[HTB] runner (Linux, Medium)
┌─[✗]─[root@htb-1ljuyte1mq]─[/home/chaem]
└──╼ #gobuster dir -u http://runner.htb:8000 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-1.0.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://runner.htb:8000
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-1.0.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2024/06/02 14:59:35 Starting gobuster in directory enumeration mode
===============================================================
/health (Status: 200) [Size: 3]
/version (Status: 200) [Size: 9]
===============================================================
2024/06/02 15:03:13 Finished
===============================================================
┌─[root@htb-1ljuyte1mq]─[/home/chaem]
└──╼ #gobuster dir -u http://runner.htb -t 50 -w /usr/share/dirbuster/wordlists/directory-list-1.0.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://runner.htb
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-1.0.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2024/06/02 15:08:58 Starting gobuster in directory enumeration mode
===============================================================
/assets (Status: 301) [Size: 178] [--> http://runner.htb/assets/]
===============================================================
2024/06/02 15:12:38 Finished
===============================================================
https://github.com/danielmiessler/SecLists.git
SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, ...
ffuf -w /home/chaem/SecLists/Discovery/DNS/combined_subdomains.txt -u http://runner.htb -H "HOST:FUZZ.runner.htb" -t 2000 -fs 154
Searching for vulnerabilities in TeamCity version 2023.05.3
https://github.com/Zyad-Elsayed/CVE-2023-42793
GitHub - Zyad-Elsayed/CVE-2023-42793: JetBrains TeamCity 2023.05.3 - Remote Code Execution (RCE), CVE-2023-42793
After downloading the backup zip file and extracting it, explore the files.
An id_rsa key is found under /projects/AllProjects/pluginData/ssh_keys, which allows SSH access as john:
ssh john@teamcity.runner.htb -i id_rsa
user.txt can be obtained there.
Discovered the portainer-administration.runner.htb host.
Found matthew's hash.
Cracked matthew's hash and obtained the password: piper123
Log in with the matthew account.
Searching for Docker container related escalation turns up the following:
https://rioasmara.com/2021/08/15/use-portainer-for-privilege-escalation/
Use Portainer for Privilege Escalation
Perhaps because the version differs, the mount did not work properly.
First, create the volume with the following option added:
Get the image ID.
Once you attach to the created container through the console, the SSH connection goes through, and the mount is visible under /mnt/; go to /root/ there and you can get root.txt.
The runc working directory breakout CVE can also be used → maybe that's why the box is called runner!
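A defender-side check for the Portainer/Docker host-mount path described above (an added example, not from the original writeup or from Portainer): it reads data in the shape of `docker inspect` and `docker volume inspect` output and flags containers that run privileged, bind-mount sensitive host paths, or use a local volume whose driver options bind the host root. The sample data is constructed and the sensitive-path list is an assumption.

```python
import json

# Constructed sample in the shape of `docker volume inspect` / `docker inspect`
# output (not captured from the box): one volume bound to the host root the way
# the writeup describes, one plain volume, and two containers.
VOLUMES_JSON = json.dumps([
    {"Name": "hostroot", "Driver": "local",
     "Options": {"type": "none", "o": "bind", "device": "/"}},
    {"Name": "webdata", "Driver": "local", "Options": None},
])
CONTAINERS_JSON = json.dumps([
    {"Name": "/shell", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "volume", "Name": "hostroot", "Destination": "/mnt"}]},
    {"Name": "/web", "HostConfig": {"Privileged": True},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}]},
])

# Assumption: host paths that should never be handed to a container.
SENSITIVE = ("/", "/root", "/etc", "/var/run/docker.sock", "/var/lib/docker")

def path_is_sensitive(path: str) -> bool:
    """True if path is the host root, a sensitive root, or lies under one."""
    path = path.rstrip("/") or "/"
    return path == "/" or any(path == p or path.startswith(p + "/") for p in SENSITIVE[1:])

def risky_volumes(volumes_json: str) -> dict:
    """Map volume name -> host device for local volumes that bind a sensitive path."""
    risky = {}
    for vol in json.loads(volumes_json):
        opts = vol.get("Options") or {}
        bound = "bind" in opts.get("o", "").split(",")
        if bound and path_is_sensitive(opts.get("device", "")):
            risky[vol["Name"]] = opts["device"]
    return risky

def audit(containers_json: str, volumes_json: str) -> list:
    """Return one finding per container that exposes the host."""
    findings, bad_vols = [], risky_volumes(volumes_json)
    for c in json.loads(containers_json):
        name = c["Name"].lstrip("/")
        if c.get("HostConfig", {}).get("Privileged"):
            findings.append(f"{name}: runs privileged")
        for m in c.get("Mounts", []):
            if m.get("Type") == "bind" and path_is_sensitive(m.get("Source", "")):
                findings.append(f"{name}: binds host {m['Source']} at {m['Destination']}")
            elif m.get("Type") == "volume" and m.get("Name") in bad_vols:
                findings.append(f"{name}: volume {m['Name']} maps host {bad_vols[m['Name']]} at {m['Destination']}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(CONTAINERS_JSON, VOLUMES_JSON)))
```

On a live host the same functions can be fed the real output of `docker volume inspect $(docker volume ls -q)` and `docker inspect $(docker ps -aq)`.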
https://labs.withsecure.com/publications/runc-working-directory-breakout--cve-2024-21626
runc working directory breakout (CVE-2024-21626)
An analysis of CVE-2024-21626 which is a vulnerability in runc that allows for container breakout.
Portainer configuration documentation
https://docs.portainer.io/user/docker/volumes/add
Add a new volume | 2.19 | Portainer Documentation
In Portainer, you can mount a CIFS volume to persist the data of your containers.