HackTheBox - Runner

Published: 24 August 2024
on channel: IppSec
Views: 10,089
Likes: 335

00:00 - Introduction
01:00 - Start of NMAP
05:00 - Discovering the TeamCity Subdomain, which has a version banner showing it running 129390 and is vulnerable to CVE-2023-42793
07:30 - Exploring the TeamCity Authentication Bypass vulnerability to see why URLs ending in RPC2 don't require authentication
11:30 - Logged in as an administrator on TeamCity creating a Backup, which has a Database Backup and any SSH Keys associated with projects
18:30 - Analyzing the SSH Key to discover the username that generated it and logging into the box
20:50 - Going another route on TeamCity, enabling Debug Mode then running commands
27:55 - Showing how to get RCE on Linux when you can specify a Binary with only 1 parameter (Using AWK)
31:00 - Shell on the box as John, doing basic enumeration
34:00 - Logged into Portainer as Matthew (cracked password from database dump)
37:50 - Exploiting RUNC by setting the working directory of a container to /proc/self/fd/8, then gaining access to the root filesystem

