Hacking Jenkins!
Key | Action |
---|---|
K or space | Play / Pause |
M | Mute / Unmute |
C | Select next subtitles |
A | Select next audio track |
V | Show slide in full page or toggle automatic source change |
left arrow | Seek 5s backward |
right arrow | Seek 5s forward |
shift + left arrow or J | Seek 10s backward |
shift + right arrow or L | Seek 10s forward |
control + left arrow | Seek 60s backward |
control + right arrow | Seek 60s forward |
shift + down arrow | Decrease volume |
shift + up arrow | Increase volume |
shift + comma | Decrease playback rate |
shift + dot or shift + semicolon | Increase playback rate |
end | Seek to end |
beginning | Seek to beginning |
Share this media
HLS video stream
You can use an external player to play this stream (like VLC).
HLS video streamWhen subscribed to notifications, an email will be sent to you for all added annotations.
Your user account has no email address.
Information on this media
Links:
Number of views:
68Creation date:
July 2, 2019Speakers:
Orange TsaiCompany:
DEVCORELicense:
CC BY-SA v4Description
enkins as a well-known CI/CD server, is the most popular and widely used CI/CD application in the world! For Red Teamers, Jenkins is also the battlefield that everyone would like to control! It contains large numbers of source codes, credentials and nodes which could be the backdoor for further exploitations!
Due to its importance, we dive into Jenkins, and found several INTERESTING vulnerabilities(7 of them got CVEs!). In this talk, we will introduce the Jenkins’ internal, mechanism and exploitation guideline, including the dynamic routing misusing, Meta-programming abusing and escaping from the Groovy sandbox . We will also give a full pre-auth remote code execution exploit-chain!
By understanding this talk, the audience will learn how to build their own gadget and hack jenkins from an unusual way!
Speaker
Orange Tsai (DEVCORE)
Bio
Cheng-Da Tsai, also as known as Orange Tsai, is the principal security research of DEVCORE and the member of CHROOT security group from Taiwan. He has spoken at conferences such as Black Hat USA/ASIA, DEF CON, HITCON, HITB, Hack.lu and CODEBLUE. He participates in numerous Capture-the-Flags (CTF), and also the team captain of HITCON, which won 2nd place in DEF CON 22/25.
Currently, he is focusing on application security and 0day research. Orange enjoys finding vulnerabilities and participating in Bug Bounty Programs. He is enthusiastic about Remote Code Execution (RCE), and uncovered RCEs in several vendors, such as Facebook, Uber, Apple, GitHub, Amazon, Yahoo, Netflix and Imgur.
Twitter: @orange_8361
Blog: http://blog.orange.tw/
Other media in the channel "2019"
- 985 views, 15 this year, 1 this monthPatrOwl - Orchestrating SecOps with an open-source SOAR platformJuly 3rd, 2019
- 137 views, 2 this yearBetter curl !July 3rd, 2019
- 111 views, 26 this year, 1 this monthManaging a growing fleet of WiFi routers combining OpenWRT, WireGuard, Salt and ZabbixJuly 3rd, 2019
- 33 views, 1 this yearNo IT security without Free SoftwareJuly 3rd, 2019
- 34 views, 1 this year, 1 this monthD4 Project - Design and Implementation of an Open Source Distributed and Collaborative Security MonitoringJuly 3rd, 2019
- 15 viewsProgramming research, a missed opportunity for secure and libre software?July 3rd, 2019