Hacking the DevOps Butler - From Nothing to Admin
Offered By: Hack In The Box Security Conference via YouTube
Course Description
Overview
Explore the vulnerabilities in Jenkins, the popular open-source automation server, in this 53-minute conference talk from Hack In The Box Security Conference. Dive into the research process that uncovered six CVEs, focusing on two critical vulnerabilities that allow anonymous attackers to gain full admin privileges on Jenkins servers. Learn about the code reverse-engineering techniques used to discover these security flaws and the exploitation methods that can compromise entire Jenkins infrastructures. Gain insights into the importance of Jenkins in DevOps stacks of major organizations and understand the potential impact of these vulnerabilities on software delivery processes. Follow along as the speaker details the step-by-step approach to probing, analyzing, and exploiting Jenkins, providing valuable knowledge for cybersecurity professionals and DevOps engineers alike.
Syllabus
Intro
CI/CD PIPELINE
Jenkins in Numbers
Jenkins is useful!
Jenkins is Great!
Jenkins Integrations
Jenkins Needs Access to Secrets
Jenkins in the news: a complete takeover
Preliminary probing - JENKINS_HOME
Preliminary probing [2B]
Jenkins Script console
Shodan probing
probing summary
Jenkins access 2
Jenkins reverse engineering
Jenkins static code analysis
Code analysis summary
CVE 2018-1999043
Exploiting systematically
Taught by
Hack In The Box Security Conference
Related Courses
Computer SecurityStanford University via Coursera Cryptography II
Stanford University via Coursera Malicious Software and its Underground Economy: Two Sides to Every Story
University of London International Programmes via Coursera Building an Information Risk Management Toolkit
University of Washington via Coursera Introduction to Cybersecurity
National Cybersecurity Institute at Excelsior College via Canvas Network