## https://sploitus.com/exploit?id=B2EEBBD9-E899-5B83-B5D5-291AB6076D26
Exploiting CVE-2024-27198-RCE Vulnerability
In this project, I exploited the CVE-2024-27198-RCE vulnerability to perform a remote code execution (RCE) attack on a vulnerable TeamCity server. The vulnerability allows uploading and activating a malicious plugin that provides access to the remote system via a webshell, granting the ability to execute commands and retrieve data from the server.
Steps Taken:
Preparing for the Attack:
I began by identifying the target server, which was accessible at http://10.10.217.209:50000. I then used the CVE-2024-27198-RCE.py script to exploit the vulnerability on the server.
Uploading the Malicious Plugin:
During the exploitation process, the script automatically uploaded a malicious plugin to the server, which was successfully activated. The webshell that allowed access to the server was available at:
http://10.10.217.209:50000/plugins/zHXm20lm/zHXm20lm.jsp.
Executing Commands on the Server:
Through the webshell, I executed various commands on the server, such as:
whoami - showed the current user on the server (ubuntu).
ls - listed files in the directory.
cat /home/ubuntu/flag.txt - opened the flag file that I needed to find.
Retrieving the Flag:
By executing the cat /home/ubuntu/flag.txt command, I was able to retrieve the flag:
THM{faa9bac345709b6620a6200b484c7594}.
Tools Used:
Python 3: For running the exploit script.
CVE-2024-27198-RCE.py: The main exploit that uses the vulnerability to upload the plugin.
Webshell: The ofbehinder3.0 plugin, which provided remote access to the server and allowed command execution.
Target Server: TeamCity, where the vulnerability was found.
Risks and Conclusion:
By exploiting this vulnerability, I gained access to the server and was able to retrieve critical information. This attack highlights the significant risks to TeamCity servers that have not been updated in a timely manner. I recommend always keeping software versions up to date and installing necessary security patches.
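A detection sketch for the artifact this attack leaves behind: a JSP served from a `/plugins/<name>/` directory that is not in the server's approved plugin inventory. This is an added example, not part of the original project. The Combined Log Format, the `approved-plugin` name, the client addresses and the timestamps are constructed assumptions; only the webshell path is taken from the write-up.

```python
import re

# Combined Log Format entry (assumed format, e.g. a reverse proxy in front of TeamCity).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Any JSP served directly from /plugins/<dir>/.
JSP_RE = re.compile(r'^/plugins/(?P<dir>[^/]+)/(?P<file>[^/]+)\.jsp$', re.IGNORECASE)

# Constructed sample lines; only the zHXm20lm path comes from the write-up.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Mar/2024:10:01:12 +0000] "GET /login.html HTTP/1.1" 200 5120',
    '192.0.2.10 - - [05/Mar/2024:10:02:40 +0000] "GET /plugins/approved-plugin/settings.jsp HTTP/1.1" 200 880',
    '198.51.100.7 - - [05/Mar/2024:10:05:03 +0000] "GET /plugins/zHXm20lm/zHXm20lm.jsp HTTP/1.1" 200 12',
    '198.51.100.7 - - [05/Mar/2024:10:05:09 +0000] "POST /plugins/zHXm20lm/zHXm20lm.jsp?t=1 HTTP/1.1" 200 40',
]


def find_unapproved_plugin_jsps(lines, approved_plugins):
    """Group requests for plugin JSPs whose directory is not an approved plugin."""
    findings = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log entry we understand
        path = m["target"].split("?", 1)[0]  # ignore the query string
        jsp = JSP_RE.match(path)
        if not jsp or jsp["dir"] in approved_plugins:
            continue
        entry = findings.setdefault(path, {
            "first_seen": m["ts"],
            "clients": set(),
            "hits": 0,
            "served": False,
            # Directory and JSP sharing one name matches the URL in this write-up.
            "dir_equals_file": jsp["dir"] == jsp["file"],
        })
        entry["hits"] += 1
        entry["clients"].add(m["ip"])
        entry["served"] = entry["served"] or m["status"] == "200"
    return findings


if __name__ == "__main__":
    # approved_plugins would come from the server's own plugin inventory.
    for path, info in find_unapproved_plugin_jsps(SAMPLE_LOG, {"approved-plugin"}).items():
        print(path, info)
```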
Screenshots:
Running the exploit script:
Uploading the plugin:
Executing commands via the webshell:
Retrieving the flag