Red43

Want to start this Docker container locally?
docker run -d --restart always --name flag-red43 --cap-add=NET_ADMIN -p 9036:80 -p 9037:22 joshbeck2024/ctf-teamcity-cve-2023-42793-red31
IP Address: 172.25.200.200
Port 9036: Web
Port 9037: SSH
- Platforms like TeamCity enable developers to work together by allowing unit tests to be created before code is pushed to development codebases, ensuring that changes won’t break critical functionality.
- TeamCity, like Jenkins, is a CI/CD tool for automating software deployment.
- In a large team, you don't want a developer pushing broken code to the main project, as it could disrupt everyone else’s work.
- Tools like TeamCity help by running automated unit tests before code is integrated, ensuring that changes don't break key functionality.
The front page helpfully gives us the version number.

An explanation of the CVE related to this version of TeamCity can be found here.
What are we exploiting?
- When this application receives an HTTP request, it is processed by a class that the TeamCity developers named RequestInterceptors.
- This is a custom class they created from scratch.
- This class contains methods that determine whether an authorization token obtained upon successful login is required for the endpoint requested by the user.
- One exception in the RequestInterceptors class is the endpoint http://IP_ADDRESS_OF_TEAMCITY/**/RPC2, which does not require an authentication token.
- This means any URL ending in RPC2 was designed to be publicly accessible without authorization.
- A clear explanation with the relevant code snippets can be found here.
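One defensive use of the detail above, as an added example that is not part of the original writeup: scan web-server access logs for requests whose path would match the /**/RPC2 exemption, since those are exactly the requests served without a token. It assumes combined log format; the log lines below are constructed and the paths in them are made up.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2024:12:00:01 +0000] "GET /login.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:12:00:02 +0000] "POST /app/something/RPC2 HTTP/1.1" 200 140 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jan/2024:12:00:03 +0000] "GET /RPC2?probe=1 HTTP/1.1" 404 0 "-" "curl/8.4.0"
10.0.0.9 - - [10/Jan/2024:12:00:04 +0000] "GET /app/rest/server HTTP/1.1" 401 0 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jan/2024:12:00:05 +0000] "GET /docs/RPC2overview.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)


def is_rpc2_exempt(target: str) -> bool:
    """True if the request path matches the /**/RPC2 exemption described above:
    the final path segment is exactly RPC2 (query string ignored, case-sensitive)."""
    path = urlsplit(target).path
    return path.startswith("/") and path.rsplit("/", 1)[-1] == "RPC2"


def parse_line(line: str):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_rpc2_requests(log_text: str):
    """Return (ip, method, path, status) for every request that hit an RPC2-exempt path."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_rpc2_exempt(rec["target"]):
            hits.append((rec["ip"], rec["method"], urlsplit(rec["target"]).path, int(rec["status"])))
    return hits


if __name__ == "__main__":
    for ip, method, path, status in find_rpc2_requests(SAMPLE_LOG):
        print(f"{ip} {method} {path} -> {status}")
```

On a patched server every such hit should still be reviewed, because the path alone tells you a client was probing the unauthenticated route, not whether it succeeded.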
Proof of Concept:
- Google: TeamCity 2023.05.3 CVE RPC2 Proof of Concept
- This will lead you to the ExploitDB PoC here. (DOWNLOAD THIS)
Looking at the code before you run it is always advisable!