Creating A Malicious Project


As discovered previously, the Jenkins instance hosted over the Web server on the target port 8080 allows essentially anyone to create a build, which will likely be executed by the listed node

Here, I will attempt to create a malicious project that would perform code execution on the target system

I will first give it a name, RCE, and select the Freestyle project

A brief description

While there are a lot of options available for the build trigger, I will go with the Trigger builds remotely option and give it a token, iamatoken. Navigating to http://object.htb:8080/job/RCE/build?token=iamatoken would later trigger the build

Additionally, this could be changed to other options, such as Build periodically, to control the flow of code execution at a later stage

Now, here is the Build itself, and code execution comes down to the following 2 options:

  1. Execute Windows batch command:
    • This option is intended for running Windows batch scripts or commands.
    • It will use the Windows Command Prompt (cmd.exe) as the shell environment.
    • If your commands are Windows-specific or written in batch scripting, this is the option to choose.
  2. Execute shell:
    • This option is intended for running Unix/Linux shell commands or scripts.
    • It will use a Unix-like shell, such as bash, when running on Unix/Linux agents.
    • However, on a Windows agent, it will use Windows PowerShell (powershell.exe) by default. Jenkins tries to provide a consistent experience across different agents, and PowerShell is more versatile and cross-platform than cmd.exe.

Therefore, I will first set it up with the commands above to confirm the code execution

Saving

The project is configured and all set for build
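
A defender-side check for the configuration described above, as an added example that is not part of the original write-up: it reads a freestyle job's config.xml and reports a remote trigger token, a periodic schedule, and any build step that runs OS commands. The sample XML and its `whoami` command are constructed; the element names are the ones Jenkins writes for freestyle jobs.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a freestyle job config.xml shaped like the project
# described above (remote trigger token plus a Windows batch build step).
SAMPLE_CONFIG = """<project>
  <description>A brief description</description>
  <authToken>iamatoken</authToken>
  <triggers/>
  <builders>
    <hudson.tasks.BatchFile>
      <command>whoami</command>
    </hudson.tasks.BatchFile>
  </builders>
</project>
"""

# Build-step elements that run operating-system commands on the node.
COMMAND_STEPS = {
    "hudson.tasks.BatchFile": "Execute Windows batch command",
    "hudson.tasks.Shell": "Execute shell",
}


def audit_job_config(name, config_xml):
    """Return a list of findings for one job's config.xml."""
    root = ET.fromstring(config_xml)
    findings = []
    # Report only the token length so the audit output does not leak it.
    token = (root.findtext("authToken") or "").strip()
    if token:
        findings.append(f"{name}: 'Trigger builds remotely' enabled "
                        f"(token length {len(token)})")
    spec = root.findtext("triggers/hudson.triggers.TimerTrigger/spec")
    if spec and spec.strip():
        findings.append(f"{name}: 'Build periodically' schedule {spec.strip()!r}")
    for step in root.findall("builders/*"):
        label = COMMAND_STEPS.get(step.tag)
        if label:
            cmd = (step.findtext("command") or "").strip()
            findings.append(f"{name}: {label} step runs {cmd!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_job_config("RCE", SAMPLE_CONFIG):
        print(finding)
```

Run over every job's config.xml, the findings give a review list of jobs that can be started with a URL token or a timer and that execute commands on a node.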

Initial Fail


Since I have selected the Trigger builds remotely option with the trigger URL, I will trigger the initial build

Refreshing the project page now shows the new build entry

However, the build seems to have failed

I will check the Console Output

Debug


There is a lot of information within the console output

  • The Jenkins instance is running with privileges of the SYSTEM account
  • Building is taking place under the home directory of the oliver user
    • This may suggest that the build process is started by the oliver user
  • The error itself is due to the program not being able to find the sh binary
    • This is rather contradictory to the official Documentation of Jenkins
      • Likely due to the target instance being older; Jenkins 2.317

Success


Due to the build failure above, I would need to modify the project to change the Build option to “Execute Windows batch command”

Triggering the Build

There is the #2 Build that appears to have succeeded

Checking the Console Output confirms OS command execution, indicating the potential for establishing a dedicated shell or PowerShell session using a reverse shell. However, there is a hidden caveat