Jenkins
Directory Structure
JENKINS_HOME
+- builds (build records)
+- [BUILD_ID] (subdirectory for each build)
+- build.xml (build result summary)
+- changelog.xml (change log)
+- config.xml (Jenkins root configuration file)
+- *.xml (other site-wide configuration files)
+- fingerprints (stores fingerprint records, if any)
+- identity.key.enc (RSA key pair that identifies an instance)
+- jobs (root directory for all Jenkins jobs)
+- [JOBNAME] (sub directory for each job)
+- config.xml (job configuration file)
+- [FOLDERNAME] (sub directory for each folder)
+- config.xml (folder configuration file)
+- jobs (subdirectory for all nested jobs)
+- plugins (root directory for all Jenkins plugins)
+- [PLUGIN] (sub directory for each plugin)
+- [PLUGIN].jpi (.jpi or .hpi file for the plugin)
+- secret.key (deprecated key used for some plugins' secure operations)
+- secret.key.not-so-secret (used for validating _$JENKINS_HOME_ creation date)
+- secrets (root directory for the secret+key for credential decryption)
+- hudson.util.Secret (used for encrypting some Jenkins data)
+- master.key (used for encrypting the hudson.util.Secret key)
+- InstanceIdentity.KEY (used to identity this instance)
+- userContent (files served under your https://server/userContent/)
+- workspace (working directory for the version control system)Interesting Files
/var/jenkins_home/users/users.xml
/var/jenkins_home/users/<user>_xxxxxxxxxxxxxxxxxx/config.xml
Cracking config.xml
Master key is located at $JENKINS_HOME/secrets/master.key
Hudson key is located at $JENKINS_HOME/secrets/hudson.util.Secret
RCE via GUI
Execute commands:
Reverse shell
Windows command execution
Miscellaneous Vulnerabilities
CVE-2018-1999002 and CVE-2019-1003000 ( remote code execution) and affects the version 2.137
Jenkins 2.150.2 allows users with JOB creation and BUILD privileges to execute code on the system via Node.js
Last updated