From 6803a9b286ebe8f249510b841715d43b13a681af Mon Sep 17 00:00:00 2001
From: Robert Dick <robert@doyensec.com>
Date: Sat, 2 May 2026 02:26:25 -0400
Subject: [PATCH 1/2] added exposedui testbed

---
 jenkins/exposedui/Dockerfile         | 13 ++++++++++
 jenkins/exposedui/README.md          | 38 ++++++++++++++++++++++++++++
 jenkins/exposedui/config.xml         | 36 ++++++++++++++++++++++++++
 jenkins/exposedui/docker-compose.yml | 16 ++++++++++++
 4 files changed, 103 insertions(+)
 create mode 100644 jenkins/exposedui/Dockerfile
 create mode 100644 jenkins/exposedui/README.md
 create mode 100644 jenkins/exposedui/config.xml
 create mode 100644 jenkins/exposedui/docker-compose.yml

diff --git a/jenkins/exposedui/Dockerfile b/jenkins/exposedui/Dockerfile
new file mode 100644
index 00000000..b6bd3755
--- /dev/null
+++ b/jenkins/exposedui/Dockerfile
@@ -0,0 +1,13 @@
+FROM jenkins/jenkins:2.562
+
+# Switch to root to modify files if needed
+USER root
+
+# Copy your custom config.xml into Jenkins home
+COPY config.xml /var/jenkins_home/config.xml
+
+# Fix permissions (important!)
+RUN chown jenkins:jenkins /var/jenkins_home/config.xml
+
+# Switch back to Jenkins user
+USER jenkins
diff --git a/jenkins/exposedui/README.md b/jenkins/exposedui/README.md
new file mode 100644
index 00000000..61de291f
--- /dev/null
+++ b/jenkins/exposedui/README.md
@@ -0,0 +1,38 @@
+# Jenkins Exposed UI
+
+This testbed creates two Jenkins 2.562 instances, one with the setup wizard disabled and anyone allowed to do anything (http://localhost:8081/), and one with default config (http://localhost:8082/).
+
+## Confirming the vulnerability
+
+```
+docker compose up
+```
+
+### Vulnerable
+```
+curl http://localhost:8081/
+```
+
+```
+...
+<title>Dashboard - Jenkins</title>
+...
+```
+
+### Safe
+```
+curl http://localhost:8082/
+```
+
+Response:
+```
+...
+Authentication required
+<!--
+You are authenticated as: anonymous
+Groups that you are in:
+  anonymous
+Permission you need to have (but didn't): hudson.model.Hudson.Administer
+-->
+...
+```
\ No newline at end of file
diff --git a/jenkins/exposedui/config.xml b/jenkins/exposedui/config.xml
new file mode 100644
index 00000000..ba2dc4b8
--- /dev/null
+++ b/jenkins/exposedui/config.xml
@@ -0,0 +1,36 @@
+<?xml version='1.1' encoding='UTF-8'?>
+<hudson>
+  <disabledAdministrativeMonitors/>
+  <version>2.562</version>
+  <numExecutors>2</numExecutors>
+  <mode>NORMAL</mode>
+  <useSecurity>true</useSecurity>
+  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
+  <securityRealm class="hudson.security.SecurityRealm$None"/>
+  <disableRememberMe>false</disableRememberMe>
+  <projectNamingStrategy class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/>
+  <workspaceDir>${JENKINS_HOME}/workspace/${ITEM_FULL_NAME}</workspaceDir>
+  <buildsDir>${ITEM_ROOTDIR}/builds</buildsDir>
+  <markupFormatter class="hudson.markup.EscapedMarkupFormatter"/>
+  <jdks/>
+  <viewsTabBar class="hudson.views.DefaultViewsTabBar"/>
+  <myViewsTabBar class="hudson.views.DefaultMyViewsTabBar"/>
+  <clouds/>
+  <scmCheckoutRetryCount>0</scmCheckoutRetryCount>
+  <views>
+    <hudson.model.AllView>
+      <owner class="hudson" reference="../../.."/>
+      <name>all</name>
+      <filterExecutors>false</filterExecutors>
+      <filterQueue>false</filterQueue>
+      <properties class="hudson.model.View$PropertyList"/>
+    </hudson.model.AllView>
+  </views>
+  <primaryView>all</primaryView>
+  <slaveAgentPort>50000</slaveAgentPort>
+  <label></label>
+  <crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer"/>
+  <nodeProperties/>
+  <globalNodeProperties/>
+  <nodeRenameMigrationNeeded>false</nodeRenameMigrationNeeded>
+</hudson>
diff --git a/jenkins/exposedui/docker-compose.yml b/jenkins/exposedui/docker-compose.yml
new file mode 100644
index 00000000..2c1c24a8
--- /dev/null
+++ b/jenkins/exposedui/docker-compose.yml
@@ -0,0 +1,16 @@
+version: "3.8"
+
+services:
+  jenkins-vuln:
+    build: .
+    container_name: jenkins-vuln
+    ports:
+      - "8081:8080"
+    environment:
+      - JAVA_OPTS=-Djenkins.install.runSetupWizard=false
+
+  jenkins-safe:
+    image: jenkins/jenkins:2.562
+    container_name: jenkins-safe
+    ports:
+      - "8082:8080"

From da3e572675693a298d7ec8a33704f6a2e7d56fcb Mon Sep 17 00:00:00 2001
From: Robert Dick <robert@doyensec.com>
Date: Wed, 3 Jun 2026 03:33:00 -0400
Subject: [PATCH 2/2] clarified testbed

---
 jenkins/exposedui/README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/jenkins/exposedui/README.md b/jenkins/exposedui/README.md
index 61de291f..ef114dd7 100644
--- a/jenkins/exposedui/README.md
+++ b/jenkins/exposedui/README.md
@@ -2,6 +2,8 @@
 
 This testbed creates two Jenkins 2.562 instances, one with the setup wizard disabled and anyone allowed to do anything (http://localhost:8081/), and one with default config (http://localhost:8082/).
 
+The default config, with the setup screen, requires a password which is output to the terminal on first boot, and allows configuring authentication during setup (or makes a default admin user with the same password).
+
 ## Confirming the vulnerability
 
 ```
@@ -35,4 +37,4 @@ Groups that you are in:
 Permission you need to have (but didn't): hudson.model.Hudson.Administer
 -->
 ...
-```
\ No newline at end of file
+```