8080, 50000 - Jenkins

Theory

Jenkins is an orchestrator during the deployment process of the source code. During a normal deployment, Jenkins will be scheduled to a daily interval (or something else) to go and check the source code repository, for example, GitHub

(so it needs credentials to be stored in Jenkins in order to log in to the repository). Next, it will compile the source code fetched from the repository and run some automated tests (e.g., unit tests, regression tests, static code analysis for security, etc.). If all the tests pass without any failures, then it deploys the source code to the development server (dedicated to developers) and the QA server (dedicated to QA analysts) as well. The web portal that manages Jenkins will be listening on HTTP port 8080 by default. Also, Jenkins will be listening on TCP port 50000; this port is used to connect a master node to one or multiple slave instances. To access the web portal, you will need valid credentials to be able to get in and make changes.

During the enumeration phase, you should be looking for two things:

• Brute‐forcing credentials

• Identify if the installed version is exploitable

Practical

Basic Nmap Scan

nmap ‐sV ‐sC ‐O ‐T5 ‐p 8080,50000 <IP>

Brute Force Jenkins Web Portal

hydra -l [username] -f -e nsr -P [Passwords file] -s [port number]
[IP address] http-post-form "[URL Path : POST Form Contents : Error
Message]"

REFERENCES

• https://pentestbook.six2dez.com/enumeration/webservices/jenkins

• https://exploit-notes.hdks.org/exploit/web/jenkins-pentesting/

• https://hacktricks.boitatech.com.br/pentesting/pentesting-web/jenkins

• https://www.jenkins.io/doc/