Port enumeration

With nmap, I found a Jetty instance in 8080. 063e13d2f27e384689b3c26ee752af78.png

Web enumeration

Here, I found the Jenkins logpage. 3dca75c3626564475f343caf11af58d2.png

Bruteforce

Using Caido, I bruteforced the password until I found the credentials, been root:password. ba16e4b1f0c4f1164a0ac740a3598487.png

Jenkins exploitation

With this credentials, I was able to enter in the jenkings dashboard. 0c92cdd145625851aa073fb35e98e65f.png Here, I found who I am able to execute Groovy scripts. 6a19b7e086cf317bc879bfee01cbae3f.png So, with this, I execute a reverse shell with the Script Console. 8d9f5ae0ef8294038dd267abdc501103.png 059b5248882b78bd2392d87076812abf.png 812538f2a690b5198ef8978327eb88f9.png Here, I just need to read the flag. 8b5136e65f1062f054f451f011f2ce8e.png