
Jenkins Docker Breakout: Simple Exploit Revealed #shorts

BSides Frankfurt · 1:39 · 140 views · Published 2026-03
About this talk
Discover how attackers exploit Jenkins Docker containers. We explore network access vulnerabilities and the 'simplest Docker breakout ever' through localhost access. #JenkinsSecurity #DockerSecurity #Cybersecurity #DevSecOps

That is the C2. So, it still doesn't really answer how did I get to the Jenkins server cuz now we're talking like code execution on the actual underlying Jenkins server. Uh if we look at what runs there, we see that they use Docker to run jobs. And we see that some time ago someone figured that those Docker containers need network access because they need to be able to talk to a bunch of different stuff during the build. They need to pull dependencies and whatever. So, someone put it on the default Docker network, which means that from the Docker container you're able to access localhost where you have the Jenkins server running. So, that's just like the simplest Docker breakout ever, right? They're just able to access localhost and then uh get access, assuming they have the credentials, of course. Um which we'll get to later.

So, next question would be then, so how did I get to this Docker container? It's not like these are just internet exposed, right? They can't just find a vulnerability and just land there. Uh these are something that's spun up and they're fairly isolated. I mean, they can talk out, but there is no like listener from coming from the outside.

So, we're going to go through a few different techniques that I've seen to compromise that kind of container. And one of them we saw this weird log uh with an error in the uh pip file. So, basically, pip, you know, in if in Python you use pip to sync the like it's a dependency manager. So, we see that it downloaded 9999999, which is a bit weird uh because this was an internal package for the customer.
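A defender-side check for the log anomaly described in the transcript, as an added example that is not from the talk: it scans pip build output for internal package names installed at an implausibly high version. The package names, the version threshold and the sample log lines are constructed assumptions.

```python
import re

# Assumption: packages that should only ever resolve from the internal index.
INTERNAL_PACKAGES = {"acme-build-utils", "acme-billing-client"}
# Assumption: no internal package has legitimately passed this major version.
MAX_EXPECTED_MAJOR = 50

# pip's end-of-run summary line: "Successfully installed name-version ..."
INSTALLED = re.compile(r"Successfully installed (.+)$")
# Split "name-version"; greedy name match keeps hyphenated names intact.
PAIR = re.compile(r"^(?P<name>.+)-(?P<version>\d[^-\s]*)$")


def normalize(name):
    """PEP 503 name normalization, so acme_build_utils == acme-build-utils."""
    return re.sub(r"[-_.]+", "-", name).lower()


def suspicious_installs(log_text, internal=INTERNAL_PACKAGES,
                        max_major=MAX_EXPECTED_MAJOR):
    """Return (line number, package, version) for each internal package
    installed with a major version above the expected ceiling."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        summary = INSTALLED.search(line)
        if not summary:
            continue
        for token in summary.group(1).split():
            pair = PAIR.match(token)
            if not pair or normalize(pair["name"]) not in internal:
                continue
            major = int(re.match(r"\d+", pair["version"]).group())
            if major > max_major:
                findings.append((lineno, normalize(pair["name"]), pair["version"]))
    return findings


# Constructed sample of a CI job log (not taken from the talk).
SAMPLE_LOG = """\
[build] Collecting acme-build-utils
[build]   Downloading acme_build_utils-9999999.tar.gz (1.2 kB)
[build] Collecting requests==2.31.0
[build] Successfully installed acme_build_utils-9999999 requests-2.31.0
[build] Successfully installed acme-billing-client-3.4.1
"""

if __name__ == "__main__":
    for lineno, name, version in suspicious_installs(SAMPLE_LOG):
        print(f"line {lineno}: internal package {name} installed at {version}")
```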