Syndicated Blog

Carnal0wnage
carnal0wnage and Attack Research Blog

Jenkins – CVE-2018-1000600 PoC

| | DEVOPS, jenkins, pentesting
second exploit from the blog posthttps://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.htmlChained with CVE-2018-1000600 to a Pre-auth Fully-responded SSRFhttps://jenkins.io/security/advisory/2018-06-25/#SECURITY-915This affects the GitHub plugin that is installed by default. However, I learned that when you spin up a new ...
Jenkins - decrypting credentials.xml

Jenkins – decrypting credentials.xml

| | jenkins, pentesting
If you find yourself on a Jenkins box with script console access you can decrypt the saved passwords in credentials.xml in the following way:hashed_pw='$PASSWORDHASH'passwd = hudson.util.Secret.decrypt(hashed_pw)println(passwd)You need to perform this on the ...

Jenkins Master Post

| | DEVOPS, jenkins, pentesting
A collection of posts on attacking Jenkinshttp://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege-esc-jenkins.htmlManipulating build steps to get RCEhttps://medium.com/@uranium238/shodan-jenkins-to-get-rces-on-servers-6b6ec7c960e2Using the terminal plugin to get RCEhttps://sharadchhetri.com/2018/12/02/managing-jenkins-plugins/Getting going with the jenkins-clihttps://github.com/Coalfire-Research/java-deserialization-exploits/tree/master/Jenkinshttps://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstreamCVE-2015-8103 & CVE-2016-0792https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.htmlhttp://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.htmlunauth user enumeration jenkins 1>CVE-2019-1003000 (https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266)vulns in: Pipeline: Declarative ...
Jenkins - messing with exploits pt2 - CVE-2019-1003000

Jenkins – messing with exploits pt2 – CVE-2019-1003000

| | jenkins, pentesting
After the release of Orange Tsai's exploit for Jenkins. I've been doing some poking. PreAuth RCE against Jenkins is something everyone wants.While not totally related to the blog post and tweet the ...
Jenkins - messing with new exploits pt1

Jenkins – messing with new exploits pt1

| | DEVOPS, jenkins, pentesting
Jenkins notes for:https://blog.orange.tw/2019/01/hacking-jenkins-part-1-play-with-dynamic-routing.htmlhttp://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.htmlto download old jenkins WAR fileshttp://updates.jenkins-ci.org/download/war/1st bug in the blog is a username enumeration bug inJenkins weekly up to and including 2.145Jenkins LTS up to and including 2.138.1From the blog:Pre-auth ...

Abusing Docker API | Socket

| | devoops, DEVOPS, Docker, Hacking, pentesting
Notes on abusing open Docker socketsThis wont cover breaking out of docker containersPorts: usually 2375 & 2376 but can be anythingRefs:https://blog.sourcerer.io/a-crash-course-on-docker-learn-to-swim-with-the-big-fish-6ff25e8958b0https://www.slideshare.net/BorgHan/hacking-docker-the-easy-wayhttps://blog.secureideas.com/2018/05/escaping-the-whale-things-you-probably-shouldnt-do-with-docker-part-1.htmlhttps://blog.secureideas.com/2018/08/escaping-the-whale-things-you-probably-shouldnt-do-with-docker-part-2.htmlhttps://infoslack.com/devops/exploring-docker-remote-apihttps://www.blackhat.com/docs/us-17/thursday/us-17-Cherny-Well-That-Escalated-Quickly-How-Abusing-The-Docker-API-Led-To-Remote-Code-Execution-Same-Origin-Bypass-And-Persistence_wp.pdfhttps://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/https://cert.litnet.lt/2016/11/owning-system-through-an-exposed-docker-engine/https://medium.com/@riccardo.ancarani94/attacking-docker-exposed-api-3e01ffc3c124https://www.exploit-db.com/exploits/42356https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/docker_daemon_tcp.rbhttp://blog.nibblesec.org/2014/09/abusing-dockers-remote-apis.htmlhttps://www.prodefence.org/knock-knock-docker-will-you-let-me-in-open-api-abuse-in-docker-containers/https://blog.ropnop.com/plundering-docker-images/Enable docker socket (Create practice locations)https://success.docker.com/article/how-do-i-enable-the-remote-api-for-dockerdHaving the docker API | socket exposed ...
Kubernetes: unauth kublet API 10250 basic code exec

Kubernetes: unauth kublet API 10250 basic code exec

| | Cloud, devoops, Hacking, Kubernetes, pentesting
Unauth API access (10250)Most Kubernetes deployments provide authentication for this port. But it’s still possible to expose it inadvertently and it's still pretty common to find it exposed via the "insecure API ...
Kubernetes: unauth kublet API 10250 token theft & kubectl

Kubernetes: unauth kublet API 10250 token theft & kubectl

| | Cloud, devoops, Hacking, Kubernetes, pentesting
Kubernetes: unauthenticated kublet API (10250) token theft & kubectl access & execkube-hunter output to get us started: do a curl -s https://k8-node:10250/runningpods/ to get a list of running podsWith that data, you ...
Kubernetes: Kube-Hunter 10255

Kubernetes: Kube-Hunter 10255

| | Cloud, devoops, Hacking, Kubernetes, pentesting
Below is some sample output that mainly is here to see what open 10255 will give you and look like. What probably of most interest is the /pods endpointor the /metrics endpointor ...
Kubernetes: Kubelet API containerLogs endpoint

Kubernetes: Kubelet API containerLogs endpoint

| | Cloud, devoops, Hacking, Kubernetes, pentesting
How to get the info that kube-hunter reports for open /containerLogs endpointVulnerabilities+---------------+-------------+------------------+----------------------+----------------+| LOCATION CATEGORY | VULNERABILITY | DESCRIPTION | EVIDENCE |+---------------+-------------+------------------+----------------------+----------------++----------------+------------+------------------+----------------------+----------------+| 1.2.3.4:10250 | Information | Exposed Container| Output logs from a | ...
Loading...