Open in app

Sign in

Write

Sign in

Jenkins - Exploitation Is Everything

Jerry Shah (Jerry)
4 min readAug 23, 2020

I would like to share one of my findings related to Jenkins which I exploited using Groovy Script and got a shell back to my system.

Summary :

Jenkins is a self-contained, open source automation server which can be used to automate all sorts of tasks related to building, testing, and delivering or deploying software. Jenkins can be installed through native system packages, Docker, or even run standalone by any machine with a Java Runtime Environment (JRE) installed.

The Jenkins project was started in 2004 (originally called Hudson) by Kohsuke Kawaguchi, while he worked for Sun Microsystems. He created Jenkins as a way to perform Continuous Integration (CI) that is, to test his code before he did an actual commit to the repository, to be sure all was well.

What is Continuous Integration ?

Continuous Integration (CI) is a development practice where developers integrate code into a shared repository frequently, preferably several times a day. Each integration can then be verified by an automated build and automated tests. While automated testing is not strictly part of CI it is typically implied.

One of the key benefits of integrating regularly is that you can detect errors quickly and locate them more easily. As each change introduced is typically small, pinpointing the specific change that introduced a defect can be done quickly.

In recent years CI has become a best practice for software development and is guided by a set of key principles. Among them are revision control, build automation and automated testing.

How to Exploit ?

There many ways to exploit Jenkins however we are interested in Script Console because Jenkins has lovely Groovy script console that permits anyone to run arbitrary Groovy scripts inside the Jenkins master runtime.

Jenkins Groovy Script Console :

Jenkins features a nice Groovy script console which allows one to run arbitrary Groovy scripts within the Jenkins master runtime or in the runtime on agents. It is a web-based Groovy shell into the Jenkins runtime. Groovy is a very powerful language which offers the ability to do practically anything Java can do including :

  1. Create sub-processes and execute arbitrary commands on the Jenkins master and agents
  2. It can even read files in which the Jenkins master has access to on the host (like /etc/passwd)
  3. Decrypt credentials configured within Jenkins
  4. Granting a normal Jenkins user Script Console Access is essentially the same as giving them Administrator rights within Jenkins

What is a Groovy Script ?

Groovy can be used as a scripting language for the Java platform. It is almost like a super version of Java which offers Java’s enterprise capabilities. It also offers many productivity features like DSL support, closures, and dynamic typing.

Basically I searched a lot and I found this Github repository where the exploit code for Jenkins Script Console was available, all you need to do is just copy the code and paste it in the Jenkins Script Console.

The only change you need to do is, change String host=”localhost”; to String host=”<YourIPAddr>”;

How to find this vulnerability ?

  1. Go to your target website and run nmap to check for open ports
  2. If you find Jenkins port open then visit the URL
Jenkins

3. Now search for Script Console and paste the exploit in it

Groovy Script Console

4. Now change String host=”localhost”; to String host=”<YourIPAddr>”;

5. Start the netcat listener on your machine and then click on “Run” on the Script Console

6. You’ll get a shell back to your machine

Reverse Shell

Mitigation :

To prevent this vulnerability one should disable the Remoting-Based CLI. This script can be used to shut down CLI subsystem of Jenkins to protect Jenkins from a known vulnerability.

When the script is run from the Groovy script console (/script), this shuts down CLI subsystem of a running Jenkins without needing a restart.

When placed in $JENKINS_HOME/init.groovy.d/cli-shutdown.groovy it makes sure the protection stays in place after master restart.

To see if the mitigation is successfully applied, try running java -jar cli.jar -s $JENKINS_URL with cli.jar and make sure you get EOFException like the following:

java.io.EOFException
	at java.io.DataInputStream.readFully(DataInputStream.java:197)
	at java.io.DataInputStream.readUTF(DataInputStream.java:609)
	at java.io.DataInputStream.readUTF(DataInputStream.java:564)
	at hudson.cli.CLI.connectViaCliPort(CLI.java:232)
	at hudson.cli.CLI.<init>(CLI.java:128)
	at hudson.cli.CLIConnectionFactory.connect(CLIConnectionFactory.java:72)
	at hudson.cli.CLI._main(CLI.java:479)
	at hudson.cli.CLI.main(CLI.java:390)
	Suppressed: java.io.IOException: https://ci.jenkins-ci.org/cli doesn't look like Jenkins
		at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:81)
		at hudson.cli.CLI.connectViaHttp(CLI.java:158)
		at hudson.cli.CLI.<init>(CLI.java:132)
		... 3 more
Bug Bounty
Hall Of Fame
Vulnerability
Hackerone
Bugcrowd

--

--

Jerry Shah (Jerry)

Written by Jerry Shah (Jerry)

4.3K Followers

|Penetration Tester| |Hack The Box| |Digital Forensics| |Malware Analysis|

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams