Related vulnerability
Description
In this project, I exploited the CVE-2024-27198-RCE vulnerability to perform a remote code execution (RCE) attack on a vulnerable TeamCity server.
Introduction
Exploiting CVE-2024-27198-RCE Vulnerability
In this project, I exploited the CVE-2024-27198-RCE vulnerability to perform a remote code execution (RCE) attack on a vulnerable TeamCity server. The vulnerability allows uploading and activating a malicious plugin that provides access to the remote system via a webshell, granting the ability to execute commands and retrieve data from the server.
Steps Taken:
Preparing for the Attack:
I began by identifying the target server, which was accessible at http://10.10.217.209:50000. I then used the CVE-2024-27198-RCE.py script to exploit the vulnerability on the server.
Uploading the Malicious Plugin:
During the exploitation process, the script automatically uploaded a malicious plugin to the server, which was successfully activated. The webshell that allowed access to the server was available at:
http://10.10.217.209:50000/plugins/zHXm20lm/zHXm20lm.jsp.
Executing Commands on the Server:
Through the webshell, I executed various commands on the server, such as:
whoami — showed the current user on the server (ubuntu).
ls — listed files in the directory.
cat /home/ubuntu/flag.txt — opened the flag file that I needed to find.
Retrieving the Flag:
By executing the cat /home/ubuntu/flag.txt command, I was able to retrieve the flag:
THM{faa9bac345709b6620a6200b484c7594}.
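The webshell path used above, /plugins/zHXm20lm/zHXm20lm.jsp, is also the defender's artifact: a JSP served from a plugin directory that no administrator installed, with the directory and file name identical. As an added example that is not part of the original write-up, the following Python scans constructed Tomcat-style access-log lines for JSP requests under /plugins/ whose plugin directory is not on an assumed allowlist; the log format, sample lines and KNOWN_PLUGINS set are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample lines in Tomcat combined access-log style (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /login.html HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /plugins/commitStatusPublisher/editCommitStatus.jsp HTTP/1.1" 200 812
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /plugins/zHXm20lm/zHXm20lm.jsp HTTP/1.1" 200 2
10.0.0.9 - - [01/Jan/2024:10:00:08 +0000] "POST /plugins/zHXm20lm/zHXm20lm.jsp HTTP/1.1" 200 461
10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /plugins/abCd12Ef/shell.jsp HTTP/1.1" 200 120
"""

# Assumed (hypothetical) allowlist of plugin directories the administrator actually deployed.
KNOWN_PLUGINS = {"commitStatusPublisher"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Any JSP served from a plugin directory, optionally followed by a query string or path parameter.
PLUGIN_JSP_RE = re.compile(r'^/plugins/(?P<dir>[^/?;]+)/(?P<stem>[^/?;]+)\.jsp(?:[?;].*)?$')


@dataclass
class Finding:
    ip: str
    method: str
    path: str
    reason: str


def find_suspicious_plugin_jsp(log_text: str, known_plugins=KNOWN_PLUGINS) -> list[Finding]:
    """Return requests for JSPs under plugin directories that are not on the allowlist."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        p = PLUGIN_JSP_RE.match(m["path"])
        if not p or p["dir"] in known_plugins:
            continue  # not a plugin JSP, or a plugin we know about
        if p["dir"] == p["stem"]:
            # Directory name equal to the JSP name is the layout seen in this write-up.
            reason = "unknown plugin; directory name equals JSP name"
        else:
            reason = "JSP under unknown plugin directory"
        findings.append(Finding(m["ip"], m["method"], m["path"], reason))
    return findings
```

Run it against the real access log and reconcile every hit with the plugin list in the TeamCity administration UI; the allowlist should be generated from that list, not typed by hand.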
Tools Used:
Python 3: For running the exploit script.
CVE-2024-27198-RCE.py: The main exploit that uses the vulnerability to upload the plugin.
Webshell: The ofbehinder3.0 plugin, which provided remote access to the server and allowed command execution.
Target Server: TeamCity, where the vulnerability was found.
Risks and Conclusion:
By exploiting this vulnerability, I gained access to the server and was able to retrieve critical information. This attack highlights the significant risks to TeamCity servers that have not been updated in a timely manner. I recommend always keeping software versions up to date and installing necessary security patches.
Screenshots:
Running the exploit script:
Uploading the plugin:
Executing commands via the webshell:
Retrieving the flag:
File snapshot
[4.0K] /data/pocs/fa55efd1f7a207f5678f1163a34830786e8e95d2
├── [176K] 1.jpeg
├── [188K] 2.jpeg
├── [ 97K] 3.jpeg
├── [252K] 4.jpeg
├── [124K] 5.jpeg
├── [190K] 6.jpeg
├── [111K] 7.jpeg
├── [ 99K] 8.jpeg
└── [2.1K] README.md
0 directories, 9 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source has gone offline or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.