Jenkins
JenkinsHudsonCI Server
Jenkins is a CI/CD automation server. RCE via unchecked script console, insecure Groovy script execution, and exposed credentials in build logs.
Ports
| Port | Protocol | Description |
|---|---|---|
| 8080 | tcp | Jenkins HTTP |
| 50000 | tcp | Jenkins slave agent |
Fingerprints
| Banner / Probe | Expected Response |
|---|---|
nmap -sV -p <port> <target> | Service banner and version info |
nc -nv <target> <port> | Raw banner grab |
Key Files
| Path | Description |
|---|---|
.env | Environment variables with API keys and DB creds |
config.php | Application configuration file |
wp-config.php | WordPress database credentials |
web.config | IIS configuration file |
.git/config | Git repository configuration |
robots.txt | Disallowed paths (information disclosure) |
sitemap.xml | URL structure enumeration |
Default Credentials
| Username | Password | Context |
|---|---|---|
admin | admin | Default admin account |
Known CVEs
| Identifier | Type | Description |
|---|---|---|
CVE-2024-23897 | RCE | CLI argument injection |
CVE-2018-1999002 | RCE | Groovy sandbox bypass |
Exploitation Primitives
| Technique | Tool / Command | Result |
|---|---|---|
| Script Console | http://<target>:8080/script | Groovy script RCE |
| CLI RCE | java -jar jenkins-cli.jar -s http://<target>:8080 who-am-i | CLI command execution |
Notes
Always start with full port scan: `nmap -sV -sC -p- <target>`.
Check for default credentials before brute-forcing.
Use service-specific NSE scripts: `nmap --script <service>-* -p <port> <target>`.
Remember to check both IPv4 and IPv6 if applicable.
Seen on
ShodanCensysFOFAZoomEye
References