# Incident Response Report: TeamCity Compromise (CVE-2024-27198)

**Analyst:** Belal Abdelsalam  
**Date:** July 2026  
**Lab/Environment:** CyberDefenders JetBrains  

---

## 📄 Executive Summary
This report documents the forensic analysis of a compromised JetBrains TeamCity server (version 2023.11.3). By analyzing the provided network packet capture (`.pcap`), the investigation confirmed that an external threat actor bypassed authentication mechanisms using a path traversal vulnerability (CVE-2024-27198). The attacker subsequently uploaded a malicious plugin containing a Java Server Page (JSP) webshell, achieving Remote Code Execution (RCE) and conducting further system enumeration.

---

## ๐Ÿ” 1. Initial Access & Reconnaissance
The investigation began by identifying the source of the anomalous traffic. Using **Wireshark**, I navigated to `Statistics > Conversations > IPv4` to identify endpoints with the highest volume of communication with the web server.

* **Attacker IP:** `23.158.56.196`
* **Target Server:** JetBrains TeamCity, version `2023.11.3`

Filtering the traffic for HTTP POST requests (`http.request.method == "POST"`), I identified the initial exploitation vector. The attacker leveraged a known authentication bypass by appending a path parameter (a semicolon) and a `.jsp` suffix to a REST API endpoint, which causes the vulnerable server to skip its authentication check for that request:
* **Exploit Request:** `POST /app/rest/users;.jsp`
* **Vulnerability Identified:** CVE-2024-27198

This allowed the attacker to generate an administrative access token without valid credentials.

---

## ๐Ÿช 2. Persistence via Webshell Deployment
With administrative access secured, the attacker moved to establish persistence. I filtered the network stream for file uploads using `http.content_type contains "multipart/form-data"`.

Following the TCP stream of these requests revealed the attacker uploading a malicious TeamCity plugin formatted as a `.zip` archive. 

* **Malicious Archive:** `NSt8bHTg.zip`
* **Webshell Payload:** Examining the plaintext HTTP stream of the zip upload revealed the internal directory structure, confirming the presence of a JSP backdoor named `NSt8bHTg.jsp`.

---

## โš™๏ธ 3. Execution & System Enumeration
To understand the extent of the compromise, I tracked the attacker's interactions with the newly deployed webshell. 

By applying the filter `http.request.uri contains "cmd="`, I successfully isolated the Command and Control (C2) traffic. The attacker passed operating system commands directly through the URL parameters.

Following the TCP streams of these HTTP GET requests allowed me to read the server's plaintext responses, revealing the attacker's enumeration steps:

1. **User Discovery:** Executed `whoami` to determine privilege levels.
2. **Network Discovery:** Executed `ls` to map the internal files.
3. **Defense Evasion:** The attacker attempted to hide their tracks by explicitly adding directory exclusions to Windows Defender for the paths `C:\TeamCity` and `C:\Windows`.
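To make the three-stage reconstruction above repeatable outside Wireshark, here is an added Python example (not part of the original report or of any JetBrains tooling) that applies the same three checks as the display filters in sections 1 to 3 to a list of request tuples and then ranks source IPs by how many stages of the chain they reached. The request tuples, the internal IPs, the upload path `/admin/pluginUpload.html` and the webshell URL are constructed for the example; only the attacker IP and the `NSt8bHTg` file names come from the report's IOCs. In a real case the tuples would be extracted from the pcap (for instance with `tshark -T fields`) rather than typed in.

```python
"""Triage of HTTP requests for the TeamCity attack chain described in the
report: the CVE-2024-27198 auth-bypass request, the multipart plugin upload,
and webshell commands passed in a `cmd=` parameter.

Added example, not part of the original report or of any JetBrains tooling.
The request tuples are constructed; only the attacker IP and the NSt8bHTg
file names are taken from the report's IOCs.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# (source IP, method, request URI, Content-Type header value or "")
SAMPLE_REQUESTS = [
    ("10.0.0.5",      "GET",  "/login.html", ""),
    ("10.0.0.7",      "GET",  "/app/rest/builds?locator=count:10", ""),
    ("23.158.56.196", "POST", "/app/rest/users;.jsp", "application/json"),
    ("23.158.56.196", "POST", "/admin/pluginUpload.html",          # constructed path
                               "multipart/form-data; boundary=----constructed"),
    ("23.158.56.196", "GET",  "/plugins/NSt8bHTg/NSt8bHTg.jsp?cmd=whoami", ""),
    ("23.158.56.196", "GET",  "/plugins/NSt8bHTg/NSt8bHTg.jsp?cmd=ls", ""),
]

# A ';' path parameter inside /app/rest/ is the shape of the CVE-2024-27198
# bypass (the report saw ';.jsp'). Legitimate REST clients never send one,
# so this rule is deliberately broader than the single suffix observed.
REST_PATH_PARAM = re.compile(r"^/app/rest/[^?]*;")
UPLOAD_CONTENT_TYPE = "multipart/form-data"   # section 2 filter
WEBSHELL_PARAM = "cmd"                        # section 3 filter


def classify(method, uri, content_type):
    """Return a list of (stage, detail) findings for one request."""
    parts = urlsplit(uri)   # urlsplit keeps ';' in the path, unlike urlparse
    findings = []
    if REST_PATH_PARAM.match(parts.path):
        findings.append(("auth_bypass", parts.path))
    if method == "POST" and content_type.lower().startswith(UPLOAD_CONTENT_TYPE):
        findings.append(("plugin_upload", parts.path))
    query = parse_qs(parts.query)
    if parts.path.lower().endswith(".jsp") and WEBSHELL_PARAM in query:
        # parse_qs already URL-decodes the value, so the command is readable
        findings.append(("webshell_cmd", query[WEBSHELL_PARAM][0]))
    return findings


def triage(requests):
    """Map each source IP to its findings; sources with none are omitted."""
    by_source = defaultdict(list)
    for src, method, uri, ctype in requests:
        for finding in classify(method, uri, ctype):
            by_source[src].append(finding)
    return dict(by_source)


def suspicious_sources(requests, min_stages=2):
    """Sources that reached at least `min_stages` distinct stages of the chain.
    A lone bypass probe may be a scanner; bypass plus upload or command
    execution is the pattern the report reconstructs."""
    return sorted(
        src for src, findings in triage(requests).items()
        if len({stage for stage, _ in findings}) >= min_stages
    )


def executed_commands(requests, src):
    """Commands the given source passed to the webshell, in capture order."""
    return [detail for stage, detail in triage(requests).get(src, [])
            if stage == "webshell_cmd"]


if __name__ == "__main__":
    for src in suspicious_sources(SAMPLE_REQUESTS):
        print(src)
        for stage, detail in triage(SAMPLE_REQUESTS)[src]:
            print(f"  {stage:14} {detail}")
```

The `min_stages` threshold is the useful knob: a single `;.jsp` probe from many addresses is typical scanner noise after a public CVE, whereas one address that also uploads a multipart body and then issues `cmd=` requests to a `.jsp` path matches the full chain in this report.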

---

## 🚩 Indicators of Compromise (IOCs)

| Type | Indicator | Description | MITRE ATT&CK |
| :--- | :--- | :--- | :--- |
| **IP Address** | `23.158.56.196` | Source of the attack | T1190 |
| **URL Path** | `/app/rest/users;.jsp` | Auth bypass exploit vector | T1190 |
| **File** | `NSt8bHTg.zip` | Malicious TeamCity plugin | T1505.003 |
| **File** | `NSt8bHTg.jsp` | Webshell backdoor | T1505.003 |

---

## ๐Ÿ›ก๏ธ Conclusion & Remediation Notes
The threat actor successfully leveraged CVE-2024-27198 to gain initial access, uploaded a custom webshell for persistence, and executed system commands to enumerate the host and evade local defenses. 

**Recommended Actions:**
* **Isolate:** Immediately disconnect the affected TeamCity server from the network.
* **Patch:** Upgrade TeamCity to version 2023.11.4 or apply the JetBrains security patch plugin.
* **Hunt:** Scan the broader network for the identified IOCs to ensure the attacker did not pivot to internal infrastructure using the compromised server as a beachhead.

---
*Disclaimer: This repository is for educational purposes only as part of a controlled CyberDefenders lab environment. Do not use these techniques on systems you do not own or have explicit permission to test.*