Thursday, 14 October 2021

Pentesting Jenkins

Some time ago I started a small project called 'enlil'. As you already know - I'm using it during pentests and redteam projects. Below you'll find a few notes about the test prepared for Jenkins. Here we go...

This time we'll start here:

 

Last week, during one of the tests I prepared another small "module" we can use to get a reverse shell on the target box. 

Before we continue: let's (use docker or) run Bitnami's version of Jenkins:


When all is prepared and ready:


We should be somewhere here:

 
To continue - let's try with Bitnami's credentials:
 

 
With working credentials - we can easily continue our way to get a shell. To do that simply create a 'new project':
 

Next - you have to choose the way you'd like to add your "new project code" to Jenkins. I decided to use a Linux console:

 
If you want - there are also other ways to upload a webshell. Feel free to read the other options available for your 'new projects'. ;) 
 

 
For example:
 

 
At this stage - if you are not familiar with Jenkins scripting - it will be a good idea to visit this link and read a bit more about it:
 



 I started here:

 
After a while you should be ready to prepare your own first script for Jenkins :) Check it out:
 

 
If all is ready - you should be somewhere here:

 
As this exercise is pretty simple - full code of (the very first version ;) of) the enlil's module is presented below:
 

The commercial version of the scanner is not publicly available so far.
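
Seen from the defender's side, the 'new project' created above is stored as a freestyle job whose config.xml contains an "Execute shell" build step. The following is an added example, not part of enlil or of the original post: it lists every shell or batch build step in a job's config.xml and flags commands that open raw network connections. The function name, the pattern list and the sample XML are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET

# Build-step elements Jenkins writes into a freestyle job's config.xml for
# "Execute shell" and "Execute Windows batch command".
BUILDER_TAGS = ("hudson.tasks.Shell", "hudson.tasks.BatchFile")

# Illustrative heuristics (an assumption of this example, not a complete rule
# set): commands that open raw network connections from a build step.
SUSPICIOUS = re.compile(r"/dev/tcp/|\b(?:nc|ncat|netcat|socat)\b|\bmkfifo\b")

# Constructed sample config.xml; 192.0.2.10 is a documentation-only address.
SAMPLE_CONFIG = """<project>
  <builders>
    <hudson.tasks.Shell>
      <command>make test</command>
    </hudson.tasks.Shell>
    <hudson.tasks.Shell>
      <command>nc 192.0.2.10 4444</command>
    </hudson.tasks.Shell>
  </builders>
</project>"""


def audit_job_config(job_name, config_xml):
    """Return one finding per shell/batch build step found in config_xml."""
    root = ET.fromstring(config_xml)
    findings = []
    for tag in BUILDER_TAGS:
        for step in root.iter(tag):
            command = (step.findtext("command") or "").strip()
            findings.append({
                "job": job_name,
                "builder": tag,
                "command": command,
                "suspicious": bool(SUSPICIOUS.search(command)),
            })
    return findings


if __name__ == "__main__":
    for f in audit_job_config("sample-job", SAMPLE_CONFIG):
        flag = "REVIEW" if f["suspicious"] else "ok"
        print(f"[{flag}] {f['job']} {f['builder']}: {f['command']}")
```

On a real controller the input would be each job's config.xml under the Jenkins home directory; every listed step is worth a look, since any account that can configure a job can run commands on the build node.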

 

 

Got a question for more targeted attack/pentest scenarios? Ask here.

 

 

See you next time! ;)

 

Cheers

 







