How I found misconfigured Jenkins instances of different organizations
Here the story goes. One fine day I was looking for an open Jenkins instance online using google dorks intitle:”Dashboard [Jenkins]” Credentials and found many open Jenkins instance dashboards that don’t require any authentication. And started going through each one of the results from a search and found some of the instances were dummy instances that are created to try out Jenkins pipelines and started looking for some interesting and juicy information in the builds console output and no luck in here.
Here comes the next part of the story which is interesting. After digging into all the open Jenkins instances from google dork search results. Google dorks will not provide all the results, it can only provide results from the surface web. Then I started looking for hidden Jenkins instances using Shodan. Here is a little about shodan.
Shodan is a search engine that lets the user find specific types of computers connected to the internet using a variety of filters. Some have also described it as a search engine of service banners, which are metadata that the server sends back to the client.
And one interesting thing is shodan also has dorks to filter out the results. Here is the list of shodan-dorks. And it provides results for open webcams, IP cams, ICS, SCADA, Printers, HomeDevices, IoT devices, Unsecured routers, etc. In simple words, it’s a search engine for IoT devices.
I have used this query x-jenkins 200 to find out the open Jenkins Instances from shodan search engine. And found there are many open Jenkins instances that are incorrectly configured. And started digging into each of the results. And checking the console outputs of the builds. And finally, I found one of the Jenkins instances that belong to [XYZ] organization which requires authentication. And provided an option signin with GitHub and I tried signing in with my GitHub account and Voila!!! I have successfully logged in to the Jenkins instance with my GitHub account. And started looking into the builds and console outputs and still I need to find whether this instance belongs to [XYZ] organization or not. And then I selected the people option to see the list of users who have access to the Jenkins instance and found there were more than 50 members from the organization who have access to the instance.
And started digging into the console outputs of the builds. And I was able to trigger the builds from Jenkins dashboard set params and edit configurations.
And I started looking for users online using some OSINT techniques and found that users belong to the [XYZ] organization. And then reported this to [XYZ] organization and received appreciation.
Here are the tips to access the protected jenkins instances.
- Use of default credentials
- If it provides 3rd party login like sign-in with GitHub, etc. Try logging in with those accounts.
My findings using Shodan
Here is the glance of open jenkins instances that are publicly accessible.
There are ways to exploit the open Jenkins instance.
- Getting access to secrets and keys from console output.
- Getting keys from Jenkins configuration and access to private repositories.
- RCE from terminal plugin in Jenkins dashboard.
H1 reports on misconfigured or publicly accessible Jenkins instances
Snapchat disclosed on HackerOne: Open prod Jenkins instance
@preben_ve found a Jenkins instance where they could login with any valid Google account. Once logged in, they gained…
Snapchat disclosed on HackerOne: RCE/LFI on test Jenkins instance...
@nahamsec found a test Jenkins instance where they could login with any valid Google account. Once logged in, they…
Ubiquiti Inc. disclosed on HackerOne: Public Jenkins instance with...
Ubiquiti exposed a Jenkins server on the internet without any authentication, this allowed me to reach the AWS metadata…
Udemy disclosed on HackerOne: Completed Compromise & Source Code...
I discovered a critical information disclosure bug via an exposed Jenkins dashboard located at…
U.S. Dept Of Defense disclosed on HackerOne: Public instance of...
Summary:** An Amazon instance was found on https://█████/ running Jenkins. On analysing the SSL certificate, I reported…
Thanks for reading