Enumeration
Starting off with an nmap scan: nmap -p- -T4 10.10.4.66
We can do a deeper scan of the open ports:
nmap -sC -sV -p 22,80,35829,50000 -T4 10.10.4.66
I have restarted the session, hence the change in the attacking IP
We get a message when we navigate to http://10.10.239.23.
Even when viewing the source of this page, we find nothing useful.
Checking http://10.10.239.23:50000/, we find a login page.
Searching on Google tells us that TeamCity is a continuous integration server developed by JetBrains (ummm…..hence the room name).
- On the login page, we also get the version, and this version is vulnerable to an authentication bypass that allows performing admin actions (CVE-2024-27198).
Exploitation
- Searching in msfconsole, there is an exploit available.
- Once we choose the exploit, these are the default options
- We have to set the following options and run the exploit:
# RHOSTS and RPORT are the target TeamCity host and its listening port
set RHOSTS 10.10.239.23
set RPORT 50000
We get a shell! And the user flag.
1. What is the content of flag.txt in the user’s home folder?
THM{faa9bac345709b6620a6200b484c7594}
Proceeding with Task 2
1. What is the name of the backdoor user which was created on the server after exploitation?
eviluser
As we have to search for the user that was added, we can search for useradd in Splunk, and we find a suspicious name.
2. What is the name of the malicious-looking package installed on the server?
datacollector
We know from our previous search that the user was added on 07/04/2024. So, filtering our search for install events on that date, we get the package name.
3. What is the name of the plugin installed on the server after successful exploitation?
AyzzbuXY.zip
Now searching for plugin over the same date range, we find the plugin that was installed after exploitation.
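The three Splunk searches above (useradd, install, plugin on the incident date) can be expressed as a small scripted triage over forwarded host logs. This is an added example written for this writeup, not code from the room or from TryHackMe; the log lines are constructed to mimic syslog-style entries, the ISO timestamps and the reading of 07/04/2024 as 4 July are my assumptions, and the rule patterns are illustrative rather than a match for any specific log format.

```python
import re

# Constructed sample log lines (NOT from the room's Splunk instance). They mimic
# syslog-style entries a Linux host forwards to a SIEM; the names eviluser,
# datacollector and AyzzbuXY.zip are the ones the writeup reports.
SAMPLE_LOGS = """\
2024-07-04T10:12:01 teamcity sshd[1201]: Accepted publickey for ubuntu from 10.0.0.5 port 51234 ssh2
2024-07-04T10:15:43 teamcity useradd[2231]: new user: name=eviluser, UID=1002, GID=1002, home=/home/eviluser, shell=/bin/bash
2024-07-04T10:15:44 teamcity usermod[2234]: add 'eviluser' to group 'sudo'
2024-07-04T10:18:02 teamcity apt[2250]: Commandline: apt install datacollector
2024-07-04T10:18:09 teamcity dpkg[2251]: install datacollector:amd64 <none> 1.0-1
2024-07-04T10:20:30 teamcity teamcity-server[1500]: Plugin AyzzbuXY.zip uploaded by user eviluser
2024-07-05T09:00:00 teamcity apt[3001]: Commandline: apt install htop
2024-07-03T08:30:00 teamcity useradd[1990]: new user: name=deploy, UID=1001, GID=1001, home=/home/deploy, shell=/bin/bash
"""

# <ISO timestamp> <host> <process>[<pid>]: <message>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)

# Each rule: (finding type, process the event must come from, regex on the message).
# The "value" group is the artefact we want to surface (user, package, plugin file).
RULES = [
    ("user_created",       "useradd",         re.compile(r"new user: name=(?P<value>[^,]+)")),
    ("user_added_to_sudo", "usermod",         re.compile(r"add '(?P<value>[^']+)' to group 'sudo'")),
    ("package_installed",  "dpkg",            re.compile(r"^install (?P<value>[^:\s]+)")),
    ("plugin_uploaded",    "teamcity-server", re.compile(r"Plugin (?P<value>\S+\.zip) uploaded")),
]


def parse_line(line):
    """Split one syslog-style line into its fields; return None if it doesn't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["date"] = rec["ts"].split("T")[0]   # "YYYY-MM-DD" part of the timestamp
    return rec


def find_events(log_text, on_date):
    """Return (type, value, timestamp) findings for events on the given ISO date,
    in log order. Mirrors the three Splunk searches: useradd, install, plugin."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["date"] != on_date:
            continue
        for kind, proc, pattern in RULES:
            if rec["proc"] != proc:
                continue
            hit = pattern.search(rec["msg"])
            if hit:
                findings.append((kind, hit.group("value"), rec["ts"]))
    return findings


def answer_task2(log_text, on_date):
    """Pull the three Task 2 artefacts out of the findings (None if absent)."""
    by_kind = {}
    for kind, value, _ts in find_events(log_text, on_date):
        by_kind.setdefault(kind, value)   # keep the first occurrence of each kind
    return {
        "backdoor_user": by_kind.get("user_created"),
        "package": by_kind.get("package_installed"),
        "plugin": by_kind.get("plugin_uploaded"),
    }


if __name__ == "__main__":
    for finding in find_events(SAMPLE_LOGS, "2024-07-04"):
        print(finding)
    print(answer_task2(SAMPLE_LOGS, "2024-07-04"))
```

Pinning the search to the date of the useradd event is what keeps the unrelated htop install on the next day and the earlier deploy account out of the result, which is the same narrowing the Splunk time picker does in the room.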