djhohnstein · March 30, 2021 18:15
diff --git a/jenkinsBuildEnvVars.py b/jenkinsBuildEnvVars.py
 import sys

 try:
  import re
  import base64
  from hashlib import sha256
  from binascii import hexlify, unhexlify
  from Crypto.Cipher import AES
  from xml.dom import minidom
  from pprint import pprint
  import csv
  import os
  from glob import glob
 except Exception as e:
  print("Exception during import: {}".format(e))
  sys.exit(0)

 MAGIC = b"::::MAGIC::::"

 def usage():
  print("./jenkinsBuildEnvVars.py <path to jenkins home>")
  sys.exit(0)

 def decryptNewPassword(secret, p):
  p = p[1:] #Strip the version

  # Get the length of the IV, almost certainly 16 bytes, but calculating for completeness sake
  iv_length = ((p[0] & 0xff) << 24) | ((p[1] & 0xff) << 16) | ((p[2] & 0xff) << 8) | (p[3] & 0xff)

  # Strip the iv length
  p = p[4:]

  # Get the data length
  data_length = ((p[0] & 0xff) << 24) | ((p[1] & 0xff) << 16) | ((p[2] & 0xff) << 8) | (p[3] & 0xff)

  # Strip the data length
  p = p[4:]

  iv = p[:iv_length]

  p = p[iv_length:]

  o = AES.new(secret, AES.MODE_CBC, iv)

  decrypted_p = o.decrypt(p)

  # We may need to strip PKCS7 padding
  fully_decrypted_blocks = decrypted_p[:-16]
  possibly_padded_block = decrypted_p[-16:]
  padding_length = possibly_padded_block[-1]
  if padding_length <= 16: # Less than size of one block, so we have padding
    possibly_padded_block = possibly_padded_block[:-padding_length]

  pw = fully_decrypted_blocks + possibly_padded_block
  pw = pw.decode('utf-8')
  return pw

 def decryptOldPassword(secret, p):
  # Copying the old code, I have not verified if it works
  o = AES.new(secret, AES.MODE_ECB)
  x = o.decrypt(p)
  assert MAGIC in x
  return re.findall('(.*)' + MAGIC, x)[0]

 def main():
  try:
    if len(sys.argv) != 2:
      usage()

    if not os.path.isdir(sys.argv[1]):
      print("[-] Could not find directory: {}".format(sys.argv[1]))
      return

    masterKeyPath = os.path.join(sys.argv[1], "secrets/master.key")
    hudsonKeyPath = os.path.join(sys.argv[1], "secrets/hudson.util.Secret")


    if not os.path.isfile(masterKeyPath) or not os.path.isfile(hudsonKeyPath):
      print("[-] Could not find one of {} or {}".format(masterKeyPath, hudsonKeyPath))
      return

    master_key = open(masterKeyPath, 'rb').read()
    hudson_secret_key = open(hudsonKeyPath, 'rb').read()
    hashed_master_key = sha256(master_key).digest()[:16]
    o = AES.new(hashed_master_key, AES.MODE_ECB)
    secret = o.decrypt(hudson_secret_key)

    secret = secret[:-16]
    secret = secret[:16]


    jobsPath = os.path.join(sys.argv[1], "jobs")

    jobs = glob(os.path.join(jobsPath, "*/"))


    for jobDir in jobs:
      lastSuccessful = os.path.join(jobDir, "lastSuccessful")
      lastInjectedEnvVars = os.path.join(lastSuccessful, "injectedEnvVars.txt")
      configPath = os.path.join(jobDir, "config.xml")
      try:
        configDoc = minidom.parse(configPath)
        arrayList = configDoc.getElementsByTagName("EnvInjectPasswordEntry")
        password_dict = {}
        for node in arrayList:
          name = node.getElementsByTagName("name")[0]
          val = node.getElementsByTagName("value")[0]
          enc_value = val.firstChild.nodeValue
          if enc_value[0] == "{" and enc_value[-1] == "}":
            enc_value = enc_value[1:-1]
          p = base64.decodestring(bytes(enc_value, 'utf-8'))
          payload_version = p[0]
          if payload_version == 1:
            password_dict[name.firstChild.nodeValue] = decryptNewPassword(secret, p)
          else:  # Assuming we don't have a V2 payload, seeing as current crypto isn't horrible that's a fair assumption
            password_dict[name.firstChild.nodeValue] = decryptOldPassword(secret, p)
        with open(lastInjectedEnvVars, "r") as f:
          envvarsLines = [l.strip() for l in f.readlines() if l.strip()]
        print("Environment variables for: {}".format(jobDir))
        for l in envvarsLines:
          parts = l.split("=")
          if parts[0] in password_dict.keys():
            print("{}={}".format(parts[0], password_dict[parts[0]]))
          else:
            print(l)
        print("")
        print("")
      except Exception as e:
        print("Error occurred while parsing job: {}".format(e))
  except Exception as e:
    print("Error while in main: {}".format(e))

 if __name__ == "__main__":
  main()
	import sys

	try:
	import re
	import base64
	from hashlib import sha256
	from binascii import hexlify, unhexlify
	from Crypto.Cipher import AES
	from xml.dom import minidom
	from pprint import pprint
	import csv
	import os
	from glob import glob
	except Exception as e:
	print("Exception during import: {}".format(e))
	sys.exit(0)

