Exploit for CVE-2024-27199
Description

RCity – CVE-2024-27198 (RCE & Admin Account Creation) & CVE-2024-27199 (Auth Bypass)

Exploiting CVE-2024-27198 & CVE-2024-27199

RCity is a Python script that interacts with a vulnerable TeamCity server. The CVE allows unauthorised admin account creation, bypassing 403 responses on the domain, and also achieves RCE through the Debug/Processes route.

Usage

To use the script, provide the target TeamCity server URL as a command-line argument with the -t or --target option:

    python3 RCity.py -t https://teamcity.com:8111

You can increase output verbosity with the -v or --verbose option:

    python3 RCity.py -t https://teamcity.com:8111 --verbose

You can send one-shot commands directly through the -c or --command option. If you want an interactive shell, DO NOT use this option:

    python3 RCity.py -t https://teamcity.com:8111 -c id

Features

- Admin Account Creation
- Remote Code Execution
- Generating Authorisation Tokens
- Enumerating Users
- Gathering all Private Auth Tokens of Users
- Gathering Server Details

Example

- RCE
- Token Generation

Documentation

Here I'll go through the functions used in this project, to hopefully give you a better understanding of this exploit and the vulnerabilities associated with it.

Background

CVE-2024-27198 and CVE-2024-27199 are closely related because both issues are produced by the same authentication bypass for REST API routes within JetBrains TeamCity servers. However, the…
