Typically on a penetration test there are several attacks the consultant will attempt first. These attacks generally are targeted at the “low-hanging fruit” such as systems with missing patches, or default/weak passwords. Once these few vulnerabilities have been ruled out, the consultant will begin to move on to more advanced attacks. On a recent Internal Penetration test, I found myself in a situation where I had not compromised a single system and my time on the assessment was beginning to come to an end. I looked through some output from a tool I had run earlier, hoping to notice a Tomcat or JBoss server that I had previously overlooked, when I noticed something new.
The server in question was running an application called Jenkins. Not being a developer, I had no idea what Jenkins actually was or what it was used for. Upon investigating, I discovered that it is an application for the continuous integration of code into projects. After exploring the application I discovered it contained the functionality to execute arbitrary Groovy scripts on the server. I crafted and executed a Groovy script that would add a local administrator to the server. Ultimately, that was the foothold I needed to completely compromise the internal network and obtain the trophies for the assessment. After my assessment, I mentioned Jenkins to the rest of SecureState’s Profiling team, none of whom had encountered it before. By the week’s end another consultant had successfully exploited a Jenkins server on their next assessment.
Allowing an unauthenticated user to execute code on one of your systems is never a good idea. In its default state, Jenkins could be used as a rudimentary web shell due to its ability to execute Java as well as Groovy code. However, penetration testers typically opt for a Meterpreter session whenever possible due to its increased functionality. Spencer McIntyre of SecureState’s Research and Innovation team recently created a Metasploit module to exploit this vulnerability. This exploit module uses the Jenkins script console to execute OS commands using Java. While Jenkins is not configured to use authentication by default, the module will accept a username and password if necessary. Additionally, it is multiplatform, supporting Meterpreter payloads on both Windows and Linux. This exploit module was recently accepted into the Metasploit framework.
Every penetration tester knows that there is no shortage of ways to compromise a server, but it never hurts to have something else in your bag of tricks. If you are conducting a penetration test, keep an eye open for Jenkins on your next assessment. If you are a Jenkins user, now would be a good time to lock it down.
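As an added example of the lock-down the previous paragraph calls for, the following Jenkins startup script switches on the built-in user database and requires a login before anything, the script console included, can be reached. It is not code from the original post or from SecureState; it assumes it is placed in $JENKINS_HOME/init.groovy.d/ on a current Jenkins release, and the JENKINS_ADMIN_USER and JENKINS_ADMIN_PASSWORD environment variable names are my own choice.

```groovy
// Added hardening example, not from the original post or the Metasploit module.
// Save as $JENKINS_HOME/init.groovy.d/security.groovy; Jenkins runs it at startup.
// The environment variable names below are assumptions; set them before starting.
import jenkins.model.Jenkins
import hudson.security.HudsonPrivateSecurityRealm
import hudson.security.FullControlOnceLoggedInAuthorizationStrategy

def jenkins = Jenkins.instance

// Use Jenkins' own user database: no self sign-up, no captcha.
def realm = new HudsonPrivateSecurityRealm(false, false, null)

def adminUser = System.getenv('JENKINS_ADMIN_USER') ?: 'admin'   // placeholder default
def adminPass = System.getenv('JENKINS_ADMIN_PASSWORD')
if (adminPass == null || adminPass.isEmpty()) {
    throw new IllegalStateException('JENKINS_ADMIN_PASSWORD must be set before startup')
}

// Create the administrator account only if it does not already exist.
if (!realm.allUsers.any { it.id == adminUser }) {
    realm.createAccount(adminUser, adminPass)
}
jenkins.securityRealm = realm

// Deny all anonymous access, including read access, so an unauthenticated
// visitor never sees the script console.
def strategy = new FullControlOnceLoggedInAuthorizationStrategy()
strategy.allowAnonymousRead = false
jenkins.authorizationStrategy = strategy

jenkins.save()
```

Every user who can log in still has full control under this strategy, so follow up with a finer-grained authorization strategy and a review of who holds accounts.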
SecureState’s Metasploit module can be found here.
More information about Jenkins can be found here.
More information about Leeroy Jenkins can be found here.