HackTheBox - Runner

00:00 - Introduction
01:00 - Start of NMAP
05:00 - Discovering the TeamCity Subdomain, which has a version banner showing it running 129390 and is vulnerable to CVE-2023-42793
07:30 - Exploring the TeamCity Authentication Bypass vulnerability to see why URLs ending in RPC2 don't require authentication
11:30 - Logged in as an administrator on TeamCity, creating a Backup, which has a Database Backup and any SSH Keys associated with projects
18:30 - Analyzing the SSH Key to discover the username that generated it and logging into the box
20:50 - Going another route on TeamCity, Enabling Debug Mode then running commands
27:55 - Showing how to get RCE on Linux when you can specify a Binary with only 1 parameter (Using AWK)
31:00 - Shell on the box as John, doing basic enumeration
34:00 - Logged into Portainer as Matthew (cracked password from database dump)
37:50 - Exploiting RUNC by setting the working directory of a container to /proc/self/fd/8, then gaining access to the root filesystem
