GitBook: [#3015] No subject

This commit is contained in:
CPol 2022-02-17 11:03:34 +00:00 committed by gitbook-bot
parent b619d13e25
commit dc17c7b2b6
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF

@ -33,20 +33,32 @@ You will be able to find Jenkins instances that **allow you to create an account
msf> use auxiliary/scanner/http/jenkins_login
```
## Known Vulnerabilities
## Jenkins Abuses
### Known Vulnerabilities
{% embed url="https://github.com/gquere/pwn_jenkins" %}
### Extract Secrets
### Dumping builds to find cleartext secrets
In the same repo mentioned before you can find tools to f**ind cleartext secrets from builds and also from Groovy**.
Use [this script](https://github.com/gquere/pwn\_jenkins/blob/master/dump\_builds/jenkins\_dump\_builds.py) to dump build console outputs and build environment variables to hopefully find cleartext secrets.
You can also find a tool for **password spraying**.
### Password spraying
Use [this python script](https://github.com/gquere/pwn\_jenkins/blob/master/password\_spraying/jenkins\_password\_spraying.py) or [this powershell script](https://github.com/chryzsh/JenkinsPasswordSpray).
### Decrypt Jenkins secrets offline
Use [this script](https://github.com/gquere/pwn\_jenkins/blob/master/offline\_decryption/jenkins\_offline\_decrypt.py) to decrypt previsously dumped secrets.
### Decrypt Jenkins secrets from Groovy
```
println(hudson.util.Secret.decrypt("{...}"))
```
## Code Execution
There are 3 ways to get **code execution** with Jenkins.
### **Create a new project**
This method is very noisy because you have to create a hole new project (obviously this will only work if you user is allowed to create a new project).
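Review bot: several typos in the added prose of this hunk: in "f**ind cleartext secrets from builds and also from Groovy**" the bold marker sits inside the word and should move before "find"; "previsously" should be "previously"; "a hole new project" should be "a whole new project"; and "if you user is allowed" should be "if your user is allowed". The fenced block under "### Decrypt Jenkins secrets from Groovy" also has no language tag, so the renderer will not highlight it; tag it as ```groovy. Finally, "## Known Vulnerabilities" and "### Known Vulnerabilities" both appear in the new structure; if the top-level heading was meant to be replaced by the sub-heading under "## Jenkins Abuses", drop the duplicate so the table of contents does not show the section twice.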
@ -128,14 +140,34 @@ msf> use exploit/multi/http/jenkins_script_console
## POST
Dump Jenkins credentials using:
### Metasploit
```
msf> post/multi/gather/jenkins_gather
```
### Files to copy after compromission
These files are needed to decrypt Jenkins secrets:
* secrets/master.key
* secrets/hudson.util.Secret
Such secrets can usually be found in:
* credentials.xml
* jobs/.../build.xml
Here's a regexp to find them:
```
grep -re "^\s*<[a-zA-Z]*>{[a-zA-Z0-9=+/]*}<"
```
## References
{% embed url="https://github.com/gquere/pwn_jenkins" %}
{% embed url="https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter---toying-with-powersploit/" %}
{% embed url="https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password" %}
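Review bot: the Metasploit line "msf> post/multi/gather/jenkins_gather" is missing the "use" keyword that the other msf lines in this patch have ("msf> use auxiliary/scanner/http/jenkins_login", "msf> use exploit/multi/http/jenkins_script_console"); as written it is not a command the console accepts, so it should read "msf> use post/multi/gather/jenkins_gather". Two documentation points in the same hunk: "### Files to copy after compromission" should be "after compromise", and the file list ("secrets/master.key", "secrets/hudson.util.Secret", "credentials.xml", "jobs/.../build.xml") gives relative paths without saying what directory they are relative to; state the base directory so a reader (or an auditor checking which files to protect) can locate them. The two fenced blocks in this hunk also lack language tags; tag the msf block as ```text and the grep one-liner as ```bash for consistent rendering.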