Retrieving credentials from Jenkins

Have you ever stored a password in Jenkins, only to forget later what the value is? You might try logging it from inside an existing job, but you’ll find that Jenkins goes out of its way to mask that value from you (and from any potential attackers!).

There’s a sneaky way to get those credentials out of a Jenkins agent that requires only a little bit of wrangling. It may be possible to lock this down (I haven’t looked), so it’s good to be aware of it and to consider the security implications too.

[Screenshots, in order: credential view, credential update, inspect element, credential hash, script console, final result]

It’s a pretty handy trick, but quite obviously a borderline exploit at the same time. It’s up to you to use it responsibly!