Finding a P1 in one minute with (RCE)

What could possibly be better than Finding a P2 in two minutes with
Easy answer: higher severity, less time!

As usual, I was looking for random servers on Shodan, owned by a company which had a bug bounty program that I was targeting.
After a while I came across a few Jenkins instances which were in-scope.
The first one was pretty boring, it seemed up-to-date and there were no public exploits that could have been useful.

The second instance, though, was much more interesting.
Although it was up-to-date as well, just like the previous one, there was a link to create new accounts in the login screen.
It looked like this:

At this point I tried to sign up and it worked flawlessly.
After logging in, I was able to see everything: usernames, build history and so on.

I could have reported this finding by now, but since in Jenkins there’s an easy way to run commands on the server I had to try it!
To do that, I went to
Here there was a console where I could write commands and execute them:

In the picture above you can see the output of the ls command (“ls /”.execute().text), which returned as output the folders in the server’s root directory. RCE!

You may be wondering how a company running a bug bounty program could let a Jenkins instance misconfigured in such a bad way.
In this case, I believe that the developer who installed Jenkins thought that running it on a non-standard port was enough to hide it from the whole internet.

Unfortunately for him, search engines like Shodan have proved that’s a faulty assumption which should never be made: security by obscurity never worked, and never will.

Thank you for reading, for more writeups and infosec-related news you can follow me on Twitter (@sw33tLie).

Bug bounty hunter

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store