SlideShare a Scribd company logo
1 of 65
Download to read offline
1
2
3
4
More about Continuous Integration:
http://www.martinfowler.com/articles/continuousIntegration.html
5
6
7
* Hudson was not evaluated separately. Most of the things which apply on Jenkins
should apply on Hudson as well.
8
9
10
11
http://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege-
esc-jenkins.html
12
The rights of the user to add or change build configuration are managed using Matrix
based security or Project-based Matrix Authorization Strategy.
https://wiki.jenkins-ci.org/display/JENKINS/Matrix-based+security
When running commands on a Windows machine we can leverage PowerShell to
execute advanced scripts using this method.
13
The Jenkins service must be restarted after that. During the tests, I was unable to
successfully restart the Jenkins service from a build step even on Windows (with
SYSTEM privileges). The workaround is to have an interactive reverse shell on the host
machine and restart Jenkins service.
Jenkins documentation on Disabling Security
https://wiki.jenkins-ci.org/display/JENKINS/Disable+security
14
https://imgflip.com/memegenerator/Surprised-Koala
15
Taken from http://thiébaud.fr/jenkins_credentials.html
16
We need credentials.xml from $JENKINS_HOME and master.key and
hudson.util.secret from $JENKINS_HOME/secrets/
We are reading the keys master.key and hudson.util.secret in bytes and will convert
them back to file on our own machine. On a Windows machine the conversion could
be done by using TextToExe.ps1 from Nishang.
https://github.com/samratashok/nishang/blob/master/Utility/TexttoExe.ps1
17
18
19
20
21
https://confluence.jetbrains.com/display/TCD9/Getting+Started
22
https://confluence.jetbrains.com/pages/viewpage.action?pageId=54334889#HowTo..
.-TeamCitySecurityNotes
23
24
https://confluence.jetbrains.com/display/TCD9/Role+and+Permission
Teamcity documentation recommends not to have build agent on master but looks
like only few care about that.
25
A Build Step could be added with the Project Administrator or even lower privileges
(if configured that way). PowerShell commands and scripts could be executed using
the PowerShell runner.
https://confluence.jetbrains.com/display/TCD9/PowerShell
On *nix machines, shell commands and scripts could be executed.
26
https://confluence.jetbrains.com/display/TCD9/Super+User
Fun Fact: You can lock out SuperUser for one minute by clicking Log in button five
times without entering a Username and Password. This makes it easy to block it by
repeating login requests indefinitely.
27
28
29
https://confluence.jetbrains.com/display/TCD9/SSH+Keys+Management
Here is how it could be done:
1. To know the data directory of the master, look for “Data Directory” in the
teamcity-server.log. Use a PowerShell runner.
2. Use “cat <TeamCity Data
Directory>configprojects<project>pluginDatassh_keys *” to list contents of
all the keys.
30
31
Teamcity supports using the Password type Parameter for passwords but I have seen
so many users using Text Parameter for passwords.
See: https://confluence.jetbrains.com/display/TCD9/Typed+Parameters
32
33
Couple of examples of credentials in Build Logs. In both the above screenshots,
access to public instances and the Build Logs is with Guest privileges.
34
35
http://www.go.cd/
http://www.thoughtworks.com/products/go-continuous-delivery
36
http://support.thoughtworks.com/entries/22299328-Go-Security-Questions
37
38
http://support.thoughtworks.com/entries/22873043-go-s-custom-command
http://www.go.cd/documentation/user/current/advanced_usage/command_reposito
ry.html
39
We need Pipeline Group Administrator rights to be able to configure Jobs which can
run custom commands.
40
41
In above, the command cmd /c powershell -c del 'C:Program Files (x86)Go
Serverconfigcruise-config.xml’ will remove the configuration file of Go.
The command cmd /c powershell –c Restart-Service 'Go Server‘ will restart the Go
Server service.
After this, all security will be removed from the Go dashboard and anyone who
knows the URL will have admin rights.
Instead of removing the cruise-config.xml file, we can also remove only the
<security></security> part of it and restart the Go Server service for same effect.
Or we can add the current user to <admins> in the <security> part of cruise-
config.xml
42
43
Documentation on using password files:
http://www.go.cd/documentation/user/current/configuration/dev_authentication.ht
ml
https://github.com/gocd/gocd/blob/master/manual-
testing/ant_hg/password.properties
Location of SSH keys is:
C:/Program Files (x86)/Go Server/%HOMEDRIVE%%HOMEPATH%/.ssh
/var/go/.ssh on Linux
44
45
46
47
48
Documentation for the exec builder:
http://cruisecontrol.sourceforge.net/main/configxml.html#exec
49
50
51
52
Also see: https://github.com/foxglovesec/JavaUnserializeExploits
https://github.com/frohoff/ysoserial
53
I am using an encoded one line PowerShell reverse shell from Nishang as the payload
in the above screenshot.
(https://github.com/samratashok/nishang/blob/master/Shells/Invoke-
PowerShellTcpOneLine.ps1)
54
55
56
57
58
59
60
61
62
63
64
65

More Related Content

What's hot

Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, Powershell
Roo7break
 

What's hot (20)

Pwnstaller
PwnstallerPwnstaller
Pwnstaller
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory Dominance
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, Powershell
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShell
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
 
Workshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersWorkshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration Testers
 
Hacking the future with USB HID
Hacking the future with USB HIDHacking the future with USB HID
Hacking the future with USB HID
 
Defcon - Veil-Pillage
Defcon - Veil-PillageDefcon - Veil-Pillage
Defcon - Veil-Pillage
 
Catch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs BlueCatch Me If You Can: PowerShell Red vs Blue
Catch Me If You Can: PowerShell Red vs Blue
 
More fun using Kautilya
More fun using KautilyaMore fun using Kautilya
More fun using Kautilya
 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active Directory
 
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
BlueHat 2014 - The Attacker's View of Windows Authentication and Post Exploit...
 
BH Arsenal '14 TurboTalk: The Veil-framework
BH Arsenal '14 TurboTalk: The Veil-frameworkBH Arsenal '14 TurboTalk: The Veil-framework
BH Arsenal '14 TurboTalk: The Veil-framework
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
 
Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)Harness: PowerShell Weaponization Made Easy (or at least easier)
Harness: PowerShell Weaponization Made Easy (or at least easier)
 
Owning windows 8 with human interface devices
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devices
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
Windows Attacks AT is the new black
Windows Attacks   AT is the new blackWindows Attacks   AT is the new black
Windows Attacks AT is the new black
 
Windows attacks - AT is the new black
Windows attacks - AT is the new blackWindows attacks - AT is the new black
Windows attacks - AT is the new black
 

Similar to Continuous intrusion: Why CI tools are an attacker’s best friends

Similar to Continuous intrusion: Why CI tools are an attacker’s best friends (20)

Drupal Continuous Integration with Jenkins - Deploy
Drupal Continuous Integration with Jenkins - DeployDrupal Continuous Integration with Jenkins - Deploy
Drupal Continuous Integration with Jenkins - Deploy
 
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
DevOpsDaysRiga 2018: Andrew Martin - Continuous Kubernetes Security
 
PVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agents
PVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agentsPVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agents
PVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agents
 
Bring-your-ML-Project-into-Production-v2.pdf
Bring-your-ML-Project-into-Production-v2.pdfBring-your-ML-Project-into-Production-v2.pdf
Bring-your-ML-Project-into-Production-v2.pdf
 
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
Control Plane: Continuous Kubernetes Security (DevSecOps - London Gathering, ...
 
