On-Premise-02: Exploiting Jenkins Args4j

Challenge Description: Secure Corp uses an automation server to manage their continuous integration and deployment pipeline. During a security review, you notice an unusual behavior in how the server processes certain command-line arguments. There’s a feature that allows an attacker to gain access to arbitrary files on the system’s file system without proper authentication. Your task is to exploit this weakness and uncover sensitive files.

  • Downloaded the Jenkins jar file.

  • Args4j vuln found (CVE-2024-23897): arbitrary file read.

Jenkins allowed public registration, so I registered a new user on Jenkins to use Groovy.

Identified interesting files:

  • Found secret.key at /var/jenkins_home/secret.key

  • /var/jenkins_home/flag.txt (decoy)

  • identity.key.enc

  • In the challenge description it's mentioned as a flag log, so I made a Groovy script to search for the string “flag” across the whole system.

  • Found a file named flag.log

Found the flag at /var/logs/flag.log

Flag = CWL{J3nK1ns_Th3_AuT0m@t10n_M@$t3r}
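
The open registration that gave a new account Groovy access is something a defender can check for in the controller's `config.xml`. The audit below is an added example, not part of the original write-up or the challenge; the sample XML is constructed, and it assumes the local user database realm with the "logged-in users can do anything" strategy, which the write-up does not state.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the security section of a Jenkins config.xml (assumed, not from the challenge host).
SAMPLE_CONFIG = """<hudson>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>false</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
</hudson>"""

FULL_CONTROL = "hudson.security.FullControlOnceLoggedInAuthorizationStrategy"
UNSECURED = "hudson.security.AuthorizationStrategy$Unsecured"
LOCAL_REALM = "hudson.security.HudsonPrivateSecurityRealm"


def is_true(node, tag):
    """True only if the child element <tag> exists and holds 'true'."""
    return node is not None and (node.findtext(tag) or "").strip() == "true"


def audit_jenkins_config(xml_text):
    """Return findings about self-registration and over-broad authorization."""
    root = ET.fromstring(xml_text)
    findings = []
    realm = root.find("securityRealm")
    signup_open = (realm is not None and realm.get("class") == LOCAL_REALM
                   and not is_true(realm, "disableSignup"))
    if signup_open:
        findings.append("open signup: anyone can create an account")
    authz = root.find("authorizationStrategy")
    authz_class = authz.get("class") if authz is not None else None
    if authz_class == UNSECURED:
        findings.append("authorization unsecured: anonymous users have full control")
    elif authz_class == FULL_CONTROL:
        findings.append("logged-in users have full control")
        if signup_open:
            findings.append("CRITICAL: self-registered accounts can reach the script console")
        if not is_true(authz, "denyAnonymousReadAccess"):
            findings.append("anonymous read access allowed")
    return findings


if __name__ == "__main__":
    for finding in audit_jenkins_config(SAMPLE_CONFIG):
        print(finding)
```

Setting `disableSignup` to `true` or moving to a matrix-based strategy that grants Overall/Administer only to named users removes the critical finding.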