Builder

10.10.11.10

Nmap

22
8080

8080

Jenkins running on , some enumeration get me to the version of jenkins which is 2.441 and quick searchsploit give me a public exploit through which i can perform LFI :-

Jenkins 2.441 - Local File InclusionExploit Database

CVE - 2024 - 23897

GitHub - godylockz/CVE-2024-23897: POC for CVE-2024-23897 Jenkins File-ReadGitHub

In this POC i found some interesting file path :-

/var/jenkins_home/users/users.xml 

/var/jenkins_home/users/<user_directory>/config.xml

/var/jenkins_home/users/users.xml

Doing LFI for this file give me xml string , which i guess is some kind of <user_directory>

<string>jennifer_12108429903186576833</string>

/var/jenkins_home/users/<user_directory>/config.xml

Doing LFI for the /var/jenkins_home/users/jennifer_12108429903186576833/config.xml gives me the hash for the specific user :-

<passwordHash>#jbcrypt:$2a$10$UwR7BpEH.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a</passwordHash>

Cracking hash

i got password princess , which i tried for SSH but does not work.

hashcat -m 3200 hash /usr/share/wordlist/rockyou.txt 

john --format=bcrypt --wordlist=/usr/share/wordlist/rockyou.txt

PreviousSeal NextJeeves

Last updated 1 year ago

hashtagNmap

hashtag8080

hashtagCVE - 2024 - 23897

hashtag/var/jenkins_home/users/users.xml

hashtag /var/jenkins_home/users/<user_directory>/config.xml