Jenkins and OS Command Execution via Build

Hi Friends đŸ™‚

I would like to share another tutorial for penetration testing on utilizing Jenkins build capability to allow you to do OS command execution.

Jenkins is a well know opensource automation platform for building, deployment and many other automation.

To keep this tutorial short, lets assume that you have found a jenkins server during your penetration testing, You want to leverage the attack by compromising the server. We can weaponize the build functionality that is provided by jenkins to do OS command execution

First you need to have a login to the jenkins server either by creating new user or stealing someone’s account that you found during the enumeration. In this scenario my account is netman

There are two ways to weaponze the jenkins build, Trigger builds remotely and Build periodically. I will use Trigger builds remotely in this post

Configure the Build

Lets create a build configuration. Click on the New Item in the Jenkins dashboard

New page will be shown to you to give the build name, I give the name proj2 the type is Freestyle project and press OK

A new page will be shown where we can configure the details build project. Lets go to the Build tab

In the section build trigger, We need to select Trigger builds remotely so that we can control when the build script will be started.

With the Trigger build remotely, it allows us to trigger the build via the http API. To call the API, there is token authentication required

Copy the token that was generated for your account into the Authentication Token

Scripting the OS Command

The next step is to configure the build script, In the build section, We need to Add build step, I am targetting windows machine in this scenario hence the code must follow the windows os command standard

The command that we want to execute would look like below, I would like to try to find what is the account which jenkins server is running. Be creative with the command, It is just like executing in the command prompt. You can also run powershell if the OS supports it.

After you finish with the OS command that the jenkins server need to run then you need to save it

Triggering the Build

That is all the step that you need to follow to create the build. The next is how to trigger the build so that the jenkins will execute the OS command that you put above

Since we are using the remote trigger to run the build, we need to call the API which look like below

curl 'http://netman:1180657b1ca534670a9bdc57cd919cebd9@object.htb:8080/job/proj2/build?token=1180657b1ca534670a9bdc57cd919cebd9'
  1. Jenkins username
  2. Auth Token
  3. Build name
  4. Auth Token
  5. Hostname

You can trigger the build process with the curl command above.

Viewing the Result

To view the build or command execution, You must go to the dashboard where you can view all the build project as below image

You can click on the proj2 to go to the details.

Click on the #1 to see the detail result of the execution, Click on the Console Output

Generating Authentication Token

Below are the steps to generate the Jenkins authentication token to be used for remote trigger build.

  1. Go to your account details

2. Click on configure

3. Generate Token

4. Copy the token

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s