update to run dynamic port and on a user

modules/vulnerabilities/unix/http/jenkins_cli/manifests/configure.pp

@@ -2,20 +2,28 @@
 # Configuration and extras for Jenkins cli
 #
 class jenkins_cli::configure {
-  $leaked_filenames = ['flagtest'] ##$secgen_parameters['leaked_filenames']
-  $strings_to_leak = ['this is a list of strings that are secrets / flags','another secret'] ##$secgen_parameters['strings_to_leak']
+  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $leaked_filenames = $secgen_parameters['leaked_filenames']
+  $strings_to_leak = $secgen_parameters['strings_to_leak']
 
   Exec { path => ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin'] }
 
-  $user = 'yong'#$secgen_parameters['leaked_username'][0]
+  $user = $secgen_parameters['leaked_username'][0]
   $user_home = "/home/${user}"
 
+  # Create user
+  user { $user:
+    ensure     => present,
+    home       => $user_home,
+    managehome => true,
+  }
+
   ::secgen_functions::leak_files { 'jenkins-flag-leak':
     storage_directory => $user_home,
     leaked_filenames  => $leaked_filenames,
     strings_to_leak   => $strings_to_leak,
-    owner             => 'root',
-    mode              => '0750',
+    owner             => $user,
+    mode              => '0644',
     leaked_from       => 'jenkins_cli',
   }
 }

modules/vulnerabilities/unix/http/jenkins_cli/manifests/install.pp

@@ -3,6 +3,11 @@
 # https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/jenkins_cli_deserialization.md
 class jenkins_cli::install {
   Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ] }
+
+  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $user = $secgen_parameters['leaked_username'][0]
+  $port = $secgen_parameters['port'][0]
+
   $modulename = 'jenkins_cli'
   $releasename = 'jenkins.war'
   $splits = ["${releasename}.partaa",
@@ -33,9 +38,9 @@ class jenkins_cli::install {
     command => "cat ${releasename}.parta* >/usr/local/bin/${releasename}",
   }
   -> file { '/etc/systemd/system/jenkins.service':
-    source => 'puppet:///modules/jenkins_cli/jenkins.service',
-    owner  => 'root',
-    mode   => '0777',
+    content => template("${modulename}/jenkins.service.erb"),
+    owner   => 'root',
+    mode    => '0755',
   }
   -> service { 'jenkins':
     ensure => running,

modules/vulnerabilities/unix/http/jenkins_cli/secgen_metadata.xml

@@ -27,37 +27,31 @@
   <read_fact>leaked_filenames</read_fact>
 
   <default_input into="port">
-    <value>8080</value>
+    <generator module_path=".*/random_unregistered_port" />
   </default_input>
 
-  <!-- flags or other secrets exposed after exploitation -->
   <default_input into="strings_to_leak">
-    <generator type="message_generator" />
+    <generator type="flag_generator" />
   </default_input>
 
   <default_input into="leaked_filenames">
-    <generator type="filename_generator" />
+    <value>flag</value>
+  </default_input>
+
+  <default_input into="leaked_username">
+    <generator type="username_generator" />
   </default_input>
 
   <!--optional
   vulnerability details-->
   <cve>CVE-2017-1000353</cve>
   <cvss_base_score>9.8</cvss_base_score>
-  <cvss_vector>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</cvss_vector>
-  <software_name>Jenkins</software_name>
-  <software_license>MIT</software_license>
+  <cvss_vector>AV:N/AC:L/Au:N/C:C/I:C/A:C</cvss_vector>
   <reference>
     https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/jenkins_cli_deserialization.rb</reference>
   <reference>
     https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/jenkins_cli_deserialization.md</reference>
-
-  <!--optional
-  hints-->
-  <hint>Navigate to IP:8080</hint>
-  <hint>Check Metasploit DB</hint>
-
-  <requires>
-    <module_path>openjdk-8</module_path>
-  </requires>
+  <software_name>Jenkins</software_name>
+  <software_license>MIT</software_license>
 
 </vulnerability>

modules/vulnerabilities/unix/http/jenkins_cli/templates/jenkins.service.erb

@@ -4,8 +4,8 @@ After=network.target
 
 [Service]
 Type=simple
-User=root
-ExecStart=/bin/sh -c "java -Djenkins.install.runSetupWizard=false -jar /usr/local/bin/jenkins.war"
+User=<%= @leaked_username %>
+ExecStart=/bin/sh -c "java -Djenkins.install.runSetupWizard=false -jar /usr/local/bin/jenkins.war --httpPort=<% @port %>"
 Restart=on-abort
 RestartSec=1