carlospolop committed Feb 3, 2024
1 parent c4eca0f commit d02d874
Showing 47 changed files with 448 additions and 341 deletions.
2 changes: 0 additions & 2 deletions SUMMARY.md
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,6 @@
* [Jenkins RCE Creating/Modifying Project](pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-project.md)
* [Jenkins RCE Creating/Modifying Pipeline](pentesting-ci-cd/jenkins-security/jenkins-rce-creating-modifying-pipeline.md)
* [Jenkins Dumping Secrets from Groovy](pentesting-ci-cd/jenkins-security/jenkins-dumping-secrets-from-groovy.md)
* [SCM IP Whitelisting Bypass](pentesting-ci-cd/jenkins-security/scm-ip-whitelisting-bypass.md)
* [Apache Airflow Security](pentesting-ci-cd/apache-airflow-security/README.md)
* [Airflow Configuration](pentesting-ci-cd/apache-airflow-security/airflow-configuration.md)
* [Airflow RBAC](pentesting-ci-cd/apache-airflow-security/airflow-rbac.md)
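Review bot: removing the `SCM IP Whitelisting Bypass` entry from SUMMARY.md leaves `pentesting-ci-cd/jenkins-security/scm-ip-whitelisting-bypass.md` unreachable from the book navigation unless that file is deleted or redirected in the same commit. The Jenkins README hunk in this commit also drops its `content-ref` to that page, so either delete the page here or keep one link to it, and check whether any other page still links to it.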
Expand Down Expand Up @@ -214,7 +213,6 @@
* [AWS - DynamoDB Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-dynamodb-post-exploitation.md)
* [AWS - EC2, EBS, SSM & VPC Post Exploitation](pentesting-cloud/aws-pentesting/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/README.md)
* [AWS - EBS Snapshot Dump](pentesting-cloud/aws-security/aws-post-exploitation/aws-ec2-ebs-ssm-and-vpc-post-exploitation/aws-ebs-snapshot-dump.md)
* [AWS - SSM Post-Exploitation](pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-ssm-post-exploitation.md)
* [AWS - Malicious VPC Mirror](pentesting-cloud/aws-security/aws-services/aws-ec2-ebs-elb-ssm-vpc-and-vpn-enum/aws-malicious-vpc-mirror.md)
* [AWS - ECR Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-ecr-post-exploitation.md)
* [AWS - ECS Post Exploitation](pentesting-cloud/aws-security/aws-post-exploitation/aws-ecs-post-exploitation.md)
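Review bot: the context line `* [AWS - EC2, EBS, SSM & VPC Post Exploitation](pentesting-cloud/aws-pentesting/aws-post-exploitation/...)` points at `pentesting-cloud/aws-pentesting/`, while every neighbouring entry uses `pentesting-cloud/aws-security/`; that looks like a broken path, and since this hunk already edits the block it is the moment to align it. Also confirm that `aws-ssm-post-exploitation.md` (the entry being removed) is deleted or merged into the EC2/EBS/SSM post-exploitation page, so its content does not become an orphan.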
4 changes: 2 additions & 2 deletions pentesting-ci-cd/apache-airflow-security/README.md
Expand Up @@ -16,7 +16,7 @@ Other ways to support HackTricks:

## Basic Information

[**Apache Airflow**](https://airflow.apache.org) is used for the **scheduling and \_orchestration of data pipelines or workflows**. Orchestration of data pipelines refers to the sequencing, coordination, scheduling, and managing complex **data pipelines from diverse sources**. These data pipelines deliver data sets that are ready for consumption either by business intelligence applications and data science, machine learning models that support big data applications.
[**Apache Airflow**](https://airflow.apache.org) serves as a platform for **orchestrating and scheduling data pipelines or workflows**. The term "orchestration" in the context of data pipelines signifies the process of arranging, coordinating, and managing complex data workflows originating from various sources. The primary purpose of these orchestrated data pipelines is to furnish processed and consumable data sets. These data sets are extensively utilized by a myriad of applications, including but not limited to business intelligence tools, data science and machine learning models, all of which are foundational to the functioning of big data applications.

Basically, Apache Airflow will allow you to **schedule de execution of code when something** (event, cron) **happens**.

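Review bot: the sentence two lines below the rewritten definition still reads `schedule de execution of code` ("de" for "the"); since this paragraph is being reworded, fix that typo in the same change. Dropping the stray `\_` escape that was inside the old bold text is correct.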
Expand Down Expand Up @@ -77,7 +77,7 @@ Airflow by default will show the value of the variable in the GUI, however, acco
![](<../../.gitbook/assets/image (79).png>)

However, these **values** can still be **retrieved** via **CLI** (you need to have DB access), **arbitrary DAG** execution, **API** accessing the variables endpoint (the API needs to be activated), and **even the GUI itself!**\
****To access those values from the GUI just **select the variables** you want to access and **click on Actions -> Export**.\
To access those values from the GUI just **select the variables** you want to access and **click on Actions -> Export**.\
Another way is to perform a **bruteforce** to the **hidden value** using the **search filtering** it until you get it:

![](<../../.gitbook/assets/image (30).png>)
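Review bot: removing the leading `****` fixes the bold markers that were rendering literally, but the next line, `Another way is to perform a **bruteforce** to the **hidden value** using the **search filtering** it until you get it:`, still reads awkwardly; suggest `Another way is to **brute-force** the **hidden value** through the **search filter** until the full value is recovered:`.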
2 changes: 1 addition & 1 deletion pentesting-ci-cd/apache-airflow-security/airflow-rbac.md
Expand Up @@ -16,7 +16,7 @@ Other ways to support HackTricks:

## RBAC

Airflow ships with a **set of roles by default**: **Admin**, **User**, **Op**, **Viewer**, and **Public**. **Only `Admin`** users could **configure/alter the permissions for other roles**. But it is not recommended that `Admin` users alter these default roles in any way by removing or adding permissions to these roles.
(From the docs)[https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html]: Airflow ships with a **set of roles by default**: **Admin**, **User**, **Op**, **Viewer**, and **Public**. **Only `Admin`** users could **configure/alter the permissions for other roles**. But it is not recommended that `Admin` users alter these default roles in any way by removing or adding permissions to these roles.

* **`Admin`** users have all possible permissions.
* **`Public`** users (anonymous) don’t have any permissions.
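Review bot: the Markdown link in the added line is inverted: `(From the docs)[https://airflow.apache.org/docs/...]` renders as literal parentheses followed by a bracketed URL, not as a link. It should be `[From the docs](https://airflow.apache.org/docs/apache-airflow/stable/security/access-control.html):`, matching the attribution style used in the other pages touched by this commit.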
3 changes: 3 additions & 0 deletions pentesting-ci-cd/atlantis-security.md
Expand Up @@ -53,6 +53,8 @@ Atlantis is going to be **exposing webhooks** so the git server can send it info

### Provider Credentials <a href="#provider-credentials" id="provider-credentials"></a>

[From the docs:](https://www.runatlantis.io/docs/provider-credentials.html)

Atlantis runs Terraform by simply **executing `terraform plan` and `apply`** commands on the server **Atlantis is hosted on**. Just like when you run Terraform locally, Atlantis needs credentials for your specific provider.

It's up to you how you [provide credentials](https://www.runatlantis.io/docs/provider-credentials.html#aws-specific-info) for your specific provider to Atlantis:
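Review bot: style point on the added `[From the docs:](https://www.runatlantis.io/docs/provider-credentials.html)`: the colon sits inside the link text and is rendered as part of the link, whereas the other attribution lines in this commit put it outside (`Definitions from the [docs](...):`). Pick one form and use it on every page.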
Expand Down Expand Up @@ -401,6 +403,7 @@ You can also pass these as environment variables `ATLANTIS_WEB_BASIC_AUTH=true`
## References

* [**https://www.runatlantis.io/docs**](https://www.runatlantis.io/docs)
* [**https://www.runatlantis.io/docs/provider-credentials.html**](https://www.runatlantis.io/docs/provider-credentials.html)

<details>

2 changes: 1 addition & 1 deletion pentesting-ci-cd/circleci-security.md
Expand Up @@ -16,7 +16,7 @@ Other ways to support HackTricks:

## Basic Information

[**CircleCI**](https://circleci.com/docs/2.0/about-circleci/) is a Continuos Integration platform where you ca **define templates** indicating what you want it to do with some code and when to do it. This way you can **automate testing** or **deployments** directly **from your repo master branch** for example.
[**CircleCI**](https://circleci.com/docs/2.0/about-circleci/) is a Continuos Integration platform where you can **define templates** indicating what you want it to do with some code and when to do it. This way you can **automate testing** or **deployments** directly **from your repo master branch** for example.

## Permissions

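Review bot: `ca` to `can` is fixed, but `Continuos Integration` on the same line is still misspelled; make it `Continuous Integration` in this change rather than leaving the line for another pass.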
4 changes: 4 additions & 0 deletions pentesting-ci-cd/concourse-security/concourse-architecture.md
Expand Up @@ -39,6 +39,10 @@ In order to execute tasks concourse must have some workers. These workers **regi
* **Garden**: This is the **Container Manage AP**I, usually run in **port 7777** via **HTTP**.
* **Baggageclaim**: This is the **Volume Management API**, usually run in **port 7788** via **HTTP**.

# References
* [https://concourse-ci.org/internals.html](https://concourse-ci.org/internals.html)


<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
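Review bot: the added heading is `# References` (H1) while the rest of the book uses `## References` (see the Atlantis page in this same commit), which breaks the page outline; use `## References` and put a blank line between the heading and the list item. The context line `**Container Manage AP**I` also has the closing bold marker inside the word; it should read `**Container Management API**`.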
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ Note that Concourse **groups pipelines inside Teams**. Therefore users belonging

## Vars & Credential Manager

In the YAML configs you can configure values using the syntax `((`_`source-name`_`:`_`secret-path`_`.`_`secret-field`_`))`.\
In the YAML configs you can configure values using the syntax `((_source-name_:_secret-path_._secret-field_))`.\
The **source-name is optional**, and if omitted, the [cluster-wide credential manager](https://concourse-ci.org/vars.html#cluster-wide-credential-manager) will be used, or the value may be provided [statically](https://concourse-ci.org/vars.html#static-vars).\
The **optional **_**secret-field**_ specifies a field on the fetched secret to read. If omitted, the credential manager may choose to read a 'default field' from the fetched credential if the field exists.\
Moreover, the _**secret-path**_ and _**secret-field**_ may be surrounded by double quotes `"..."` if they **contain special characters** like `.` and `:`. For instance, `((source:"my.secret"."field:1"))` will set the _secret-path_ to `my.secret` and the _secret-field_ to `field:1`.
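Review bot: collapsing the placeholders into a single code span changes how the line renders: underscores are literal inside backticks, so the syntax now shows as `((_source-name_:_secret-path_._secret-field_))` and a reader may copy the underscores into a pipeline. The previous backtick/italic alternation existed precisely to render the placeholders in italics. Either keep that form or drop the underscores, e.g. `((source-name:secret-path.secret-field))`, and let the italic `_secret-path_` and `_secret-field_` references in the following sentences mark them as placeholders.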
Expand Down Expand Up @@ -451,6 +451,9 @@ User-Agent: Go-http-client/1.1.
Accept-Encoding: gzip.
```
# References
* https://concourse-ci.org/vars.html
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
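Review bot: the new `# References` block is inserted with no blank lines: it follows the closing code fence directly, the list item runs straight into `<details>`, and the heading level is H1 where the book uses `## References`. Add blank lines around the heading and the list and use `##`; without the blank line some renderers fold the HTML block into the list item.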
19 changes: 10 additions & 9 deletions pentesting-ci-cd/jenkins-security/README.md
Expand Up @@ -16,8 +16,8 @@ Other ways to support HackTricks:

## Basic Information

Jenkins offers a simple way to set up a **continuous integration** or **continuous delivery** (CI/CD) environment for almost **any** combination of **languages** and source code repositories using pipelines, as well as automating other routine development tasks. While Jenkins doesnt eliminate the **need to create scripts for individual steps**, it does give you a faster and more robust way to integrate your entire chain of build, test, and deployment tools than you can easily build yourself.\
Definition from [here](https://www.infoworld.com/article/3239666/what-is-jenkins-the-ci-server-explained.html).
Jenkins is a tool that offers a straightforward method for establishing a **continuous integration** or **continuous delivery** (CI/CD) environment for almost **any** combination of **programming languages** and source code repositories using pipelines. Furthermore, it automates various routine development tasks. While Jenkins doesn't eliminate the **need to create scripts for individual steps**, it does provide a faster and more robust way to integrate the entire sequence of build, test, and deployment tools than one can easily construct manually.


{% content-ref url="basic-jenkins-information.md" %}
[basic-jenkins-information.md](basic-jenkins-information.md)
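Review bot: the rewrite removes the attribution `Definition from [here](https://www.infoworld.com/article/3239666/what-is-jenkins-the-ci-server-explained.html).` while keeping a close paraphrase of that text; the other hunks in this commit add `From the docs` attributions, so keep the InfoWorld link here or add it to the References list at the bottom of the page. The change also leaves two consecutive blank lines before the `{% content-ref %}` block; one is enough.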
Expand Down Expand Up @@ -65,7 +65,7 @@ Also if **SSO** **functionality**/**plugins** were present then you should attem

### Bruteforce

**Jekins** does **not** implement any **password policy** or username **brute-force mitigation**. Then, you **should** always try to **brute-force** users because probably **weak passwords** are being used (even **usernames as passwords** or **reverse** usernames as passwords).
**Jenkins** lacks **password policy** and **username brute-force mitigation**. It's essential to **brute-force** users since **weak passwords** or **usernames as passwords** may be in use, even **reversed usernames as passwords**.

```
msf> use auxiliary/scanner/http/jenkins_login
Expand All @@ -77,13 +77,13 @@ Use [this python script](https://github.com/gquere/pwn\_jenkins/blob/master/pass

### IP Whitelisting Bypass

Many orgs combines **SaaS-based source control management (SCM) systems** (like GitHub or GitLab) with an **internal**, self-hosted **CI** solution (e.g. Jenkins, TeamCity) allowing these CI systems to **receive webhook events from the SaaS source** control vendors, for the simple purpose of triggering pipeline jobs.
Many organizations combine **SaaS-based source control management (SCM) systems** such as GitHub or GitLab with an **internal, self-hosted CI** solution like Jenkins or TeamCity. This setup allows CI systems to **receive webhook events from SaaS source control vendors**, primarily for triggering pipeline jobs.

Therefore, the orgs **whitelists** the **IP** ranges of the **SCM** allowing them to reach the **internal** CI system with **webhooks**. However, note how **anyone** can create an **account** in Github or Gitlab and make it **trigger a webhook** that could send a request to that **internal CI system**.
To achieve this, organizations **whitelist** the **IP ranges** of the **SCM platforms**, permitting them to access the **internal CI system** via **webhooks**. However, it's important to note that **anyone** can create an **account** on GitHub or GitLab and configure it to **trigger a webhook**, potentially sending requests to the **internal CI system**.

{% content-ref url="scm-ip-whitelisting-bypass.md" %}
[scm-ip-whitelisting-bypass.md](scm-ip-whitelisting-bypass.md)
{% endcontent-ref %}

Check:
[shttps://www.cidersecurity.io/blog/research/how-we-abused-repository-webhooks-to-access-internal-ci-systems-at-scale/](https://www.cidersecurity.io/blog/research/how-we-abused-repository-webhooks-to-access-internal-ci-systems-at-scale/)

## Internal Jenkins Abuses

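Review bot: the link text in `[shttps://www.cidersecurity.io/blog/research/...](https://www.cidersecurity.io/...)` has a stray leading `s`; it should read `https://...`. `Check:` and the link are also split across two lines of one paragraph, so they render on a single line anyway; either join them or move the link to the References section. Since the `{% content-ref url="scm-ip-whitelisting-bypass.md" %}` block is removed here and the SUMMARY.md hunk drops its entry, make sure the page itself is removed in this commit or it becomes unreachable.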
Expand Down Expand Up @@ -125,7 +125,7 @@ You will usually find Jenkins ssh credentials in a **global provider** (`/creden

Getting a **shell in the Jenkins server** gives the attacker the opportunity to leak all the **secrets** and **env variables** and to **exploit other machines** located in the same network or even **gather cloud credentials**.

By default, Jenkins will **run as system” builds**. In other words, they assign it to the **all-powerful SYSTEM user**, meaning any action executed during the build has permission to do whatever it wants.
By default, Jenkins will **run as SYSTEM**. So, compromising it will give the attacker **SYSTEM privileges**.

### **RCE Creating/Modifying a project**

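Review bot: the new sentence `By default, Jenkins will **run as SYSTEM**. So, compromising it will give the attacker **SYSTEM privileges**.` changes the meaning of the paragraph it replaces. The removed text was about build authorization: builds execute as Jenkins' internal `SYSTEM` pseudo-user, which holds every permission within Jenkins (`any action executed during the build has permission to do whatever it wants`). The new wording reads as the operating-system SYSTEM account, which the page does not claim and which depends on how the service is installed. Suggest: `By default, Jenkins runs builds as its internal SYSTEM user, which has all permissions inside Jenkins, so code executed by a build can do anything the controller can.` The Cider Security article on Jenkins build authorization already in the References list covers exactly this.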
Expand Down Expand Up @@ -403,6 +403,7 @@ println(hudson.util.Secret.decrypt("{...}"))
* [https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password](https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password)
* [https://www.lazysystemadmin.com/2018/12/quick-howto-reset-jenkins-admin-password.html](https://www.lazysystemadmin.com/2018/12/quick-howto-reset-jenkins-admin-password.html)
* [https://medium.com/cider-sec/exploiting-jenkins-build-authorization-22bf72926072](https://medium.com/cider-sec/exploiting-jenkins-build-authorization-22bf72926072)
* [https://medium.com/@Proclus/tryhackme-internal-walk-through-90ec901926d3](https://medium.com/@Proclus/tryhackme-internal-walk-through-90ec901926d3)
<details>
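Review bot: the added reference line is followed directly by `<details>` with no blank line; add one so the HTML block is not treated as a continuation of the list item.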
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,8 @@ Plugins can provide additional security realms which may be useful for incorpora

## Jenkins Nodes, Agents & Executors

Definitions from the [docs](https://www.jenkins.io/doc/book/managing/nodes/):

**Nodes** are the **machines** on which build **agents run**. Jenkins monitors each attached node for disk space, free temp space, free swap, clock time/sync and response time. A node is taken offline if any of these values go outside the configured threshold.

**Agents** **manage** the **task execution** on behalf of the Jenkins controller by **using executors**. An agent can use any operating system that supports Java. Tools required for builds and tests are installed on the node where the agent runs; they can **be installed directly or in a container** (Docker or Kubernetes). Each **agent is effectively a process with its own PID** on the host machine.
Expand All @@ -77,6 +79,7 @@ An **executor** is a **slot for execution of tasks**; effectively, it is **a thr

### Encryption of Secrets and Credentials

Definition from the [docs](https://www.jenkins.io/doc/developer/security/secrets/#encryption-of-secrets-and-credentials):
Jenkins uses **AES to encrypt and protect secrets**, credentials, and their respective encryption keys. These encryption keys are stored in `$JENKINS_HOME/secrets/` along with the master key used to protect said keys. This directory should be configured so that only the operating system user the Jenkins controller is running as has read and write access to this directory (i.e., a `chmod` value of `0700` or using appropriate file attributes). The **master key** (sometimes referred to as a "key encryption key" in cryptojargon) is **stored **_**unencrypted**_ on the Jenkins controller filesystem in **`$JENKINS_HOME/secrets/master.key`** which does not protect against attackers with direct access to that file. Most users and developers will use these encryption keys indirectly via either the [Secret](https://javadoc.jenkins.io/byShortName/Secret) API for encrypting generic secret data or through the credentials API. For the cryptocurious, Jenkins uses AES in cipher block chaining (CBC) mode with PKCS#5 padding and random IVs to encrypt instances of [CryptoConfidentialKey](https://javadoc.jenkins.io/byShortName/CryptoConfidentialKey) which are stored in `$JENKINS_HOME/secrets/` with a filename corresponding to their `CryptoConfidentialKey` id. Common key ids include:

* `hudson.util.Secret`: used for generic secrets;
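Review bot: `Definition from the [docs](...):` is placed on the line immediately above the paragraph with no blank line between them, so Markdown merges the attribution into the quoted paragraph; add a blank line after it, as was done for the Nodes section above. While touching this paragraph, `**stored **_**unencrypted**_` has a trailing space inside the bold markers and will not render as intended; `**stored** _**unencrypted**_` fixes it.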
Expand All @@ -96,6 +99,10 @@ According to [**the docs**](https://www.jenkins.io/blog/2019/02/21/credentials-m
* [https://www.jenkins.io/doc/book/security/managing-security/](https://www.jenkins.io/doc/book/security/managing-security/)
* [https://www.jenkins.io/doc/book/managing/nodes/](https://www.jenkins.io/doc/book/managing/nodes/)
* [https://www.jenkins.io/doc/developer/security/secrets/](https://www.jenkins.io/doc/developer/security/secrets/)
* [https://www.jenkins.io/blog/2019/02/21/credentials-masking/](https://www.jenkins.io/blog/2019/02/21/credentials-masking/)
* [https://www.jenkins.io/doc/book/managing/security/#cross-site-request-forgery](https://www.jenkins.io/doc/book/managing/security/#cross-site-request-forgery)
* [https://www.jenkins.io/doc/developer/security/secrets/#encryption-of-secrets-and-credentials](https://www.jenkins.io/doc/developer/security/secrets/#encryption-of-secrets-and-credentials)
* [https://www.jenkins.io/doc/book/managing/nodes/](https://www.jenkins.io/doc/book/managing/nodes/)

<details>

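Review bot: the References list now contains `https://www.jenkins.io/doc/book/managing/nodes/` twice (once in the existing lines and again in the added ones), and the added `.../developer/security/secrets/#encryption-of-secrets-and-credentials` is an anchor into a page that is already listed; drop the duplicate and keep either the anchored form or the page URL, not both.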
12 changes: 9 additions & 3 deletions pentesting-ci-cd/okta-security/README.md
Expand Up @@ -16,11 +16,17 @@ Other ways to support HackTricks:

## Basic Information

Okta, Inc. is an **identity and access management company** that provides cloud software to help companies **manage and secure user authentication into modern applications**, and for developers to build identity controls into applications, website web services and devices.
[Okta, Inc.](https://www.okta.com/) is recognized in the identity and access management sector for its cloud-based software solutions. These solutions are designed to streamline and secure user authentication across various modern applications. They cater not only to companies aiming to safeguard their sensitive data but also to developers interested in integrating identity controls into applications, web services, and devices.

Their core service, called the Okta Identity Cloud, offers products that include single sign-on (SSO), multi-factor authentication (MFA), lifecycle management, universal directory, API access management, and more. This helps companies to both protect their sensitive data and also streamline user access, making applications and services more accessible and easy to use for employees or customers.
The flagship offering from Okta is the **Okta Identity Cloud**. This platform encompasses a suite of products, including but not limited to:

Okta's services are widely used in enterprise contexts, as well as by smaller companies and developers. It plays a crucial role in enabling businesses to securely adopt and manage cloud technologies. As of my knowledge cutoff in September 2021, Okta remains a significant player in the Identity and Access Management (IAM) industry.
- **Single Sign-On (SSO)**: Simplifies user access by allowing one set of login credentials across multiple applications.
- **Multi-Factor Authentication (MFA)**: Enhances security by requiring multiple forms of verification.
- **Lifecycle Management**: Automates user account creation, update, and deactivation processes.
- **Universal Directory**: Enables centralized management of users, groups, and devices.
- **API Access Management**: Secures and manages access to APIs.

These services collectively aim to fortify data protection and streamline user access, enhancing both security and convenience. The versatility of Okta's solutions makes them a popular choice across various industries, beneficial to large enterprises, small companies, and individual developers alike. As of the last update in September 2021, Okta is acknowledged as a prominent entity in the Identity and Access Management (IAM) arena.

{% hint style="danger" %}
The main gola of Okta is to configure access to different users and groups to external applications. If you manage to **compromise administrator privileges in an Oktas** environment, you will highly probably able to **compromise all the other platforms the company is using**.
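Review bot: the rewritten closing paragraph keeps `As of the last update in September 2021, Okta is acknowledged as a prominent entity in the Identity and Access Management (IAM) arena`, which is a language-model knowledge-cutoff artefact carried over from the removed `As of my knowledge cutoff in September 2021`; it adds nothing and will date the page, so drop the sentence. The hint block just below still has `The main gola of Okta`, `in an Oktas environment` and `you will highly probably able to`; since this section is being rewritten, fix those in the same change (`goal`, `in an Okta environment`, `you will very probably be able to`).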
0 comments on commit d02d874