Good evening friends. Welcome back to Kanishkashowto. Today we will see how to hack remote PC with Jenkins CLI RMI Java Deserialization exploit. It exploits a vulnerability in Jenkins. If you don’t know what Jenkins is, it is “an award-winning, cross-platform, continuous integration and continuous delivery application that increases your productivity. You can use Jenkins to build and test your software projects continuously making it easier for developers to integrate changes to the project, and making it easier for users to obtain a fresh build. It also allows you to continuously deliver your software by providing powerful ways to define your build pipelines and integrating with a large number of testing and deployment technologies.” An unsafe deserialization bug exists on the Jenkins master, which allows remote arbitrary code execution. The good thing is authentication is not required to exploit this vulnerability. This exploit works on Jenkins 1.637 version. Ufff, lot of theory, now let’s get into some real stuff.
Start Metasploit and load the exploit as shown below. Type command “show options” to see what are the options required. Set the target address as shown below.
Type command “show payloads” to see the available payloads for this exploit.
Set any payload you want. I chose the above highlighted payload. Set the payload as shown below.
Ok. Run the exploit as shown below. You should get access to the remote system’s shell as shown below.
You can run any commands as shown below.