Decrypting Bamboo 5.7 secret variables


The article describes how to decipher encrypted strings in an old (5.7.2) version of Bamboo. I don’t have access to other versions, so I am not able to tell if it works there too (it won’t work for the latest version). Please leave a comment if you were able to test it on other versions of Bamboo.

When we create a build plan or a deployment project in Bamboo we need to define tasks which compose it. Bamboo internally stores these task definitions in a database column as an XML blob. Some of the tasks, such as SSH or SCP, require a password to connect to the remote server. In this short post, I will show you how to decrypt such passwords. Although we will decipher the remote server password, it looks that Bamboo uses the same algorithm to encrypt other data too (for example, credentials to access the external code repositories).

Decrypting a remote server password

For our experiment, let’s create a deployment project with one environment, named Production. Let’s then add an SCP task as a part of the deploy, setting the Authentication type to the password, as on the image below:

After saving the environment definition, Bamboo will create a new row in the the DEPLOYMENT_ENVIRONMENT table. The XML_DEFINITION_DATA column will contain XML code similar to the one presented below:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<configuration xml:space="preserve">
  <taskDefinition>
    <id>1</id>
    ...
  </taskDefinition>
  <taskDefinition>
    <id>2</id>
    <userDescription>Fetch Code</userDescription>
    ...
  </taskDefinition>
  <taskDefinition>
    <id>3</id>
    <userDescription>Push Code</userDescription>
    <isEnabled>true</isEnabled>
    <pluginKey>com.atlassian.bamboo.plugins.bamboo-scp-plugin:scptask</pluginKey>
    <finalising>false</finalising>
    <rootDirectoryType>DEFAULT</rootDirectoryType>
    <repositoryDefiningWorkingDir>-1</repositoryDefiningWorkingDir>
    <config>
      <item>
        <key>username</key>
        <value>testuser</value>
      </item>
      <item>
        <key>artifactToScp</key>
        <value>-2:-1:-1:LOCAL_FILES</value>
      </item>
      <item>
        <key>useAntPattern</key>
        <value/>
      </item>
      <item>
        <key>host</key>
        <value>testhost</value>
      </item>
      <item>
        <key>passphrase</key>
        <value/>
      </item>
      <item>
        <key>localPath</key>
        <value>source-${bamboo.buildNumber}.tar</value>
      </item>
      <item>
        <key>authType</key>
        <value>PASSWORD</value>
      </item>
      <item>
        <key>remotePath</key>
        <value>/webs</value>
      </item>
      <item>
        <key>encPassword</key>
        <value>z5UW1TRekPj82ngVgMYtPw==</value>
      </item>
      <item>
        <key>verifyFingerprint</key>
        <value>false</value>
      </item>
    </config>
  </taskDefinition>
  <bambooDelimiterParsingDisabled>true</bambooDelimiterParsingDisabled>
</configuration>

As you can see the last taskDefition contains an item with a key encPassword. Its value is the base64-encoded value of our encrypted password. After having a look at the atlassian-bamboo-core-5.7.2.jar I found that the encryption key is hard-coded into the binaries 🙂 So the code to decrypt our password is quite simple:

import javax.crypto.*;
import javax.crypto.spec.*;
import javax.xml.bind.DatatypeConverter;

public class Decrypt {
    public static void main(String[] args) throws Exception {
        DESedeKeySpec myKeySpec = new DESedeKeySpec("Beetlejuice version $version (c) Copyright 2003-2005 Pols Consulting Limited".getBytes("UTF8"));
        SecretKeyFactory myKeyFactory = SecretKeyFactory.getInstance("DESede");

        SecretKey secretKey = myKeyFactory.generateSecret(myKeySpec);

        Cipher decrypter = Cipher.getInstance("DESede");
        decrypter.init(2, secretKey);

        byte[] data = DatatypeConverter.parseBase64Binary(args[0]);

        System.out.println(new String(decrypter.doFinal(data)));
    }
}

After compiling the code, we can decrypt our base64 string and learn the password:

$ java Decrypt z5UW1TRekPj82ngVgMYtPw==
testpasswd

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.