JuniorDev

Nmap Scan

The web service running on port 30609 turns out to be Jenkins. We are greeted by a login page, but since we don't have credentials, we can try bruteforcing it.

We are able to bruteforce the login with Hydra, using the username admin and rockyou.txt as the password list.

To get a reverse shell, we can edit one of the existing projects or create a new one, change the build step to run a reverse shell payload, and set up a listener on our attack machine before triggering a build.

We use find to look for any flag lying around.

We are currently the user jenkins, but there is a user juniordev on the machine. As seen below, that user has a .ssh folder; we can't 'ls' its contents (the directory is traversable but not listable for us), yet we are able to 'cat' the private key by its path.

We SSH in with the acquired private key (saved locally with mode 600, which ssh requires before it will use the key).

With linpeas.sh we can see a service listening on port 8080 on localhost only; pspy shows that this service is being run by root.

To reach the service from our machine, we create an SSH tunnel: a local port forward, using the juniordev key, from a port on our box to 127.0.0.1:8080 on the target.

The app is a simple addition calculator written in Python. This might be susceptible to Python code injection, and it actually is; see more here.

We put the exploit in one of the input parameters and set up the appropriate listener. Because the calculator is being run by root, the injected command executes as root, and we are root.
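The injection in miniature, as an added example that is not the box's own calculator source (the writeup does not show it): an addition calculator that splices both operands into eval(), the payload shape an attacker supplies in place of a number, and two hardened versions. The demo payload is deliberately harmless (it returns the calculator's own pid) where the real exploit would run a reverse shell; which is the assumption made here.

```python
"""Python code injection in an eval()-based addition calculator: vulnerable vs hardened.

Added example, not the JuniorDev calculator's own source. It models the pattern where
both user-supplied operands reach eval(). The demo payload reads the process id; on the
box the same position carries a reverse shell instead.
"""
import ast
import operator
import os


def add_vulnerable(a, b):
    """Unsafe: operands are spliced into source text and eval()'d, so any expression runs."""
    return eval(f"({a}) + ({b})")


def injection_payload():
    """What an attacker supplies as an operand: a call, not a number."""
    return "__import__('os').getpid()"


def demo_injection():
    """True if the payload executed inside the calculator: it returned the calculator's own pid."""
    return add_vulnerable(injection_payload(), "0") == os.getpid()


def add_hardened(a, b):
    """Safe: parse operands with int(), which accepts only integer literals."""
    try:
        return int(a) + int(b)
    except ValueError:
        raise ValueError("operands must be integers") from None


_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def safe_arith(expr):
    """If whole expressions are needed, walk the AST and allow only integer constants,
    unary minus and + - *; every other node type (calls, names, attributes, **) is rejected."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError:
        raise ValueError("not an expression") from None

    def walk(node):
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
            return _BINOPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return walk(tree.body)


def rejected(fn, *args):
    """True if fn(*args) refuses the input with ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable 2+3 =", add_vulnerable("2", "3"))
    print("payload ran as code:", demo_injection())
    print("hardened 2+3 =", add_hardened("2", "3"))
    print("hardened rejects payload:", rejected(add_hardened, injection_payload(), "0"))
    print("safe_arith 2 + 3*4 =", safe_arith("2 + 3*4"))
    print("safe_arith rejects payload:", rejected(safe_arith, injection_payload() + " + 0"))
```

The AST walker deliberately omits ** (a tiny expression like 9**9**9 is a denial of service even with no code execution) and division, which would need a zero check; add only the operators the application actually needs.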