Jenkins Attacks

• Jenkins runs on Tomcat port 8080 by default.

  • It also utilizes port 5000 to attach slave servers.

    • This port is used to communicate between masters and slaves

• Jenkins can use a local database, LDAP, Unix user database, delegate security to a servlet container, or use no authentication at all

  • Administrators can also allow or disallow users from creating accounts.

  • default credentials

    • admin:admin

Script Console

• The script console can be reached at the URL http://jenkins.inlanefreight.local:8000/script

  • This console allows a user to run Apache Groovy scripts, which are an object-oriented Java-compatible language

  • For example, we can use the following snippet to run the id command.

def cmd = 'id'
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = cmd.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println sout

http://jenkins.inlanefreight.local:8000/script

• There are various ways that access to the script console can be leveraged to gain a reverse shell.

  • For example, using the command below, or this Metasploit module.

• Against a Windows host, we could attempt to add a user and connect to the host via RDP or WinRM or, to avoid making a change to the system, use a PowerShell download cradle with Invoke-PowerShellTcp.ps1.

• We could run commands on a Windows-based Jenkins install using this snippet:

• We could also use this Java reverse shell to gain command execution on a Windows host, swapping out localhost and the port for our IP address and listener port.