JetBrains TeamCity Authentication Bypass RCE
CVE-2023-42793 is a critical authentication bypass in JetBrains TeamCity On-Premises, fixed in 2023.05.4; every earlier version is affected, and TeamCity Cloud is not. The server exempted request paths ending in /RPC2 from authentication, so an unauthenticated attacker can call the built-in administrator's token endpoint, POST /app/rest/users/id:1/tokens/RPC2, and receive a valid access token for user id:1. With that token the attacker creates further SYSTEM_ADMIN accounts through the REST API and, after enabling TeamCity's debug process endpoint, executes arbitrary commands on the server as the TeamCity service account. Because TeamCity is a CI/CD platform, a compromised server also exposes build pipelines, source code, secrets, and signing material.
Impact, mitigation & remediation
What it means, what to do now, and what to check afterwards.
Impact
An unauthenticated attacker with HTTP access to the server obtains a SYSTEM_ADMIN account and, through the debug process endpoint the public exploits switch on, command execution as the TeamCity service account. From there everything the server can reach is exposed: build pipelines, source code, build parameters and secrets, VCS and cloud credentials, and signing material. The vulnerability has been used by state-sponsored actors; APT29, the Seashell Blizzard subgroup, and a Lazarus-linked cluster are listed under Recent activity below.
Mitigation
If you cannot patch tonight: take the server off the Internet or restrict it to trusted networks and VPN, since every exploit listed below needs only HTTP reachability of the REST API, and apply the TeamCity security patch plugin that JetBrains published for older releases as a stopgap until you can upgrade.
Remediation
Upgrade to 2023.05.4 or later, then assume compromise: review users for unexpected SYSTEM_ADMIN accounts; audit the access tokens on the built-in admin user (the exploits create one named RPC2); check config/internal.properties in the data directory for rest.debug.processes.enable=true; search the web-server access logs for the request sequence the exploit chain produces (token endpoint under /RPC2, user creation, data-directory edit, debug process execution); and rotate every secret the server held, including VCS credentials, agent authorization tokens, signing keys, and cloud credentials stored in parameters.
Exploits
10 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository contains a Python exploit for CVE-2023-42793, a critical authentication bypass vulnerability in JetBrains TeamCity. The main file, CVE-2023-42793.py, is a standalone script that can scan single or multiple TeamCity instances for the vulnerability. It works by interacting with the TeamCity REST API to delete and create tokens for the admin user, then uses the obtained token to create a new administrator account with a known password. The exploit then verifies the new account by attempting a login. Results, including the new credentials and login URL, are saved to an output file. The script supports both single-target and batch scanning modes, with configurable threading and timeout options. The README provides usage instructions and expected output formats. No hardcoded IPs or domains are present; targets are supplied by the user. The exploit is operational and provides full admin access to vulnerable TeamCity servers.
This repository contains two Python exploit scripts targeting JetBrains TeamCity servers vulnerable to CVE-2023-42793. The first script, 'exploit-rce.py', automates the process of obtaining a user token, enabling debug process execution, and then allows the attacker to execute arbitrary commands on the target server via the TeamCity REST API. The second script, 'user_add_administrator.py', creates a new administrator user on the target TeamCity instance by sending a crafted POST request with the appropriate role assignment. Both scripts interact with specific REST API endpoints exposed by TeamCity, and require the target to be accessible over HTTP. The README provides usage examples and legal disclaimers. The repository is operational and provides working exploit code for RCE and privilege escalation on vulnerable TeamCity servers.
This repository is a Go-based exploit targeting JetBrains TeamCity servers. The main logic is implemented in 'exploiter.go' and orchestrated by 'main.go'. The exploit works by authenticating to the TeamCity server, enabling debug mode (which allows arbitrary process execution), and then using the debug process API to download a Python reverse shell script from a remote URL and execute it on the server. The endpoints targeted are specific TeamCity REST API endpoints for user token management, enabling debug mode, and executing processes. The exploit requires the attacker to provide the TeamCity server URL and the URL of the reverse shell script. If successful, it grants the attacker remote shell access to the TeamCity server. The code is operational and provides a working exploit chain, but the payload (reverse shell) must be hosted by the attacker. The repository contains 5 files, with the main exploit logic in 'exploiter.go' and the entry point in 'main.go'.
This repository contains a single Nuclei template YAML file targeting CVE-2023-42793, a critical authentication bypass and remote code execution vulnerability in JetBrains TeamCity servers prior to version 2023.05.4. The template automates the exploitation process by sending a sequence of HTTP requests: it first manipulates user tokens to bypass authentication, then enables debug process execution by editing internal configuration, and finally executes arbitrary system commands via the TeamCity REST API. The exploit supports both Windows and Linux/Unix targets by issuing appropriate commands. The file is structured for use with the Nuclei vulnerability scanner, and includes metadata, references, and search queries for identifying TeamCity instances. The main attack vector is network-based, exploiting exposed TeamCity HTTP endpoints. The endpoints used are fingerprintable and directly relate to the exploitation chain. The exploit is operational and can be used to achieve RCE if the target is vulnerable.
This repository is a proof-of-concept exploit for CVE-2023-42793, targeting JetBrains TeamCity servers. The main exploit logic is implemented in 'main.go', written in Go. The exploit takes three command-line arguments: the target TeamCity server's URL, a username, and a password for the new user to be created. It first retrieves an authentication token for the admin user (id:1) by sending a GET request to the TeamCity REST API endpoint '/app/rest/users/id:1/token/RPC2'. Using this token, it then sends a POST request to '/app/rest/users' to create a new user with SYSTEM_ADMIN privileges. The exploit leverages insecure TLS (skipping certificate verification) and hardcodes the email and role for the new user. The repository contains only one code file (main.go) and several IDE configuration files. No detection scripts or fake code are present; the exploit is operational and provides administrative access to the attacker if the target is vulnerable.
This repository provides a two-stage exploit for CVE-2023-42793, a critical vulnerability in JetBrains TeamCity. The structure consists of two main Python scripts:
1. 'exploit.py': exploits the vulnerability to create a new administrator account on a vulnerable TeamCity server. It interacts with the TeamCity REST API to obtain or reset an admin token and then uses it to create a new admin user with either random or user-specified credentials. The script prints and optionally saves the token and credentials for later use.
2. 'rce.py': leverages the newly created admin account (using the token from the previous step) to enable debug processes on the TeamCity server and then execute arbitrary OS commands via the TeamCity REST API. It supports executing any command, including reverse shell payloads, by sending crafted HTTP requests. The script requires the token file generated by 'exploit.py'.
The repository also includes a 'requirements.txt' for dependencies and a detailed README.md with usage instructions, examples, and references. The exploit is operational, providing full admin access and remote code execution on vulnerable TeamCity instances. The main attack vector is network-based, targeting accessible TeamCity REST API endpoints. The scripts are intended for use against systems the tester is authorized to assess.
This repository contains a Python exploit script (CVE-2023-42793.py) targeting JetBrains TeamCity servers vulnerable to CVE-2023-42793. The exploit leverages TeamCity's REST API to first delete and then create a user token for the default user (id:1), and subsequently uses this token to create a new user with SYSTEM_ADMIN privileges and a known password. The script can target a single URL or a list of URLs, and successful exploitation is logged to a file. The README provides clear usage instructions, dorking tips for finding vulnerable servers, and a detailed explanation of the exploit's workflow. The main attack vector is network-based, exploiting unauthenticated access to TeamCity's REST API endpoints. The repository is operational, providing a working exploit that results in full administrative compromise of the target TeamCity instance.
This repository is a Rust-based exploit for CVE-2023-42793, a vulnerability in JetBrains TeamCity. The exploit consists of a single main Rust source file (src/main.rs), a Cargo.toml manifest, and a README.md with usage instructions. The exploit takes three arguments: the TeamCity server URL, a username, and a password. It interacts with the TeamCity REST API by first deleting any existing token through the token endpoint, then requesting a new token, and finally using that token to create a new user with SYSTEM_ADMIN privileges. The exploit demonstrates the ability to programmatically create an administrative user on a vulnerable TeamCity instance, effectively granting the attacker full control. The code uses the reqwest library for HTTP requests, serde_json for JSON handling, and roxmltree for XML parsing. No hardcoded endpoints are present except for the REST API paths, and the exploit is operational, requiring only the target URL and desired credentials.
This repository contains a Python exploit script (main.py) targeting JetBrains TeamCity servers vulnerable to CVE-2023-42793. The exploit requires a valid TeamCity Bearer token (which must be obtained separately) and the target TeamCity server's URL and port. The script first enables debug mode on the TeamCity server by sending a crafted HTTP POST request. It then sends another POST request to trigger remote code execution by instructing the server to execute a reverse shell command, which connects back to the attacker's netcat listener. The payload is a standard bash reverse shell, encoded for URL transmission. The repository consists of the exploit script and a README file with usage instructions. The exploit is operational and provides remote shell access to the attacker if the prerequisites are met.
This repository provides two Bash scripts exploiting CVE-2023-42793, a critical vulnerability in JetBrains TeamCity. The first script (CVE-2023-42793_admin.sh) creates a new SYSTEM_ADMIN user with known credentials by abusing the REST API, allowing an attacker to gain administrative access. The second script (CVE-2023-42793_rce.sh) enables a debug setting and then executes arbitrary commands on the target server, returning the output. Both scripts automate the process of obtaining a bearer token via a vulnerable endpoint, performing the exploit action, and cleaning up by deleting the token. The repository is structured simply, with two exploit scripts and a README providing usage instructions and proof-of-concept images. The main attack vector is network-based, targeting exposed TeamCity REST API endpoints. No hardcoded IPs or domains are present; the scripts require the attacker to supply the target's base URL and port.
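The exploit summaries above all walk the same four-step chain, and the remediation checklist asks you to look for its traces. As an added example, not from this page or from any of the repositories listed, here is a Python script that does the two checks a responder needs: the version test from the advisory, and a hunt over web-server access logs for the request sequence the chain produces. It assumes a combined-format access log such as Tomcat writes; the request paths and the internal.properties key are the ones the public exploits use; the log lines are constructed for the example; and the helper names (is_affected, classify_request, hunt_access_log, chains_by_source) are this example's own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical helper names for this example (is_affected, classify_request,
# hunt_access_log, chains_by_source); they belong to no TeamCity API or exploit repo.

FIRST_FIXED = (2023, 5, 4)  # first fixed release per the JetBrains advisory

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def is_affected(version_string):
    """True if a TeamCity On-Premises version string is older than 2023.05.4.

    Accepts the '2023.05.3 (build 129390)' form that /app/rest/server returns;
    a missing third component ('2023.05') counts as .0.
    """
    m = _VERSION_RE.search(version_string)
    if not m:
        raise ValueError("no dotted version in %r" % version_string)
    parsed = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return parsed < FIRST_FIXED


# Combined-format access log line: client, identity, user, [timestamp], "request", status
_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def classify_request(method, target):
    """Map one request to a stage of the exploit chain, or None if unremarkable."""
    parts = urlsplit(target)
    path, query = parts.path, parse_qs(parts.query)
    # Stage 1: on vulnerable builds any path ending in /RPC2 skipped authentication;
    # the exploits DELETE then POST the built-in admin's token endpoint there.
    if path.endswith("/RPC2"):
        return "auth-bypass-rpc2"
    # Stage 2: a new SYSTEM_ADMIN user created with the stolen token.
    if method == "POST" and path == "/app/rest/users":
        return "user-create"
    # Stage 3: the data-directory editor used to turn on the debug process endpoint.
    if (path == "/admin/dataDir.html"
            and query.get("action") == ["edit"]
            and query.get("fileName") == ["config/internal.properties"]
            and any("rest.debug.processes.enable" in c for c in query.get("content", []))):
        return "debug-processes-enabled"
    # Stage 4: arbitrary process execution through the debug REST endpoint.
    if path.startswith("/app/rest/debug/processes"):
        return "debug-process-exec"
    return None


def hunt_access_log(log_text):
    """Return (src, timestamp, method, target, stage) for every request matching a stage."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        stage = classify_request(m["method"], m["target"])
        if stage:
            hits.append((m["src"], m["ts"], m["method"], m["target"], stage))
    return hits


def chains_by_source(hits):
    """Stages seen per client address, in log order, keeping only clients that used
    the RPC2 bypass: one such request already means the admin token was minted."""
    chains = {}
    for src, _ts, _method, _target, stage in hits:
        chains.setdefault(src, []).append(stage)
    return {src: stages for src, stages in chains.items() if "auth-bypass-rpc2" in stages}


# Constructed sample log (not from any real server): two ordinary clients and one
# client walking the full chain from a single address.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2023:10:01:02 +0000] "GET /login.html HTTP/1.1" 200 4123
203.0.113.7 - - [01/Oct/2023:10:02:15 +0000] "DELETE /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 204 0
203.0.113.7 - - [01/Oct/2023:10:02:16 +0000] "POST /app/rest/users/id:1/tokens/RPC2 HTTP/1.1" 200 88
203.0.113.7 - - [01/Oct/2023:10:02:20 +0000] "POST /app/rest/users HTTP/1.1" 200 512
203.0.113.7 - - [01/Oct/2023:10:02:31 +0000] "POST /admin/dataDir.html?action=edit&fileName=config/internal.properties&content=rest.debug.processes.enable%3Dtrue HTTP/1.1" 200 0
203.0.113.7 - - [01/Oct/2023:10:02:40 +0000] "POST /app/rest/debug/processes?exePath=/bin/sh&params=-c&params=id HTTP/1.1" 200 60
10.0.0.9 - - [01/Oct/2023:10:05:00 +0000] "GET /app/rest/builds?locator=count:10 HTTP/1.1" 200 9000
"""

if __name__ == "__main__":
    print("2023.05.3 affected:", is_affected("2023.05.3 (build 129390)"))
    for src, stages in chains_by_source(hunt_access_log(SAMPLE_LOG)).items():
        print(src, "->", " > ".join(stages))
```

Run it against the real access log of any server that was exposed before the upgrade; a client that reaches stage 1 has a working admin token even if none of the later stages appear, so treat that alone as a compromise and continue with the checklist above.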
Affected products & vendors
JetBrains TeamCity On-Premises, all versions before 2023.05.4. TeamCity Cloud is not affected.
Recent activity
31 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced in an advisory as an authentication bypass in JetBrains TeamCity already exploited by threat actors against on-premises servers.
Listed as an observed CVE in a Lazarus-related YARA rule; the rule gives no further detail.
Listed among the vulnerabilities APT29 exploits.
Identified as one of the published CVEs the Seashell Blizzard subgroup used to compromise Internet-facing systems.