Continuous Intrusion: Why CI tools are an attacker's best …
TRANSCRIPT
Page 5
More about Continuous Integration: http://www.martinfowler.com/articles/continuousIntegration.html
Page 8
* Hudson was not evaluated separately. Most of what applies to Jenkins should apply to Hudson as well.
Page 12
http://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege-esc-jenkins.html
Page 13
The rights of a user to add or change build configuration are managed using Matrix-based security or the Project-based Matrix Authorization Strategy. https://wiki.jenkins-ci.org/display/JENKINS/Matrix-based+security
When running commands on a Windows machine we can leverage PowerShell to execute advanced scripts using this method.
Page 14
The Jenkins service must be restarted after that. During the tests, I was unable to successfully restart the Jenkins service from a build step even on Windows (with SYSTEM privileges). The workaround is to have an interactive reverse shell on the host machine and restart the Jenkins service.
Jenkins documentation on Disabling Security: https://wiki.jenkins-ci.org/display/JENKINS/Disable+security
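The two conditions the notes for pages 13 and 14 revolve around, matrix grants that let low-privilege users edit build steps and security switched off altogether, both leave a fingerprint in the master's config.xml. The following audit script is an added, defender-side example and is not code from the talk or from Jenkins. It assumes the config.xml layout used by Jenkins and the Matrix Authorization plugin (a `useSecurity` element, an `authorizationStrategy` element with a `class` attribute, and `permission` entries of the form `permission.id:sid`); the two sample documents are constructed.

```python
"""Audit a Jenkins config.xml for disabled security and over-broad matrix grants.

Added example, not code from the talk. Assumes the config.xml layout used by
Jenkins and the Matrix Authorization plugin: <useSecurity>, an
<authorizationStrategy class="..."> element and <permission> entries of the
form "permission.id:sid" (newer plugin versions prefix "USER:" or "GROUP:").
"""
import sys
import xml.etree.ElementTree as ET

# Grants that let the holder run arbitrary code via build steps or scripts.
DANGEROUS_PERMISSIONS = {
    "hudson.model.Hudson.Administer",
    "hudson.model.Hudson.RunScripts",
    "hudson.model.Item.Configure",
    "hudson.model.Item.Create",
}

# Principals that should never hold the grants above.
BROAD_SIDS = {"anonymous", "authenticated"}


def audit_jenkins_config(xml_text):
    """Return a list of findings (strings) for one config.xml document."""
    findings = []
    root = ET.fromstring(xml_text)

    # Page 14 scenario: <useSecurity>false</useSecurity> turns off all checks.
    use_security = (root.findtext("useSecurity") or "").strip().lower()
    if use_security != "true":
        findings.append("useSecurity is not 'true': no authentication or authorization is enforced")

    strategy = root.find("authorizationStrategy")
    if strategy is None:
        findings.append("no authorizationStrategy element: authorization is undefined")
        return findings

    if strategy.get("class", "").endswith("AuthorizationStrategy$Unsecured"):
        findings.append("authorizationStrategy is Unsecured: every visitor is an administrator")

    # Page 13 scenario: matrix grants that let low-privilege users edit build steps.
    for perm in strategy.findall("permission"):
        parts = (perm.text or "").strip().split(":")
        if len(parts) < 2:
            continue
        perm_id, sid = parts[-2], parts[-1]
        if perm_id in DANGEROUS_PERMISSIONS and sid in BROAD_SIDS:
            findings.append(f"{perm_id} is granted to '{sid}'")
    return findings


# Constructed sample: security on, but Item.Configure granted to everyone logged in.
SAMPLE_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:alice</permission>
    <permission>hudson.model.Hudson.Read:anonymous</permission>
    <permission>hudson.model.Item.Configure:authenticated</permission>
  </authorizationStrategy>
</hudson>
"""

# Constructed sample: what config.xml looks like after security has been disabled.
DISABLED_CONFIG = """<hudson>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
</hudson>
"""

if __name__ == "__main__":
    # Usage: python audit_jenkins.py /var/lib/jenkins/config.xml (path is an example)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in audit_jenkins_config(text) or ["no findings"]:
        print(finding)
```

Run it against a copy of config.xml taken from the master (or from a backup, so the live file is never touched); a finding on `useSecurity` or on `Item.Configure` for `authenticated` is exactly the state the slides describe, and the file is small enough to diff on every backup.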
Page 15
https://imgflip.com/memegenerator/Surprised-Koala
Page 16
Taken from http://thiébaud.fr/jenkins_credentials.html
Page 17
We need credentials.xml from $JENKINS_HOME, and master.key and hudson.util.secret from $JENKINS_HOME/secrets/.
We read the keys master.key and hudson.util.secret as bytes and convert them back to files on our own machine. On a Windows machine the conversion could be done using TextToExe.ps1 from Nishang: https://github.com/samratashok/nishang/blob/master/Utility/TexttoExe.ps1
Page 22
https://confluence.jetbrains.com/display/TCD9/Getting+Started
Page 23
https://confluence.jetbrains.com/pages/viewpage.action?pageId=54334889#HowTo...-TeamCitySecurityNotes
Page 25
https://confluence.jetbrains.com/display/TCD9/Role+and+Permission
The TeamCity documentation recommends not having a build agent on the master, but it looks like only a few care about that.
Page 26
A Build Step could be added with Project Administrator or even lower privileges (if configured that way). PowerShell commands and scripts could be executed using the PowerShell runner: https://confluence.jetbrains.com/display/TCD9/PowerShell
On *nix machines, shell commands and scripts could be executed.
Page 27
https://confluence.jetbrains.com/display/TCD9/Super+User
Fun Fact: You can lock out the SuperUser for one minute by clicking the Log in button five times without entering a Username and Password. This makes it easy to block the SuperUser account by repeating the login requests indefinitely.
Page 30
https://confluence.jetbrains.com/display/TCD9/SSH+Keys+Management
Here is how it could be done:
1. To find the data directory of the master, look for "Data Directory" in teamcity-server.log. Use a PowerShell runner.
2. Use "cat <TeamCity Data Directory>\config\projects\<project>\pluginData\ssh_keys\*" to list the contents of all the keys.
Page 32
TeamCity supports the Password type parameter for passwords, but I have seen many users using a Text parameter for passwords. See: https://confluence.jetbrains.com/display/TCD9/Typed+Parameters
Page 34
A couple of examples of credentials in Build Logs. In both of the above screenshots, access to the public instances and their Build Logs is with Guest privileges.
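The point of page 34 is that build logs readable by Guest users routinely contain passwords, so the check a defender wants is one that runs over archived console output (or sits in the log shipper) and flags credential material before the log is exposed. The scanner below is an added example, not code from the talk; its rules are heuristics chosen for this page (credentials embedded in clone URLs, `password=`-style assignments, AWS access key ids, private key headers), and the log lines it runs over are constructed in the style of a TeamCity or Jenkins console log.

```python
"""Flag credential material in CI build-log lines.

Added example, not from the talk. The rules are heuristics and the sample
log lines are constructed; findings are reported with the matched span
redacted so that the report itself does not re-leak the secret.
"""
import re

# Each rule is (name, compiled pattern). Order matters: the first match wins.
RULES = [
    ("url with embedded credentials",
     re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s@]+@")),
    ("password assignment",
     re.compile(r"(?i)\b(?:pass(?:word|wd)?|pwd|secret|token|api[_-]?key)\b\s*[=:]\s*['\"]?[^\s'\"]+")),
    ("aws access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private key block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]


def redact(line, match):
    """Replace the matched span so a finding can be reported without the secret."""
    return line[:match.start()] + "[REDACTED]" + line[match.end():]


def scan_build_log(lines):
    """Return (line_number, rule_name, redacted_line) for each suspicious line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for name, pattern in RULES:
            match = pattern.search(line)
            if match:
                hits.append((number, name, redact(line, match)))
                break  # one finding per line is enough for triage
    return hits


# Constructed build output in the style of a TeamCity/Jenkins console log.
SAMPLE_LOG = [
    "[12:00:01] Step 1/3: Checkout",
    "[12:00:02] git clone https://deploy:Sup3rS3cret@git.example.test/app.git",
    "[12:00:05] Step 2/3: Build",
    "[12:00:06] mvn -B package -Ddb.password=hunter2",
    "[12:00:40] BUILD SUCCESS",
    "[12:00:41] export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
]

if __name__ == "__main__":
    for number, name, redacted in scan_build_log(SAMPLE_LOG):
        print(f"line {number}: {name}: {redacted}")
```

The rules deliberately err on the side of false positives: a flagged line costs a minute of review, while a leaked deploy credential in a log that Guest can read costs the environment. Feeding the archived logs of every build configuration through this once, then enabling Password-type parameters and masking for the offenders, is the practical remediation for what the screenshots show.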
Page 36
http://www.go.cd/
http://www.thoughtworks.com/products/go-continuous-delivery
Page 37
http://support.thoughtworks.com/entries/22299328-Go-Security-Questions
Page 39
http://support.thoughtworks.com/entries/22873043-go-s-custom-command
http://www.go.cd/documentation/user/current/advanced_usage/command_repository.html
Page 40
We need Pipeline Group Administrator rights to be able to configure Jobs which can run custom commands.
Page 42
In the above, the command cmd /c powershell -c del 'C:\Program Files (x86)\Go Server\config\cruise-config.xml' removes the configuration file of Go. The command cmd /c powershell -c Restart-Service 'Go Server' restarts the Go Server service. After this, all security is removed from the Go dashboard and anyone who knows the URL has admin rights.
Instead of removing the cruise-config.xml file, we can also remove only the <security></security> part of it and restart the Go Server service for the same effect.
Or we can add the current user to <admins> in the <security> part of cruise-config.xml.
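Each of the three variants on page 42 (delete cruise-config.xml, strip its `<security>` section, or add a user to `<admins>`) leaves a fingerprint in the file that a periodic check can catch. The script below is an added, defender-side example and is not code from the talk or from Go; it compares the live file against an expected list of admin users and reports all three conditions. The XML layout (`<cruise><server><security><admins><user>`, a `passwordFile` element) is assumed from the Go documentation of the time, and the three sample documents are constructed.

```python
"""Detect the cruise-config.xml tampering described on page 42 of the deck.

Added example, not code from the talk or from Go. The XML layout is assumed
from Go's documentation of the time: <cruise><server><security><admins><user>.
The sample documents below are constructed.
"""
import os
import sys
import xml.etree.ElementTree as ET


def audit_cruise_config(xml_text, expected_admins):
    """Return findings (strings) for one cruise-config.xml document."""
    findings = []
    root = ET.fromstring(xml_text)
    server = root.find("server")
    security = server.find("security") if server is not None else None

    # Variant 2: <security> stripped -> dashboard open to anyone who knows the URL.
    if security is None:
        findings.append("no <security> section: authentication and authorization are off")
        return findings

    # Variant 3: someone added themselves to <admins>.
    admins = {user.text.strip() for user in security.findall("admins/user") if user.text}
    expected = set(expected_admins)
    for extra in sorted(admins - expected):
        findings.append(f"unexpected admin user '{extra}'")
    for missing in sorted(expected - admins):
        findings.append(f"expected admin user '{missing}' is no longer listed")
    return findings


def audit_cruise_config_file(path, expected_admins):
    """Variant 1: the whole file deleted. Otherwise defer to the content audit."""
    if not os.path.exists(path):
        return [f"{path} is missing: Go will start without any security configuration"]
    with open(path, encoding="utf-8") as handle:
        return audit_cruise_config(handle.read(), expected_admins)


# Constructed baseline: password-file auth with a single admin.
BASELINE = """<cruise>
  <server artifactsdir="artifacts">
    <security>
      <passwordFile path="/etc/go/password.properties"/>
      <admins><user>alice</user></admins>
    </security>
  </server>
</cruise>
"""

# Constructed tampered copy: the build user has been added to <admins>.
TAMPERED = BASELINE.replace("<user>alice</user>", "<user>alice</user><user>builduser</user>")

# Constructed copy with the whole <security> section removed.
STRIPPED = """<cruise>
  <server artifactsdir="artifacts"/>
</cruise>
"""

if __name__ == "__main__":
    # Usage: python audit_cruise_config.py /path/to/cruise-config.xml alice bob
    if len(sys.argv) > 2:
        findings = audit_cruise_config_file(sys.argv[1], sys.argv[2:])
    else:
        findings = audit_cruise_config(TAMPERED, ["alice"])
    print("\n".join(findings) or "no findings")
```

Because every variant on the slide also needs a restart of the Go Server service, pairing this check with a service-restart alert gives two independent signals for the same event; role-based admins (`<role>` under `<admins>`) would need the same comparison, which this example leaves out.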
Page 44
Documentation on using password files:
http://www.go.cd/documentation/user/current/configuration/dev_authentication.html
https://github.com/gocd/gocd/blob/master/manual-testing/ant_hg/password.properties
Location of SSH keys is:
C:/Program Files (x86)/Go Server/
%HOMEDRIVE%%HOMEPATH%/.ssh
/var/go/.ssh on Linux
Page 49
Documentation for the exec builder: http://cruisecontrol.sourceforge.net/main/configxml.html#exec
Page 53
Also see:
https://github.com/foxglovesec/JavaUnserializeExploits
https://github.com/frohoff/ysoserial
Page 54
I am using an encoded one-line PowerShell reverse shell from Nishang as the payload in the above screenshot. (https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1)