How I got hall of fame in two fortune 500 companies — An RCE story…

After doing some recon from the target company’s IPs using shodan, I narrowed my attack vector to focus on exploiting some jenkins applications which did not seem to need credentials.Using the shodan dork below, I was able to get a list of unrestricted jenkins instances

Shodan dork for jenkins instances on port 8081 (Web GUI)

From the original target list I had, I was able to enumerate a few candidates for exploitation.I could see the unrestricted instances, where one could get the code that was being pushed by the company’s development team and one could also change the configuration. This could be enough to report and get bounty — due to lack of confidentiality. But, as they say..try harder!

From experience I have come to appreciate that the objective in bug bounty is to simulate a bigger impact as long as you are within the program’s bug bounty guidelines.

On closer inspection, some nodes had the jenkin instance with the ‘manage jenkins’ configuration option. I was fortunate enough to find 2 hosts with this configuration option.

ManageJenkins config option

I chose to install the terminal plugin on both and hence could exhibit that remote code execution was possible!

I quickly sent in my responsible disclosure email, and I got quick response; bounty and HoF followed :-)

A couple of weeks later, I replicated the same issue on another fortune 500 company — another one!

Further reading:

Twitter: Alfie