How I found misconfigured Jenkins instances of different organizations

Shodan search engine

Shodan is a search engine that lets the user find specific types of computers connected to the internet using a variety of filters. Some have also described it as a search engine of service banners, which are metadata that the server sends back to the client.

List of users who have access to the instance
Build result
  • Use of default credentials.
  • If it provides third-party login, like sign-in with GitHub, etc., try logging in with those accounts.
  • Getting access to secrets and keys from the console output.
  • Getting keys from the Jenkins configuration and access to private repositories.
  • RCE from the terminal plugin in the Jenkins dashboard.


Founder @HackyDev Software Services 0x1bitcrack3r.me

Vishnu Ramineni
