YoVDO

Hacking the DevOps Butler - From Nothing to Admin

Offered By: Hack In The Box Security Conference via YouTube

Tags

Hack In The Box Security Conference Courses
Cybersecurity Courses
DevOps Courses
Jenkins Courses
Reverse Engineering Courses
Static Code Analysis Courses

Course Description

Overview

Explore vulnerabilities in Jenkins, the popular open-source automation server, in this 53-minute conference talk from Hack In The Box Security Conference. The talk walks through the research process that produced six CVEs, focusing on two critical vulnerabilities that let an anonymous attacker gain full admin privileges on a Jenkins server. Learn about the reverse-engineering and static code analysis techniques used to find these flaws, and the exploitation methods that can compromise an entire Jenkins infrastructure. Because Jenkins sits at the centre of the DevOps stacks of major organizations and holds the secrets needed to build and deploy software, a takeover of the server is a takeover of the software delivery process. Follow along as the speaker details the step-by-step approach to probing, analyzing, and exploiting Jenkins, providing valuable knowledge for cybersecurity professionals and DevOps engineers alike.

Syllabus

Intro
CI/CD PIPELINE
Jenkins in Numbers
Jenkins is useful!
Jenkins is Great!
Jenkins Integrations
Jenkins Needs Access to Secrets
Jenkins in the news: a complete takeover
Preliminary probing - JENKINS_HOME
Preliminary probing [2B]
Jenkins Script console
Shodan probing
probing summary
Jenkins access 2
Jenkins reverse engineering
Jenkins static code analysis
Code analysis summary
CVE-2018-1999043
Exploiting systematically
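The probing sections of the talk deal with working out, without credentials, what an exposed Jenkins instance lets anonymous users do. The script below is an added example written for this listing; it is not code from the talk or from the Jenkins project. It classifies anonymous exposure from three documented endpoints: `/api/json` (requires Overall/Read), `/whoAmI/api/json` (reports the caller's identity and authorities) and `/script` (the Groovy script console, normally Administer-only). The `classify()` function is pure so it can be exercised on captured responses; `probe()` performs live requests against a URL you own or are authorized to test. The sample JSON is constructed to match the shape of real `/whoAmI` output, and the exact status codes an instance returns depend on its configured security realm and authorization strategy, so treat the mapping as an assumption to confirm against your own deployment.

```python
"""Classify anonymous exposure of a Jenkins instance (added example, not from the talk).

Endpoints used (all part of the standard Jenkins web UI):
  GET /api/json          -> 200 only if the caller has Overall/Read
  GET /whoAmI/api/json   -> JSON describing the caller; "anonymous": true when no session
  GET /script            -> Groovy script console; 200 means it rendered for the caller

Assumption: a 403 (or 401) on /api/json means anonymous lacks Overall/Read, and a
200 on /script means anonymous can run arbitrary Groovy on the controller.
"""
import json
import urllib.error
import urllib.request

# Constructed sample, shaped after real /whoAmI/api/json output for an anonymous caller.
SAMPLE_WHOAMI = json.loads(
    '{"_class":"hudson.security.WhoAmI","anonymous":true,"authenticated":true,'
    '"authorities":["anonymous"],"name":"anonymous"}'
)


def classify(api_status: int, whoami: dict, script_status: int) -> str:
    """Map raw probe results to one of four exposure levels.

    The most severe finding wins: a reachable script console is full code execution
    on the controller, regardless of what the read-level checks say.
    """
    if not whoami.get("anonymous", True):
        # We sent no credentials, so a non-anonymous identity means something
        # (a proxy, SSO header, etc.) is authenticating us; report it rather than guess.
        return "unexpected-authenticated-identity"
    if script_status == 200:
        return "anonymous-script-console"
    if api_status == 200:
        return "anonymous-read"
    return "no-anonymous-read"


def _get(url: str, timeout: float = 5.0):
    """GET without credentials; return (status, headers, body) even for HTTP errors."""
    req = urllib.request.Request(url, headers={"User-Agent": "jenkins-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers, err.read()


def probe(base_url: str) -> dict:
    """Run the three requests against a live instance and classify the result."""
    base = base_url.rstrip("/")
    api_status, headers, _ = _get(base + "/api/json")
    # Jenkins adds an X-Jenkins header carrying its version to most responses.
    version = headers.get("X-Jenkins")
    if version is None:
        return {"jenkins": False, "exposure": "not-jenkins"}

    _, _, whoami_body = _get(base + "/whoAmI/api/json")
    try:
        whoami = json.loads(whoami_body.decode("utf-8", "replace"))
    except json.JSONDecodeError:
        whoami = {}
    script_status, _, _ = _get(base + "/script")

    return {
        "jenkins": True,
        "version": version,
        "exposure": classify(api_status, whoami, script_status),
    }


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080"
    print(json.dumps(probe(target), indent=2))
```

Run it as `python jenkins_exposure.py http://jenkins.example.internal:8080` against an instance you are allowed to test. Anything other than `no-anonymous-read` deserves a look at the authorization strategy: anonymous read alone leaks job names, build logs and often credential IDs, and an anonymous script console is an immediate full compromise.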

Taught by

Hack In The Box Security Conference

Related Courses

Secure Android App Development
University of Southampton via FutureLearn
DevSecOps: Building a Secure Continuous Delivery Pipeline
LinkedIn Learning
Microsoft DevOps Solutions: Developing Security and Compliance
Pluralsight
Using Security Analysis Tools to Protect ASP.NET and ASP.NET Core Applications
Pluralsight
DevOps with GitHub and Azure: Implementing Software Supply Chain Security with GitHub
Pluralsight