With nmap, I found a Jetty instance in 8080.

Here, I found the Jenkins logpage.

Using Caido, I bruteforced the password until I found the credentials, been root:password.

With this credentials, I was able to enter in the jenkings dashboard.
Here, I found who I am able to execute Groovy scripts.
So, with this, I execute a reverse shell with the Script Console.
Here, I just need to read the flag.
