Jenkins, a well-known CI/CD server, is the most popular and widely used CI/CD application in the world! For Red Teamers, Jenkins is also the battlefield that everyone would like to control! It contains large amounts of source code, credentials and nodes, which could be the backdoor for further exploitation!
Due to its importance, we dove into Jenkins and found several INTERESTING vulnerabilities (7 of them got CVEs!). In this talk, we will introduce Jenkins’ internals, mechanisms and exploitation guidelines, including misuse of dynamic routing, abuse of meta-programming and escaping from the Groovy sandbox. We will also give a full pre-auth remote code execution exploit chain!
By understanding this talk, the audience will learn how to build their own gadgets and hack Jenkins in an unusual way!