Incident Response Report: JetBrains TeamCity — Auth Bypass, Web Shell & Credential Tampering

Platform: CyberDefenders
Challenge: JetBrains
Category: Network Forensics
Difficulty: Medium
Tools: Wireshark, AbuseIPDB
Achievement: Proof of Completion

1. Executive Summary

Incident Type: CI/CD Server Compromise / Authentication Bypass / Web Shell Deployment / Credential Tampering

Exploited Application: JetBrains TeamCity 2023.11.3 (build 147512)

A packet capture (Capture.pcap) was collected after anomalous traffic was detected against a JetBrains TeamCity CI/CD server. Analysis of the full PCAP reconstructs a complete multi-phase attack chain:

The attacker (23.158.56.196) first ran a password-guessing attack against the TeamCity login page, then pivoted to CVE-2024-27198, a critical authentication bypass in TeamCity's request handling that allowed the REST API to be called without credentials and a new account to be created. Using the newly created SYSTEM_ADMIN account, the attacker uploaded a JSP web shell through the plugin upload mechanism, executed system commands through it (including a docker run command that bind-mounts the host root filesystem into a fresh container and chroots into it), and finally wrote tampered credential data to /tmp/Creds.txt.

Indicators of Compromise (IOCs)

| Type | Indicator | Description |
|---|---|---|
| TeamCity Server | 3.71.79.4:8111 | Targeted CI/CD server (public address) |
| Attacker IP | 23.158.56.196 | External threat actor (GTHost, Frankfurt, Germany) |
| Internal Server | 172.31.25.119 | TeamCity internal/backend IP |
| Docker Network | 172.17.0.2 | Container reverse proxy / Docker bridge |
| Exploited App | TeamCity 2023.11.3 (build 147512) | Vulnerable to CVE-2024-27198 |
| CVE | CVE-2024-27198 | Authentication bypass, used here against the REST API |
| Auth Bypass Endpoint | /hax?jsp=/app/rest/server;.jsp | Non-existent path plus jsp parameter, with a ;.jsp path-parameter suffix on the forwarded target (not a path traversal; that is CVE-2024-27199) |
| Created Account | c91oyemw | Rogue SYSTEM_ADMIN account created via API |
| Account Password | CL5vzdwLuK | Credential set during API account creation |
| Web Shell Name | NSt8bHTg.zip / NSt8bHTg.jsp | Malicious plugin uploaded via /admin/pluginUpload.html |
| Web Shell Path | /plugins/NSt8bHTg/NSt8bHTg.jsp | Active shell endpoint after plugin upload |
| Tampered Credential File | /tmp/Creds.txt | File written via web shell command execution |
| MITRE Technique | T1565.001 | Stored Data Manipulation (credential file tampering) |

MITRE ATT&CK Mapping Overview

| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Exploit Public-Facing Application (TeamCity CVE-2024-27198) | T1190 |
| Persistence | Create Account: Local Account (rogue admin via REST API) | T1136.001 |
| Persistence | Server Software Component: Web Shell (JSP packaged as a plugin) | T1505.003 |
| Execution | Command and Scripting Interpreter: Unix Shell (bash -c via the web shell) | T1059.004 |
| Privilege Escalation | Valid Accounts (rogue SYSTEM_ADMIN) | T1078 |
| Privilege Escalation | Escape to Host (docker run with the host root bind-mounted) | T1611 |
| Impact | Data Manipulation: Stored Data Manipulation (credential file) | T1565.001 |

2. Phase 1: Network Triage — Identifying the Attacker (Questions 1–3)

Objective: Identify the attacker’s IP, the targeted server, and the number of endpoints in the capture.

Opening Capture.pcap in Wireshark and navigating to Statistics → Endpoints immediately reveals the full set of IP addresses communicating in this capture.

Wireshark Endpoints dialog showing the IPv4 tab with 411 endpoints. The highlighted entry is 23.158.56.196 with 6,249 packets (3 MB total), standing out from the other addresses in the capture (172.17.0.2, 197.32.146.131, 172.31.25.119, 156.197.187.149) as the primary external actor. The server at 3.71.79.4 is the TeamCity target.

The Conversations view (Statistics → Conversations → IPv4) confirms the attacker's primary communication path: 23.158.56.196 ↔ 172.17.0.2 with 4,166 packets and 2 MB of data, the heaviest external conversation in the capture. Consistent with the roles in the IOC table, the TeamCity host shows up under three addresses: 3.71.79.4 is the public address the attacker targeted, 172.31.25.119 the server's private address, and 172.17.0.2 the Docker bridge address on which the attacker's traffic is seen in this view.

Wireshark IPv4 Conversations showing the highlighted row for 23.158.56.196 ↔ 172.17.0.2 with 4,166 packets and 2 MB of data, a start time of 755 seconds into the capture, and a duration of 1,661 seconds — identifying the primary attacker-to-server communication path.

Cross-referencing 23.158.56.196 on AbuseIPDB confirms it is associated with prior malicious activity — reported for web app attacks and brute-force attempts, registered to GTHost (Frankfurt, Germany, AS63023).

AbuseIPDB report for 23.158.56.196 showing the IP was found in the database with 4 prior abuse reports, listed as a Data Center/Web Hosting/Transit IP (ISP: GTHost), located in Frankfurt am Main, Germany (AS63023). Abuse categories include Web App Attack and Brute-Force.

Answer Q1

What is the attacker’s IP address?

23.158.56.196

Answer Q2

What is the IP address of the targeted TeamCity server?

3.71.79.4

Answer Q3

How many IPv4 endpoints are present in the packet capture?

411


3. Phase 2: Brute-Force Attack (Questions 4–5)

Objective: Identify the brute-force target endpoint and the number of attempts made.

Applying the Wireshark filter ip.addr == 23.158.56.196 && http isolates all HTTP traffic from the attacker. The early packets show a high-volume run of POST requests to /loginSubmit.html, the TeamCity authentication endpoint, answered with 401 Unauthorized and interleaved with 200 OK responses to the attacker's other requests.

Wireshark packet list filtered for ip.addr == 23.158.56.196 && http showing the brute-force sequence: repeated POST /loginSubmit.html HTTP/1.1 (application/x-www-form-urlencoded) requests from 23.158.56.196 targeting 172.31.25.119, with responses alternating between HTTP 200 OK and HTTP 401 Unauthorized, the signature of automated password guessing.

The 401 responses confirm failed authentication attempts. The pattern of request sizes (1388 bytes, 1396 bytes, 1132 bytes) reflects different credential pairs being submitted. The attacker also probed /authenticationTest.html?csrf — TeamCity’s CSRF token endpoint — between attempts, indicating an automated tool aware of TeamCity’s form-based authentication flow.
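The 401-counting logic above can be scripted so it does not depend on scrolling the packet list. The block below is an added example written for this write-up, not tooling from the challenge or from the original analysis. It assumes a simplified request log with one request per line (epoch seconds, source, destination, method, URI, status), a constructed format chosen for the example; the sample lines are also constructed, not taken from Capture.pcap. It flags any source that accumulates five or more 401 responses to POST /loginSubmit.html inside a sliding 60-second window, so a single mistyped password from a real user is not flagged while the attacker's burst is.

```python
from collections import defaultdict

LOGIN_URI = "/loginSubmit.html"

# Constructed sample log (not from the capture). Fields per line:
# epoch-seconds src dst method uri status
SAMPLE_LOG = """\
1000.0 23.158.56.196 172.31.25.119 GET /authenticationTest.html?csrf 200
1000.2 23.158.56.196 172.31.25.119 POST /loginSubmit.html 401
1000.4 23.158.56.196 172.31.25.119 POST /loginSubmit.html 401
1000.6 23.158.56.196 172.31.25.119 GET /authenticationTest.html?csrf 200
1000.8 23.158.56.196 172.31.25.119 POST /loginSubmit.html 401
1001.0 23.158.56.196 172.31.25.119 POST /loginSubmit.html 401
1001.2 23.158.56.196 172.31.25.119 POST /loginSubmit.html 401
1001.4 23.158.56.196 172.31.25.119 POST /loginSubmit.html 401
1500.0 10.0.0.7 172.31.25.119 POST /loginSubmit.html 401
1510.0 10.0.0.7 172.31.25.119 POST /loginSubmit.html 302
"""


def parse_log(text):
    """Yield (ts, src, dst, method, path, status). The query string is dropped
    so that /authenticationTest.html?csrf compares equal to its bare path."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, uri, status = line.split()
        yield float(ts), src, dst, method, uri.split("?", 1)[0], int(status)


def failed_logins_by_source(records):
    """Timestamps of 401 responses to POST /loginSubmit.html, grouped by source IP."""
    failures = defaultdict(list)
    for ts, src, _dst, method, path, status in records:
        if method == "POST" and path == LOGIN_URI and status == 401:
            failures[src].append(ts)
    return {src: sorted(ts_list) for src, ts_list in failures.items()}


def brute_force_sources(records, threshold=5, window=60.0):
    """Return {src: peak} for sources with at least `threshold` failed logins
    inside some `window`-second span; `peak` is the densest count found."""
    flagged = {}
    for src, times in failed_logins_by_source(records).items():
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, peak in brute_force_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {peak} failed logins within 60s")
```

To feed it real data, export request frames with tshark -r Capture.pcap -Y http.request -T fields -e frame.time_epoch -e tcp.stream -e ip.src -e ip.dst -e http.request.method -e http.request.uri, export response frames with -Y http.response -T fields -e tcp.stream -e http.response.code -e http.response_for.uri, and join the two on tcp.stream and URI. A request and its status code sit in different frames, which is why the example carries them on one line.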

Answer Q4

What endpoint was targeted during the brute-force attack?

/loginSubmit.html

Answer Q5

What HTTP status code indicated failed login attempts?

401


4. Phase 3: CVE-2024-27198 Authentication Bypass (Questions 6–9)

Objective: Identify the CVE exploited, the bypass endpoint, the rogue account created, and the TeamCity version.

After the brute-force phase, the attack changes character entirely. A new request pattern appears: GET requests to /hax?jsp=/app/rest/server;.jsp. The path /hax does not exist, so TeamCity's 404 handling takes over; the jsp query parameter tells that handler which resource to forward to internally, and the ;.jsp suffix makes the forwarded path end in .jsp, which TeamCity's authentication checks treat as a public JSP page. Tomcat strips the ;.jsp segment as a path parameter before dispatch, so the forwarded request actually reaches the authenticated REST resource /app/rest/server.

Searching for TeamCity 2023.11.3 CVE confirms this is CVE-2024-27198, a critical authentication bypass disclosed in March 2024 (CVSS 9.8, Critical) that gives unauthenticated callers access to the TeamCity REST API and other authenticated controllers through exactly this 404-plus-jsp-parameter path. The fix shipped in TeamCity 2023.11.4.

Google search results for "TeamCity 2023.11.3 CVE" showing the top result from Vicarius.io titled "TeamCity Auth bypass to RCE (CVE-2024-27198 and...)" dated 10 May 2024, confirming that JetBrains TeamCity 2023.11.3 is affected by two critical vulnerabilities CVE-2024-27198 and CVE-2024-27199 which allow authentication bypass leading to remote code execution.

Following the TCP stream of the CVE exploitation request shows the server’s XML response confirming the exact TeamCity build information — and then a POST request that creates a new user account with SYSTEM_ADMIN privileges:

Wireshark Follow HTTP Stream for tcp.stream 364 showing the full CVE-2024-27198 exploitation: GET /hax?jsp=/app/rest/server;.jsp returns HTTP 200 with XML disclosing TeamCity version 2023.11.3 (build 147512). It is immediately followed by POST /hax?jsp=/app/rest/users;.jsp with a JSON body creating a new admin account: username "c91oyemw", password "CL5vzdwLuK", email "c91oyemw@example.com", roles: SYSTEM_ADMIN, proving successful unauthenticated account creation.
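A detector for the request shape described above, as an added example that is not part of the original analysis or of any TeamCity or Wireshark tooling. It decomposes a request URI the way the bypass relies on: the path that was requested, the target the jsp parameter would forward to, and whether that target only ends in .jsp because of a ;-separated path-parameter segment. The sample request lines are constructed from the URIs quoted in this write-up, and the list of protected prefixes (/app/rest/, /admin/) is an assumption made for the example.

```python
from urllib.parse import unquote

# Assumed for the example: prefixes that require authentication on the server.
PROTECTED_PREFIXES = ("/app/rest/", "/admin/")


def query_params(query):
    """Split a query string on '&' only. Some parsers (older urllib.parse.parse_qs)
    also split on ';', which would silently chop off the ';.jsp' suffix that makes
    this bypass work; the detector must see the same bytes Tomcat saw."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote(key), unquote(value))
    return params


def analyse_uri(uri):
    """Describe one request URI: the path as requested, the path the `jsp`
    parameter would forward to, and whether the pair matches CVE-2024-27198
    (a protected target that ends in '.jsp' only because of a ';' segment)."""
    path, _, query = uri.partition("?")
    jsp = query_params(query).get("jsp")
    if jsp is None:
        return {"requested": path, "forwarded_to": None, "cve_2024_27198": False}
    # Tomcat treats ';...' as a path parameter and drops it when matching the
    # servlet, so '/app/rest/server;.jsp' routes to '/app/rest/server' while the
    # string TeamCity's auth check inspects still ends with '.jsp'.
    base, _, path_param = jsp.partition(";")
    matches = (
        jsp.endswith(".jsp")
        and path_param != ""
        and not base.endswith(".jsp")
        and base.startswith(PROTECTED_PREFIXES)
    )
    return {"requested": path, "forwarded_to": base, "cve_2024_27198": matches}


# Constructed sample request lines: "<src> <method> <uri>" (not raw capture data).
SAMPLE_REQUESTS = """\
23.158.56.196 GET /hax?jsp=/app/rest/server;.jsp
23.158.56.196 POST /hax?jsp=/app/rest/users;.jsp
23.158.56.196 POST /hax?jsp=/app/rest/users/id:2/tokens/mD5r0yemB0;.jsp
10.0.0.7 GET /login.html
10.0.0.7 GET /overview.html?jsp=/overview.jsp
"""


def scan(text):
    """Return (src, method, forwarded_to) for every request matching the bypass."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, method, uri = line.split(maxsplit=2)
        result = analyse_uri(uri)
        if result["cve_2024_27198"]:
            hits.append((src, method, result["forwarded_to"]))
    return hits


if __name__ == "__main__":
    for src, method, target in scan(SAMPLE_REQUESTS):
        print(f"{src} {method} -> reached {target} without authentication")
```

The quick Wireshark equivalent is the display filter http.request.uri contains ";.jsp", but the function above also tells you which authenticated resource each request actually reached, which is what decides whether the bypass was used to read server information, create a user, or mint an access token.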

The attacker then navigated to the admin panel (/admin/admin.html?item=plugins) to confirm their access — the HTTP response confirms the admin panel was served:

Wireshark packet 25336 details showing the HTTP response to GET /admin/admin.html?item=plugins: HTTP/1.1 200 OK with TeamCity-Node-Id: MAIN_SERVER, Content-Type: text/html, and a 194,343-byte chunked response confirming the attacker successfully accessed the TeamCity admin panel with the newly created rogue administrator account.

Answer Q6

What CVE was exploited for authentication bypass?

CVE-2024-27198

Answer Q7

What endpoint did the attacker use to exploit the vulnerability?

/hax?jsp=/app/rest/server;.jsp

Answer Q8

What username and password were used for the rogue admin account?

c91oyemw : CL5vzdwLuK

Answer Q9

What version of TeamCity is running on the server?

2023.11.3


5. Phase 4: Web Shell Upload & Deployment (Questions 10–12)

Objective: Identify the web shell filename, the upload endpoint, and the mechanism used.

With admin access secured, the attacker navigated to the plugin management interface and uploaded a malicious plugin archive. Filtering for the attacker's POST requests with http.request.method == "POST" && ip.src == 23.158.56.196 shows the sequence clearly:

Wireshark packet list filtered for POST requests from 23.158.56.196 showing the attack sequence: POST /hax?jsp=/app/rest/users;.jsp (account creation), POST /hax?jsp=/app/rest/users/id:2/tokens/mD5r0yemB0;.jsp (access-token generation for user id 2, the rogue account), POST /admin/pluginUpload.html with Content-Type application/zip (web shell upload), and multiple POST /plugins/NSt8bHTg/NSt8bHTg.jsp requests with application/x-www-form-urlencoded bodies (web shell command execution).

Following the TCP stream of the plugin upload packet reveals the full multipart form-data payload. The uploaded file is NSt8bHTg.zip — a specially crafted TeamCity plugin archive containing a JSP page that accepts a cmd GET/POST parameter and executes it via ProcessBuilder:

Wireshark Follow HTTP Stream for tcp.stream 365 showing the POST /admin/pluginUpload.html multipart upload containing NSt8bHTg.zip. The ZIP contains a JSP file (NSt8bHTg.jsp) with Java Scanner-based web shell code that uses ProcessBuilder to execute the value of the "cmd" parameter, a functional OS command execution web shell packaged as a TeamCity plugin.

After the upload, the server unpacks the archive and serves the JSP it contains from the plugin's web path, so the shell is reachable without any further installation step visible in the traffic. All subsequent attacker requests are POSTs to /plugins/NSt8bHTg/NSt8bHTg.jsp:

Wireshark packet list filtered for http.request.uri contains "NSt8bHTg.jsp" showing dozens of POST requests from 23.158.56.196 to /plugins/NSt8bHTg/NSt8bHTg.jsp, confirming the web shell is active and the attacker is sending commands through it.

Answer Q10

What is the filename of the uploaded web shell?

NSt8bHTg.jsp

Answer Q11

What endpoint was used to upload the web shell?

/admin/pluginUpload.html

Answer Q12

What parameter does the web shell accept for command execution?

cmd


6. Phase 5: Container Escape & Credential Tampering (Questions 13–15)

Objective: Reconstruct the commands executed via the web shell, identify the container escape, and document the credential tampering.

Following the web shell communication streams reveals the full command execution chain. One stream stands out: a request whose cmd value, once URL-decoded, is a Docker command that starts a new container with the host root filesystem bind-mounted and chroots into it:

Wireshark Follow HTTP Stream for tcp.stream 602 showing a POST to /plugins/NSt8bHTg/NSt8bHTg.jsp with the cmd parameter URL-decoded as: docker run --rm -it -v /:/host ubuntu chroot /host. The bind mount exposes the host's root filesystem at /host inside the new container, and chroot /host switches the root context to it, which amounts to a root shell on the host.

Two caveats matter for the investigation. This is not a kernel-level container escape: it only works if the process running the web shell can reach the Docker daemon (for example through a mounted /var/run/docker.sock, or a docker CLI on a host-installed TeamCity), and anyone who can reach the daemon is already equivalent to root on the host. Second, -it asks for a TTY that a ProcessBuilder-spawned process does not have, so the response body in the same stream should be checked for Docker's "the input device is not a TTY" error before the escape is recorded as successful rather than attempted.

A separate web shell stream shows the credential tampering: the attacker used the shell to write a crafted credential string to /tmp/Creds.txt:

Wireshark Follow HTTP Stream for tcp.stream 547 showing a POST to /plugins/NSt8bHTg/NSt8bHTg.jsp with the cmd parameter. After one round of URL decoding the value still contains percent-escapes: bash -c 'echo "username%3Aa11m%2Cpassword%3Ayouarecompromised%22 > /tmp/Creds.txt'. The argument to echo was encoded a second time, so a further decode (%3A is a colon, %2C a comma, %22 a double quote) yields bash -c 'echo "username:a11m,password:youarecompromised" > /tmp/Creds.txt'. Whether that second decode happened on the server (a shell that calls URLDecoder on a parameter Tomcat has already decoded) or the escapes reached bash literally cannot be told from the request alone; the literal form leaves an unbalanced double quote that bash would reject, so the response in the same stream is the place to check. Either way the intent is to write manipulated credential data to a file, consistent with MITRE T1565.001 Stored Data Manipulation.

MITRE ATT&CK T1565.001 (Stored Data Manipulation) is the closest mapping for this action: the attacker is writing false credential data into a file on disk to influence whatever reads it later or to mislead incident responders:

MITRE ATT&CK T1565.001 — Data Manipulation: Stored Data Manipulation technique page, describing how adversaries may insert, delete, or manipulate data at rest to influence external outcomes or hide activity. Impact type: Integrity.
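Decoding the web shell traffic by hand is error-prone, as the partially decoded command in stream 547 shows. The block below is an added example, not part of the original write-up or of the challenge: it extracts the cmd parameter from a form body, keeps percent-decoding until the value stops changing, and tags the result with the behaviours seen in streams 547 and 602 (a docker run with the host root bind-mounted, a chroot, a redirect into a file, a bash -c wrapper). The POST bodies are constructed from the decoded commands quoted in this analysis, not copied from the capture; the first reproduces the double encoding of the echo argument.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed POST bodies (not raw capture data), built from the decoded
# commands quoted in the analysis. The first re-creates the double encoding
# seen in stream 547: the argument to echo was percent-encoded before the
# whole command was form-encoded.
SAMPLE_POSTS = [
    ("tcp.stream 547",
     "cmd=bash+-c+%27echo+%22username%253Aa11m%252Cpassword%253Ayouarecompromised"
     "%2522+%3E+%2Ftmp%2FCreds.txt%27"),
    ("tcp.stream 602",
     "cmd=docker+run+--rm+-it+-v+%2F%3A%2Fhost+ubuntu+chroot+%2Fhost"),
    ("tcp.stream 999", "cmd=id"),  # constructed benign control
]


def decode_cmd(body, max_rounds=4):
    """Extract the cmd parameter from a form body and keep percent-decoding
    until the value stops changing. parse_qs performs the form decoding
    ('+' becomes a space); later rounds use plain unquote so a literal '+'
    inside a command survives."""
    value = parse_qs(body, keep_blank_values=True).get("cmd", [""])[0]
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(cmd):
    """Tag a decoded command with the behaviours that matter for triage."""
    tags = []
    if re.search(r"\bdocker\s+run\b.*-v\s+/:", cmd):   # host root bind-mounted
        tags.append("docker-host-mount")
    if re.search(r"\bchroot\s+\S+", cmd):
        tags.append("chroot")
    m = re.search(r""">>?\s*(/[^\s'"]+)""", cmd)        # redirect into a file
    if m:
        tags.append("file-write:" + m.group(1))
    if re.search(r"\b(bash|sh)\s+-c\b", cmd):
        tags.append("shell-wrapper")
    return tags


def triage(posts):
    """Decode and classify every shell POST; returns [(label, cmd, tags)]."""
    out = []
    for label, body in posts:
        cmd = decode_cmd(body)
        out.append((label, cmd, classify(cmd)))
    return out


if __name__ == "__main__":
    for label, cmd, tags in triage(SAMPLE_POSTS):
        print(f"{label}: {cmd}\n    tags={tags}")
```

Repeated decoding is deliberate: a shell that runs URLDecoder on a parameter Tomcat has already decoded executes the twice-decoded string, and a detector that stops after one round would report "username%3Aa11m" with its escapes intact and could miss any token that was only present in double-encoded form. The server's response in the same stream still has the final say on which form actually ran.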

Answer Q13

What command was used to escape the Docker container?

docker run --rm -it -v /:/host ubuntu chroot /host

Answer Q14

What file did the attacker write to during the credential tampering phase?

/tmp/Creds.txt

Answer Q15

What MITRE ATT&CK technique does the credential file tampering represent?

T1565.001 — Stored Data Manipulation


7. Conclusion

The JetBrains investigation reconstructs a clean, multi-phase CI/CD server compromise that required no user interaction and no prior credentials — only a vulnerable, internet-exposed TeamCity instance.

  1. Attribution: AbuseIPDB enrichment showed that 23.158.56.196 already carried abuse reports (web app attack, brute force) before this incident.
  2. Brute force: automated password guessing against /loginSubmit.html (401 responses), unsuccessful, but the interleaved CSRF-token requests show tooling that understood TeamCity's login flow.
  3. Authentication bypass: CVE-2024-27198 via /hax?jsp=/app/rest/server;.jsp (non-existent path, jsp parameter, ;.jsp suffix), then unauthenticated SYSTEM_ADMIN account creation in a single API call.
  4. Web shell: the TeamCity plugin upload mechanism abused to deploy NSt8bHTg.jsp, a full OS command execution shell packaged as a plugin.
  5. Container escape: docker run with the host root filesystem bind-mounted at /host and chroot into it, issued through the web shell; this relies on the shell's process being able to reach the Docker daemon.
  6. Impact: credential file tampered at /tmp/Creds.txt, Stored Data Manipulation (T1565.001).

Key Takeaways for the SOC:

  1. CVE-2024-27198 is trivially exploitable: a single HTTP request creates a SYSTEM_ADMIN account with no authentication required. Any TeamCity instance below version 2023.11.4 is critically exposed if network-accessible, so patch first and keep the server off the internet until then. Alert on request URIs containing ";.jsp" and on POSTs to /app/rest/users from unexpected sources.
  2. Plugin upload = code execution in TeamCity. Plugin upload is an administrator function, so keep the set of system administrators small, alert on POST /admin/pluginUpload.html, and audit the plugin directory regularly for unexpected .jsp or .jar files.
  3. The docker run -v /:/host ... chroot /host command is not a kernel exploit; it needs a path to the Docker daemon. Never bind-mount /var/run/docker.sock into the TeamCity server or build-agent containers, avoid --privileged, and treat anyone who can talk to the daemon as root on the host. Flags such as --security-opt no-new-privileges or --cgroupns=private do not stop a bind mount of the host filesystem.
  4. CI/CD servers are high-value targets: they hold secrets, source code, deployment keys, and often have broad network access. They must be treated as Tier-0 assets with equivalent monitoring and hardening.

Analysis Date: April 21, 2026
Analyst: El OMARI Zakaria

This post is licensed under CC BY 4.0 by the author.