Assalam Alaikum everyone! Welcome to another bug hunting write-up about Jenkins Remote Code Execution, which I reported four years ago on 30th August 2020. I won’t take much of your time with my introduction, which you can read in my first write-up here.
This is my third consecutive bug hunting write-up, and I have many more queued up. Don’t forget to follow me here for future updates.
I was looking for a target on the HackerOne platform to hunt for vulnerabilities when I suddenly came across a domain containing the keyword ‘Jenkins’, which immediately caught my attention. Let’s call it REDACTED.COM for the sake of this write-up.
Domain was something like this:
jenkins.nc.opensource.REDACTED.COM
What is Jenkins?
Jenkins is an open source automation server. It helps automate the parts of software development related to building, testing, and deploying, facilitating continuous integration and continuous delivery. It is a server-based system that runs in servlet containers such as Apache Tomcat.
This was my first experience encountering a Jenkins instance. Before this, I hadn’t encountered Jenkins in my bug hunting journey or penetration testing projects. However, I was aware that bug hunters target Jenkins for vulnerabilities.
During my testing, I discovered that Jenkins has a history of vulnerabilities, many of which require authentication. I read numerous articles about Remote Code Execution on Jenkins public dashboards “without authentication”, but not a single article discussed unauthenticated RCE.
So at this point, I needed to figure out a way to authenticate to the Jenkins instance in order to achieve Remote Code Execution.
At that moment, there were three possibilities:
1. Find leaked credentials somewhere.
2. Exploit a known CVE to authenticate.
3. Exploit a misconfiguration to gain authentication.
Since the first two possibilities didn’t work well, I shifted my focus to finding another approach.
After searching through numerous articles, HackerOne reports, and blogs, I…