When scanning the machine, we get the following results:

```text
Nmap scan report for 10.129.96.74
Host is up (0.036s latency).
Not shown: 65532 filtered ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Mega Engines
5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8080/tcp open  http    Jetty 9.4.43.v20210629
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(9.4.43.v20210629)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 109.79 seconds
```
When looking at port 8080, we find a Jenkins instance with an open registration form. After registering there, we can create a new project via New Item -> Freestyle Project.
After job creation, we can add a build step named Execute Windows batch command. With this we can execute single commands on the host system, as Jenkins is configured to run jobs as
To trigger the job, we have to enable Trigger build remotely. Therefore, we add an authentication token to trigger a single build. We set the token to token, so our URL is
The output of the job script can be read via the Jenkins web UI. Via the output we are able to find the file C:\, which contains the flag.
Our full batch job script is:

```batch
rem Identify the account the Jenkins job runs as
whoami
rem Walk the file system from the drive root down to the user's profile
dir C:\
dir C:\Users
dir C:\Users\oliver
dir C:\Users\oliver\Desktop
dir C:\Users\oliver\Documents
rem Print the flag file into the build log
more C:\Users\oliver\Desktop\user.txt
```
By modifying the configuration file of Jenkins, it is also possible to get full administrative access to the Jenkins platform. To achieve that, we have to modify config.xml in the Jenkins configuration directory, whose path is available in the variable JENKINS_HOME, by setting the value to false. To apply these settings we have to restart Jenkins, which can be done by calling jenkins.exe with the restart argument. Afterwards, the user created by us is essentially an admin user on Jenkins.
With that said, we are also able to execute Groovy scripts without invoking a job. Unfortunately, as the machine blocks all outgoing network connections, we were not able to fetch any data from external sources or establish a reverse shell.
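The open registration form and the config.xml edit described above both come down to a handful of settings in JENKINS_HOME/config.xml. As an added example (not code from this write-up), the following Python audit parses a Jenkins global config.xml and flags the settings a defender should review: self-registration left enabled, every logged-in user treated as administrator, anonymous read access, or Administer granted to the anonymous/authenticated groups in a matrix strategy. The sample configuration is constructed; the element and class names are the ones Jenkins itself writes.

```python
import xml.etree.ElementTree as ET

# Constructed sample of JENKINS_HOME/config.xml showing the weak settings (XML declaration omitted).
WEAK_CONFIG = """<hudson>
  <version>2.303.1</version>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>false</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
</hudson>
"""

def _is_true(element, tag, default="true"):
    """Jenkins stores booleans as the text 'true'/'false'; a missing element counts as the safe value here."""
    return element.findtext(tag, default).strip().lower() == "true"

def audit_jenkins_config(xml_text):
    """Return a list of finding strings for a Jenkins global config.xml (empty means nothing flagged)."""
    root = ET.fromstring(xml_text)  # the file is local and administrator-owned, so ElementTree is fine
    findings = []
    if not _is_true(root, "useSecurity"):
        findings.append("useSecurity is false: no authentication or authorization at all")
    realm = root.find("securityRealm")
    if realm is not None and realm.get("class") == "hudson.security.HudsonPrivateSecurityRealm":
        if not _is_true(realm, "disableSignup"):
            findings.append("disableSignup is false: anyone can self-register an account")
    strategy = root.find("authorizationStrategy")
    if strategy is not None:
        cls = strategy.get("class", "")
        if cls == "hudson.security.AuthorizationStrategy$Unsecured":
            findings.append("authorizationStrategy is Unsecured: anyone can do anything")
        elif cls == "hudson.security.FullControlOnceLoggedInAuthorizationStrategy":
            findings.append("FullControlOnceLoggedIn: every authenticated user is an administrator")
            if not _is_true(strategy, "denyAnonymousReadAccess"):
                findings.append("denyAnonymousReadAccess is false: anonymous users can browse jobs and builds")
        else:  # matrix strategies list explicit <permission>PERMISSION:SID</permission> grants
            for perm in strategy.iter("permission"):
                name, _, sid = (perm.text or "").strip().partition(":")
                if name == "hudson.model.Hudson.Administer" and sid in ("anonymous", "authenticated"):
                    findings.append(f"Administer granted to {sid}")
    return findings

if __name__ == "__main__":
    for finding in audit_jenkins_config(WEAK_CONFIG):
        print("FINDING:", finding)
```

Run it against a copy of the real config.xml by reading the file into a string and passing it to audit_jenkins_config; an empty result means none of the listed weaknesses is present, not that the instance is fully hardened.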