HackTheBox - Runner

00:00 - Introduction 01:00 - Start of NMAP 05:00 - Discovering the TeamCity Subdomain, which has a version banner showing it running 129390 and is vulnerable to CVE-2023-42793 07:30 - Exploring the TeamCity Authentication Bypass vulnerability to see why URL's ending in RPC2 don't require authentication 11:30 - Logged in as an administrator on TeamCity creating a Backup, which has a Database Backup and any SSH Keys associated with projects 18:30 - Analyzing the SSH Key to discover the username that generated it and logging into the box 20:50 - Going another route on TeamCity, Enabling Debug Mode than running commands 27:55 - Showing how to get RCE on Linux when you can specify a Binary with only 1 parameter (Using AWK) 31:00 - Shell on the box as John, doing basic enumeration 34:00 - Logged into Portainer as Matthew (cracked password from database dump) 37:50 - Exploiting RUNC by setting the working directory of a container to /proc/self/fd/8, then gaining access to the root filesystem