Jenkins
Last updated
Last updated
In order to search for interesting Jenkins pages without authentication like (/people or /asynchPeople, this lists the current users) you can use:
Check if you can execute commands without needing authentication:
Without credentials you can look inside /asynchPeople/ path or /securityRealm/user/admin/search/index?q= for usernames.
You may e ale to get the Jenkins version from the path /oops or /error
Jekins does not implement any password policy or username brute-force mitigation. Then, you should always try to brute-force users because probably weak passwords are being used (even usernames as passwords or reverse usernames as passwords).
There are 3 ways to get code execution with Jenkins.
This method is very noisy because you have to create a hole new project (obviously this will only work if you user is allowed to create a new project).
Create a new project (Freestyle project)
Inside Build section set Execute shell and paste a powershell Empire launcher or a meterpreter powershell (can be obtained using unicorn). Start the payload with PowerShell.exe instead using powershell.
Click Build now
****
Go to the projects and check if you can configure any of them (look for the "Configure button"):
Or try to access to the path /configure in each project (example: /me/my-views/view/all/job/Project0/configure).
If you are allowed to configure the project you can make it execute commands when a build is successful:
Click on Save and build the project and your command will be executed. If you are not executing a reverse shell but a simple command you can see the output of the command inside the output of the build.
Best way. Less noisy.
Go to path_jenkins/script
Inside the text box introduce the script
You could execute a command using: cmd.exe /c dir
In linux you can do: "ls /".execute().text
If you need to use quotes and single quotes inside the text. You can use """PAYLOAD""" (triple double quotes) to execute the payload.
Another useful groovy script is (replace [INSERT COMMAND]):
You can prepare a HTTP server with a PS reverse shell and use Jeking to download and execute it:
You can use MSF to get a reverse shell:
Dump Jenkins credentials using: