From S3 bucket to Jenkins credential dump

NCC Group performed a pentest against a web application, in which they leveraged anonymous access to discover a sitemap folder that turned out to be an S3 bucket with directory listing enabled. NCC identified a bash script containing a hardcoded Git credential, which granted access to a Jenkins server as a limited user, but the researchers managed to escalate their privileges to admin and then proceeded to dump credentials including AWS access tokens, SSH certificates and more.