RCE on an Unsecured Jenkins Instance | Bug Bounty POC

Hi Guys,

Honestly, I was just getting bored and the blog hadn't been updated in a while, so I decided to write this (I will share some more recent issues in a few days 🙂 )

I want this write-up to be concise, so let's just say I was checking the subdomains of a site and found the subdomain jenkins-thor.dosomething.org

From the name I could tell it must be a Jenkins instance, so I opened that subdomain and got redirected to the GitHub login page.

But the Jenkins instance lacked any kind of access control for users: when I visited it, it simply asked me to log in to the Jenkins instance with my GitHub account, and as soon as I had logged in I had complete admin access to the instance, landing on the Users page like this:

Now, as many of you already know, a Jenkins instance has a Script Console page where a user can execute Groovy scripts, and you can also install a plugin called Terminal for it.

So running a simple script such as

// run a shell command on the Jenkins host and print its exit code and output
def command = "uname -a"
def proc = command.execute()
proc.waitFor()

println "Process exit code: ${proc.exitValue()}"
println "Std Err: ${proc.err.text}"
println "Std Out: ${proc.in.text}"

or

// read a file from the Jenkins host's filesystem and print it
String fileContents = new File('/etc/passwd').getText('UTF-8')
println fileContents

This Groovy script executes the command on the Jenkins host and shows its output:

So at this point you can be sure that you have RCE on the service and can execute any script or command you want, so I did exactly that just to be sure:

So I wrote a report about it and sent it to the CTO of the website 🙂 and the issue was mitigated urgently.

Takeaways:

  1. Make sure you set the permissions for your Jenkins instance properly
  2. Make sure only trusted users are allowed to install plugins or use the Groovy Script Console
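To make the first takeaway concrete, here is an added example (written for this post, not code from the original write-up or from the Jenkins project) that audits a Jenkins $JENKINS_HOME/config.xml for the access-control settings that hand the Overall/Administer permission, and with it the Script Console and plugin installation, to everyone who can log in. The three config.xml samples are constructed for the example; the element and class names are the ones Jenkins itself serialises, and the first sample is one configuration that produces exactly the behaviour described above (GitHub OAuth login plus "Logged-in users can do anything"). The GitHub client ID is a placeholder.

```python
"""Audit a Jenkins config.xml for authorization settings that make every login an admin.

Added illustration for this post; not Jenkins project code. Inspects the
<authorizationStrategy> and <securityRealm> sections of $JENKINS_HOME/config.xml.
"""
import sys
import xml.etree.ElementTree as ET

# Script Console and plugin management both require Overall/Administer.
ADMIN_PERMISSION = "hudson.model.Hudson.Administer"
# Built-in group SIDs that must never hold Administer.
RISKY_SIDS = {"anonymous", "authenticated"}

# Constructed sample 1: GitHub OAuth realm + "Logged-in users can do anything".
# Any GitHub account can log in and is immediately a Jenkins administrator.
WEAK_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="org.jenkinsci.plugins.GithubSecurityRealm">
    <clientID>PLACEHOLDER_CLIENT_ID</clientID>
  </securityRealm>
</hudson>"""

# Constructed sample 2: matrix authorization, but Administer is granted to the
# 'authenticated' group, which is the same hole in different clothing.
OPEN_MATRIX_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>GROUP:hudson.model.Hudson.Administer:authenticated</permission>
  </authorizationStrategy>
  <securityRealm class="org.jenkinsci.plugins.GithubSecurityRealm">
    <clientID>PLACEHOLDER_CLIENT_ID</clientID>
  </securityRealm>
</hudson>"""

# Constructed sample 3: Administer limited to one named account (hypothetical
# user 'release-engineer'); everyone else who logs in gets read-only access.
HARDENED_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>USER:hudson.model.Hudson.Administer:release-engineer</permission>
    <permission>GROUP:hudson.model.Hudson.Read:authenticated</permission>
    <permission>GROUP:hudson.model.Item.Read:authenticated</permission>
  </authorizationStrategy>
  <securityRealm class="org.jenkinsci.plugins.GithubSecurityRealm">
    <clientID>PLACEHOLDER_CLIENT_ID</clientID>
  </securityRealm>
</hudson>"""


def _text(el, tag):
    """Stripped text of a child element, or '' when the element/child is absent."""
    return (el.findtext(tag) or "").strip() if el is not None else ""


def _admin_sids(strategy):
    """SIDs holding Administer in a matrix strategy. Entries are written as
    'NAME:sid' (older Jenkins) or 'USER:NAME:sid' / 'GROUP:NAME:sid' (newer)."""
    sids = []
    for perm in strategy.iter("permission"):
        name, _, sid = (perm.text or "").strip().rpartition(":")
        if name.split(":")[-1] == ADMIN_PERMISSION:
            sids.append(sid)
    return sids


def audit_jenkins_config(xml_text):
    """Return a list of human-readable findings; an empty list means no issue found."""
    root = ET.fromstring(xml_text)
    findings = []
    if _text(root, "useSecurity").lower() != "true":
        findings.append("security disabled (useSecurity != true)")

    auth = root.find("authorizationStrategy")
    auth_class = auth.get("class", "") if auth is not None else ""
    if auth is None or auth_class.endswith("AuthorizationStrategy$Unsecured"):
        findings.append("authorization: Unsecured, anyone (even anonymous) is admin")
    elif auth_class.endswith("FullControlOnceLoggedInAuthorizationStrategy"):
        findings.append("authorization: every logged-in account gets full control")
        if _text(auth, "denyAnonymousReadAccess").lower() != "true":
            findings.append("authorization: anonymous read access allowed")
    elif "MatrixAuthorizationStrategy" in auth_class:
        for sid in _admin_sids(auth):
            if sid in RISKY_SIDS:
                findings.append(f"authorization: Administer granted to group '{sid}'")

    realm = root.find("securityRealm")
    realm_class = realm.get("class", "") if realm is not None else ""
    if realm is None or realm_class.endswith("SecurityRealm$None"):
        findings.append("security realm: none, no authentication at all")
    elif realm_class.endswith("HudsonPrivateSecurityRealm") and _text(realm, "disableSignup").lower() != "true":
        findings.append("security realm: open self-registration")
    return findings


if __name__ == "__main__":
    # Usage: python audit_jenkins.py [/path/to/config.xml]; with no path the samples are audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"weak": WEAK_CONFIG, "open-matrix": OPEN_MATRIX_CONFIG, "hardened": HARDENED_CONFIG}
    for label, xml_text in samples.items():
        print(f"[{label}] " + (", ".join(audit_jenkins_config(xml_text)) or "no findings"))
```

Anything that shows up as a finding here is a setting worth reviewing in Manage Jenkins > Security: the goal is that Overall/Administer (which is what the Script Console and plugin installation require) is held only by named, trusted accounts, never by the built-in "authenticated" or "anonymous" groups.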

Do read the detailed post by nahamsec: https://nahamsec.com/secure-your-jenkins-instance-or-hackers-will-force-you-to/

Note: The issue was reported and has been mitigated. This blog post was written after getting permission from the CTO, Matt ( https://twitter.com/mshmsh5000 ) 🙂. Also, DoSomething doesn't have a bug bounty program anymore, so kindly avoid any kind of testing.

Thanks for Reading ^_^

About the Author

Muhammad Khizer Javed

Ethical Hacker, Bug Bounty Hunter/ Pentester & Gamer
