Today I want to talk about one of my recent findings in a HackerOne private program. It was a simple RCE on a publicly accessible Jenkins instance. So let’s get started.
I was invited to hunt on a private program on HackerOne which had a large scope, *.program.com. I started with basic recon and, using a script, found some IPs on which a Jenkins instance was running. All thanks to Armaan Pathan (SuperMan :D) for this awesome script.
I browsed to the IP and it had publicly available sign-up functionality. So I registered myself as a user and my account was successfully activated.
The next thing was to check whether /script (the script console, which allows executing our commands) was enabled or protected by any authentication. But I was not lucky this time :/ I got some weird error while executing “/etc/passwd” in the script console.
But wait a minute, I had the “Manage Jenkins” option available :) Without wasting time, I just installed the “Terminal” plugin in Jenkins, which basically allows executing OS commands.
All was good and I got the Terminal plugin installed, through which I could execute commands.
I got RCE :D
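As an added example (not part of the original post, and not the program’s actual configuration), here is a Jenkins Configuration as Code fragment that closes the two doors used above: it disables self sign-up in the local security realm, and it restricts Overall/Administer (the permission behind “Manage Jenkins”, plugin installation and the /script console) to a named admin while giving every other authenticated user read-only access. The user names, the ADMIN_PASSWORD variable and the matrix-auth `entries` layout (3.x format) are assumptions.

```yaml
# Hypothetical jenkins.yaml for the Configuration as Code plugin (assumed layout).
jenkins:
  securityRealm:
    local:
      # The finding above started with open registration; turn it off so
      # anonymous visitors cannot create their own accounts.
      allowsSignup: false
      users:
        - id: "admin"                       # assumed admin user name
          password: "${ADMIN_PASSWORD}"     # supplied via environment, never committed

  authorizationStrategy:
    globalMatrix:
      entries:
        # Only this account can reach Manage Jenkins, install plugins
        # (such as Terminal) or run Groovy in the script console.
        - user:
            name: "admin"
            permissions:
              - "Overall/Administer"
        # Everyone who logs in gets read-only visibility and nothing more;
        # no Overall/Administer, so no plugin installs and no /script.
        - group:
            name: "authenticated"
            permissions:
              - "Overall/Read"
              - "Job/Read"
        # Anonymous users get no entry at all, so the instance shows only a login page.
```

After applying such a configuration, a quick check is to log in as a non-admin test account and confirm that “Manage Jenkins” is absent from the sidebar and that /script returns 403; also review the installed plugins list for anything (like Terminal) that grants shell access and remove it if it is not needed.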
The bounty amount was a bit high (even I was shocked) as that was the IP of their main domain.