An insecurely configured TeamCity continuous integration environment.
Work in progress: Deployment code coming soon eventually.
There may be more than one path through PwnCity, but this is the one I'll be presenting on Feb 24th at the OWASP Sacramento Chapter meeting.
Note: Operational security is largely ignored here since this is a demo.
- Scan the IP to discover SSH and TeamCity: `nmap -Pn -p- 52.234.0.18`.
- Browse to the TeamCity URL `http://52.234.0.18:8111`.
- Navigate to `http://52.234.0.18:8111/registerUser.html` and create a new user `bob`, password `bobhacks?`.
- As `bob`, navigate to `Projects > SimpleMavenSample > Build > Settings`.
We could tunnel from our initial foothold. Knowing that RDP is open on two build agents would allow us to attempt to authenticate via the creds we've found...but that's not as fun.
- Explore the TeamCity server a bit and check out the super user token: `cat /home/dev/TeamCity/TeamCity/logs/teamcity-server.log | grep "Super user"`.
- Now log in as the Super User!
- Create a new project PwnAgent via `Administration > Projects > Create project`, and get a shell on the build agents.
- Edit the build step so that it executes Always, even if the build stop command was issued, and modify the following:
  - Command executable: `cmd.exe`
  - Command parameters: `/c %system.teamcity.build.checkoutDir%/launcher.bat`
- Once you can see how these work, you understand how code execution works here, and can modify it to do what you like.
- Alternatively, you can avoid using files in the repo, leaving it blank. All code can be shoved into a build step.
- Command executable:
- Select the `...` next to `Run` on the menu, and then on the desired agent you're targeting. If all goes well you'll have an agent call back.
- Run a port scan via the `powershell/situational_awareness/network/portscan` module. Discover that `10.0.0.7` has `3389,445,139,135` all open.
- Run Mimikatz to dump login creds and get `bruno`'s password.
- Run `powershell/lateral_movement/invoke_smbexec` to get a beacon on `Bruno-PC` via NTLM hash.
- Loot Bruno's PC.
- Kali Linux: VM on operator machine.
- Ubuntu 20.04 LTS: Empire Server
- Ubuntu 20.04: TeamCity
- Windows 10: BuildAgent01
- Windows 7: BuildAgent02
- Windows 10: Bruno-PC
Credentials chosen from `rockyou.txt`.
- bruno:AMOTEbruno84 (Windows)
- dev:Roblerino1995 (Windows/Linux)
- admin:aut0magic (TeamCity)
- Deploy with Terraform.
- Install things with Ansible.
- CLI variable to tune defenses up or down (kind of like a difficulty level)
- TBD
PwnAgent01 has Microsoft Defender enabled. Although it's certainly still possible to defeat this, the malicious build step we demonstrated will be blocked.
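A defender-side check for the super user token step in the walkthrough above, as an added example that is not part of the PwnCity project: it flags `teamcity-server.log` files that contain a "Super user" line and are readable by group or other. The function name, the permission policy and the sample log line are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not part of PwnCity: flag TeamCity server logs that hold a
# super user token line and are readable beyond their owner.
# Assumption: the token line contains "Super user", the string the
# walkthrough greps for in teamcity-server.log.

# audit_superuser_token LOG_DIR
# Prints "EXPOSED: <file>" for each teamcity-server.log* file that contains
# a "Super user" line and is group- or world-readable. The token itself is
# never printed. Returns 0 when clean, 1 on findings, 2 on bad usage.
audit_superuser_token() {
    ast_dir=$1
    [ -d "$ast_dir" ] || { echo "not a directory: $ast_dir" >&2; return 2; }
    # grep -l lists matching file names only; "|| true" keeps a no-match
    # exit status from aborting callers that run under "set -e".
    ast_hits=$(find "$ast_dir" -type f -name 'teamcity-server.log*' \
        \( -perm -040 -o -perm -004 \) \
        -exec grep -l "Super user" {} + 2>/dev/null) || true
    [ -n "$ast_hits" ] || return 0
    printf '%s\n' "$ast_hits" | sed 's/^/EXPOSED: /'
    return 1
}

# Demo on a constructed log line (the token value is a placeholder).
demo_dir=$(mktemp -d)
printf '%s\n' '[2021-02-20 10:00:00,000]   INFO - Super user authentication token: 0000000000000000000 (constructed sample)' \
    > "$demo_dir/teamcity-server.log"
chmod 644 "$demo_dir/teamcity-server.log"
audit_superuser_token "$demo_dir" || echo "fix: chmod 600 the log, 700 its directory"
chmod 600 "$demo_dir/teamcity-server.log"
audit_superuser_token "$demo_dir" && echo "clean after chmod 600"
rm -rf "$demo_dir"
```

Run it against the server's `logs` directory from a scheduled job; a non-zero exit means a local account other than the TeamCity service user can read the token.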
This section is just a collection of snippets that were useful when administering the lab environment.
- From Kali, dynamic port forward on the `TeamCity` host to access local resources: `ssh -D 9050 dev@52.234.0.18`.
- RDP via Proxychains with `proxychains4 xfreerdp /u:dev /v:10.0.0.6:3389`.