Continuous intrusion: Why CI tools are an attacker’s best friends
More about Continuous Integration: http://www.martinfowler.com/articles/continuousIntegration.html
* Hudson was not evaluated separately. Most of the things which apply on Jenkins should apply on Hudson as well.
http://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege-esc-jenkins.html
The rights of a user to add or change a build configuration are managed using Matrix-based security or the Project-based Matrix Authorization Strategy: https://wiki.jenkins-ci.org/display/JENKINS/Matrix-based+security
When running commands on a Windows machine, we can leverage PowerShell to execute advanced scripts using this method.
Taken from http://thiébaud.fr/jenkins_credentials.html
We need credentials.xml from $JENKINS_HOME, and master.key and hudson.util.secret from $JENKINS_HOME/secrets/.
We are reading the keys master.key and hudson.util.secret as bytes and will convert them back into files on our own machine. On a Windows machine the conversion can be done using TextToExe.ps1 from Nishang: https://github.com/samratashok/nishang/blob/master/Utility/TexttoExe.ps1
Also see: https://github.com/foxglovesec/JavaUnserializeExploits and https://github.com/frohoff/ysoserial
I am using an encoded one line PowerShell reverse shell from Nishang as the payload in the above screenshot. (https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1)