Authentication Bypass in JetBrains TeamCity On-Premises
CVE-2024-27198 is a critical authentication bypass vulnerability affecting JetBrains TeamCity On-Premises versions through 2023.11.3. JetBrains states that, before 2023.11.4, an authentication bypass allowing administrative actions was possible. Supporting sources further indicate that a remote unauthenticated attacker with HTTP(S) access can bypass TeamCity authentication and gain administrative control of the server. Rapid7 assessed that successful exploitation can lead to complete compromise of a susceptible TeamCity server. The issue was fixed in TeamCity 2023.11.4; TeamCity Cloud instances were already patched.
Exploits
11 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (3 hidden).
This repository is a small lab and proof-of-concept environment for CVE-2024-27198, a JetBrains TeamCity authentication bypass caused by alternate-path routing confusion involving matrix parameters and the jsp query parameter. The repo contains four files: a detailed README, a docker-compose lab definition, an exploit script, and a SIEM/demo detection script. The main exploit logic is in exploit.py. It is a standalone Python script using requests/urllib3/argparse. It constructs an unauthenticated POST request to /hax?jsp=/app/rest/users/id:<id>/tokens/<name>;.jsp with a JSON body naming the token. If successful, TeamCity returns a bearer token for the targeted existing user. The script then performs a GET to /app/rest/users with Authorization: Bearer <token> to confirm authenticated API access. This is a real exploit, not merely a detector, and its practical capability is privilege acquisition via unauthorized token creation. The docker-compose.yml file builds a reproducible lab with two TeamCity containers: vulnerable jetbrains/teamcity-server:2023.11.3 on host port 8111 and patched 2023.11.4 on host port 8112. This makes the repository useful for side-by-side validation of exploitability and mitigation. The siem_simulator.py file is not part of exploitation itself; it is a blue-team demonstration utility. It tails /opt/teamcity/logs/teamcity-activities.log inside the teamcity-vulnerable container and alerts on delete_token_for_user, illustrating that token creation may be stealthy while token deletion can leave an audit trail. Overall purpose: provide a hands-on red-team/blue-team lab for demonstrating exploitation of TeamCity CVE-2024-27198, validating the patch, and showing one possible post-exploitation detection opportunity. The exploit is operational but basic: it has configurable target URL, user ID, and token name, but no advanced payload delivery beyond token generation and API verification.
Repository is a small lab/PoC project for CVE-2024-27198 affecting JetBrains TeamCity. It contains four files: a detailed README with reproduction and detection guidance, a docker-compose lab that launches vulnerable TeamCity 2023.11.3 on port 8111 and patched TeamCity 2023.11.4 on port 8112, an exploit script, and a SIEM demonstration script. The main exploit logic is in exploit.py: it builds the alternate-path URI /hax?jsp=/app/rest/users/id:<id>/tokens/<name>;.jsp, sends an unauthenticated POST with JSON {"name": token_name}, and if successful extracts the returned token. It then performs a GET to /app/rest/users using Authorization: Bearer <token> to verify authenticated REST API access. This demonstrates authentication bypass and unauthorized token creation for an existing user, effectively yielding API access as that user (default ID 1/admin). The exploit is operational but basic: payload values are user-supplied via CLI arguments and there is no broader post-exploitation automation. The siem_simulator.py file is not part of exploitation; it tails /opt/teamcity/logs/teamcity-activities.log inside the teamcity-vulnerable Docker container and alerts on the IOC string delete_token_for_user, illustrating post-exploit detection when an attacker deletes the rogue token. Overall, the repository’s purpose is educational/lab-focused: reproduce the TeamCity auth bypass, compare vulnerable vs patched behavior, and demonstrate a defensive detection angle.
This repository provides a mass exploitation proof-of-concept (PoC) tool for CVE-2024-27198, an authentication bypass and RCE vulnerability in JetBrains TeamCity. The main script, massexp.py, is a multi-threaded Python tool that scans a list of target TeamCity servers, attempts to bypass authentication, creates an admin user, generates an API token, and then attempts remote code execution using either a debug endpoint or by uploading a malicious plugin containing a JSP web shell. The tool supports proxying, structured output, and OS detection. The payload is a minimal JSP shell embedded in a plugin, capable of executing arbitrary commands. The code interacts with several TeamCity REST and admin endpoints, and is designed for research and authorized testing only. The repository includes a README with detailed usage instructions, requirements, and output examples. The exploit is a PoC, not weaponized, but demonstrates full compromise capabilities if the target is vulnerable.
This repository contains a Python exploit script (exploit.py) targeting JetBrains TeamCity servers vulnerable to CVE-2024-27198 (authentication bypass and RCE, affecting versions prior to 2023.11.4). The script can:
- Add a new user with system administrator privileges using the TeamCity REST API.
- Generate a user token for the new admin user.
- Modify internal TeamCity properties to enable remote process execution.
- Provide an interactive shell for executing arbitrary commands on the compromised server.
- Scan a list of URLs in batch mode to identify potentially vulnerable TeamCity servers (without exploiting them).
The main entry point is exploit.py, which uses several third-party Python libraries (requests, rich, prompt_toolkit, alive_progress) as specified in requirements.txt. The script is operational and provides both proof-of-concept and practical exploitation capabilities. The README.md provides detailed usage instructions, including single-target and batch scanning modes. The exploit interacts with specific TeamCity REST API endpoints, making it fingerprintable by the URLs it targets. The script is not part of a larger framework and is self-contained.
This repository contains a Python proof-of-concept exploit for CVE-2024-27198, an authentication bypass vulnerability in JetBrains TeamCity (versions before 2023.11.4). The main file, CVE-2024-27198.py, is a command-line tool that allows the user to target a single TeamCity server or scan multiple servers for the vulnerability. The exploit works by sending a specially crafted POST request to the /hax?jsp=/app/rest/users;.jsp endpoint, attempting to create a new SYSTEM_ADMIN user account with random credentials. If successful, the script outputs the new admin username and password, granting the attacker full administrative access to the TeamCity instance. The script supports multi-threaded scanning of targets from a file and uses colored output for clarity. The README.md provides a brief description of the vulnerability, its impact, and a disclaimer. No hardcoded IPs or domains are present; the target URL is supplied by the user. The exploit is a functional PoC and does not include weaponized or framework-based features.
This repository contains a Python exploit script (CVE-2024-27198-RCE.py) and a README.md. The exploit targets JetBrains TeamCity servers prior to version 2023.11.4, leveraging authentication bypass vulnerabilities (CVE-2024-27198 and CVE-2024-27199) to achieve remote code execution (RCE). The script works by first adding a new SYSTEM_ADMIN user to the TeamCity instance via a crafted HTTP POST request. It then retrieves an authentication token for this user, determines the underlying operating system (Linux or Windows) by executing a test command, and finally allows the attacker to execute arbitrary system commands interactively via the TeamCity debug API. The script supports the use of a proxy and allows customization of the username, password, and email domain for the new user. The README provides usage instructions, search dorks for finding TeamCity instances on various search engines, and references for further reading. The main entry point is CVE-2024-27198-RCE.py, which is a standalone Python script requiring Python 3.9 and the requests/urllib3 libraries. The exploit is operational and provides a shell-like interface for command execution on the compromised server.
This repository contains a single Python exploit script (RCity.py) and a detailed README. The exploit targets JetBrains TeamCity servers vulnerable to CVE-2024-27198 (RCE via REST API auth bypass) and CVE-2024-27199 (auth bypass). The script automates the following attack chain: (1) bypasses authentication by abusing a path traversal and query parameter trick (using /hax?jsp=...;.jsp), (2) creates a new admin user, (3) generates an authentication token for that user, (4) enumerates all users and their tokens, and (5) achieves remote code execution by sending crafted requests to the /app/rest/debug/processes endpoint. The exploit supports both Linux and Windows targets, adapting the RCE payload accordingly. The README provides background, usage instructions, and technical details about the vulnerabilities and the exploit's operation. No hardcoded IPs or domains are present; the script requires the attacker to specify the target TeamCity server URL. The exploit is operational, providing full compromise of the target TeamCity instance, including admin access and arbitrary command execution.
This repository contains a Python exploit script (CVE-2024-27198-RCE.py) targeting JetBrains TeamCity servers vulnerable to CVE-2024-27198 (authentication bypass leading to remote code execution). The exploit works by leveraging unauthenticated endpoints to gather server and OS information, then generates and uploads a malicious TeamCity plugin containing a JSP webshell. Once uploaded and activated, the webshell allows arbitrary command execution on the server via HTTP requests. The script supports both interactive command execution and integration with Behinder4.0 webshell protocol. The README provides usage instructions, fingerprinting dorks for search engines, and guidance for setting up a vulnerable TeamCity environment using Docker. The main attack vector is network-based, requiring access to the TeamCity web interface. Key endpoints include unauthenticated REST API paths and the deployed webshell URL. The exploit is operational, providing a working payload and interactive shell access if successful.
This repository contains a Go-based exploit for CVE-2024-27198, an authentication bypass vulnerability affecting JetBrains TeamCity Server version 2023.11.3 and below. The main file, CVE-2024-27198.go, is a standalone exploit that allows an attacker to create a new administrative user on a vulnerable TeamCity instance. The exploit works by sending a crafted HTTP GET request to the endpoint '/pwned?jsp=/app/rest/users;.jsp' to check for vulnerability, and if successful, follows up with a POST request to the same endpoint to create a new admin user with attacker-supplied credentials. The exploit supports optional proxying and includes a version check by querying '/login.html'. The README provides usage instructions and references to official advisories and blog posts. No hardcoded IPs or domains are present; the target server is specified at runtime. The exploit is operational and provides a direct path to full administrative compromise of vulnerable TeamCity servers.
This repository contains a Python exploit script (CVE-2024-27198.py) and a detailed README for CVE-2024-27198, an authentication bypass vulnerability in JetBrains TeamCity Server (versions <= 2023.11.3). The exploit targets a specific alternate path endpoint ('/pwned?jsp=/app/rest/users;.jsp') to bypass authentication and create a new administrative user on the TeamCity server. The script first checks the TeamCity version by scraping the login page, then attempts the exploit by sending a GET request to the vulnerable endpoint. If the server responds with HTTP 200, it proceeds to create a new user with SYSTEM_ADMIN privileges via a POST request to the same endpoint. The README provides background, affected versions, setup instructions for a vulnerable test environment, and usage examples. The exploit is operational, providing a working method to gain admin access to vulnerable TeamCity servers over the network.
This repository contains a Python exploit script (CVE-2024-27198-RCE.py) targeting JetBrains TeamCity servers vulnerable to CVE-2024-27198 (authentication bypass and remote code execution). The script automates the exploitation process by interacting with TeamCity REST API endpoints to gather version and OS information, create a new user, obtain a session token, and ultimately upload a malicious plugin containing a JSP webshell. If the target is running a vulnerable version (notably 2023.11.3), the script attempts to upload and activate the plugin, providing a webshell at a predictable URL. For other versions, it may allow direct command execution via debug endpoints. The exploit requires Python 3.9 and several dependencies (requests, urllib3, faker). The README provides usage instructions, fingerprinting dorks for finding TeamCity instances, and notes on known issues (such as the need for a proxy for plugin upload). The main attack vector is network-based, targeting HTTP endpoints exposed by TeamCity. The repository is operational, providing a working exploit with a functional payload (webshell), and is not part of a larger framework.
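Detection logic for the request shape these write-ups describe, added here as an example and not code from any of the repositories above: it scans access-log lines for the ";.jsp" alternate-path pattern combined with a jsp query parameter, recovers the REST route the request was steered to, and labels what that route implies (user creation, token creation, debug endpoint). The Common Log Format layout and the sample lines are constructed assumptions; adapt the regex to your reverse proxy's format.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [04/Mar/2024:10:01:13 +0000] "GET /hax?jsp=/app/rest/users;.jsp HTTP/1.1" 200 912
203.0.113.7 - - [04/Mar/2024:10:01:14 +0000] "POST /hax?jsp=/app/rest/users;.jsp HTTP/1.1" 200 640
203.0.113.7 - - [04/Mar/2024:10:01:15 +0000] "POST /pwned?jsp=/app/rest/users/id:1/tokens/t;.jsp HTTP/1.1" 200 300
203.0.113.7 - - [04/Mar/2024:10:01:16 +0000] "POST /x?jsp=%2Fapp%2Frest%2Fdebug%2Fprocesses;.jsp HTTP/1.1" 200 88
198.51.100.2 - - [04/Mar/2024:10:02:00 +0000] "GET /app/rest/users HTTP/1.1" 401 120
198.51.100.2 - - [04/Mar/2024:10:02:01 +0000] "GET /overview.html;jsessionid=abc HTTP/1.1" 200 7000
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# REST routes named in the exploit descriptions above, most severe first.
ROUTE_IMPACT = (
    (re.compile(r"^/app/rest/debug/"), "debug endpoint reached: command execution attempt"),
    (re.compile(r"^/app/rest/users/id:[^/]+/tokens/"), "token creation for an existing user"),
    (re.compile(r"^/app/rest/users"), "user enumeration or admin account creation"),
    (re.compile(r"^/app/rest/"), "authenticated REST route reached without credentials"),
)

def classify_target(target):
    """Return (rest_route, impact) if the request target has the CVE-2024-27198 shape, else None."""
    # Shape from the write-ups: any path, a 'jsp' query parameter naming a REST
    # route, and a ';.jsp' suffix. Decode first so %2F-encoded variants still match.
    if ";.jsp" not in unquote(target):
        return None
    query = dict(p.partition("=")[::2] for p in urlsplit(target).query.split("&"))
    if "jsp" not in query:
        return None
    route = unquote(query["jsp"]).split(";", 1)[0]  # drop the ';.jsp' matrix suffix
    for pattern, impact in ROUTE_IMPACT:
        if pattern.search(route):
            return route, impact
    return None

def scan_log(text):
    """Return (client_ip, method, status, route, impact) for every suspicious line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        hit = classify_target(m["target"]) if m else None
        if hit:
            findings.append((m["ip"], m["method"], int(m["status"]), hit[0], hit[1]))
    return findings
```

A 200 status on a flagged line is the signal to act on; the benign jsessionid matrix parameter and direct unauthenticated REST calls (which the server rejects with 401) are deliberately not flagged.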
Recent activity
33 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A previously exploited authentication bypass vulnerability in JetBrains TeamCity referenced as having been leveraged by threat actors targeting on-premises servers.
An earlier related JetBrains TeamCity vulnerability referenced as having been added to the KEV catalog.
A critical JetBrains TeamCity on-premises vulnerability referenced here in connection with remote code execution via a malicious plugin and Metasploit exploitation.
A JetBrains TeamCity On-Premises authentication bypass vulnerability referenced as relevant context for unexpected plugin installation that could lead to code execution on the TeamCity server.