From Shodan to Remote Code Execution #1 – hacking Jenkins

In this era of extreme automation, whether for development, programming, deployment or even security management, are we getting closer to security maturity, or are we better off without the automation?

In the next few posts, I hope to look at some of the tools and applications that enterprises deploy for automation and better security but which end up exposing them and increasing their attack surface. We start with Jenkins.

Jenkins is an open source automation server written in Java. Jenkins helps to automate the non-human part of the software development process, with continuous integration and by facilitating the technical aspects of continuous delivery. It is a server-based system that runs in servlet containers such as Apache Tomcat. It supports version control tools, including AccuRev, CVS, Subversion, Git, Mercurial, Perforce, ClearCase and RTC, and can execute Apache Ant, Apache Maven and sbt based projects as well as arbitrary shell scripts and Windows batch commands.

It is used by many organizations globally, and a quick Shodan search turns up over 300,000 instances publicly accessible over the internet.

[Screenshot: usage]

We quickly narrow the search to instances listening on port 8081, and the figure goes down.

[Screenshot: Shodan results for port 8081]

Of these, some require credentials... and some don't 🙂. Some even expose the Manage Jenkins option, which means, among other things, that we are a somewhat privileged user (e.g. the jenkins user) and can install plugins of our choice.

[Screenshot: dashboard]

Most people I know would opt to install the terminal plugin, for obvious reasons.

[Screenshot: Manage Plugins]


Running some commands... :-O

[Screenshot: commands]

Enough!
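The fix for the state shown above, as an added example that is not part of the original post: a Jenkins `init.groovy.d` script that detects whether anonymous visitors hold ADMINISTER (or whether the Unsecured authorization strategy is in place) and, if so, switches the instance to its built-in user database with access only for logged-in users. The admin account name and the `JENKINS_ADMIN_PASSWORD` environment variable are assumptions; sites using LDAP or SSO would set a different realm.

```groovy
// Added hardening example (not the blog post's or the Jenkins project's code).
// Place in $JENKINS_HOME/init.groovy.d/ so it runs at startup.
// Assumes a stock Jenkins using the built-in user database.
import jenkins.model.Jenkins
import hudson.security.ACL
import hudson.security.AuthorizationStrategy
import hudson.security.HudsonPrivateSecurityRealm
import hudson.security.FullControlOnceLoggedInAuthorizationStrategy

def j = Jenkins.get()

// The condition from the post: anyone reaching the portal can open
// Manage Jenkins (the ADMINISTER permission) without logging in.
boolean anonIsAdmin = j.getACL().hasPermission(ACL.ANONYMOUS, Jenkins.ADMINISTER)
boolean unsecured   = j.getAuthorizationStrategy() instanceof AuthorizationStrategy.Unsecured
println "anonymous has ADMINISTER: ${anonIsAdmin}, strategy unsecured: ${unsecured}"

if (anonIsAdmin || unsecured) {
    // Built-in user database, no self sign-up, no captcha; create the first
    // admin from an environment variable (placeholder name "admin").
    def realm = new HudsonPrivateSecurityRealm(false, false, null)
    String pw = System.getenv("JENKINS_ADMIN_PASSWORD")
    if (pw == null || pw.isEmpty()) {
        throw new IllegalStateException("JENKINS_ADMIN_PASSWORD must be set before hardening")
    }
    realm.createAccount("admin", pw)
    j.setSecurityRealm(realm)

    // Logged-in users get full control; anonymous gets nothing, not even read,
    // so the dashboard and Manage Jenkins are no longer visible to Shodan visitors.
    def strategy = new FullControlOnceLoggedInAuthorizationStrategy()
    strategy.setAllowAnonymousRead(false)
    j.setAuthorizationStrategy(strategy)

    j.save()
    println "anonymous admin access removed; the portal now requires a login"
}
```

After the script has run once the condition no longer holds, so it is safe to leave in place; it only acts when the instance is open.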
