来源

关联漏洞

描述

In this project, I exploited the CVE-2024-27198-RCE vulnerability to perform a remote code execution (RCE) attack on a vulnerable TeamCity server.

介绍

Exploiting CVE-2024-27198-RCE Vulnerability

In this project, I exploited the CVE-2024-27198-RCE vulnerability to perform a remote code execution (RCE) attack on a vulnerable TeamCity server. The vulnerability allows uploading and activating a malicious plugin that provides access to the remote system via a webshell, granting the ability to execute commands and retrieve data from the server.

Steps Taken:
Preparing for the Attack:
I began by identifying the target server, which was accessible at http://10.10.217.209:50000. I then used the CVE-2024-27198-RCE.py script to exploit the vulnerability on the server.

Uploading the Malicious Plugin:
During the exploitation process, the script automatically uploaded a malicious plugin to the server, which was successfully activated. The webshell that allowed access to the server was available at:
http://10.10.217.209:50000/plugins/zHXm20lm/zHXm20lm.jsp.

Executing Commands on the Server:
Through the webshell, I executed various commands on the server, such as:

whoami — showed the current user on the server (ubuntu).
ls — listed files in the directory.
cat /home/ubuntu/flag.txt — opened the flag file that I needed to find.
Retrieving the Flag:
By executing the cat /home/ubuntu/flag.txt command, I was able to retrieve the flag:
THM{faa9bac345709b6620a6200b484c7594}.

Tools Used:
Python 3: For running the exploit script.
CVE-2024-27198-RCE.py: The main exploit that uses the vulnerability to upload the plugin.
Webshell: The ofbehinder3.0 plugin, which provided remote access to the server and allowed command execution.
Target Server: TeamCity, where the vulnerability was found.
Risks and Conclusion:
By exploiting this vulnerability, I gained access to the server and was able to retrieve critical information. This attack highlights the significant risks to TeamCity servers that have not been updated in a timely manner. I recommend always keeping software versions up to date and installing necessary security patches.

Screenshots:
Running the exploit script:

Uploading the plugin:

Executing commands via the webshell:

Retrieving the flag

文件快照

 [4.0K]  /data/pocs/fa55efd1f7a207f5678f1163a34830786e8e95d2
├── [176K]  1.jpeg
├── [188K]  2.jpeg
├── [ 97K]  3.jpeg
├── [252K]  4.jpeg
├── [124K]  5.jpeg
├── [190K]  6.jpeg
├── [111K]  7.jpeg
├── [ 99K]  8.jpeg
└── [2.1K]  README.md

0 directories, 9 files

备注