Identify the user that has privileged access to manage agents. The list of Jenkins users is short, and one of them, Knave, has a description revealing that it is an agents admin. Sounds like a place to start from.
The users in the Jenkins instance are managed by Jenkins' own user database, which lacks basic protections (such as lockouts or rate limiting) against attacks like brute forcing. It means that you can brute force the Knave user to find its password. Then, you'd be able to create a new agent and exfiltrate the System credentials by making Jenkins send them to your server.
- Login to Jenkins with alice.
- Browse to the People page in the top left corner and click on Knave to read its description, which reveals that it has permissions to manage Jenkins agents.
- Brute force Knave's password on Jenkins. You can use the Rockyou list. The password is rockme. Login with Knave.
- Click one of the agents on the left panel, then click Nodes at the top bar and create a new node.
- Set up an SSH server that can log credentials on login attempts, using a project like this. A guide for installing the tool can be found here.
- Configure a new node with the following settings:
- Read the logs using
  sudo tail -f /var/log/auth.log

Note: The SSH server can also be created locally by setting up the ssh-mitm container in the "goat" network using docker network connect.
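Since the built-in user database applies no lockout, the defensive counterpart to the brute-force step above is to alert on bursts of failed logins for a single account. The following detector is an added example, not part of this walkthrough or of Jenkins itself; the log line shape and the sample lines are constructed assumptions, not real Jenkins output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for this example; they are NOT real Jenkins output.
# Assumed line shape: "<ISO timestamp> <LEVEL> Login attempt failed for <user> from <ip>".
SAMPLE_LOG = """\
2024-01-01T10:00:00 WARNING Login attempt failed for knave from 10.0.0.5
2024-01-01T10:00:03 WARNING Login attempt failed for knave from 10.0.0.5
2024-01-01T10:00:05 WARNING Login attempt failed for alice from 10.0.0.9
2024-01-01T10:00:07 WARNING Login attempt failed for knave from 10.0.0.5
2024-01-01T10:00:10 WARNING Login attempt failed for knave from 10.0.0.5
2024-01-01T10:00:12 WARNING Login attempt failed for knave from 10.0.0.5
2024-01-01T10:00:15 WARNING Login attempt failed for knave from 10.0.0.5
2024-01-01T10:00:20 INFO Login succeeded for knave from 10.0.0.5
2024-01-01T10:05:00 WARNING Login attempt failed for alice from 10.0.0.9
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ Login attempt failed for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_failures(log_text):
    """Yield (timestamp, user, ip) for each failed-login line; other lines are ignored."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {user: peak_failures} for every user that accumulates at least
    `threshold` failed logins inside any sliding window of length `window`."""
    per_user = defaultdict(list)
    for ts, user, _ip in parse_failures(log_text):
        per_user[user].append(ts)
    flagged = {}
    for user, stamps in per_user.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # drop events that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    print(detect_bruteforce(SAMPLE_LOG))  # -> {'knave': 6}
```

In the sample, knave's six failures within 15 seconds are flagged while alice's two failures five minutes apart are not, which is the distinction a lockout or alerting rule should make.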