Story of my Biggest Bounty ever: Command Execution on Jenkins

Jay Jani
Jul 11, 2019 · 3 min read

Hello friends,

Today I want to talk about one of my recent findings on a HackerOne private program. It was a simple RCE on a publicly accessible Jenkins instance. So let’s get started.

I was invited to hunt on a private program on HackerOne which had a large scope (*.program.com). I started with basic recon and, using a script, got some IPs on which a Jenkins instance was available. All thanks to Armaan Pathan (SuperMan :D) for this awesome script.


I browsed to the IP and it had publicly available sign-up functionality. So I registered myself as a user and my account was successfully activated.


The next thing was to check whether /script (the script console, which allows executing our commands) was enabled or had any authentication. But I was not lucky this time :/ I got some weird error while executing “/etc/passwd” in the script console.


But wait a min, I had the “Manage Jenkins” option available :) Without wasting time, I installed the “Terminal” plugin in Jenkins, which basically allows executing OS commands.


All was good and I got the Terminal plugin installed, through which I could execute commands.


I got RCE :D
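The chain above depended on three settings: open self-signup, an authorization strategy that handed “Manage Jenkins” to every logged-in account, and (through that) plugin installation and the script console. As an added hardening example, not code from the original post, here is a Jenkins init script that closes all three; it assumes the matrix-auth plugin is installed and that the admin account name and password are supplied through the environment variables named in the comments.

```groovy
// Place in $JENKINS_HOME/init.groovy.d/ so it runs when the controller starts.
// Added example, not from the original post. Assumes the matrix-auth plugin is
// installed and that JENKINS_ADMIN_USER / JENKINS_ADMIN_PASSWORD are set in the
// controller's environment (names chosen here, not Jenkins defaults).
import jenkins.model.Jenkins
import hudson.security.HudsonPrivateSecurityRealm
import hudson.security.GlobalMatrixAuthorizationStrategy

def jenkins = Jenkins.get()
def adminUser = System.getenv("JENKINS_ADMIN_USER") ?: "jenkins-admin"
def adminPass = System.getenv("JENKINS_ADMIN_PASSWORD")
if (!adminPass) {
    // Refuse to lock the instance down with no admin to log in afterwards.
    throw new IllegalStateException("JENKINS_ADMIN_PASSWORD is not set")
}

// Weak setting (what the post ran into): new HudsonPrivateSecurityRealm(true, false, null)
// exposes /signup, so anyone on the network can create an account.
// Corrected: allowsSignup = false; only an admin creates accounts.
def realm = new HudsonPrivateSecurityRealm(false, false, null)
if (!realm.getAllUsers().any { it.id == adminUser }) {
    realm.createAccount(adminUser, adminPass)
}
jenkins.setSecurityRealm(realm)

// Weak setting: "Logged-in users can do anything"
// (hudson.security.FullControlOnceLoggedInAuthorizationStrategy) gives every
// account Overall/Administer, which is what makes "Manage Jenkins", plugin
// installation and /script reachable for a self-registered user.
// Corrected: matrix authorization with Administer only for the named admin and
// read-only access for everyone else who is authenticated.
def strategy = new GlobalMatrixAuthorizationStrategy()
strategy.add(Jenkins.ADMINISTER, adminUser)
strategy.add(Jenkins.READ, "authenticated")
jenkins.setAuthorizationStrategy(strategy)

jenkins.save()
```

After a restart, /signup returns an error instead of a form, and a non-admin account no longer sees “Manage Jenkins”, the plugin manager or the script console.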


The bounty amount was a bit high (even I was shocked), as that was the IP of their main domain.


Reference:
#BugBounty — From finding Jenkins instance to Command Execution. Secure your Jenkins Instance! by Avinash Jain

Shodan + Jenkins to get RCEs on Servers by Uranium238