	MAGIC = b"::::MAGIC::::"

	def usage():
	print("./jenkinsBuildEnvVars.py <path to jenkins home>")
	sys.exit(0)

	def decryptNewPassword(secret, p):
	p = p[1:] #Strip the version

	# Get the length of the IV, almost certainly 16 bytes, but calculating for completeness sake
	iv_length = ((p[0] & 0xff) << 24) \| ((p[1] & 0xff) << 16) \| ((p[2] & 0xff) << 8) \| (p[3] & 0xff)

	# Strip the iv length
	p = p[4:]

	# Get the data length
	data_length = ((p[0] & 0xff) << 24) \| ((p[1] & 0xff) << 16) \| ((p[2] & 0xff) << 8) \| (p[3] & 0xff)

	# Strip the data length
	p = p[4:]

	iv = p[:iv_length]

	p = p[iv_length:]

	o = AES.new(secret, AES.MODE_CBC, iv)

	decrypted_p = o.decrypt(p)

	# We may need to strip PKCS7 padding
	fully_decrypted_blocks = decrypted_p[:-16]
	possibly_padded_block = decrypted_p[-16:]
	padding_length = possibly_padded_block[-1]
	if padding_length <= 16: # Less than size of one block, so we have padding
	possibly_padded_block = possibly_padded_block[:-padding_length]

	pw = fully_decrypted_blocks + possibly_padded_block
	pw = pw.decode('utf-8')
	return pw

	def decryptOldPassword(secret, p):
	# Copying the old code, I have not verified if it works
	o = AES.new(secret, AES.MODE_ECB)
	x = o.decrypt(p)
	assert MAGIC in x
	return re.findall('(.*)' + MAGIC, x)[0]

	def main():
	try:
	if len(sys.argv) != 2:
	usage()

	if not os.path.isdir(sys.argv[1]):
	print("[-] Could not find directory: {}".format(sys.argv[1]))
	return

	masterKeyPath = os.path.join(sys.argv[1], "secrets/master.key")
	hudsonKeyPath = os.path.join(sys.argv[1], "secrets/hudson.util.Secret")


	if not os.path.isfile(masterKeyPath) or not os.path.isfile(hudsonKeyPath):
	print("[-] Could not find one of {} or {}".format(masterKeyPath, hudsonKeyPath))
	return

	master_key = open(masterKeyPath, 'rb').read()
	hudson_secret_key = open(hudsonKeyPath, 'rb').read()
	hashed_master_key = sha256(master_key).digest()[:16]
	o = AES.new(hashed_master_key, AES.MODE_ECB)
	secret = o.decrypt(hudson_secret_key)

	secret = secret[:-16]
	secret = secret[:16]


	jobsPath = os.path.join(sys.argv[1], "jobs")

	jobs = glob(os.path.join(jobsPath, "*/"))


	for jobDir in jobs:
	lastSuccessful = os.path.join(jobDir, "lastSuccessful")
	lastInjectedEnvVars = os.path.join(lastSuccessful, "injectedEnvVars.txt")
	configPath = os.path.join(jobDir, "config.xml")
	try:
	configDoc = minidom.parse(configPath)
	arrayList = configDoc.getElementsByTagName("EnvInjectPasswordEntry")
	password_dict = {}
	for node in arrayList:
	name = node.getElementsByTagName("name")[0]
	val = node.getElementsByTagName("value")[0]
	enc_value = val.firstChild.nodeValue
	if enc_value[0] == "{" and enc_value[-1] == "}":
	enc_value = enc_value[1:-1]
	p = base64.decodestring(bytes(enc_value, 'utf-8'))
	payload_version = p[0]
	if payload_version == 1:
	password_dict[name.firstChild.nodeValue] = decryptNewPassword(secret, p)
	else: # Assuming we don't have a V2 payload, seeing as current crypto isn't horrible that's a fair assumption
	password_dict[name.firstChild.nodeValue] = decryptOldPassword(secret, p)
	with open(lastInjectedEnvVars, "r") as f:
	envvarsLines = [l.strip() for l in f.readlines() if l.strip()]
	print("Environment variables for: {}".format(jobDir))
	for l in envvarsLines:
	parts = l.split("=")
	if parts[0] in password_dict.keys():
	print("{}={}".format(parts[0], password_dict[parts[0]]))
	else:
	print(l)
	print("")
	print("")
	except Exception as e:
	print("Error occurred while parsing job: {}".format(e))
	except Exception as e:
	print("Error while in main: {}".format(e))

	if __name__ == "__main__":
	main()