The nmap scan shows HTTP, RPC, and Samba services open.

This is the web page on port 80. Every search returns an error, but the error message is actually just an image.

This is the web page on port 5000. With gobuster, I found a directory, /askjeeves.

It is running Jenkins, and there is a computer to access. In the script console, I can execute Groovy scripts on the server.

I tried running a PowerShell script to invoke a reverse shell, and it worked.

SeImpersonatePrivilege is enabled, so it may be vulnerable to Rotten Potato. I ran Juicy Potato to invoke the process run.bat, which is a reverse shell script.

I got a reverse shell as nt authority\system; however, root.txt is not there. It’s in an alternate data stream of the file. I can execute cat hm.txt -Stream root.txt to get the flag.
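
To show why the flag does not appear in a directory listing, here is an added example (not part of the original write-up) that enumerates NTFS alternate data streams the way a forensic analyst or defender would. The function name Find-AlternateDataStream, the temporary directory and the stream contents are constructed for illustration; hm.txt and root.txt follow the names used above.

```powershell
# Added example: list every named (non-default) NTFS data stream under a directory.
# Assumes Windows PowerShell 3.0 or later and an NTFS volume.
function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $PreviewChars = 40
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            # ':$DATA' is the default stream, i.e. the normal file contents.
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $text = Get-Content -LiteralPath $file -Stream $_.Stream -Raw `
                                -ErrorAction SilentlyContinue
                    if ($null -eq $text) { $text = '' }   # empty or unreadable stream
                    $len = [Math]::Min($PreviewChars, $text.Length)
                    [pscustomobject]@{
                        File    = $file
                        Stream  = $_.Stream
                        Length  = $_.Length
                        Preview = $text.Substring(0, $len).Trim()
                    }
                }
        }
}

# Constructed sample: a file whose visible contents differ from a hidden named stream.
$lab  = Join-Path $env:TEMP ("ads-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $lab | Out-Null
$file = Join-Path $lab 'hm.txt'
Set-Content -LiteralPath $file -Value 'visible contents (constructed)'
Set-Content -LiteralPath $file -Stream 'root.txt' -Value 'CONSTRUCTED-PLACEHOLDER-VALUE'

# Get-ChildItem lists hm.txt only; named streams are not separate directory entries.
Get-ChildItem -LiteralPath $lab | Select-Object Name, Length

# The stream-aware scan reports hm.txt:root.txt with its size and a preview.
Find-AlternateDataStream -Path $lab | Format-Table -AutoSize

Remove-Item -LiteralPath $lab -Recurse -Force
```

On real systems most hits will be Zone.Identifier streams on downloaded files; anything else in a user or service directory is worth a closer look.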