Continuous Intrusion: Why CI tools are an Attacker’s Best Friends

By Nikhil Mittal on 13 Nov 2015 @ Blackhat
#red-teaming #ci-cd #application-pentesting #cicd-security #security-development-lifecycle #secure-coding #software-security
Focus Areas: 🔐 Application Security , ⚙️ DevSecOps , 🎯 Penetration Testing


Abstract

Continuous Integration (CI) tools provide an excellent attack surface due to weak or absent security controls, distributed build management capability, and the level of access/privileges they hold in an enterprise.

This talk looks at CI tools from an attacker's perspective and uses them as portals for getting a foothold and for lateral movement. We will see how to execute attacks like command and script execution, credential theft, and privilege escalation to compromise not only the build process but the underlying operating system and even entire Windows domains. No memory corruption bugs will be exploited; only the features of the CI tools will be used.

Popular CI tools, open source as well as proprietary, will be the targets. The talk will be full of live demonstrations.

AI Generated Summary

This talk examined security weaknesses in widely deployed continuous integration (CI) tools, including Jenkins, TeamCity, and GoCD. The research focused on common misconfigurations and design choices that let an attacker move laterally and steal credentials inside an enterprise network without exploiting a single memory corruption bug.

Key findings: default installations of these tools frequently run with no authentication at all; where authentication is enabled, weak or absent password policies leave them open to brute-force attacks; and they keep sensitive credentials (cloud access keys, database passwords, domain accounts) on disk in a form that anyone with access to the master's filesystem can recover. Jenkins, for example, encrypts the values in credentials.xml, but the key material that decrypts them lives alongside in the same JENKINS_HOME, so filesystem access on the master is as good as plaintext. The central attack vector was that a low-privilege user (a project developer, or an anonymous user on an unsecured instance) can configure build steps that execute arbitrary commands with the privileges of the CI service account on the master or its agents, which on Windows is often SYSTEM. This "build step abuse" was used to switch off security settings, read stored secrets from files on the master, and establish reverse shells. Specific demonstrations included extracting AWS credentials from Jenkins' credentials.xml, abusing the super user authentication token that TeamCity writes to teamcity-server.log to gain administrative access, and using GoCD's pipeline configuration to execute commands as a high-privilege user.

The practical implication is that a compromised CI tool is a high-value foothold: it frequently provides a direct path to domain administrator privileges or to theft of source code and other intellectual property. The speaker emphasized that these are not obscure flaws but conditions observed repeatedly in public-facing and internal deployments. Defenders should treat CI servers as high-value assets: enforce authentication and password policies, restrict who may add or edit build steps and audit those permissions, run build agents under dedicated low-privilege accounts rather than the master's service account, and manage secrets in a dedicated vault rather than relying on the tools' native storage. The attacks demonstrated are reliable techniques for both external and internal penetration testing engagements.
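The following is an added example, not material from the talk or from any of the CI projects it covers. It turns the conditions described above (security switched off, anyone-is-admin authorization, build steps that read credentials.xml or master.key, the super user token in teamcity-server.log) into an offline audit over constructed sample inputs: a weak Jenkins global config.xml beside a hardened one, a job config.xml with two shell build steps, and a made-up TeamCity log excerpt. The XML element and class names are the ones Jenkins actually writes; the sample contents, token value and timestamps are constructed for the example.

```python
"""Offline audit of CI configuration for the misconfigurations the talk describes.

Added example. Sample inputs below are constructed, not captured from a real server.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a Jenkins $JENKINS_HOME/config.xml with security switched off.
# 'AuthorizationStrategy$Unsecured' is what Jenkins writes when every user is an admin.
JENKINS_CONFIG_WEAK = """<hudson>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
</hudson>"""

# Constructed sample: the same file after hardening (matrix authorization, no self-signup).
JENKINS_CONFIG_HARDENED = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin</permission>
    <permission>hudson.model.Hudson.Read:authenticated</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>"""

# Constructed sample: a job config.xml whose build steps read secrets off the master.
JENKINS_JOB = """<project>
  <builders>
    <hudson.tasks.Shell>
      <command>cat $JENKINS_HOME/credentials.xml</command>
    </hudson.tasks.Shell>
    <hudson.tasks.BatchFile>
      <command>type %JENKINS_HOME%\\secrets\\master.key</command>
    </hudson.tasks.BatchFile>
  </builders>
</project>"""

# Constructed sample: two lines in the style of teamcity-server.log; the token is made up.
TEAMCITY_LOG = """[2015-11-13 10:00:01,123]   INFO - jetbrains.buildServer.STARTUP - Super user authentication token: 1234567890123456789 (use empty username with the token as the password to access the server)
[2015-11-13 10:00:02,000]   INFO - jetbrains.buildServer.STARTUP - TeamCity server started"""

# Paths under JENKINS_HOME that a build step has no business reading.
SECRET_PATH_MARKERS = ("credentials.xml", "master.key", "hudson.util.Secret", "secrets/", "secrets\\")


def jenkins_global_findings(config_xml):
    """Return a list of findings for a Jenkins global config.xml (empty list = nothing flagged)."""
    root = ET.fromstring(config_xml)
    findings = []
    if root.findtext("useSecurity", "false").strip().lower() != "true":
        findings.append("useSecurity is not true: the instance requires no authentication")
    strategy = root.find("authorizationStrategy")
    strategy_cls = strategy.get("class", "") if strategy is not None else ""
    if strategy is None or strategy_cls.endswith("$Unsecured"):
        findings.append("authorizationStrategy is Unsecured: every user is an administrator")
    else:
        for perm in strategy.iterfind("permission"):
            name, _, sid = (perm.text or "").strip().rpartition(":")
            if name == "hudson.model.Hudson.Administer" and sid == "anonymous":
                findings.append("anonymous holds Overall/Administer")
    realm = root.find("securityRealm")
    if realm is not None and realm.findtext("disableSignup", "false").strip().lower() != "true":
        findings.append("self-signup is enabled: anyone can create an account")
    return findings


def jenkins_job_command_steps(job_xml):
    """Return (builder class, command) for every shell/batch build step in a job config.xml."""
    root = ET.fromstring(job_xml)
    steps = []
    for builder in root.iterfind("./builders/*"):
        if builder.tag in ("hudson.tasks.Shell", "hudson.tasks.BatchFile"):
            steps.append((builder.tag, (builder.findtext("command") or "").strip()))
    return steps


def secret_touching_steps(steps):
    """Filter build steps whose command references secret files on the master."""
    return [(cls, cmd) for cls, cmd in steps
            if any(marker.lower() in cmd.lower() for marker in SECRET_PATH_MARKERS)]


TEAMCITY_TOKEN_RE = re.compile(r"Super user authentication token:\s*(\d+)")


def teamcity_super_user_tokens(log_text):
    """Return every super user token found in a teamcity-server.log excerpt."""
    return TEAMCITY_TOKEN_RE.findall(log_text)


if __name__ == "__main__":
    print("weak config:", jenkins_global_findings(JENKINS_CONFIG_WEAK))
    print("hardened config:", jenkins_global_findings(JENKINS_CONFIG_HARDENED))
    print("secret-reading steps:", secret_touching_steps(jenkins_job_command_steps(JENKINS_JOB)))
    print("tokens in log:", teamcity_super_user_tokens(TEAMCITY_LOG))
```

Run it against real files by substituting the contents of $JENKINS_HOME/config.xml, each jobs/*/config.xml and logs/teamcity-server.log for the constructed samples. A non-empty token list means the log itself is a credential: anyone who can read it (a build step on the TeamCity host, a log-shipping pipeline, a backup) can log in as super user with an empty username, which is the access the talk abuses.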

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.