Penetration Testing Report
Penetration Testing ReportPenetration Testing Report
Penetration Testing Report
 
MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2
MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2
MuleSoft Meetup Roma - Runtime Fabric Series (From Zero to Hero) - Sessione 2
 
Intro to Powershell
Intro to PowershellIntro to Powershell
Intro to Powershell
 
Blockchain Hyperledger Lab
Blockchain Hyperledger LabBlockchain Hyperledger Lab
Blockchain Hyperledger Lab
 
Effective Data Pipelines with Docker & Jenkins - Brian Donaldson
Effective Data Pipelines with Docker & Jenkins - Brian DonaldsonEffective Data Pipelines with Docker & Jenkins - Brian Donaldson
Effective Data Pipelines with Docker & Jenkins - Brian Donaldson
 
Build Your Own HiveMQ Extension
Build Your Own HiveMQ ExtensionBuild Your Own HiveMQ Extension
Build Your Own HiveMQ Extension
 
GE Predix 新手入门 赵锴 物联网_IoT
GE Predix 新手入门 赵锴 物联网_IoTGE Predix 新手入门 赵锴 物联网_IoT
GE Predix 新手入门 赵锴 物联网_IoT
 
ScalaUA - distage: Staged Dependency Injection
ScalaUA - distage: Staged Dependency InjectionScalaUA - distage: Staged Dependency Injection
ScalaUA - distage: Staged Dependency Injection
 
Blockchain - Hyperledger Fabric v1.0 Running on LinuxONE, see it in action!
Blockchain - Hyperledger Fabric v1.0 Running on LinuxONE, see it in action!Blockchain - Hyperledger Fabric v1.0 Running on LinuxONE, see it in action!
Blockchain - Hyperledger Fabric v1.0 Running on LinuxONE, see it in action!
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.ppt
 
SQLSecurity.ppt
SQLSecurity.pptSQLSecurity.ppt
SQLSecurity.ppt
 
ClickHouse on Kubernetes, by Alexander Zaitsev, Altinity CTO
ClickHouse on Kubernetes, by Alexander Zaitsev, Altinity CTOClickHouse on Kubernetes, by Alexander Zaitsev, Altinity CTO
ClickHouse on Kubernetes, by Alexander Zaitsev, Altinity CTO
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015
 
Struts2 tutorial
Struts2 tutorialStruts2 tutorial
Struts2 tutorial
 
jRecruiter - The AJUG Job Posting Service
jRecruiter - The AJUG Job Posting ServicejRecruiter - The AJUG Job Posting Service
jRecruiter - The AJUG Job Posting Service
 

Recently uploaded

Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
FIDO Alliance
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
FIDO Alliance
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc
 

Recently uploaded (20)

Overview of Hyperledger Foundation
Overview of Hyperledger FoundationOverview of Hyperledger Foundation
Overview of Hyperledger Foundation
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptx
 
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
Human Expert Website Manual WCAG 2.0 2.1 2.2 Audit - Digital Accessibility Au...
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream Processing
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
Event-Driven Architecture Masterclass: Integrating Distributed Data Stores Ac...
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
Design and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data ScienceDesign and Development of a Provenance Capture Platform for Data Science
Design and Development of a Provenance Capture Platform for Data Science
 
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...Hyatt driving innovation and exceptional customer experiences with FIDO passw...
Hyatt driving innovation and exceptional customer experiences with FIDO passw...
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
Vector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxVector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptx
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
الأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهلهالأمن السيبراني - ما لا يسع للمستخدم جهله
الأمن السيبراني - ما لا يسع للمستخدم جهله
 
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
TrustArc Webinar - Unified Trust Center for Privacy, Security, Compliance, an...
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
How to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cfHow to Check CNIC Information Online with Pakdata cf
How to Check CNIC Information Online with Pakdata cf
 
Portal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russePortal Kombat : extension du réseau de propagande russe
Portal Kombat : extension du réseau de propagande russe
 

