Breach the Build: Exploiting Jenkins (CVE-2024-23897)


Josh Beck

iCSI Security Operations Center Classroom @ NEISD. (San Antonio, TX)

Lab sheet with VM Download linked below.

Topics Covered:

- Understanding CI/CD: Participants will start with the basics, learning what Jenkins is and its role in automating aspects of software development through continuous integration/continuous deployment (CI/CD), a fundamental concept for Security+ certification.
- File Descriptors: The lab introduces file descriptors, focusing on STDOUT and STDERR, teaching participants how to manipulate these streams. This knowledge is crucial for effectively managing output during penetration testing.
- Output Suppression and Redirection: Building on file descriptors, participants will practice suppressing and redirecting output based on the file descriptor involved, a vital skill in the toolkit of any aspiring penetration tester.
- Jenkins Credentials: The activity targets Jenkins deployments, guiding participants on how to locate stored user and password information.
- Password Cracking with Hashcat: Participants extract credentials and use Hashcat to crack them.
- Reverse Shell Testing: A highlight of the lab, this section challenges participants to use Jenkins’ built-in Groovy script console to establish a reverse shell, engaging in a process of very typical trial and error to achieve remote command execution.
- Privilege Escalation: Once shell access is secured, participants will identify and exploit a binary with the SUID bit set for privilege escalation, learning about the significance of the SUID bit and its role in Unix-like operating systems.

VM with Download can be found here:
