Possibly Related Threads…

trevor69000 · Apr 20, 2024, 07:01 PM

https://app.hackthebox.com/machines/598
All the best everyone

kimera · Apr 20, 2024, 07:07 PM

Let the game begin...

trevor69000 · Apr 20, 2024, 07:24 PM

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3eea454bc5d16d6fe2d4d13b0a3da94f (ECDSA)
|_ 256 64cc75de4ae6a5b473eb3f1bcfb4e394 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://runner.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
8000/tcp open nagios-nsca Nagios NSCA
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

willow · (This post was last modified: Apr 20, 2024, 08:09 PM by willow.)

raft-medium-directories on port 8000:

200 GET 1l 1w 3c http://10.10.11.13:8000/health
200 GET 1l 1w 9c http://10.10.11.13:8000/version
[####################] - 24s 30014/30014 0s found:2 errors:0
[####################] - 24s 30002/30002 1253/s http://10.10.11.13:8000/

custom wordlist + vhost scan found teamcity.runner.htb

trevor69000 · Apr 20, 2024, 08:18 PM

https://github.com/H454NSec/CVE-2023-42793

[~/runner/CVE-2023-42793]
└─$ python3 CVE-2023-42793.py -u http://teamcity.runner.htb
[+] http://teamcity.runner.htb/login.html ..............

jsvensson · Apr 20, 2024, 09:05 PM

In meterpreter:
exploit/multi/http/jetbrains_teamcity_rce_cve_2024_27198

willow · Apr 20, 2024, 09:06 PM

Doing it manually is a pain in the ass, make sure that on the build configuration page your build type is composite, NOT regular. Otherwise it'll yell at you about agents or something.

jsvensson · Apr 20, 2024, 10:18 PM

(Apr 20, 2024, 10:02 PM)iNone Wrote:
(Apr 20, 2024, 09:05 PM)jsvensson Wrote: In meterpreter:
exploit/multi/http/jetbrains_teamcity_rce_cve_2024_27198

this isn't the way

it is the way as i found /data/teamcity_server/datadir/config/projects/AllProjects/pluginData/ssh_keys/id_rsa in this docker
for user john Tongue

meoami · Apr 20, 2024, 10:43 PM

any hints for priv? i got the container

KattRulez · (This post was last modified: Apr 20, 2024, 11:17 PM by KattRulez.)

Too easy for a medium rated machine

(Apr 20, 2024, 10:43 PM)meoami Wrote: any hints for priv? i got the container

Investigate about volumes in portainer, hope it helps
https://docs.portainer.io/user/docker/volumes/add

Sysc4ll3r Wrote:Hello , did you found a way to esclate from john user? can you give me any hint ?

I post it here so everyone can know.

Look a way to dump the database of TeamCity and search for passwords

Possibly Related Threads…
Thread		Author	Replies	Views	Last Post
	[FREE] 300+ Writeups PDF HackTheBox/HTB premium retired	Tamarisk	376	93,838	4 hours ago Last Post: Sukon
	[FREE] CPTS • CWES • CDSA • CWEE Exam Hint	3midjets	233	32,394	4 hours ago Last Post: Sukon
	[FREE] CPTS 12 FLAGS	pulsebreaker	74	2,397	5 hours ago Last Post: Sukon
	[MEGALEAK] HackTheBox ProLabs, Fortress, Endgame - Alchemy, 250 Flags, leak htb-bot	htb-bot	89	8,130	10 hours ago Last Post: Xploitd
	[FREE] HackTheBox All Cheatsheets	Tamarisk	10	638	Yesterday, 03:44 PM Last Post: chufoni