Continuous intrusion: Why CI tools are an attacker’s best friends

Editor's Notes

  1. More about Continuous Integration: http://www.martinfowler.com/articles/continuousIntegration.html
  2. * Hudson was not evaluated separately. Most of the things which apply on Jenkins should apply on Hudson as well.
  3. http://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege-esc-jenkins.html
  4. The rights of the user to add or change build configuration are managed using Matrix based security or Project-based Matrix Authorization Strategy. https://wiki.jenkins-ci.org/display/JENKINS/Matrix-based+security When running commands on a Windows machine we can leverage PowerShell to execute advanced scripts using this method.
  5. The Jenkins service must be restarted after that. During the tests, I was unable to successfully restart the Jenkins service from a build step even on Windows (with SYSTEM privileges). The workaround is to have an interactive reverse shell on the host machine and restart Jenkins service. Jenkins documentation on Disabling Security https://wiki.jenkins-ci.org/display/JENKINS/Disable+security
  6. https://imgflip.com/memegenerator/Surprised-Koala
  7. Taken from http://thiébaud.fr/jenkins_credentials.html
  8. We need credentials.xml from $JENKINS_HOME and master.key and hudson.util.secret from $JENKINS_HOME/secrets/ We are reading the keys master.key and hudson.util.secret in bytes and will convert them back to file on our own machine. On a Windows machine the conversion could be done by using TextToExe.ps1 from Nishang. https://github.com/samratashok/nishang/blob/master/Utility/TexttoExe.ps1
  9. https://confluence.jetbrains.com/display/TCD9/Getting+Started
  10. https://confluence.jetbrains.com/pages/viewpage.action?pageId=54334889#HowTo...-TeamCitySecurityNotes
  11. https://confluence.jetbrains.com/display/TCD9/Role+and+Permission Teamcity documentation recommends not to have build agent on master but looks like only few care about that.
  12. A Build Step could be added with the Project Administrator or even lower privileges (if configured that way). PowerShell commands and scripts could be executed using the PowerShell runner. https://confluence.jetbrains.com/display/TCD9/PowerShell On *nix machines, shell commands and scripts could be executed.
  13. https://confluence.jetbrains.com/display/TCD9/Super+User Fun Fact: You can lock out SuperUser for one minute by clicking Log in button five times without entering a Username and Password. This makes it easy to block it by repeating login requests indefinitely.
  14. https://confluence.jetbrains.com/display/TCD9/SSH+Keys+Management Here is how it could be done: To know the data directory of the master, look for “Data Directory” in the teamcity-server.log. Use a PowerShell runner. Use “cat <TeamCity Data Directory>\config\projects\<project>\pluginData\ssh_keys\ *” to list contents of all the keys.
  15. Teamcity supports using the Password type Parameter for passwords but I have seen so many users using Text Parameter for passwords. See: https://confluence.jetbrains.com/display/TCD9/Typed+Parameters
  16. Couple of examples of credentials in Build Logs. In both the above screenshots, access to public instances and the Build Logs is with Guest privileges.
  17. http://www.go.cd/ http://www.thoughtworks.com/products/go-continuous-delivery
  18. http://support.thoughtworks.com/entries/22299328-Go-Security-Questions
  19. http://support.thoughtworks.com/entries/22873043-go-s-custom-command http://www.go.cd/documentation/user/current/advanced_usage/command_repository.html
  20. We need Pipeline Group Administrator rights to be able to configure Jobs which can run custom commands.
  21. In above, the command cmd /c powershell -c del 'C:\Program Files (x86)\Go Server\config\cruise-config.xml’ will remove the configuration file of Go. The command cmd /c powershell –c Restart-Service 'Go Server‘ will restart the Go Server service. After this, all security will be removed from the Go dashboard and anyone who knows the URL will have admin rights. Instead of removing the cruise-config.xml file, we can also remove only the <security></security> part of it and restart the Go Server service for same effect. Or we can add the current user to <admins> in the <security> part of cruise-config.xml
  22. Documentation on using password files: http://www.go.cd/documentation/user/current/configuration/dev_authentication.html https://github.com/gocd/gocd/blob/master/manual-testing/ant_hg/password.properties Location of SSH keys is: C:/Program Files (x86)/Go Server/%HOMEDRIVE%%HOMEPATH%/.ssh /var/go/.ssh on Linux
  23. Documentation for the exec builder: http://cruisecontrol.sourceforge.net/main/configxml.html#exec
  24. Also see: https://github.com/foxglovesec/JavaUnserializeExploits https://github.com/frohoff/ysoserial
  25. I am using an encoded one line PowerShell reverse shell from Nishang as the payload in the above screenshot. (https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1)