
Pennyworth – Linux

  • justinblawitz
  • Oct 14, 2025
  • 3 min read
  • Ping and Nmap the target IP using sudo nmap -sC -sV {target IP}, where -sC runs the default NSE scripts and -sV probes each open port for its service and version.

  • We find port 8080/tcp open running Jetty version 9.4.39.v20210325. Since it is an HTTP server, we try the target IP in our browser, but we get an error. The service isn't running on port 80, so the browser's default won't reach it; we have to specify the port we got from the Nmap scan explicitly by browsing to http://{target IP}:8080/.

  • We find a login page for Jenkins, a free and open-source automation server that automates the building, testing, and deployment stages of software development. To get past the login we try common weak credential pairs, hoping for a misconfiguration; in this case the username root and the password password get us in.

  • The type of vulnerability this machine focuses on is arbitrary remote command execution: the ability to run commands or code of the attacker's choosing on a target machine or process over a network. Here it comes from a feature rather than a software bug: Jenkins lets an authenticated administrator run arbitrary code, and the weak credentials above hand us that administrator access.

  • The first step is to search for the Jenkins version displayed at the bottom right of the page and look for known attack methods. Unfortunately for us, this version is reported as secure. But we do stumble across a couple of resources explaining how to gain RCE (remote code execution) in Jenkins, which will be a great help (https://github.com/gquere/pwn_jenkins, https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76). Both mention the Jenkins Script Console, which we can reach by entering Manage Jenkins in the left menu, then Script Console.

  • Here we can run a Groovy script. Groovy is a language that runs on the Java Virtual Machine; it works much like Java but is more concise and adds the conveniences of a scripting language. Jenkins intends the console for troubleshooting and diagnostics, but it executes arbitrary Groovy with the privileges of the Jenkins process, including spawning operating-system processes, so we'll use a payload that opens a reverse shell connection back to us.

  • A reverse shell is a connection that the target machine initiates back to us, i.e. to our attacking VM, and then attaches a shell to. We use reverse shells because they are simple to set up and because an outbound connection from the target is far less likely to be blocked by a firewall than an inbound one to a port we would otherwise have to open on the target.

  • We can use the payload from the second link we stumbled across earlier (the frohoff gist). We'll also need our VM's IP, which we can find with ip a | grep tun0 (or ip addr show tun0) or ifconfig, and enter it into the script along with the port we're about to listen on.


  • Before we run the script in the Jenkins console, we start Netcat (abbreviated nc), a networking utility for reading from and writing to network connections over TCP or UDP. nc -h prints a help menu listing the available flags.

  • In this case we use nc -lvnp 4445, where -l is listening mode, -v prints more detailed status messages, -n skips DNS resolution and uses numeric IP addresses only, and -p specifies the port to listen on. The port must match the one placed in the Groovy script.

  • Once Netcat is listening, we run the Groovy script in the Jenkins console and Jenkins connects back to our attacking VM.

  • With the connection established we can run commands on the Jenkins server. whoami returns root, so we already hold the highest level of privilege and no privilege escalation is needed. We then change into the root directory, use ls to list it, and cat flag.txt to read the file and capture the flag.
