PoC details: fa55efd1f7a207f5678f1163a34830786e8e95d2

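Source
Related vulnerability
Title: JetBrains TeamCity security vulnerability (CVE-2024-27198)
Description: JetBrains TeamCity is a distributed build management and continuous integration tool from the Czech company JetBrains. It provides continuous unit testing, code quality analysis, and build problem analysis reports. JetBrains TeamCity versions before 2023.11.4 contain a security vulnerability that stems from an authentication bypass.
Description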
In this project, I exploited the CVE-2024-27198-RCE vulnerability to perform a remote code execution (RCE) attack on a vulnerable TeamCity server.
Introduction
Exploiting CVE-2024-27198-RCE Vulnerability

In this project, I exploited the CVE-2024-27198-RCE vulnerability to perform a remote code execution (RCE) attack on a vulnerable TeamCity server. The vulnerability allows uploading and activating a malicious plugin that provides access to the remote system via a webshell, granting the ability to execute commands and retrieve data from the server.

Steps Taken:
Preparing for the Attack:
I began by identifying the target server, which was accessible at http://10.10.217.209:50000. I then used the CVE-2024-27198-RCE.py script to exploit the vulnerability on the server.

Uploading the Malicious Plugin:
During the exploitation process, the script automatically uploaded a malicious plugin to the server, which was successfully activated. The webshell that allowed access to the server was available at:
http://10.10.217.209:50000/plugins/zHXm20lm/zHXm20lm.jsp.

Executing Commands on the Server:
Through the webshell, I executed various commands on the server, such as:

whoami: showed the current user on the server (ubuntu).
ls: listed files in the directory.
cat /home/ubuntu/flag.txt: opened the flag file that I needed to find.

Retrieving the Flag:
By executing the cat /home/ubuntu/flag.txt command, I was able to retrieve the flag:
THM{faa9bac345709b6620a6200b484c7594}.

Tools Used:
Python 3: For running the exploit script.
CVE-2024-27198-RCE.py: The main exploit that uses the vulnerability to upload the plugin.
Webshell: The ofbehinder3.0 plugin, which provided remote access to the server and allowed command execution.
Target Server: TeamCity, where the vulnerability was found.

Risks and Conclusion:
By exploiting this vulnerability, I gained access to the server and was able to retrieve critical information. This attack highlights the significant risks to TeamCity servers that have not been updated in a timely manner. I recommend always keeping software versions up to date and installing necessary security patches.

Screenshots:
Running the exploit script:

Uploading the plugin:

Executing commands via the webshell:

Retrieving the flag
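
A defender's view of the webshell URL reported above, as an added example that is not part of the original README or the exploit script: this Python code scans web access logs for requests to /plugins/<name>/<name>.jsp, the shape of the path in the write-up. The log lines are constructed, and the function name, the `known_plugins` allow-list and the assumption that the plugin directory and the JSP share one alphanumeric name are illustrative, generalized from the single URL on this page.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed access-log lines; only the zHXm20lm path comes from the write-up.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Mar/2024:10:01:02 +0000] "GET /plugins/zHXm20lm/zHXm20lm.jsp HTTP/1.1" 200 312
192.0.2.10 - - [05/Mar/2024:10:01:09 +0000] "POST /plugins/zHXm20lm/zHXm20lm.jsp?x=1 HTTP/1.1" 200 58
198.51.100.7 - - [05/Mar/2024:10:02:00 +0000] "GET /plugins/example-plugin/settings.jsp HTTP/1.1" 200 4096
198.51.100.7 - - [05/Mar/2024:10:02:30 +0000] "GET /img/logo.png HTTP/1.1" 200 900
203.0.113.5 - - [05/Mar/2024:10:03:00 +0000] "GET /plugins/Ab3dE9xQ/Ab3dE9xQ.jsp HTTP/1.1" 404 0
"""

# client, method, request target and status from a common/combined log line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Assumed heuristic: the same alphanumeric token as plugin directory and JSP name
SHELL_RE = re.compile(r'^/plugins/([A-Za-z0-9]{4,16})/\1\.jsp$')


def find_plugin_jsp_hits(log_text, known_plugins=frozenset()):
    """Group requests to /plugins/<name>/<name>.jsp by path.

    known_plugins is a hypothetical allow-list of plugin names the
    administrator knows to be legitimately installed.
    """
    hits = defaultdict(lambda: {"clients": set(), "requests": 0, "served": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        client, _method, target, status = m.groups()
        path = urlsplit(target).path  # drop the query string before matching
        shell = SHELL_RE.match(path)
        if not shell or shell.group(1) in known_plugins:
            continue
        entry = hits[path]
        entry["clients"].add(client)
        entry["requests"] += 1
        entry["served"] |= status.startswith("2")  # True once any 2xx is seen
    return dict(hits)


if __name__ == "__main__":
    for path, info in find_plugin_jsp_hits(SAMPLE_LOG).items():
        state = "served" if info["served"] else "not served"
        print(path, info["requests"], sorted(info["clients"]), state)
```

A path with `served` set means the server answered the request, so the installed-plugins list and plugin directory on that host are the next things to inspect.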
File snapshot

[4.0K] /data/pocs/fa55efd1f7a207f5678f1163a34830786e8e95d2
├── [176K] 1.jpeg
├── [188K] 2.jpeg
├── [ 97K] 3.jpeg
├── [252K] 4.jpeg
├── [124K] 5.jpeg
├── [190K] 6.jpeg
├── [111K] 7.jpeg
├── [ 99K] 8.jpeg
└── [2.1K] README.md

0 directories, 9 files