Exploiting Jenkins with pwn_jenkins
Jenkins is a widely used automation server that can sometimes be misconfigured or left exposed, leading to potential security vulnerabilities. The pwn_jenkins project provides a powerful Python script to exploit such scenarios by leveraging the Jenkins script console.
About pwn_jenkins
The pwn_jenkins tool is designed to exploit the Jenkins Script Console on a Jenkins instance where you're already authenticated and the script console is accessible. It provides the ability to:
- Upload a JSP webshell
- Interact with the shell to run commands
- Retrieve the output of commands from the compromised Jenkins server
GitHub Repository: https://github.com/gquere/pwn_jenkins
How it Works
The script uses Jenkins' /script endpoint to upload a JSP webshell by leveraging Groovy code execution. Once the webshell is deployed, the script can be used to send system commands and retrieve outputs through the web interface.
Webshell Mechanism
- The webshell uses a parameter (cmd) to execute system commands.
- Jenkins stores the output of these commands in a specific file.
- A second request retrieves the output of the command from that file.
This two-step mechanism ensures reliable command execution and response retrieval.
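On the defensive side, the sequence described above (a POST to the script console followed by JSP requests carrying a cmd parameter) can be looked for in HTTP access logs. The Python below is an added example, not code from pwn_jenkins or from the original page; it assumes a reverse proxy in front of Jenkins that writes common-log-format lines, and the sample lines, the JSP file name and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic; example.jsp is a placeholder).
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Mar/2024:10:01:02 +0000] "GET /job/build-app/ HTTP/1.1" 200 5120
10.0.0.9 - svc-ci [12/Mar/2024:10:03:11 +0000] "POST /script HTTP/1.1" 200 812
10.0.0.9 - - [12/Mar/2024:10:03:15 +0000] "GET /example.jsp?cmd=id HTTP/1.1" 200 64
10.0.0.9 - - [12/Mar/2024:10:03:16 +0000] "GET /example.jsp HTTP/1.1" 200 40
10.0.0.7 - bob [12/Mar/2024:10:05:00 +0000] "GET /manage/script HTTP/1.1" 200 9000
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+')

def classify(line):
    """Return (client_ip, finding) for a suspicious line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped, not flagged
    url = urlsplit(m["target"])
    path = url.path.rstrip("/")
    # Groovy submitted to the script console arrives as a POST; a GET only views the form.
    if m["method"] == "POST" and path.endswith(("/script", "/scriptText")):
        return m["ip"], "script-console-exec"
    # A JSP requested with a cmd parameter matches the webshell mechanism above.
    if path.lower().endswith(".jsp") and "cmd" in parse_qs(url.query, keep_blank_values=True):
        return m["ip"], "jsp-cmd-param"
    return None

def scan(log_text):
    """Map each client IP to its findings, in log order."""
    findings = {}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            findings.setdefault(hit[0], []).append(hit[1])
    return findings

def correlated(findings):
    """Clients that ran console code and afterwards sent cmd= to a JSP."""
    return sorted(ip for ip, ev in findings.items()
                  if "script-console-exec" in ev
                  and "jsp-cmd-param" in ev[ev.index("script-console-exec") + 1:])

if __name__ == "__main__":
    print(scan(SAMPLE_LOG), correlated(scan(SAMPLE_LOG)))
```

A POST to the script console on its own can be legitimate administration; the correlated result is the higher-confidence signal, and any JSP file appearing on a Jenkins host is worth reviewing regardless.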
Usage
Requirements
- Python 3.x
- requests module (pip install requests)
- Valid Jenkins credentials or session (e.g., cookie or basic auth)
Running the Exploit
python3 pwn_jenkins.py --url http://<jenkins-url> --user <username> --password <password>
You will then get a shell-like interface to run commands on the compromised Jenkins server.
Options
- --url: Target Jenkins URL
- --user: Jenkins username (optional if using cookie)
- --password: Jenkins password (optional if using cookie)
- --cookie: Use a session cookie for authentication
Features
- Deploys a JSP webshell on the Jenkins server
- Provides an interactive shell interface
- Simple and easy-to-use CLI
- Supports both Basic Auth and Cookie-based authentication
Limitations
- You must already have access to the Jenkins script console
- It does not provide exploitation methods to bypass authentication
Disclaimer
This tool is for educational purposes only. Usage of pwn_jenkins for attacking targets without prior mutual consent is illegal and unethical.
Author
Developed by Guillaume Quere
GitHub Repo: https://github.com/gquere/pwn_jenkins