September 7, 2018
Share

RCE Unsecure Jenkins Instance | Bug Bounty POC

by

Hi Guys,

Honestly i was just getting bored and the blog wasn’t updated ina while so i decided to write this  (Will share some more recent issues in a few days 🙂 )

 

So i want this Write Up to be concise.. to Let’s Just say I was checking subdomains of a site and  found a subdomain jenkins-thor.dosomething.org

so By Name i got that it Must be a Jenkins Instance so i opened that subdomain and got redirected to Github Login Page

 

But the jenkins instant lac any kind of security for user as i visited it i simply Asks me to login to jenkins Instant using my Github account, As soon as loged inn to your jenkins instant i had complete admin access to your jenkins instant, and i was on the Users Page Like

 

 

Now As Many of you guys already know that Jenkins Instance have a Script page where a user can go and Execute Groovy Script and You can also install a Plugin called Terminal for it

 

So running a simple script as

 

def command = “uname -a”
def proc = commadn.execute()
proc.waitfor()

println “Process exit code: ${proc.exitValue()}”
prinln “Std Err: ${proc.err.text}”
println “std Out: ${proc.in.text}”

or

String fileContents = new File(‘/etc/passwd’).getText(‘UTF-8’)

 

So this Groovy Script will execute the command

 

 

So At this point you can be sure that you have an RCE in the service and you can execute any script command you want So i did that just to be sure

 

 

 

 

So I wrote a Report related to it and Send it to the CTO of the website 🙂 and the issue was migrated Urgently

TakeOut:

  1. Make Your You set the permissions for your Jenkins Instance Properly
  2. Make sure only allow Trusted users to install plugins or using Groovy Script

Do read the Detailed Post by nahamsec https://nahamsec.com/secure-your-jenkins-instance-or-hackers-will-force-you-to/

Note: The Issue was Reported and is been Migrated the Blog was written after getting Permission from the CTO Matt ( https://twitter.com/mshmsh5000 ) 🙂 and also the site DoSomething Don;t have a Bug Bounty Program Anymore so Kindly avoid any kind of testing. 

 

Thanks for Reading ^_^

Discover more from Security Breached Blog

Subscribe to get the latest posts sent to your email.

Tags:

MuhammadKhizerJaved

Dedicated and seasoned cybersecurity professional with over 8 years of active engagement in Bug Bounty Hunting, complemented by 4 years of experience as a Penetration Tester. Skilled in web and mobile application security testing and vulnerability assessment, I am actively involved in platforms like HackerOne and Bugcrowd. My contributions in the Bug Bounty arena have been recognized by over 200 reputable organizations, including Apple, Google, Facebook, The Government of Singapore, and The US Department of Defense. As an advocate for community growth, I actively contribute as a speaker, conducting sessions in local universities and presenting talks at various security conferences, both locally and internationally, including twice at BlackHat MEA, With a passion for growth, Always happy to connect with fellow security practitioners.

One reply on “RCE Unsecure Jenkins Instance | Bug Bounty POC”

    • Leave a Reply

    This site uses Akismet to reduce spam. Learn how your comment data is processed.

    You may also like