Red-Teaming Cloud Infrastructure with Neo

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://projectdiscovery.io/blog/red-teaming-cloud-infrastructure-with-neo
• Blog Title: Red-Teaming Cloud Infrastructure with Neo
• Suggested Section: Pentesting CI/CD -> TeamCity Security; also cross-reference AWS Pentesting -> AWS - EC2, EBS, SSM & VPC Post Exploitation / IMDS credential theft

🎯 Content Summary

The post describes a full autonomous red-team exercise performed by ProjectDiscovery Neo against an AWS lab modeled after common real-world CI/CD cloud exposure. The starting point was a public JetBrains TeamCity server on ci.[REDACTED].org:8111. From a single high-level prompt, with no step-by-step exploit hints, Neo moved from external reconnaissance to TeamCity administrative access, CI/CD secret theft, AWS instance metadata credential theft, S3 and SSM enumeration, pri...

🔧 Technical Details

TeamCity CVE-2024-27198 authentication bypass: Vulnerable TeamCity versions can route unauthenticated requests through /hax?jsp=/app/rest/<endpoint>;.jsp, causing protected REST endpoints to be treated as authenticated. This can be used first for unauthenticated fingerprinting with GET /hax?jsp=/app/rest/server;.jsp, then for privilege escalation by creating a persistent API token for a privileged user, for example POST /hax?jsp=/app/rest/users/id:1/tokens/RedTeamToken;.jsp. The practical impact is unauthenticated persistent administrator access to the CI/CD platform.

CI/CD compromise as secret exfiltration: Administrative access to a CI/CD server is often equivalent to access to production deployment secrets. Build parameters and project configurations may contain database URLs, SSH private keys, JWT signing secrets, SaaS API keys, and cloud credentials because pipelines need them at runtime. A request such as /...

🤖 Agent Actions

Done: updated src/pentesting-ci-cd/pentesting-ci-cd-methodology.md.

Added a concise TeamCity-focused section covering:

• CVE-2024-27198 unauthenticated REST abuse
• Admin token minting
• Secret extraction from TeamCity project parameters
• EC2 build-agent IMDS credential theft
• AWS follow-up enumeration (S3, SSM, EC2, RDS)
• Private subnet pivoting through the build agent
• HS256 JWT forgery as a pivot primitive
• SQLi via attacker-controlled JWT claims
• TeamCity debug DB REST query abuse

Also updated the file’s ## References with:

• ProjectDiscovery blog
• JetBrains TeamCity advisory
• AWS IMDS metadata options reference

Validation:

• git diff --check passed
• mdbook build could not be run because mdbook is not installed in this environment.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://projectdiscovery.io/blog/red-teaming-cloud-infrastructure-with-neo

Content Categories: Based on the analysis, this content was categorized under "Pentesting CI/CD -> TeamCity Security; also cross-reference AWS Pentesting -> AWS - EC2, EBS, SSM & VPC Post Exploitation / IMDS credential theft".

Repository Maintenance:

• MD Files Formatting: 584 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0