in the room too, and I tried that too, but it's still failing with the same environment error.
I didn't see any mention of that in the room itself. I found it from the error message in gitlab when the job failed. A helpful error message? Yes, I was amazed.
Okay, it worked now. I don't know how, but I replicated the same steps today again and it works. Now I'm stuck on the Jenkins RCE: the merge request is approved, but the pipeline has been stuck in running status for 8 minutes now.
Alright, it got deployed but I didn't get any connection back on my reverse shell.
Nothing on here.
IP is definitely correct. 10000000000000000% sure.
I even made a rev shell to myself just to be hella sure.
I might just go insane. I've been at it for 2 days now with God knows how many restarts, and that too from scratch.
Can anyone please guide me on where I went wrong?
And judging from the room history, I think it's something wrong on TryHackMe's side maybe? If so, maybe any THM staff reading this can escalate the issue to fix it?
OKAY. THIS NEEDS TO BE FIXED FR. JENKINS AIN'T EXECUTING MY PAYLOAD, IDK WHY
This is exactly the task I am stuck on, too. Yet, it seems to work in the videos I posted above 😢
I believe the CI/CD and Builds room write-up needs to be updated, since you can no longer use the "register" command in the CLI. Upon clicking on the link (the migration to new runners article by GitLab), you have to use the GUI to register runners.
I will take a break for now and resume in the evening or tomorrow.
Actually
You changed the URL from what you passed in the command line.
The tryhackme.loc one.
When prompted for a URL, you just had to press enter.
In the CI/CD room,
after getting access to the runner agent shell (GRunner02), we were supposed to SSH our way to PROD and DEV, as their SSH keys are stored there.
BUT MY CONNECTION KEEPS GETTING TIMED OUT
I tried 4-5 times so far
and even watched a walkthrough vid, where they were able to SSH in barely a second.
(Yes, SSH port 22 is open and filtered, so we can't SSH from our machine even by copying the SSH keys to the local machine.)
So, what to do now???
Oh 🤦🏽
@urban mango got any updates about the Jenkins issue?
Task 6??
@frigid herald @upper heron @undone lion
I'm sorry for tagging y'all like this, but can you please look into this room?
The overall room is a lil buggy.
Room name: CI/CD and Build Security
Issues:
- In Task 6, for Jenkins to execute your payload, you'd first have to log in to the Jenkins server and change the credentials (I changed them to the same as my GitLab ones). But in the room, it wasn't mentioned anywhere.
- In Task 9, the SSH keeps getting timed out.
The team already got the report and will look into that! Thanks
Thank you so much
Taking a look this week. Will be replicating the steps and seeing what is the issue. Will hopefully have full feedback and updates if needed by the end of the week. Sorry for the inconvenience!
Thank you so much
Thank you!!
Gave +1 Rep to @frigid herald (current: #32 - 352)
In the meantime I will complete some other rooms in the DevSecOps path.
How did you change the Jenkins credentials?
Login to: http://jenkins.tryhackme.loc/
by using the credentials "jenkins:jenkins",
then go to the credentials pane in the left panel.
From there change it.
I changed it to my GitLab username and password.
Just as a follow-up here already for prelim findings. I completed the room again from scratch and this is what I have:
- Task 4 - There is a new fun gitlab-runner thing where you have to delete .bash_logout, else the job fails.
- Task 6 - The Jenkins API integration with GitLab expires once a year. This is the annoying part where you can only have GitLab access tokens with a max lifetime of 1 year. We will push updated images that will have the token refreshed for another year and just need to set a reminder each year to renew these.
- Task 9 - I'm not able to replicate the issue with SSH timing out. On my side it worked for the full exercise. Can you give me some more details?
The text in the room is a bit dated and needs some updates. I'll also introduce some hints with the questions that should hopefully help along the way as well. This is a bit more of an "unguided" room, which can make things harder, but does give users a bit more freedom to explore it like you would on real offensive engagements.
If you have suggestions for specific things to make better, happy for you to send it through. Hopefully with a refresh of the token and some of the wording it will already go a long way.
Hey! Thank you for reviewing.
And yes, the only bug was in Task 6, and well, as for Task 4, the .bash_logout thing was in the logs too haha ( @wispy saddle thanks for pointing it out earlier too)
Regarding Task 9, it was my fault. I rushed in after seeing the .bash_history and just copied the SSH command from there without matching the subnet properly. I was supposed to go for 10.200.60.230 and .bash_history had 10.200.125.230, so my bad for confusing them.
Gave +1 Rep to @frigid herald (current: #32 - 353)
Gave +1 Rep to @wispy saddle (current: #2415 - 2)
Glad to hear I didn't miss anything on Task 9. Congrats on completing it!
Hahahaha Thanks!
This is fantastic news. Glad to see you managed to complete it @urban mango . I think I'll give it another go this week and see if I can finally finish off the learning path.
Lesssgooo
@frigid herald Did something else break? I'm trying the room again today, but the network has been in this state for about 15mins now after pressing 'Start' (with a selection of comedy messages passing by on screen), and the 'Start AttackBox' button is greyed out.
No changes have been made thus far. So still exactly the same. Did you refresh the browser session and still?
Yup, but I'll try it again.
Grr, third time's the charm I guess. Restarting the browser and logging back in twice was apparently not sufficient. It looks promising again. Fingers crossed it'll work for me now. Thanks.
Task 6 - Still no change. I've started the room from scratch, and it still hangs up with the same error. Is it me? Am I missing something again and again here?
I think they haven’t implemented the changes yet.
Also, you need to create a runner first, as in Task 6 the prerequisite is to run the YAML file first; only then will the Jenkinsfile execute.
So, create a runner first,
and then log in to Jenkins and do these steps.
Ah, I misunderstood. I thought that you having completed the room meant it had been fixed. Thanks for the hints.
Gave +1 Rep to @urban mango (current: #823 - 9)
Haha
Nah, the workaround got me through.
Hi, I need help with DAST >> Task 3. When I use the AJAX spider as instructed, choose Firefox and hit the "Start scan" button, I get this error: "Failed to start/connect to Firefox, is the browser available/supported?".
Do you have a supported version of Firefox installed?
What's the best practical DevSecOps certification training with labs that is from the 'practicaldevsecops' vendor (expensive)?
Pretty much any cheaper alternative
Does the attackbox have a supported version of Firefox installed? (Did you try the other options?)