HackTheBox : Runner Walkthrough

By #$ubh@nk@r, published in CodingNinjaBlogs. 6 min read, Apr 28, 2024.

Intro: Hello Hackers. Welcome to HTB Season 5 ANOMALIES. This is the 1st Machine of the Season, named Runner. Here we exploit a CVE, crack Hashes, abuse a Container Vulnerability and more. Though it is a Medium Difficulty Machine, I still found it a little bit Easy. So let’s jump into the Hack.

Nmap Scan :

As usual we start with a Basic Nmap Scan. I saw that 3 Ports are open: 80, 22 and 8000. Port 8000 is running Nagios.

Web Enumeration :

So let’s visit the Website first (Port 80). First I added runner.htb to my Hosts file to access it from the Browser.

I found nothing interesting on this Page, so I moved to Port 8000. There was no Luck there either.

I tried Gobuster but it gave nothing. So the next step was to Fuzz for Subdomains. Here I used ffuf because it fuzzes Faster.

Here I got a Subdomain: teamcity. I also added it to my Hosts File.

After accessing the Site I saw that it is the TeamCity Login Page.

Note : TeamCity is a build management and continuous integration server from JetBrains.

The Login Page also discloses the Version.

Web Exploitation :

After searching a bit I found that an Authentication Bypass Exploit is available on GitHub for this Version.

So I tried it from my VM. It gave me the Username & Password.

After using those Creds I Logged into the Dashboard Page.

Here I found some Projects. But if you go to the Administration Page you will find something Different. Under Backup you will get a zip file to Download, so I downloaded it.

After downloading I unzipped it, and it gave me some Folders and Files. Among them I also got an id_rsa Key.

It is an OpenSSH Private Key. So we have a way to get into the Box, but we also need a valid Username.

After searching a Bit I found all the Users that are present on the Box under the User Management Section of the TeamCity Dashboard Page.

So I prefer to use John because he is the Admin User.

At last we get the User Access. Bingo!!!

Privilege Escalation:

So it’s time for the Privesc. I found nothing Interesting on the Box for Privesc until I found the Internal Ports that are Running.

So I tried forwarding all the Ports to my VM to Examine them.

First I tried to access Port 9443 from my Browser.

And it is Running Portainer.

Note : Portainer is a container management software to deploy, troubleshoot, and secure applications across cloud, datacenter, and Industrial IoT use cases.

So what now? I tried to find all Portainer related files & folders on the Box.

After searching a Bit I found a Little Hint, so I followed it. We got a Zip file from TeamCity, and from there we also got Some other Files. After examining them I found all the Users’ Hashes in a database_dump Folder.

So I cracked the Matthew Hash with John. I have already cracked it before. It will take some time to crack.

So I tried to Log in to the Portainer Login Panel with these Creds → matthew : <pass>. And I successfully Logged in.

Here under the Primary Docker Container I found many Functionalities. There are also 2 Docker Images: ubuntu:latest and teamcity:latest.

Before going further I want to say that there is a CVE on this Container called → Illustrate runC Escape Vulnerability CVE-2024-21626.

According to this Post we have to create a container using this Path → /proc/self/fd/8

Note : According to the root cause of the vulnerability, attackers can exploit via two different ways:

Set the working directory of the container to /proc/self/fd/<fd> (where <fd> stands for the file descriptor when opening /sys/fs/cgroup in host filesystem. Usually it’s 7 or 8) when running a container.

Create a symlink for /proc/self/fd/<fd> (where <fd> stands for the file descriptor when opening /sys/fs/cgroup in host filesystem. Usually it’s 7 or 8). When users execute commands inside the container via docker exec or kubectl exec by setting the working directory to the symlink, attackers can access host filesystem through /proc/<PID>/cwd, where <PID> stands for the PID of the process generated by docker exec or kubectl exec command.
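
Seen from the defender's side, the first variant in the note leaves a trace in the container's configuration: its working directory. The Python below is an added example, not part of the original post; it audits `docker inspect` JSON for working directories under /proc/<self|pid>/fd/<n>. The function names and sample records are constructed for illustration, and the symlink variant is not covered.

```python
import json
import posixpath
import re

# A working directory rooted in a procfs fd entry, e.g. /proc/self/fd/8
PROC_FD = re.compile(r"^/proc/(self|thread-self|\d+)/fd/\d+(/|$)")

def is_suspicious_workdir(workdir):
    """True if the path goes through /proc/<self|pid>/fd/<n>."""
    if not workdir:
        return False
    # Collapse '//' and '/./' but keep '..', so /proc/self/fd/8/../.. still matches
    parts = [p for p in workdir.split("/") if p not in ("", ".")]
    literal = "/" + "/".join(parts)
    # Also resolve '..' lexically, so /srv/../proc/self/fd/7 is caught
    resolved = posixpath.normpath("/" + workdir.lstrip("/"))
    return bool(PROC_FD.match(literal) or PROC_FD.match(resolved))

def audit_containers(inspect_json):
    """Return one finding per container whose Config.WorkingDir is suspicious."""
    findings = []
    for c in json.loads(inspect_json):
        workdir = (c.get("Config") or {}).get("WorkingDir") or ""
        if is_suspicious_workdir(workdir):
            findings.append({
                "id": c.get("Id", "")[:12],
                "name": c.get("Name", "").lstrip("/"),
                "workdir": workdir,
            })
    return findings

# Constructed sample in the shape of `docker inspect` output (not real data)
SAMPLE = json.dumps([
    {"Id": "a" * 64, "Name": "/web", "Config": {"WorkingDir": "/opt/app"}},
    {"Id": "b" * 64, "Name": "/build-agent", "Config": {"WorkingDir": "/proc/self/fd/8"}},
    {"Id": "c" * 64, "Name": "/job", "Config": {"WorkingDir": "/srv/../proc//self/fd/7/"}},
    {"Id": "d" * 64, "Name": "/db", "Config": {"WorkingDir": ""}},
])

if __name__ == "__main__":
    for f in audit_containers(SAMPLE):
        print(f"{f['id']}  {f['name']}: working dir {f['workdir']}")
```

On a live host the input would be the JSON printed by `docker inspect $(docker ps -aq)`.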

You can follow along with this Video for the rest of the Process.

Next go to Containers and Add Container.

In the Create Container section you have to give a Name & an Image (teamcity:latest).

Next, under Advanced Settings, you have to add the Path mentioned in the CVE in the Working Dir Section.

Next Deploy the Container.

After a moment you will get that Container is Running.

So click on the Console and you will get an Interface like this.

Here type the User root and Click on Connect. And you will get a terminal from your Browser.

To get the Root Flag you have to follow the Command below.

Hurrahh!! We have pwned the Machine together. Hope you learned something New!!!

THANKS FOR READING!

If you like it don’t forget to Like it and Follow me for more Articles.

Happy Hacking
