Runner — HackTheBox
NMAP
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://runner.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
8000/tcp open nagios-nsca Nagios NSCA
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Port 80 (HTTP)
Browsing the URL, we get the following page. It is a CI/CD solutions provider website. There's nothing much to it; it's a static page.
Port 8000 (Nagios)
On port 8000, we get a 404 Not Found.
Running dirsearch, the following two endpoints are found, but checking them doesn't yield anything useful.
Subdomain (teamcity.runner.htb)
After heavy enumeration, we find a subdomain. Add it to the /etc/hosts file.
ffuf -w /usr/share/seclists/Discovery/DNS/bug-bounty-program-subdomains-trickest-inventory.txt -u http://runner.htb/ -H "Host: FUZZ.runner.htb" -ac -c
Opening it in the browser, we get the following login page. It also shows the build version of TeamCity, which seems to be outdated.
Searching for an exploit, it is found to be vulnerable to CVE-2023-42793, an authentication bypass vulnerability leading to RCE.
A PoC is available in Metasploit, but I did not want to use that, so I wrote my own Python script to get a reverse shell. Here's the link to my PoC:
Privilege Escalation (john)
Looking into the files, we can confirm that it's a container. Enumerating the filesystem, we find a private SSH key at /data/teamcity_server/datadir/config/projects/AllProjects/pluginData/ssh_keys, but we don't know which user it belongs to.
Trying it with the tcuser user, it asks for a password.
Enumerating further, we find two usernames and hashes in the log and database files. At /data/teamcity_server/datadir/system/buildserver.log, we find the following:
And in the /data/teamcity_server/datadir/system/buildserver.data file, we find the following:
Trying to crack the hashes, we only get the password for the matthew user.
hashcat hashes /usr/share/wordlists/rockyou.txt --user -m 3200
These credentials do not work on SSH. However, using the private key that we found earlier, we can log in as john.
Privilege Escalation (root)
Checking open ports, some are open only internally.
On port 9000, we find that Portainer is running.
We can also confirm that Portainer is available on the system.
Let's forward this port to our host using SSH.
ssh -L 9000:127.0.0.1:9000 -i id_rsa john@runner.htb
Now opening the port in the browser, we get a login page for Portainer.
Portainer is a container management software to deploy, troubleshoot, and secure applications across cloud, datacenter, and Industrial IoT use cases.
Trying the credentials of the matthew user that we cracked earlier, we get logged in.
Checking the images list, we have two images available.
Having access to this is equivalent to being in the docker group: we can mount the host filesystem and start a new container. To do this in Portainer, first we need to create a new volume for the host filesystem.
The Portainer documentation was not helpful in this scenario, but I found the following Stack Overflow question that solved our problem.
So, I create a volume with the following options.
The next step is to mount this volume in a container and get a shell in it. Here, we create a container using the ubuntu image that we saw was available.
Next, select the interactive TTY shell option to get a console in the container.
Under volumes, we mount the volume that we created earlier into the container.
When the container starts, get a shell in it and read the root flag from the mount path.
Further, we can drop our SSH key into the root user's home directory and get a shell as root.
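As an added, defender-side example that is not part of the original writeup: the escalation above depends on a local volume bound to the host's root directory being mounted into a container, and that pattern is visible in `docker inspect` and `docker volume inspect` output. The JSON below is constructed sample data in that shape; the sensitive-path list and the function names are my own assumptions.

```python
import json

# Host locations that should never be visible inside an ordinary container.
SENSITIVE = ("/", "/etc", "/root", "/home", "/var/run/docker.sock")

# Constructed sample of `docker inspect` output (abridged to the fields used).
CONTAINERS = json.loads("""[
 {"Name": "/web", "HostConfig": {"Privileged": false},
  "Mounts": [{"Type": "volume", "Name": "webdata", "Destination": "/srv"}]},
 {"Name": "/shell", "HostConfig": {"Privileged": false},
  "Mounts": [{"Type": "volume", "Name": "hostroot", "Destination": "/mnt"}]},
 {"Name": "/agent", "HostConfig": {"Privileged": true},
  "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
              "Destination": "/var/run/docker.sock"}]}
]""")

# Constructed sample of `docker volume inspect` output: "hostroot" is a
# local-driver volume whose options bind it to the host's root directory.
VOLUMES = json.loads("""[
 {"Name": "webdata", "Driver": "local", "Options": null},
 {"Name": "hostroot", "Driver": "local",
  "Options": {"type": "none", "o": "bind", "device": "/"}}
]""")


def host_path_is_sensitive(path):
    """True if path is, or lies under, one of the SENSITIVE host locations."""
    if path == "/":
        return True
    return any(path == s or path.startswith(s + "/") for s in SENSITIVE if s != "/")


def volume_host_device(volumes, name):
    """Host path a local volume is bound to via its options, else None."""
    for v in volumes:
        opts = v.get("Options") or {}
        if v["Name"] == name and "bind" in opts.get("o", ""):
            return opts.get("device")
    return None


def find_host_exposures(containers, volumes):
    """(container, mount destination, host path, reason) for each risky mount."""
    findings = []
    for c in containers:
        name = c["Name"].lstrip("/")
        if c.get("HostConfig", {}).get("Privileged"):
            findings.append((name, None, None, "privileged container"))
        for m in c.get("Mounts", []):
            # Bind mounts name the host path directly; volumes need a lookup.
            src = m.get("Source") if m.get("Type") == "bind" else volume_host_device(volumes, m.get("Name"))
            if src and host_path_is_sensitive(src):
                findings.append((name, m["Destination"], src, "sensitive host path mounted"))
    return findings
```

On a live host the same functions can be fed the output of `docker inspect $(docker ps -q)` and `docker volume inspect $(docker volume ls -q)`.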
Thanks for reading!