Foothold
1. nmap the target to find open port that hosts website
2. fluff to scan vhost to find dev.builder.htb
3. use LFI to exploit vulnerable Jenkins version
4. LFI users.xml and /<user>/config.xml
5. hashcat to crack password
2. fluff to scan vhost to find dev.builder.htb
3. use LFI to exploit vulnerable Jenkins version
4. LFI users.xml and /<user>/config.xml
5. hashcat to crack password
PrivEsc
1.
1.
Once logged in as a user, LFI to get root password from /var/jenkins_home/credentials.xml
2. Create a groovy script to decrypt the SSH key for root user
3. Login as root
2. Create a groovy script to decrypt the SSH key for root user
3. Login as root