What could possibly be better than Finding a P2 in two minutes with Shodan.io?
Easy answer: higher severity, less time!
As usual, I was looking for random servers on Shodan, owned by a company which had a bug bounty program that I was targeting.
After a while I came across a few Jenkins instances which were in-scope.
The first one was pretty boring, it seemed up-to-date and there were no public exploits that could have been useful.
The second instance, though, was much more interesting.
Although it was up-to-date as well, just like the previous one, there was a link to create new accounts in the login screen.
It looked like this:
At this point I tried to sign up and it worked flawlessly.
After logging in, I was able to see everything: usernames, build history and so on.
I could have reported this finding by now, but since in Jenkins there’s an easy way to run commands on the server I had to try it!
To do that, I went to jenkins-subdomain.redacted.com/script.
Here there was a console where I could write commands and execute them:
In the picture above you can see the output of the ls command (“ls /”.execute().text), which returned as output the folders in the server’s root directory. RCE!
Lessons learned
You may be wondering how a company running a bug bounty program could let a Jenkins instance misconfigured in such a bad way.
In this case, I believe that the developer who installed Jenkins thought that running it on a non-standard port was enough to hide it from the whole internet.
Unfortunately for him, search engines like Shodan have proved that’s a faulty assumption which should never be made: security by obscurity never worked, and never will.
Thank you for reading, for more writeups and infosec-related news you can follow me on Twitter (@sw33tLie).
