stevenvegar/Jenkins_scripts

Jenkins_scripts

Some scripts to enumerate and attack Jenkins servers

Enumeration

This script can enumerate 26 different URLs and check whether the given user can access them.
If no user is specified, it will try to authenticate as the anonymous user.

This can also be used to perform a dictionary attack to obtain possible usernames,
whether Jenkins is configured to use its local user database or Active Directory.

CVE-2024-23897

These scripts take advantage of the CVE-2024-23897 vulnerability, which allows an unauthenticated (anonymous) user to read local files stored on the server. This is a "Local File Inclusion (LFI)" vulnerability.

This script can download hudson.util.Secret and master.key without Anonymous Overall/Read permissions.
If access is available, it also retrieves credentials from the credentials.xml file and decrypts the passwords.
It works on Jenkins installed on Windows with Java 17 or 11. On Java 21 or Linux, certain configuration is needed.

This script can retrieve the initialAdminPassword that is used when Jenkins is installed.
If the admin user was not deleted and the initial password was not changed, this should allow logging in as admin.
Anonymous Overall/Read permissions are not necessary.

This script searches for user credentials and executes a Groovy script with the desired OS command.
Anonymous Overall/Read permissions are necessary.

This script searches for user credentials and creates a JOB to execute a reverse shell.
Anonymous Overall/Read permissions are necessary.

This script searches for user credentials and extracts them to perform offline password cracking.
Anonymous Overall/Read permissions are necessary.
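The two preconditions the scripts above depend on are the unpatched CVE-2024-23897 and whether anonymous Overall/Read is granted. A defender-side self-audit that maps those onto one instance, added here as an example and not part of this repository: the fixed versions (2.442 weekly, 2.426.3 LTS) are taken from the Jenkins security advisory for the CVE, and `probe()` assumes that Jenkins returns the `X-Jenkins` header on every response and answers `/api/json` with 200 only when anonymous Overall/Read is granted.

```python
"""Self-audit of the preconditions used by the scripts in this README."""
from __future__ import annotations
import re
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Versions in which CVE-2024-23897 was fixed (Jenkins security advisory, 2024-01-24).
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.426.2' (LTS) or '2.441' (weekly) into a comparable int tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def vulnerable_to_cve_2024_23897(version: str) -> bool:
    """True when the version predates the fix. Three-part versions are LTS
    releases and are compared against the LTS fix, two-part against weekly."""
    v = parse_version(version)
    fixed = FIXED_LTS if len(v) == 3 else FIXED_WEEKLY
    return v < fixed


def assess(version: str, anonymous_read: bool) -> dict[str, bool]:
    """Map the README's preconditions onto the state of one instance."""
    lfi = vulnerable_to_cve_2024_23897(version)
    return {
        # master.key, hudson.util.Secret and initialAdminPassword need only the CVE
        "unauthenticated_file_read": lfi,
        # credentials.xml extraction, Groovy execution and job creation also need anon read
        "anon_read_exposes_credentials_and_jobs": lfi and anonymous_read,
        # a patched server with anon read still exposes URL enumeration and user guessing
        "anonymous_overall_read": anonymous_read,
    }


def probe(base_url: str, timeout: float = 5.0) -> dict[str, bool]:
    """Assumption: X-Jenkins is present on 200 and 403 responses alike, and
    /api/json answers 200 only when anonymous Overall/Read is granted."""
    try:
        resp = urlopen(Request(base_url.rstrip("/") + "/api/json"), timeout=timeout)
        version, anon = resp.headers.get("X-Jenkins", ""), True
    except HTTPError as e:
        version, anon = e.headers.get("X-Jenkins", ""), False
    return assess(version, anon)
```

Run `probe("https://jenkins.example.internal")` against your own instance; any `True` in the result is a finding to fix by upgrading or by revoking anonymous Overall/Read.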

Reverse shells

These scripts are ported from a Metasploit exploit written in Ruby.
Jenkins 2.150.2 - Remote Command Execution (Metasploit)

Get a PowerShell reverse shell from a Windows-based Jenkins server using a PowerShell base64-encoded payload.
This script uses the "Execute Windows batch command" job type.

Get a PowerShell reverse shell from a Windows-based Jenkins server using a NodeJS script payload.
This script uses the "Execute NodeJS script" job type.

Get a PowerShell reverse shell from a Windows-based Jenkins server using a Groovy script payload.
This script uses a "Pipeline script" job type.

Get a Bash reverse shell from a Linux-based Jenkins server using a Bash base64-encoded payload.
This script uses the "Execute shell" job type.

Get a Bash reverse shell from a Linux-based Jenkins server using a NodeJS script payload.
This script uses the "Execute NodeJS script" job type.

Get a Bash reverse shell from a Linux-based Jenkins server using a Groovy script payload.
This script uses a "Pipeline script" job type.

External resources

HackTricks - Boitatech
Github - Carlos Polop
Github - Jenkins Attack Framework
Github - Pwn-Jenkins
