9. Key Takeaways
● Know your boundaries : If you think that the data you’ve got access wasn’t meant to be
accessible to you and was meant to be private, STOP. Take written permission from the company
before testing any further.
● Automate them all : Let machines take over ( The mundane tasks only ). While I had
automated the screenshot part, I was also checking for RCE on Jenkins on these instances ( i.e.
Jenkins instances with open Script Console and I did get quite a few )
● Don’t presume anything : Now, usually Jenkins replaces secrets with asterisks but it can’t
mask the tool output and as in this case the zookeeper was leaking the credentials.
● No secret sauce : Bugs are simple, persistence is the key.