Hello, I’m Niranjan, and this is my first article on solving a Hack The Box (HTB) medium-level machine.
I’m passionate about cybersecurity and excited to share my journey and insights as I navigate through various challenges. In this post, I’ll be diving into Runner Writeup, a Windows box on Hack The Box.
Throughout this article, I’ll detail my journey and share how I successfully breached Runner to retrieve the flags.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Nmap TCP Port Scan
I started with an Nmap scan to identify open ports and services on the target machine.
$ nmap -A -v 10.10.11.13
This revealed three open ports: 22, 80, and 8000.
Next, I tried accessing the IP address in Firefox, but it redirected me to runner.htb.
To proceed, I added this hostname to my /etc/hosts file:
$ ip=10.10.11.13
$ printf "\n%s\t%s" "$ip" "runner.htb" | sudo tee -a /etc/hosts
Enumeration
Upon loading the page, I decided to look for any subdomains. I used ffuf to find subdomains, trying common wordlists initially without success.
$ ffuf -w /path/to/wordlist -u http://FUZZ.runner.htb
I used this wordlist with ffuf, and finally discovered a subdomain: teamcity.runner.htb.
$ ffuf -w wordlist.txt -u http://FUZZ.runner.htb
I added this subdomain to my /etc/hosts file as well:
$ printf "\n%s\t%s" "$ip" "teamcity.runner.htb" | sudo tee -a /etc/hosts
Exploitation
I searched for exploits related to TeamCity and found one for version 2023.05.3: TeamCity Admin Account Creation CVE-2023-42793.
$ searchsploit teamcity
I ran the exploit to create an admin account:
$ python3 51884.py -u http://teamcity.runner.htb
The exploit provided a username and password. I logged in and navigated to the Administration section, where I found three user accounts.
I went to the Backup tab, initiated a backup, and downloaded the zip file to my machine. During the enumeration of this backup file, I found a database dump with hashed passwords and an “id_rsa” key.
$ ssh -i id_rsa john@runner.htb
Logging in with the SSH key, I successfully accessed the user account but only found the user flag, not root.
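The backup described above carried both an SSH private key and password hashes, so a defender may want to check what a backup archive contains before it is stored or shared. The following is an added example, not code from the original post or from TeamCity: it scans a zip archive for PEM private keys, key-like filenames and bcrypt-format hashes (the format hashcat mode 3200 targets). The archive layout, file names and sample contents are constructed assumptions.

```python
import io
import re
import zipfile

# PEM private-key header (RSA, OpenSSH, EC, PKCS#8 ...)
PEM_KEY = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
# bcrypt modular-crypt string: $2a$/$2b$/$2y$, two-digit cost, 53 chars of salt+hash
BCRYPT = re.compile(rb"\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}")
# File names that conventionally hold private keys
KEY_NAMES = re.compile(r"(^|/)(id_(rsa|dsa|ecdsa|ed25519)|[^/]+\.(pem|key|ppk))$")


def scan_backup(fileobj, max_member_bytes=50 * 1024 * 1024):
    """Return sorted (member, finding) tuples for secrets inside a zip archive."""
    findings = set()
    with zipfile.ZipFile(fileobj) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if KEY_NAMES.search(info.filename):
                findings.add((info.filename, "key-like filename"))
            if info.file_size > max_member_bytes:
                # Report rather than silently ignore members we did not read
                findings.add((info.filename, "skipped: too large to scan"))
                continue
            data = zf.read(info)
            if PEM_KEY.search(data):
                findings.add((info.filename, "PEM private key"))
            count = len(set(BCRYPT.findall(data)))
            if count:
                findings.add((info.filename, f"{count} bcrypt hash(es)"))
    return sorted(findings)


def build_sample_backup():
    """Constructed sample archive; names and contents are invented for the demo."""
    fake_hash = b"$2a$07$" + b"A" * 53  # well-formed but meaningless
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config/projects/demo/id_rsa",
                    "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed)\n")
        zf.writestr("database_dump/users", b"1, alice, " + fake_hash + b"\n")
        zf.writestr("config/readme.txt", "nothing sensitive here\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for member, finding in scan_backup(build_sample_backup()):
        print(f"{member}: {finding}")
```

Any finding is a reason to treat the archive as a credential store: restrict who can create and download it, and rotate keys that have appeared in one.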
Privilege Escalation
After some further enumeration, I discovered another service: Portainer, a container management platform.
I logged into Portainer using credentials I decrypted with hashcat:
$ hashcat -m 3200 hash.txt /usr/share/wordlists/rockyou.txt
Using the decrypted password, I logged into Portainer with the matheeve account. In Portainer, I found two Docker images: ubuntu:latest and teamcity:latest.
I created a container using the teamcity:latest image and accessed its console as the root user.
Finally, I got root access and captured the root flag.
This concludes my journey in solving the Runner machine on Hack The Box. It was a challenging and insightful experience that reinforced the importance of thorough enumeration and understanding the intricacies of different tools and exploits. I hope this writeup helps fellow cybersecurity enthusiasts in their own adventures.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
I hope you enjoyed this article. Feel free to reach out with any questions or feedback. Happy hacking!