Hacking Jenkins

Offered By: Hack In The Box Security Conference via YouTube

Tags

Hack In The Box Security Conference Courses, Cybersecurity Courses, Jenkins Courses, Exploit Development Courses

Course Description

Overview

Explore the intricacies of hacking Jenkins, the world's most popular CI/CD server, in this comprehensive conference talk from Hack In The Box Security Conference. Dive deep into Jenkins' internal mechanisms and exploitation guidelines, covering dynamic routing misuse, meta-programming abuse, and Groovy sandbox escapes. Learn about a full pre-auth remote code execution exploit chain and discover seven newly found vulnerabilities with CVEs. Gain insights into building custom gadgets and unconventional hacking techniques for Jenkins. Topics covered include JVM ecosystem reports, common attack vectors, past deserialization bugs, Jenkins remoting, Java web review, Stapler's role, routing rules, URL whitelists, compile-time meta-programming, root cause analysis, malicious JAR preparation, remote Jenkins attacks, Shodan survey results, and the evolution of exploit chains.

Syllabus

Intro
Orange Tsai
Outline
JVM ecosystem report 2018
Jenkins for hackers
Common attack vectors
Past deserialization bugs on Jenkins
Jenkins remoting 2.55
Review Java web
What did Stapler do?
Routing rules
URL whitelists by default
Compile-time meta-programming
Root cause analysis
Prepare the malicious JAR
Attacking remote Jenkins!
Survey on Shodan
Evolution of the exploit
More reliable exploit chain


Taught by

Hack In The Box Security Conference

Related Courses

CNIT 127: Exploit Development
CNIT - City College of San Francisco via Independent
Reverse Engineering and Exploit Development
Udemy
Penetration Testing: Advanced Kali Linux
LinkedIn Learning
Linux x86 Assembly and Shellcoding
Udemy
Python: From Zero to Advanced - With Ethical Hacker Examples
Udemy