Difficulty: Easy–Medium
Room: https://tryhackme.com/room/brains
Category: Web Exploitation / RCE / Blue Team Analysis
Tools Used: Nmap, Curl, Burp Suite, Netcat, Splunk

🧠 Introduction

The Brains room is a very interesting challenge because it combines:

  • 🔴 Red Team (exploitation)
  • 🔵 Blue Team (log analysis)

At its core, this machine revolves around exploiting a real-world vulnerability in JetBrains TeamCity (CVE-2024-27198), which leads to an authentication bypass and then remote code execution (RCE). (DEV Community)

🎯 Objective

  • Gain access to the server
  • Execute commands (RCE)
  • Capture the flag
  • Analyze attacker behavior (Blue Team part)

🔴 PART 1 — Red Team (Exploit the Server)

⚙️ Step 1 — Reconnaissance (Nmap)

Start with a full scan:

nmap -sC -sV -p- 10.113.152.21

🔍 Results

Open ports:

  • 22 → SSH
  • 80 → HTTP
  • 50000 → TeamCity

➡️ The key service is:

http://10.113.152.21:50000

💬 Port 50000 is not random — it's commonly used by TeamCity. Recognizing services by ports = huge advantage.

🌐 Step 2 — Service Enumeration

Navigate to:

http://10.113.152.21:50000

🔎 Observation

  • Login panel
  • TeamCity instance exposed
  • Version information visible

🧠 Step 3 — Vulnerability Identification

We identify:

👉 JetBrains TeamCity vulnerable to authentication bypass
👉 CVE: CVE-2024-27198


This vulnerability allows:

  • creating admin users without authentication
  • full control over the application

💬 This is a perfect example of:

❌ "login page = secure"

✔️ "backend API = real attack surface"

💣 Step 4 — Exploitation (Auth Bypass)

We abuse the TeamCity REST API rather than the login page.

🧪 Example request:

python3 52411.py --url http://10.113.152.21:50000/login.html

💥 Result

➡️ New admin account created without login

🔐 Step 5 — Login to TeamCity with the created account

Use created credentials:

ibrahimsql : ibrahimsql

⚙️ Step 6 — Achieving RCE

Inside TeamCity:

➡️ Create a build configuration

Add build step:

python3 rce.py -u ibrahimsql -p ibrahimsql -t http://10.113.152.21:50000

🐚 Step 7 — Reverse Shell

Start listener:

nc -lvnp 4444

📁 Step 8 — Capture Flag

Navigate to:

/home/ubuntu/flag.txt

🎯 User flag obtained

🔵 PART 2 — Blue Team (Investigation)

🧠 Step 9 — Incident Analysis

Now we switch perspective.

➡️ Use Splunk to analyze logs

🔍 Step 10 — Log Investigation

Search for:

  • suspicious API calls
  • user creation events
  • unusual login patterns

🧾 Findings

  • API endpoint /app/rest/users used
  • new admin account created
  • suspicious build execution

🔎 Step 11 — Attack Timeline

  1. Attacker scans ports
  2. Finds TeamCity
  3. Exploits auth bypass
  4. Creates admin user
  5. Executes malicious build
  6. Gains shell
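The log investigation (Step 10) and the attack timeline (Step 11) can be reproduced outside Splunk with a small parser. The following is an added example, not part of the original writeup: it reads a handful of constructed access-log lines for the TeamCity front end (the combined-log field layout is an assumption, as is the `/app/rest/buildQueue` path used to stand in for "suspicious build execution"; `/app/rest/users` is the endpoint named in the Findings), flags a REST user creation from a source that never logged in, flags a build queued by that same source, and reconstructs a per-source timeline.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real TeamCity output). Layout assumed to be
# the common "combined" access-log format; 10.10.14.5 plays the attacker and
# 192.168.1.20 a normal user browsing projects.
SAMPLE_LOG = """\
10.10.14.5 - - [04/Jul/2024:10:00:01 +0000] "GET /login.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.10.14.5 - - [04/Jul/2024:10:00:09 +0000] "POST /app/rest/users HTTP/1.1" 200 311 "-" "python-requests/2.31"
10.10.14.5 - - [04/Jul/2024:10:00:12 +0000] "POST /login.html HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.10.14.5 - - [04/Jul/2024:10:01:40 +0000] "POST /app/rest/buildQueue HTTP/1.1" 200 640 "-" "python-requests/2.31"
192.168.1.20 - - [04/Jul/2024:10:02:00 +0000] "GET /app/rest/projects HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [timestamp] "METHOD path proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%d/%b/%Y:%H:%M:%S %z")
    event["status"] = int(event["status"])
    return event


def analyze(log_text):
    """Return {"findings": [(ip, time, description)], "timeline": {ip: [entries]}}.

    Detection logic, in the order the attack unfolds on this box:
      1. POST /app/rest/users succeeding from a source that has no successful
         login yet -> account created through the API without authenticating.
      2. A later successful POST /login.html from the same source -> the new
         account is being used interactively.
      3. POST /app/rest/buildQueue from a source that created an account ->
         build execution by the freshly created user.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    logged_in = set()
    timeline = defaultdict(list)
    findings = []

    for e in events:
        ip, path, method, status = e["ip"], e["path"], e["method"], e["status"]
        stamp = e["ts"].strftime("%H:%M:%S")
        ok = 200 <= status < 300

        if method == "POST" and path.startswith("/app/rest/users") and ok:
            tag = "user created via REST API"
            if ip not in logged_in:
                tag += " with no prior login from this source (possible auth bypass)"
            findings.append((ip, stamp, tag))
            timeline[ip].append(f"{stamp} {tag}")
        elif method == "POST" and path == "/login.html" and status in (200, 302):
            logged_in.add(ip)
            timeline[ip].append(f"{stamp} login")
        elif method == "POST" and path.startswith("/app/rest/buildQueue") and ok:
            tag = "build queued via REST API"
            if any("user created" in entry for entry in timeline[ip]):
                tag += " by a source that just created an account (suspicious build execution)"
                findings.append((ip, stamp, tag))
            timeline[ip].append(f"{stamp} {tag}")

    return {"findings": findings, "timeline": dict(timeline)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, stamp, desc in result["findings"]:
        print(f"[FINDING] {ip} {stamp} {desc}")
    for ip, entries in result["timeline"].items():
        print(f"\nTimeline for {ip}:")
        for entry in entries:
            print("  " + entry)
```

The ordering check is the important part: a `POST /app/rest/users` is normal when an authenticated admin does it from the UI, so the rule only escalates when the source has no successful login before the creation event, which is exactly the shape CVE-2024-27198 abuse leaves behind. The build-queue rule then correlates on the same source rather than on the (attacker-chosen) username, so it still fires when the attacker picks an innocuous-looking account name.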

🏁 Final Result

✔️ Authentication bypass
✔️ Remote Code Execution
✔️ System compromise
✔️ Attack traced via logs

🧩 Key Takeaways

🔑 1. APIs are often more vulnerable than UI

  • Login page ≠ real protection
  • Always test backend endpoints

🔑 2. Real CVEs matter

This wasn't theoretical — this was:

👉 real-world exploit (TeamCity CVE-2024-27198)

🔑 3. RCE doesn't need exploits

Sometimes:

  • no buffer overflow
  • no complex payload

➡️ just misconfiguration + logic flaw

🔑 4. Blue Team is just as important

  • detection
  • logging
  • correlation

🚀 Final Thoughts

The Brains room is excellent because it teaches:

  • real-world exploitation
  • attack chaining
  • defensive analysis

🔥 Bonus Tips

  • Always check:
      ◦ /ap
      ◦ /rest
      ◦ /v1

Look for:

  • undocumented endpoints
  • auth bypass vectors

Happy hacking 🚀