Jenkins and OS Command Execution via Build

Hi Friends 🙂

I would like to share another penetration testing tutorial, this time on using the Jenkins build capability to execute OS commands.

Jenkins is a well-known open-source automation platform for building, deployment and many other automation tasks.

To keep this tutorial short, let's assume that you have found a Jenkins server during your penetration test and want to leverage the attack by compromising the server. We can weaponize the build functionality provided by Jenkins to do OS command execution.

First you need a login to the Jenkins server, either by creating a new user or by stealing an account that you found during enumeration. In this scenario my account is netman.

There are two ways to weaponize the Jenkins build: Trigger builds remotely and Build periodically. I will use Trigger builds remotely in this post.

Configure the Build

Let's create a build configuration. Click on New Item in the Jenkins dashboard.

A new page will ask for the build name. I used the name proj2, selected Freestyle project as the type and pressed OK.

A new page will be shown where we can configure the details of the build project. Let's go to the Build tab.

In the Build Triggers section, we need to select Trigger builds remotely so that we can control when the build script is started.

Trigger builds remotely allows us to trigger the build via the HTTP API. Calling the API requires token authentication.

Copy the token that was generated for your account into the Authentication Token field.

Scripting the OS Command

The next step is to configure the build script. In the Build section, we need to use Add build step. I am targeting a Windows machine in this scenario, hence the code must follow the Windows OS command standard.

The command that we want to execute would look like below. I would like to find out which account the Jenkins server is running as. Be creative with the command; it is just like executing in the command prompt. You can also run PowerShell if the OS supports it.

After you finish with the OS command that the Jenkins server needs to run, save the configuration.

Triggering the Build

Those are all the steps you need to follow to create the build. Next is how to trigger the build so that Jenkins executes the OS command that you entered above.

Since we are using the remote trigger to run the build, we need to call the API as shown below:

curl 'http://netman:1180657b1ca534670a9bdc57cd919cebd9@object.htb:8080/job/proj2/build?token=1180657b1ca534670a9bdc57cd919cebd9'
  1. Jenkins username
  2. Auth Token
  3. Build name
  4. Auth Token
  5. Hostname

You can trigger the build process with the curl command above.

Viewing the Result

To view the build and the command execution result, go to the dashboard, where all the build projects are listed.

You can click on proj2 to go to the details.

Click on #1 to see the detailed result of the execution, then click on Console Output.
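
For the defender's side of this walkthrough, the sketch below (an added example, not part of the original post and not Jenkins code) reads a job's config.xml and flags freestyle jobs that combine a command build step with a remote-trigger token or a timer trigger, the two start methods named earlier. The sample XML, the placeholder token and command, and the function names audit_job_config and is_high_risk are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample config.xml for a freestyle job like proj2 (placeholder values).
SAMPLE_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<project>
  <authToken>PLACEHOLDER-TOKEN</authToken>
  <triggers>
    <hudson.triggers.TimerTrigger><spec>H/15 * * * *</spec></hudson.triggers.TimerTrigger>
  </triggers>
  <builders>
    <hudson.tasks.BatchFile><command>echo constructed-sample</command></hudson.tasks.BatchFile>
  </builders>
</project>"""

# Build steps that pass a string to the operating system's command interpreter.
COMMAND_STEPS = {"hudson.tasks.BatchFile": "batch", "hudson.tasks.Shell": "shell"}

def audit_job_config(xml_text):
    """Summarise the trigger and command settings of one job's config.xml."""
    # Jenkins writes an XML 1.1 declaration; drop it so any XML 1.0 parser copes.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(body)
    token = (root.findtext("authToken") or "").strip()
    specs = [(t.findtext("spec") or "").strip()
             for t in root.findall("./triggers/hudson.triggers.TimerTrigger")]
    commands = [(COMMAND_STEPS[s.tag], (s.findtext("command") or "").strip())
                for s in root.findall("./builders/*") if s.tag in COMMAND_STEPS]
    return {"remote_trigger": bool(token), "timer_specs": specs, "commands": commands}

def is_high_risk(report):
    """True when the job runs OS commands and can start without a UI click."""
    unattended = report["remote_trigger"] or bool(report["timer_specs"])
    return bool(report["commands"]) and unattended

if __name__ == "__main__":
    report = audit_job_config(SAMPLE_CONFIG)
    print(report)
    print("REVIEW" if is_high_risk(report) else "ok")
```

Run it over each job's config.xml on the controller and review the flagged jobs against who created or last changed them.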

Generating Authentication Token

Below are the steps to generate the Jenkins authentication token to be used for remote trigger build.

  1. Go to your account details
  2. Click on configure
  3. Generate Token
  4. Copy the token
